THE COMPLEX WORLD OF PRIVACY PROTECTION: WHAT INTERNATIONAL COMMUNICATIONS SERVICE PROVIDERS MUST KNOW
In 2018 two new privacy laws take effect in the European Union. One is the General Data Protection Regulation (GDPR), which upgrades the general EU standards of privacy protection. Included in the GDPR’s scope of coverage are communication service providers (CSPs). The other new privacy law is the Data Protection Directive on Police Matters (the EU Directive), which requires EU law enforcement agencies (LEAs) to protect privacy when conducting criminal investigations. The EU Directive gives each EU member state discretion to interpret the principles of the Directive in its own national laws. As a result, EU investigative privacy standards will likely vary from one state to the next.
The GDPR and the EU Directive overlap in the area of privacy protection where CSPs assist European LEA investigations. CSP assistance to LEAs may take the form of lawful electronic surveillance and/or “data retention,” which is comparable to records production in the US. Both EU-based and non-EU based companies (even those without a physical presence in the EU) that serve EU citizens must comply with the GDPR. Therefore, American CSPs that serve EU subscribers must adopt GDPR compliance programs.
How do the privacy standards of the GDPR and EU Directive compare with privacy laws governing CSP assistance to LEAs in the US? The following compares the EU and US investigative privacy frameworks.
The GDPR and EU Directive require CSPs and LEAs to destroy data that no longer needs to be stored or “processed” (used) for any CSP or LEA purpose. Such data destruction policies help protect privacy by ensuring that personal data does not remain vulnerable to unauthorized access any longer than necessary. In the case of a CSP, the data should be destroyed when no longer needed to deliver the communication service. An LEA must likewise destroy investigative data when it is no longer useful for the investigation.
In the US, CSPs and LEAs are not subject to any federal data destruction mandates. Industry data destruction policies vary widely. For example, an email or short-message service provider may delete communications immediately. Some telephone companies keep data for several months, either to help resolve billing disputes or to calculate consumption taxes. According to the web site of Facebook’s Instagram service, the service provider retains “different types of information for different time periods,” and “some information may only be stored for a short period of time.”
Under the GDPR and EU Directive, CSPs and LEAs must distinguish among different categories of data. Data classification helps alert CSP employees to the different privacy needs of different types of data. Examples include subscriber information, call data records, billing amounts, non-disclosure agreement information, and trade secrets. For an LEA, the EU Directive prescribes separate categories for criminal suspects, convicts, victims, and witnesses.
US CSPs and LEAs are not currently subject to data classification requirements. However, CSPs must comply with the federal customer proprietary network information (CPNI) mandate, which protects a wide range of customer account data. An exception in the CPNI mandate permits disclosures of customer account information as needed to comply with valid LEA requests. CSPs are also subject to various state privacy laws.
The GDPR and EU Directive require CSPs and LEAs to keep their data accurate, complete, reliable and current. Most people would probably agree that the quality of personal data is important to avoid the harms of using inaccurate data. In a criminal investigation, a lapse in data quality could subject the wrong person to a privacy-infringing investigation.
There is no data quality requirement in the US. In an American LEA request for records production, a CSP is expected to disclose only the data it collects in the ordinary course of business.
Data Subject Rights
Because EU privacy law regards personal data as the property of the data subject, as opposed to the “data controller” (e.g. the CSP), the GDPR and EU Directive give subscribers the right to manage the data they give to CSPs. In support of this right a CSP must disclose to its subscribers, among other things: the contact information for the CSP’s data protection officer; the purposes of the CSP data processing (e.g. to provide a VoIP or broadband service); a channel for subscribers to lodge complaints about the data processing; methods for subscribers to access, correct, erase, or otherwise restrict the processing of their personal data; and the period during which the data will be retained.
Under a separate provision of the Directive, a state may limit the above rights as needed to accommodate LEA investigations. The goal is to avoid tipping off a suspect that he or she may be subject to an investigation. Once a suspect is aware the police are on the trail, he or she may flee the jurisdiction, destroy evidence, or murder witnesses.
Most, if not all, US CSPs already post privacy notices on their web sites detailing the types of data they collect from their subscribers, how the data is used to provide the CSP service, the safeguards observed to protect subscriber privacy, how long the data is retained, and how subscribers may lodge privacy complaints. Unlike EU CSPs, US CSPs are not required to appoint data protection officers. Also, US CSPs need not let subscribers access, correct, erase, or restrict the processing of their data.
American LEAs routinely insert “do not disclose” orders in the instruments of due process (e.g. court orders, subpoenas) they serve on CSPs. As a result, the subscriber/suspect remains properly unaware of the CSP assistance as long as confidentiality is needed to preserve the integrity of the investigation. After that, the suspect is notified of the privacy infringement so he or she may raise any desired due process challenges to the process.
Records of data processing activity
The GDPR and EU Directive require CSPs and LEAs to keep records of their data processing activities. For a CSP, the records would describe the nature and methods of all processing conducted during the CSP service. The duty presumably requires the CSP to record instances when it assists LEA investigations. Similarly, the LEA must maintain its own records of the investigative interactions.
In the US, the CALEA (lawful surveillance) statute requires CSPs to keep records of the lawful surveillance assistance they provide LEAs. The records essentially note the court that issued the order, the type of order, the authorized LEA, and related profile facts. There is no counterpart requirement to log cases of records production.
Personal data cannot be adequately protected without measures to guard its security. Obviously, a data breach could cause enormous damage, not only to subscriber privacy but a CSP’s entire business model. A breach could also ruin a law enforcement investigation, leaving a serious crime unsolved.
The GDPR and EU Directive require appropriate technical and organizational measures to ensure a level of information security commensurate with the privacy risk posed by each type of data. A CSP must perform a data “impact assessment” to define the privacy risks involved and develop appropriate means to minimize those risks. Moreover, a “data breach notification” system must be established to alert relevant parties and take remedial action when personal information is accessed, stolen, or modified by some unauthorized party (e.g. a hacker).
In the US, companies such as CSPs must maintain a “reasonable” level of security for the personal information they use. The term “reasonable” is deliberately flexible because different networks call for different security measures. However, the vagueness of the word leaves it open to differing, and potentially inadequate, interpretations.
The privacy challenge for international CSPs
The comparison above shows that American CSPs must adopt special privacy protection measures when serving subscribers in the EU. Although a CSP would disclose the same types of personal information when assisting LEAs in both the US and the EU, it must maintain different and more elaborate privacy safeguards in the EU context. As a result, international CSPs must do more than respect subscriber privacy; they must develop specific data protection programs.