In September 2018, the Marriott hotel chain discovered that the private data of up to 339 million people had been stolen from the company's guest reservation database in a massive hack that had begun years earlier.
Names and addresses, telephone numbers, email addresses, passport numbers, credit card numbers and expiry dates, loyalty card information, dates of birth, gender, arrival and departure dates and reservation dates were taken.
The UK data protection authority announced a fine of £92m (€108m) under the EU's data protection regime, the General Data Protection Regulation (GDPR). Around 30 million of the guests concerned came from EU or EFTA countries.
Thanks to the GDPR, data protection authorities in other Member States did not have to take any action on behalf of their citizens: the UK regulator, the Information Commissioner's Office (ICO), took the lead in investigating and punishing the violation.
With the Brexit, Great Britain will leave the GDPR.
Data breaches: what the future holds
"With the ICO off the tent," said Helen Dixon, Ireland's Data Protection Commissioner (DPC), "these member states would have to take their own enforcement action if (Marriott) were to fail. We can no longer contact the UK and say that you are the lead agency. This increases the workload for all of us."
However, Brexit will have broader ramifications for Ireland's place in the deepening matrix of consumer protection, big data, organized crime and government surveillance.
Data generated through online consumer activity is now an extremely valuable asset that is currently flying around the world.
Consumers and governments are trying to reconcile privacy with the fight against crime and terrorism; multinational companies want to limit the regulation they face; authoritarian states want to use data to control citizens.
"For the US," said Pascal Lamy, the former director general of the World Trade Organization (WTO), in Brussels this week, "data is to be bought and sold. For Europe, data is private property. For China, the data belongs to the state and the party."
In this three-way battle, Ireland finds itself under an unusually harsh spotlight because it hosts a disproportionate number of global multinationals whose power and reach rest on the harvesting of consumer data.
Since Google, Facebook, Airbnb, LinkedIn, Apple and other data giants have their European headquarters in Ireland, any complaint that an EU citizen has about their personal data ends up with the Irish Data Protection Commission.
In 2015 the DPC received 932 complaints. Since the GDPR came into force, it has received 13,000 complaints and 8,000 reports of violations.
Enforcement is different across Europe
There is no central EU data protection authority. Instead, there are numerous national and, in some cases, regional data protection authorities, all of which enforce the GDPR rules but with a high degree of discretion over how they do so.
"They have all these different enforcement cultures across Europe," says a senior EU official who is familiar with the application of the GDPR. "In Spain there is a fine for every violation; in the Scandinavian countries there is no fine. There are resource imbalances. There is no rubric for whether, if you have a jurisdiction of a certain size, you should have a certain amount of resources."
The British regulator was seen as the standard-bearer for a more nuanced approach to enforcement. "It was all about engagement," says the official. "Talking to companies: if you want to do this and want to avoid violations, you have to do it this way. This allows companies to test products in a controlled environment."
Ireland has followed this more collaborative approach. Once the United Kingdom is gone, however, Ireland will be more exposed to accusations that it goes soft on privacy so as not to alienate US multinationals.
"There is a belief in Berlin and Paris that Ireland is a soft thing for these big companies," said the official. "Before Brexit, there would be a better synergy with the UK regulatory approach (they also want to indulge Google), and if that happens, I think Ireland will be even more isolated than before."
Helen Dixon rejects any suggestion that Ireland is a soft touch. "The companies are based in Ireland for many reasons," she says. "Qualified workers, affordable tax regulations – reasons that existed long before the applicable data protection laws. So there is certainly no question of a company locating here for the data protection regime."
Post-Brexit data flow
The GDPR may mean ticking a box when you open a website, but it also facilitates the free flow of data across EU borders. This means that data flows north and south across the island of Ireland, and large amounts of data flow from Ireland to the UK and back again.
What happens on December 31 when the transition period ends and Britain leaves the GDPR?
The EU can decide whether a third country has an adequate data protection system that can be trusted to receive the data of EU citizens.
In the political declaration attached to the Withdrawal Agreement, the two sides agreed that the EU would begin to draw up an "adequacy agreement" for the United Kingdom and that the United Kingdom would also "take steps to ensure comparable ease of transfer of personal data" from the United Kingdom to the European Union.
This week the UK announced that it was "developing separate and independent policies in areas such as … data protection".
The EU's draft negotiating directives also state that any future agreement "should reaffirm the obligation of the parties to ensure a high level of protection of personal data".
The EU has only 14 adequacy agreements with third countries. They are not granted in perpetuity: the EU is obliged to review the trustworthiness of its counterparts' data protection rules every few years.
All signs indicate that both sides are still interested in the data continuing to flow through an adequacy agreement.
However, there are a number of problems.
According to sources, the cooperative spirit reflected in the draft negotiating documents released this week in London and Brussels contrasts with a tougher line that the EU adopted during the divorce negotiations.
"The Commission has been monitoring the data flows very closely," says a well-placed industry source. "Of course (after the UK) it was said that you would like to be classified as adequate in relation to the GDPR and you assume that you will be because you have just left the EU.
"But we have countries in the Balkans that want to become members; we want to assess their regimes. We have other priority countries. After Japan (with which the EU signed a trade agreement last year) we have Korea, Mexico and Chile.
"They even called on the data protection authorities to keep the line that Britain would not receive preferential treatment."
Data exchange is critical for security
The EU is expected to conclude a security and defense agreement if the European Commission changes its stance, and the UK is keen to conclude an agreement on police and judicial cooperation.
Data protection for consumers and businesses generally falls under the GDPR, while data protection in relation to police and judicial cooperation has its own law enforcement directive (cross-border agencies such as Eurojust, Europol and Eurodac have their own data protection regulations).
The EU wants the UK to ensure that its standards are the same in all areas through an adequacy agreement.
Brussels and London have signaled that they want to continue working together on money laundering, terrorist financing and illegal immigration. An essential part of this collaboration will be the possibility of data exchange.
This includes the exchange of Passenger Name Record (PNR) and DNA, fingerprint and vehicle registration data (in accordance with the so-called Prüm Convention, to which 14 EU member states are signatories) and the exchange of information on crime records.
The EU is planning an agreement on Passenger Name Records as long as the UK "complies with data protection standards that are essentially in line with EU standards" – in other words, the GDPR and the EU law enforcement directive.
However, the entire PNR operation has been highly controversial from the start.
The interest in passenger records was a direct result of the September 11 terrorist attacks. Investigators believed that the data trail the hijackers had left when booking their flights could have been used to prevent the attacks.
In 2003, the United States introduced a law requiring airlines to provide all of this information – itineraries, means of payment, contact details, fellow travelers, etc. – to security services so that incoming passengers can be fully screened.
The United States and the EU subsequently negotiated a joint PNR agreement for flights between the EU and the United States in 2004. As part of the agreement, the European Commission recognized the US data protection regime as "adequate" under the so-called Safe Harbor principles.
However, this agreement was annulled by the European Court of Justice (ECJ) in 2006.
In 2007, both sides negotiated a new Passenger Name Record Agreement, but it too ran into trouble after President George W. Bush exempted a number of US agencies from its scope.
Despite ongoing concerns about the security of EU citizens' data when flying to the United States, the European Parliament finally approved a successor PNR agreement between the EU and the United States in 2012.
However, the tension between privacy protection and national security requirements remains undiminished and will certainly complicate future EU-UK relations.
Tension between privacy and security
Member States have always jealously protected the right to keep national security and the rules of the internal market separate.
Indeed, the EU treaties guarantee this. Article 4 (2) of the Lisbon Treaty states that "national security is the sole responsibility of each Member State".
Over the past 15 years, however, the European Court of Justice has become increasingly concerned with the defense of privacy, which it regards as a fundamental right under EU law.
This tension has increased since the EU passed its own counter-terrorism law after the 9/11 attacks.
In 2006, the EU followed the US in adopting a data retention directive. It obliged Member States to require Internet providers to keep user data for between six and 24 months, and Member States were free to extend this period if they wished.
However, the directive has been repeatedly challenged before the European courts.
In 2010, Digital Rights Ireland (DRI) brought an appeal against the directive to the Irish High Court on the grounds that it violated the EU Charter of Fundamental Rights. The High Court referred the case to the CJEU and in 2013 the Luxembourg court ruled in favor of DRI.
The directive violated the data protection provisions of the Charter of Fundamental Rights because it "could allow very precise conclusions to be drawn about the private life of the persons whose data were retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out and the social environments they frequent".
The court effectively struck down the 2006 data retention directive.
After the judgment, the Swedish telecommunications operator Tele2 Sverige stopped storing communications data. The decision was immediately challenged by the Swedish police, who believed that it would seriously hamper law enforcement.
A similar thing happened in Great Britain. The Data Retention and Investigatory Powers Act (DRIPA) was challenged in the High Court, and when the court found that it breached the DRI ruling, the then Home Secretary, Theresa May, appealed.
Both the Swedish and British cases brought the matter back to the ECJ.
In 2016, the CJEU ruled that EU data protection directives and the Charter of Fundamental Rights prevent security authorities from having extensive access to the stored data.
National laws that allowed the "general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication" were not compatible with fundamental EU rights.
As recently as January 15 of this year, the European Court of Justice issued an opinion that data may only be retained "in exceptional cases and temporarily" and only if this is justified by "imperative considerations relating to threats to public security or national security".
According to an EU official, this is an ongoing struggle between Member States wishing to use data for security purposes and the ECJ, which emphasizes the protection of privacy and the coherence of the internal market.
"The member states will not let go," says the official. "They want data retention laws that require telecommunications companies, Google, and others to keep data for a period of time so they can access it for their investigations. The court keeps saying that you cannot do this systematically for everything. It has to be targeted."
Britain could face an EU court for data warfare
But if the UK is outside the EU and outside the jurisdiction of the ECJ, why should it matter?
It matters because the UK will remain deeply embedded in data flows across the EU.
The House of Lords Brexit Committee reported in July 2017 that two-thirds of the UK's cross-border online consumer and public sector data is shared with EU Member States.
The UK data protection authority told the committee that the UK "is so integrated into the EU … it would be difficult for the UK to get along without adequate regulation."
The other reason why the CJEU will remain interested in the UK after Brexit is the risk of legal challenge arising from the UK's perceived culture of monitoring citizens and their private data.
The House of Lords report found that when assessing its adequacy decision, the European Commission considered the UK "in the round, including national security rules".
In other words, under Boris Johnson, a post-Brexit UK could deepen its use of data retention for national security purposes.
However, if the UK wants an adequacy agreement with the EU, a more intrusive data retention approach could once again come before the ECJ, since the data concerned would include that of EU citizens.
How Privacy Shield was founded
It goes without saying that data protection campaigners will watch this closely, and we need look no further than Max Schrems.
In 2013, the Austrian student filed a complaint against Facebook with the Irish Data Protection Commissioner, which was ultimately referred to the ECJ.
It followed allegations by US whistleblower Edward Snowden that US multinationals such as Facebook had cooperated with the National Security Agency to give it access to Internet users' data without their knowledge.
The Data Protection Commissioner had argued that all data collected by Facebook (headquartered in Ireland) was protected by the Safe Harbor arrangement, the EU's adequacy agreement with the United States.
In 2015, the ECJ ruled that Safe Harbor was not suitable for this purpose.
The EU and the US were then forced to establish a new regime, the Privacy Shield, which entered into force on July 12, 2016.
Privacy Shield committed the US to closer monitoring and enforcement of EU data protection rules and to closer cooperation with European regulators.
But Max Schrems, now a world-renowned data protection activist, wasn't done yet.
The CJEU had upheld Schrems' complaint that sending EU citizens' data to the USA violated EU data protection law.
For this reason, Facebook turned to an alternative route: Standard Contractual Clauses (SCCs).
SCCs have been used for some time by companies in the EU that transmit data to third countries with which the EU has not concluded an adequacy agreement. Since Privacy Shield was not yet ready, Facebook used SCCs to continue transferring data from the EU to the United States.
Schrems immediately updated his complaint to the Irish Data Protection Commissioner, arguing that SCCs were also suspect. The matter returned to the ECJ via the Irish High Court.
On December 19 last year, the Advocate General of the European Court of Justice found that SCCs are valid, in that they are meant to compensate for any data protection deficiencies found in third countries.
However, the Advocate General also recognized that an SCC is not legally binding in some third countries and as such may be difficult to enforce.
As a result, third-country regulators would have to check on a case-by-case basis whether the transfer of EU data complies with a standard contractual clause. If these regulators conclude that there is a conflict between the SCC and, for example, US law, the SCC is invalid.
Are you confused?
All of this leads to a fairly confused mess when it comes to predicting how smooth things will be after Brexit.
Even if an adequacy agreement between the EU and the United Kingdom is concluded before the end of the transition (December 31), it still needs to be updated every few years and the UK may want to deviate from EU rules in the meantime.
With the Max Schremses of this world still active, an adequacy agreement could face a legal challenge because of the UK's tendency towards intrusive surveillance.
"Great Britain will have the same problem as the USA," says Max Schrems by telephone from Austria. "As a Member State, the United Kingdom could rely on Article 4(2), the national security exemption. Since the UK does not have this option after Brexit, the ECJ will certainly seek to review the adequacy decisions.
"The difference is that the UK is still under the European Court of Human Rights (ECHR), so foreigners have at least a minimum level of protection for their data."
A senior EU official said: "Regardless of whether or not companies behave as if the GDPR still applies as it did before Brexit, the British security apparatus is as intrusive, if not more intrusive, than that in the United States. Americans would argue that there is even less control: there is no equivalent in Britain of congressional oversight, checks and balances."
Britain "behaved like a bunch of cowboys"
Britain has already angered the EU over a data breach.
In May 2018, the UK was found to have illegally copied classified information from a database reserved for members of the passport-free Schengen zone.
Although the United Kingdom was never part of the Schengen area, it was granted limited access to the Schengen Information System (SIS), a database of 76 million records that the police use to find undocumented migrants, missing persons, stolen property and suspected criminals.
An investigation by the European Commission, reported by EUobserver, found that the UK had been illegally copying records for a number of years and passing them to other law enforcement agencies around the world.
Dutch MEP Sophie In't Veld told the European Parliament: "This is a country that is not a Schengen member because it does not want to be a Schengen member. It does not want to be a member of the European Union. Nevertheless, we gave them access to the Schengen Information System and they behaved like a bunch of cowboys."
Administrative headache if deal is not agreed
What happens if the EU and the UK cannot reach an adequacy agreement in time for December 31?
Both sides would have to fall back on our old friends, the (now clouded) standard contractual clauses (SCCs).
These would have to be used by companies on the island of Ireland – including sports organizations – when transferring data across the border.
The European Commission has approved a ready-made version of SCCs, which means that they can be inserted 'plug and play' into a contract between the parties.
However, Helen Dixon, the Irish Data Protection Commissioner, is concerned not only with the legal question mark hanging over SCCs, but also with Irish companies not knowing what they are, how they work, or whether they have the resources to enter into them.
"It's a huge administrative and resource-intensive job," she says. "There is so much data, especially between Ireland and Northern Ireland, in so many contexts, apart from trading and banking.
"It's about law enforcement, traffic security, tourism, and sports. We're used to this flow of data and can't understand how uncomfortable it will be if there is a legal full stop."
Dixon says she was often greeted with "blank faces" when she asked businesses whether they were aware of the data protection implications of Brexit.
However, the Irish regulator is more concerned about the impact of the Advocate General's December opinion on SCCs, although that opinion is not (yet) binding.
Suppose a company in Belfast deals with a company in Drogheda. The opinion would oblige the data importer in Belfast to ensure that nothing in the UK's laws and practices would prevent it from complying with EU data protection standards.
If the Belfast company could not do this, it would have to notify the Drogheda company and interrupt the data transfer.
"Really," asks Dixon, "is it possible for importers and exporters to make this very detailed assessment?"
In the case of SCC transfers to the United States, both the importer and the exporter of the data would have to assess what US intelligence agencies could do with the data under the powers granted to them by US law, and declare, in what is a legally binding contract, that none of these powers would endanger European data.
While trade and fisheries attract the most attention ahead of the negotiations, the complexity of Brexit and data protection will bear watching.