US-EU Agree On New Data Privacy Rules But Hold The Champagne

UPDATE:  EU Commissioner for Justice made statements just before the agreement was approved indicating  that not everyone has signed up for this agreement.  Read Commissioner For Justice Vera Jourova’s comments here.

While the US and EU did not meet their targeted deadline of January 31st for coming up with a a replacement for Safe Harbor, they sort of came close.  But, apparently, there are still a number of hurdles to jump through.

First, the US and the European Commission agreed on February 2nd to a new agreement called Privacy Shield to replace the 15+ year old Safe Harbor Agreement.  However, they don’t have the final say on the agreement.

A next step is to get the Article 29 Working Party to agree to the agreement.  WP29 is a group of all 28 EU Nation’s Data Protection Authorities.  Their approval of this agreement is key to not having another court fight once this rule (if approved) goes into effect.  That is expected to take about 3 months.

Next, the Data Protection Authorities need to agree on what they are going to do in the mean time.  After the court struck down Safe Harbor, they agreed not to enforce the court ruling until January 31st so that the US and EU could come up with a replacement and so that they did not throw the thousands of businesses that used the Safe Harbor Agreement to transfer data between the US and EU into chaos.  That deadline  has passed.  I speculate that they will extend the moratorium, but that is anyone’s guess.

And, there is always the court to contend with.  Max Schrems could always go back to the court and say that this new agreement does not solve the problem.

Finally, the agreement requires the US to do certain things and my understanding is that those would have to happen before the agreement could go into effect.  One requirement that WP29 has already said must happen is that the US must pass a law giving EU residents a right to sue in US court for breaches of any agreement.  A bill to that affect is winding its way through Congress, but has not been passed by both Houses, reconciled or signed by the President.

While the diplomats may have signaled success by agreeing to the terms that they did, getting the 28 Data Protection Authorities to agree that these protections are sufficient is another matter.

While I have not seen the actual agreement, reports are that it calls for:

  • Clear safeguards and transparency obligations on the part of US government access.  I think this could be a challenge.  While the US has given the EU written assurances that data access will be limited, whether the gang of 28 believes the US or not could be key to getting the agreement approved.
  • Stronger obligations for US data importers to protect EU citizens’ data.
  • EU citizens must have effective rights of redress.  This includes requirements for the data importer to set up processes, the Federal Trade Commission to create a process for handling EU citizen complaints – something it has never done – and for the Intelligence Community to set up an independent ombudsman to address complaints of inappropriate access.

Some of these may require Congressional action – or not.  In any case, what is clear is that this is not over yet and US companies should not breathe a sigh of relief.  It is, however, a sign that progress is being made.

Information for this post came from the Data Protection Report.

Facebooktwitterredditlinkedinmailby feather

Big Brother Is Watching – This Time License Plates

A couple of years ago the Supreme Court ruled that the government needed a warrant to attach a GPS to a suspect’s vehicle.

So the police had to come up with a different plan.  Enter plan B.

Vigilant Corporation, a private entity, has thousands of cameras in cities around the country.  They have taken an estimated 2 billion pictures and adding 80 million a month – each with a date, time and geolocation stamp.  And they keep these pictures forever.  No law says that they can’t.  And, since these pictures are taken in public, you don’t, according to the courts, have any expectation of privacy.

These pictures are of license plates – at least right now that is what they are taking pictures of.  But next year it could be faces or the people you are talking to.

Taking this data and correlating it would allow someone to know where you go, when and even how often.

And, gee, the data is for sale.  Among their customers are 3,000 law enforcement agencies.

Let’s say the NYPD, which has its own license plate database, wanted to see where else this “suspicious” license plate showed up.  No need for a warrant or even any police work.  Log on to Vigilant’s database, enter a query and it will show you every time they saw that license plate – anywhere in the country that they have a camera.

And they don’t just sell the data to the cops.  The bank might be interested in where you drive your car in deciding whether to give you a car loan.  The insurance company might use that data to decide if they want to insure you – or at what price.

Hate groups or politicians might want to buy the data to see where a person that is causing them trouble goes – say a church or a particular doctor or an AA meeting.

In Texas, they are using it to turn police cars into ATM machines for the cities.  The police car has a license plate reader or LPR on it.  They read your plate and look to see if you owe the city money – say for court fines or fees.  The cop pulls you over and says that you can either give him your credit card or go to jail and discuss that outstanding fine with the judge.  Cha-Ching!

A logical extension would be for private debt collectors to subcontract their debt collection activities to the cops – for a cut of the debt.

Technology is wonderful, but also scary.

There are some very interesting uses that might come up.

Special interest groups might want to track where politicians spend their recreational time.

The police might want to see who reporters confidential sources are.

There really is no end of the possible uses for license plate readers.

You might want to carry a credit card with you – JUST IN CASE.

Just sayin.


Information for this post came from The Atlantic and eWeek.

Facebooktwitterredditlinkedinmailby feather

Wendy’s Could Become Test Case – And Not In A Good Way

It appears that Wendy’s may be the most recent company to get their point of sale system hacked and have customer credit card data compromised.

At this point, Wendy’s has ONLY said that it is currently investigating reports of unusual activity involving payment cards used at some of its locations.

BUT, if it quacks like a credit card breach, it likely is a credit card breach.

What they probably don’t know yet is how big it is.

Now here is the test case.

Last November, the payment card industry had a liability shift.  For companies that have not installed chip capable point of sale systems and if customers have chip credit cards, the merchant is now liable for the cost of the breach.  That not only means the charges that have to be refunded to the customer, but also the cost of investigating it, the cost of reissuing the card and all other costs.  The banks designed this to be very painful to merchants who do not upgrade the point of sale systems.

A couple of years ago Wendy’s current VP and treasurer Gavin Waugh said that their fraud rate was so low that paying the fraud liability is a whole lot cheaper than putting in [EMV] terminals.

IF, and this is a big if, it turns out that the unusual activity is a breach and again IF the number of cards compromised is large and IF Wendy’s has not installed chip readers in their POS terminals and IF the customers had chip based cards — notice that is a lot of IFs — then Wendy’s may need to reconsider whether paying the fraud liability is cheaper than those new terminals.

Some totally made up, but actually somewhat conservative numbers.

If there was a breach and it affected 1 million cards (that would be 1/40th the size of the Target breach, so, in the grand scheme of things, maybe a conservative number) and if the cost per card, on average, of the losses to the credit card companies was $250 – some more, some less – then Wendy’s could be on the hook for $250 million.

Granted there are a lot of ifs here, but we will eventually find out more answers and if it was a big breach, the $250 million could be on the low end of the scale.  10 million cards @ $100 each is a billion dollars.

SO, we shall see if Wendy’s is a test case and if so, how big the breach is.   Gavin may need to reconsider that statement.

And, for other merchants that have not upgraded their terminals consider this.  If you have a breach and it only costs you a couple of million dollars, what is the impact on your business?

Facebooktwitterredditlinkedinmailby feather