How Europeans fight to keep personal data safe
The concern of EU citizens about the storage of their personal data by global corporations has grown significantly in recent years and already borders on open indignation. The reasons are the rapid development of communication technologies, the growing number of personal data leaks, the vague policies of the IT giants on protecting personal information, and the lack of uniform, transparent rules.
Under pressure from activists, the European justice authorities and the European Parliament passed a series of laws to protect the personal data and reputation of their fellow citizens (the General Data Protection Regulation, GDPR, and the much-discussed “right to be forgotten”). Judging by recent events, however, the struggle to keep confidential information safe is still far from over.
There was even talk of a possible ban on storing the personal data of EU citizens outside the EU. Concerns were expressed that the existing agreements on the processing of personal data by companies such as Facebook, Amazon and Google might run counter to EU privacy policy and lead to an “armageddon of information flows.”
Maximilian Schrems v. Safe Harbor
In October 2015, the European Court of Justice invalidated the transatlantic agreement on the use of personal data known as Safe Harbor. This was preceded by several court hearings initiated by the Austrian Maximilian Schrems.
Austrian Master of Laws, media lawyer Schrems
As a student, he began to suspect that Facebook stored all information about its users in the USA and used it without regard to EU law. After many requests to the social network, Schrems received a CD-ROM from Facebook with all the information about himself that was stored in America. On first viewing he found messages that he had deleted or hidden from public view but that were still in the company's database.
On the basis of these violations, the activist filed a complaint in August 2011 with the Irish personal data court. The court ordered the social network to be more careful about data confidentiality; however, Zuckerberg’s company ignored the decision.
Max and his associates then decided to fight for the right of Europeans to data privacy. He founded the public organization “Europe against Facebook” (Verein zur Durchsetzung des Grundrechts auf Datenschutz, “Union for the enforcement of the fundamental right to data protection,” http://europe-v-facebook.org/).
In 2013, Schrems filed a new lawsuit against the social network in Dublin, but it was dismissed, after which the activist sought referral of the case to the European Court of Justice (ECJ).
In October 2015, the ECJ ruled that the data of Europeans held on the servers of American companies is not sufficiently protected, which violates the laws of the European Union. ECJ Advocate General Yves Bot criticized above all the availability of personal information to American intelligence agencies. On the basis of these findings, the Safe Harbor agreement was declared invalid.
Following the decision, Edward Snowden wrote on Twitter: "Congratulations, Max Schrems, you have changed the world for the better." Many media outlets in the United Kingdom and the United States called Schrems a “continuation of the Snowden affair.”
After the invalidation of Safe Harbor, the “model contract clauses” remained in force, under which thousands of multinational corporations continued transatlantic data transfers.
As Schrems stated: “I don’t think that the European Court of Justice can recognize the Model Agreement as valid, because before that it had made a decision to terminate Safe Harbor, based on the same American laws. All data protection lawyers know that the “Model Contract” is very unreliable, but it was the simplest and quickest solution they could come up with. Until the United States substantially changes its laws, I see no way to resolve the situation.”
Since the end of 2015, the EU and the US have been discussing a new agreement to replace Safe Harbor, called the EU-US Privacy Shield. The framework, which took effect on August 1, 2016, contains a written commitment by the U.S. government to limit and control its access to users' personal data.
It is also stipulated that an independent ombudsman, reporting directly to the US Secretary of State, will be appointed to receive and handle Europeans' complaints about the actions of American intelligence agencies.
New EU personal data storage requirements
In April 2016, the European Parliament finally ratified the General Data Protection Regulation (GDPR), which will enter into force on May 4, 2018. Companies in the European Union must bring their business into line with the new legislation within 2 years. According to experts, the data protection reform is long overdue, given the growing influence of large volumes of data and social media and the coming heyday of the Internet of Things.
The reform aims to unify the rules and create a single, reliable data protection mechanism for EU citizens. Lawmakers hope that greater legal certainty will stimulate innovation in the digital services market.
According to the EDPS expert report, the ongoing debate is complicated by a misunderstanding of the concepts of notification and consent. Under European data protection legislation, acceptance of a privacy policy must be a free choice, one that can be given or refused without any detriment to the person and without having to give up the service. It also requires a clear understanding of what the person is agreeing to.
A large number of studies indicate that the success of new products and services that aggregate databases depends largely on user trust. Accordingly, part of the GDPR requirements concern giving users convenient tools for controlling their personal data. Users must also be given a “right to be forgotten” and the ability to be notified if their personal data is compromised.
The new rules will make it possible to transfer personal data from one service provider to another. In this way, startups and small companies will be able to enter markets where the digital giants dominate today and attract consumers with better personal data protection. This, politicians are confident, will make the European economy more competitive.
In addition, organizations will be required to publish their corporate data protection policies in a form that is understandable and easily accessible to users. Special “icons” on websites will explain how, by whom and under whose responsibility personal data will be processed.
The rules require that personal data protection measures be built into products and services from the very beginning of their development (data protection by design), which will encourage companies to develop “privacy-preserving” technologies such as pseudonymization, encryption and protocols for protecting personal correspondence.
Because companies have to reorganize their activities in connection with the introduction of the GDPR, demand for consulting services has increased.
One of the leaders in IT consulting, Veritas Technologies, has published a series of recommendations to help companies prepare for the entry into force of the GDPR.
According to studies, 52% of the information stored and processed by organizations around the world is “dark data”: information resources that companies collect, process and store in the ordinary course of business but cannot use for other purposes, such as analysis, business relationships or direct monetization. Compliance with the new Regulation may therefore be hindered by the fact that most companies have no real visibility into about half of the information they store.
Consulting firms offer several solutions to reduce the amount of “dark data.” To this end, they develop programs that provide a better understanding of unstructured information, control access to information, and classify data automatically.
And what about Russia?
On September 1, 2015, amendments to Federal Law No. 242-FZ “On Personal Data” entered into force in Russia, requiring the localization of personal data in Russia. According to the document signed by the president, Russian and foreign companies must ensure that the recording, accumulation and storage of the personal data of Russian citizens takes place in databases located in the Russian Federation. Compliance with these requirements is monitored by Roskomnadzor. According to RAEC research, 242-FZ will become a driver for the industry: by 2018 the country's data processing market will grow twofold (to 26.3 billion rubles).
By the time the act came into force, a number of companies had announced the transfer of personal data to Russian data centers: Samsung, Lenovo, Aliexpress, Ebay, PayPal, Uber, Booking.com, Obi, Teradata, Avito, Western Union, etc.
Foreign companies present on the Russian data storage and processing market saw an influx of new customers after the law was adopted. In particular, the British company IXcellerate announced a significant expansion of its customer base in Russia; according to media reports, a global giant as large as Apple localized its data on IXcellerate's Russian servers. The European office of another major player in the domestic data storage and processing market, Orange Business Services, a subsidiary of the largest French mobile operator Orange, systematically informed its customers in Europe about the changes in Russian law before the 242nd federal law came into force. They were invited to use the Orange cloud solution, which is hosted entirely on Russian servers.
European regulators also followed the preparation for and implementation of the Russian law on the localization of personal data with great interest. Last November in Moscow, the “Protection of Personal Data” conference was largely devoted to this topic, and many European supervisory authorities sent their representatives. It is quite possible that the Russian regulatory experience will be taken as a basis by the EC authorities.