Yunita Ong – Medill National Security Zone
http://nationalsecurityzone.medill.northwestern.edu
A resource for covering national security issues
Tue, 15 Mar 2016 22:20:28 +0000

As Europe’s privacy laws evolve, so must American companies when operating ‘across the pond’
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/as-europes-privacy-laws-evolve-so-must-american-companies-when-operating-across-the-pond/
Thu, 19 Mar 2015 14:30:07 +0000

WASHINGTON — In 1998, a Spanish newspaper announced that a man named Mario Costeja González had his home repossessed.

A decade later, González Googled his name and found that the incident came up in search engine results. Incensed, he complained to Google, asking that information related to him be erased because he thought it was no longer relevant.

Google refused and the dispute ended up in court. In 2014, the Court of Justice of the European Union ruled in favor of González.

The ruling may seem like an affront to free speech, but the court’s decision reflected the region’s long-running commitment to privacy protection.

With the global nature of Internet commerce, Google will not be the only American company ensnared by European data protection laws. Many other firms may find themselves – sometimes unwittingly – running afoul of European privacy laws, and they are putting more money and effort into coping with this digital clash of cultures.

More than an ocean apart

Citizens in the U.S. and Europe value privacy. But they articulate it differently in legal terms.

Every European citizen has the “right to respect for his private and family life, his home and his correspondence,” according to the 1953 European Convention on Human Rights – and the most significant legislation by the European Union in recent years is a 1995 directive, which outlines core principles its members should observe.

The directive says that governments, institutions and companies should inform citizens of what information is being collected, ensure data is not disclosed to other parties without the individuals’ consent and allow them to access and correct data about them.

The directive has formed the backbone of many European countries’ national privacy laws protecting citizens against intrusions by government and by companies, said Viktor Mayer-Schönberger, an Internet governance and regulation professor at England’s University of Oxford.

One component of the European Union directive states that personal data can be processed only with unambiguous consent given by the subject, among other requirements.

The EU’s Court of Justice ruled in favor of González last year for precisely this reason: Since individuals must give permission for the search engine to handle their data, the companies have to handle requests that their information be taken down.

Privacy law is articulated very differently on the U.S. side of the Atlantic. It is not explicitly guaranteed in the Constitution and only suggested by the Fourth Amendment’s requirement for a warrant for the government to search a citizen’s home.

“What the U.S. lacks is an omnibus privacy law that binds not just the public sector but the private sector as well,” said Mayer-Schönberger. “But the U.S. does have a number of sectoral privacy laws that also apply to the private sector, such as in the context of health data.”

In other words, “privacy in relation to private companies is seen as a species of commercial regulation,” said Bill McGeveran, an information law professor at the University of Minnesota.

The implication of this is enormous for companies wishing to collect and process information about their consumers.

“In Europe, you can only do so if the law says you specifically can, but in the U.S. you can collect data about anyone, anytime, unless there’s a law that prohibits it,” said McGeveran.

“Data is a resource in Europe and the U.S. but in Europe, it’s something in the ground and you need to ask permission before you can mine it.”

Why Europe and America differ on privacy issues

People in the U.S. want privacy just as much as people in Europe, Mayer-Schönberger emphasized. But there is no single easy answer for why data protection legislation is more clearly laid out in Europe.

Europe’s tangled history with data privacy could be a reason – the Nazis used personal data to target marginalized communities during the Holocaust, and in the 1980s, privacy advocates in Germany protested against a census in West Germany that asked questions they deemed too invasive.

“As Germany has always been a key power broker in the EU, that spilled over into the European debate,” he said.

Fred Cate, a law professor at Indiana University, said the U.S. economy’s reliance on technology is also an important reason.

“The U.S. is huge on data innovation – privacy is important, but so is economic success,” he said. “There isn’t a European search engine that can compete with Bing and Google, and so fewer European companies are using privacy as a competitive tool.”

What this means for American companies

For American companies, complying with European privacy laws is a complex process because the level of enforcement varies from country to country. McGeveran said that while privacy regulators in England and Ireland tend to be more cooperative, Spain and Germany are tougher on firms, slapping violators with fines.

Firms may have to jump through additional legal hurdles to do something like moving internal company data, such as payroll information, out of Europe to the U.S.

The clashing regulations could put companies in a legal quandary.

Cate cited the example of a company that was required by a U.S. court to produce certain data that the German government prohibited it from obtaining. “You’re stuck between a rock and a hard place,” he said. “Whose law do you choose to violate?”

American companies therefore must plan carefully when operating in Europe, especially with the ever-changing Internet landscape and the privacy concerns it has raised.

“They cannot assume that their structure and business model in the U.S. can be duplicated in Europe without any modifications,” McGeveran warned.

The 2014 European decision about Google highlighted this challenge starkly. Search engines have scrambled to cope with the new development in European privacy law.

Google and Yahoo have set up online forms for users to submit removal requests.

To date, Google has approved 286,814 – or 40 percent – of the removal requests it has received, after judging whether the results were outdated, inaccurate, inadequate, excessive or of interest to the public.

Yahoo has set up a similar intake form as well as a task force to figure out how to process the removal requests, said Laura Juanes Micas, a senior legal director of international privacy at the search engine company.

“This situation was about a particular case in Spain and it has been challenging to create general rules for all removal requests from this one case,” she said.

She added that the ruling placed the burden on search engines to figure out how to balance the rights of the individual to privacy and a third party’s right to freely express himself on the Internet – but this was hard for private companies whose main duty is to make a profit and serve their customers.

American search engines are not erasing search results in non-EU web domains for now, meaning that the information would still be viewable in the U.S. version of Google, for instance. However, European regulators are pushing them to apply the ruling to all web domains, said Lucio Scudiero, a privacy legal counsel in Italy and fellow at the non-profit think-tank Italian Institute of Privacy.

“I expect this issue to end up in courts on both sides of the pond soon,” he warned.

Obama’s cybersecurity plan could infringe on privacy protections: security experts
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/02/26/obamas-cybersecurity-plan-could-infringe-on-privacy-protections-security-experts/
Thu, 26 Feb 2015 20:37:17 +0000

WASHINGTON – The Obama administration’s plan to urge businesses to share data with the government to fight cyberthreats could infringe on Americans’ privacy rights, experts warned.

While current cybersecurity proposals by President Barack Obama would safeguard people’s personal information from unnecessary exposure, the vast amount of data that companies and government agencies would be sharing still poses a risk.

“We don’t want the possibility down the road that companies will share information that could later be used for general law enforcement purposes,” Harley Geiger, advocacy director and senior counsel at the Center for Democracy and Technology, said on Feb. 19 at a panel hosted by the Center for National Policy and the Christian Science Monitor.

The president has made public-private information sharing a pillar of his cybersecurity agenda after a series of high-profile cyberattacks on companies in 2014 such as the Sony Pictures breach and the Heartbleed bug.

He recently unveiled a proposal urging companies to share cyberthreat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which would then be disseminated to other agencies and privately-run information sharing hubs.

“We will take cyberthreat information such as malware, IP addresses and such threat indicators from victims and companies and add them together to create a big weather map where we can spot the fronts coming,” said Phyllis Schneck, the Department of Homeland Security’s chief cybersecurity official, in a speech before the Feb. 19 panel.

The proposal also protects consumer privacy, said Schneck. As a condition for receiving liability protection from the government for sharing information with them, companies must strip unnecessary personal information and protect the personal data that must be shared.

However, experts at the panel remained wary of the proposal, which Geiger said would give the government much power. “The way it’s structured now – with the companies getting liability protection only after they share information with the government – forces an almost government-centric sharing regime,” he said.

While acknowledging the privacy protections the administration has proposed as a positive step, Geiger also said that years down the road, the large amount of data could be used for general law enforcement purposes, amounting to what he called a “giant wiretap.”

“I would like to see more protection over the information being shared because it is very lucrative,” said John Pescatore, the director of the SANS Institute, a cybersecurity training company, and another panelist.

Andrew Borene, federal chief strategist for IBM’s security, intelligence and big data analytics team, said obtaining large quantities of data is necessary for countering cyberespionage and breaches. “We’re trying to find the needle in the haystack, but to do so, we need the whole haystack,” he said.

In addition to the information sharing plan, the president also announced earlier this year that he will pursue a federal data breach law, which would notify consumers, within a certain time period after the breach, if their data has been compromised. To beef up the workforce, his administration will also provide $25 million in grants over the next five years to cybersecurity education.

The government also should create incentives for the business community to invest in cybersecurity, added Pescatore. He noted that Target, a $72 billion retailer, lost about $200 million last year when hackers stole the credit and debit card information of 40 million consumers.

“In the end, it all comes down to business decisions,” he said.
