
EU citizens' concern about the storage of their personal data by global corporations has grown sharply in recent years and now borders on open resentment. The causes are the rapid development of communication technologies, the growing number of personal data leaks, the vague policies of IT giants on protecting personal information, and the lack of uniform and transparent rules.
Under pressure from activists, the European judiciary and the European Parliament adopted a series of laws to protect the personal data and reputation of their fellow citizens (the “General Data Protection Regulation”, GDPR, and the sensational “right to be forgotten”). However, judging by the latest events, the struggle for the safety of confidential information is far from over.
There was even talk of a possible ban on storing citizens' personal data outside the EU. It was feared that the existing personal data processing agreements of companies such as Facebook, Amazon and Google could conflict with the EU's personal data protection policy and subsequently lead to an “Armageddon of information flows.”
Maximilian Schrems vs. Safe Harbor
In October 2015, the European Court of Justice invalidated the transatlantic agreement on the use of personal data known as “Safe Harbor”. This was preceded by several court hearings initiated by the Austrian Maximilian Schrems.
Schrems, an Austrian LL.M. and media scholar, began to suspect while still a student that Facebook stores all user information in the United States and uses it without regard to EU law. After many requests to the social network, Schrems received a CD from Facebook with all the information about himself that was stored in America. On first viewing it, he found messages that had been deleted and hidden from public view but were still in the company's database.
On the basis of these violations, the activist filed a complaint in August 2011 with an Irish court for the protection of personal data. The court ordered the social network to be more careful about the confidentiality of the data, but Zuckerberg's company disregarded this ruling.
Then Max and his colleagues decided to fight for Europeans' right to data privacy. He created the public organization “Data Protection Rights Enforcement Union “Europe vs. Facebook”” (Verein zur Durchsetzung des Grundrechts auf Datenschutz, http://europe-v-facebook.org/).
In 2013, Schrems brought a new lawsuit against the social network in Dublin, but it was rejected; the activist then sought to have the case transferred to the European Court of Justice (ESS).
In October 2015, the ESS ruled that the data of Europeans held on the servers of American companies is not sufficiently protected, which violates the laws of the European Union. ESS Attorney General Yves Bot primarily criticized the availability of personal information to US intelligence agencies. Based on these facts, it was decided to denounce the Safe Harbor Treaty.
After the decision, Edward Snowden wrote on Twitter: “Congratulations, Max Schrems, you have changed the world for the better.” Quite a few media outlets in the United Kingdom and the United States dubbed Schrems the “successor of Snowden.”
After the abolition of “Safe Harbor”, the “Model Contract” (model contract clauses) continued to operate; thousands of multinational corporations transfer data across the Atlantic under it.
As Schrems stated: “I don’t think that the European Court of Justice can recognize the “Model Treaty” as valid, because before that it had decided to terminate the Safe Harbor, based on the same American laws. All data protection attorneys know that the “Model Treaty” is very unreliable, but it was the simplest and quickest solution they could come up with. Until the United States substantially changes its laws, I do not see the possibility of resolving the situation.”
Since the end of 2015, the EU and the US have been discussing a new agreement to replace “Safe Harbor”, called the “EU-US Privacy Shield”. The project, which entered into force on August 1, 2016, contains a written commitment from the US government that any access on its part to users' personal data will be limited and subject to oversight.
It also provides for an independent ombudsman, reporting directly to the US Secretary of State, who will be appointed to identify and handle complaints from Europeans about the actions of US intelligence services.
New EU requirements for the storage of personal data
In April 2016, the European Parliament finally ratified the “General Data Protection Regulation” (GDPR), which entered into force on May 4, 2018. Companies within the European Union are obliged to bring their business into line with the new legislation within 2 years. According to experts, data protection reform is long overdue, given the growing influence of big data and social media and the coming heyday of the Internet of Things.
The reform aims to unify the rules and create a single and reliable data protection mechanism for EU citizens. Lawmakers hope that increasing legal certainty will stimulate innovation in the digital services market.
As stated in the EDPS expert opinion, the current controversy is complicated by the misunderstanding of the concepts of notification and consent. In accordance with the European legislation on data protection, acceptance of the privacy policy means free choice with the ability to say “yes” without any prejudice and refusal to use the service. It also requires a clear understanding of what a person agrees with.
A large body of research shows that the success of new products and services that aggregate databases depends largely on user trust. Some of the GDPR's requirements therefore concern providing users with convenient tools for controlling persistent data. Users must also be given the “right to be forgotten” and must be notified if their personal data has been put at risk.
The new rules will make it possible to transfer personal data from one service provider to another. Start-ups and small companies will thus be able to gain access to markets that digital giants dominate today and attract consumers with better personal data protection. This, politicians are confident, will make the European economy more competitive.
In addition, organizations will be required to publish corporate data protection policies in a way that is understandable and easily accessible to users. Special “icons” on websites will explain how, by whom and under whose responsibility personal data will be processed.
The rules require that personal data protection be built into products and services from the very beginning of their development (data protection by design), which will encourage companies to develop “confidential” technologies such as pseudonymization, encryption and protocols for protecting personal correspondence.
Because companies need to restructure their activities following the introduction of the GDPR, demand for consulting services has increased.
One of the leaders in the field of IT consulting, Veritas Technologies, has published a number of recommendations to help companies prepare for the entry into force of the GDPR.
According to research, 52% of the information stored and processed by organizations around the world is “dark data”: information resources that companies collect, process and store as part of normal business activity but cannot use for other purposes such as analysis, business relationships or direct monetization. Compliance with the new GDPR rules may therefore be hindered by the fact that about half of the information most companies store is not available to them.
Consulting firms offer several solutions for reducing the amount of “dark data”. They develop programs that give a better understanding of unstructured information, control access to information and classify data automatically.
And what about Russia?
On September 1, 2015, amendments to Law No. 242 “On Personal Data”, which require the localization of personal data in Russia, came into force. According to the document signed by the president, Russian and foreign companies must ensure the recording, accumulation and storage of the personal data of Russians. Databases must be located on the territory of the Russian Federation. Roskomnadzor monitors compliance with these standards. According to the RAEC study, 242-FZ will become an industry driver: by 2018, the country's data processing market will grow by 2 times (26.3 billion rubles).
By the time the regulation came into force, a number of companies had announced the start of the transfer of personal data to Russian data centers: Samsung, Lenovo, Aliexpress, Ebay, PayPal, Uber, Booking.com, Obi, Teradata, Avito, Western Union, etc.
Foreign companies present in the Russian data storage and processing market saw an influx of new customers after the law was adopted. In particular, the British IXcellerate announced a significant expansion of its client base in Russia. According to media reports, a global giant such as Apple has localized its data on IXcellerate's Russian servers. The European office of another major player in the domestic data storage and processing market, Orange Business Services, a subsidiary of the largest French cellular operator Orange, systematically informed its customers in Europe about the changes in Russian legislation before Federal Law 242 entered into force. They were offered the Orange cloud solution, hosted entirely on Russian servers.
European regulators also followed with great interest the preparations for the entry into force and the implementation of the Russian law on the localization of personal data. The conference “Protection of personal data”, held in November last year in Moscow, was largely devoted to this issue, and many European authorized bodies sent representatives to it. It is possible that the Russian regulatory experience will be taken as a basis by the EU authorities.