The DPPA covers transfers of data between EU and US law enforcement agencies and focuses on "the exchange of information which is critical to prevent, investigate, detect and prosecute criminal offenses, including terrorism…" It is posted on the EU Commission website here:
Yesterday, tentative agreement was reached on the successor to the Safe Harbor, known as the 'Privacy Shield', with text to follow in 4-6 weeks. A summary from the EU Commission of the new framework is here: http://europa.eu/rapid/press-release_IP-16-216_en.htm Can we look to the DPPA to find language and terms that will emerge in the Privacy Shield?
Several elements of the DPPA are noteworthy.
*It will improve EU citizens' administrative and judicial redress in the US court system for claimed violations of their privacy rights. This depends on passage of the Judicial Redress Act, now before the US Senate.
*DPPA Article 9 calls for "appropriate technical, security and organizational arrangements for the protection of personal information…against unlawful destruction, loss or unauthorized disclosure." We are seeing more requirements for "appropriate" technical security; which standard will that be measured against, NIST?
*Following the security article is a notice provision. Upon discovery of a breach, notice shall be given to the "Competent Authority" and to the individual, unless that notice could impact national security, ongoing investigations or criminal proceedings. The GDPR already has an EU breach notice provision, so expect some form of notice provision in the Privacy Shield as well.
*Keeping logs of data processing will be acceptable provided the data is "not retained for longer than necessary." Data revealing "national origin, political opinions or religious beliefs, trade union membership or sexual life" shall require added restrictions, which may be applied 'case by case.' This language goes to the profiling of terror suspects as a class. Using data science to find context is very common and useful. Will that be addressed under the processing of data and metadata in commercial data centers?
*Individuals will be able to seek "rectification or correction" of personal information that is inaccurate or improperly processed. Is this language geared toward Google and Facebook and the EU notion of privacy as a fundamental right? From what I have read, if it is not, we can expect more challenges to this agreement before it gets off the ground. See the article here: http://europe-v-facebook.org/PS_update.pdf
*The EU backlash that undermined the Safe Harbor was a reaction to the PRISM program and the bulk analysis of phone records and personal data. This agreement says that the Parties will ensure that personal information is processed (which includes collection) in a way that is "directly relevant to and not excessive or overbroad in relation to the purposes of such processing." The US will also establish an Ombudsman position for independent oversight, with the power to "accept and act upon complaints made."
*Transparency is called for when a Competent Authority processes an individual's information. Notice shall be given on "the purpose of processing the information…sharing with other authorities…third parties to whom data is disclosed…" How does this work with the USA Freedom Act and FISA warrants?
Under "Territorial Application", the EU Commission will notify the US if the UK, Denmark or Ireland "has decided that this agreement applies to its state." Isn't it ironic that Max Schrems brought his case against Facebook before the Irish Data Protection Commissioner, over the transfer of data from Irish data centers to US data centers?
And at the end of all this, Ireland could decline to apply the agreement, or the US could fail to pass the Judicial Redress Act, either of which would undermine the DPPA and probably the Privacy Shield. This is far from settled, and more details are needed. How will the Privacy Shield address bulk commercial collection, mining and targeted advertising of US citizens at home and within the EU? This agreement gives us some indication of what the EU will want for commercial transfers, but many approvals are still required at home and in the EU, with stakeholders lobbying for their best result.