Engine files comments to the California AG’s office on the new California Consumer Protection Act.
Privacy and security debates continued to unfold in 2017. While we saw the extension of fights from previous years—including efforts to require a warrant to access user data on the Hill and an administration pushing for backdoors into encrypted products and services—policymakers and the courts were forced to grapple with questions raised by new events, court developments, and deadlines.
Engine applauds Senators Lee and Leahy for their continued work on updating the Electronic Communications Privacy Act (ECPA). The Lee-Leahy bill will modernize the nation’s electronic privacy laws and bring protections against warrantless searches into harmony with the technological realities of today.
Earlier this month, Engine held its first briefing of the year: a conversation around the ways that startups are harnessing big data to drive innovation and develop targeted solutions for some of society’s greatest challenges. The event was headlined by Reps. Blake Farenthold (R-TX) and Derek Kilmer (D-WA), who were joined by a distinguished panel of startup leaders and policy analysts.
Today, the U.S. House of Representatives passed the widely supported, broadly bipartisan Email Privacy Act, making this the second consecutive year that this common-sense update to the Electronic Communications Privacy Act (ECPA) has passed the House. The bill makes a critical update to existing digital privacy laws that clarifies that law enforcement must obtain a warrant—except in certain clearly defined emergencies—before accessing an individual's electronic communications.
Engine commends Congressman Kevin Yoder (R-KS), Congressman Jared Polis (D-CO), Congressman Bob Goodlatte (R-VA), Congressman John Conyers (D-MI), and the bill’s other cosponsors for today’s reintroduction of the Email Privacy Act, legislation that would make critical reforms to our nation’s outdated outdated digital privacy laws.
Privacy and security issues were top of mind for policymakers once again in 2016: the Apple-FBI battle pushed questions around encryption to the forefront; massive data breaches and cyberattacks called attention to cybersecurity issues; uncertainty around data transfers between the U.S. and EU persisted; and the heated debate around government access to digital communications thrust electronic privacy reform back into the spotlight. But even with all of these prominent debates, 2016 did not see much actual legislative movement. It’s unclear what will come to pass next year, but we are hopeful that any policies Congress or the new Administration pursue take into account the unique needs and realities of the evolving startup ecosystem.
In the months since the original Safe Harbor agreement was invalidated by the European Court of Justice, the startup community has been in legal limbo awaiting resolution. The approval of this revised trans-Atlantic data-transfer framework brings much needed certainty for American startups with European users.
Today, the U.S. House of Representatives passed the widely supported, broadly bipartisan Email Privacy Act by a unanimous vote of 419-0. The bill would make long overdue updates to the Electronic Communications Privacy Act (ECPA) to bring our digital privacy laws into the 21st century. Specifically, the bill would clarify that law enforcement must obtain a warrant—except in certain clearly defined emergencies—before accessing individuals’ electronic communications.
It is hard to overstate how incredibly dangerous and foolish the Burr-Feinstein “Compliance with Court Orders Act of 2016” draft legislation is and even harder to believe it was coauthored by California’s senior senator, Dianne Feinstein, D-Calif., and Sen. Richard Burr, R-N.C.
This week, a U.S. District Court judge ruled that Apple must assist the Federal Bureau of Investigation (FBI) by providing technical assistance to help the Bureau unlock the iPhone used by one of the San Bernardino shooters. While a resolution to this litigation is far off (due to likely appeals), the case has suddenly catapulted the debate over privacy, security, and encryption into the headlines of nearly every major news outlet in the United States and beyond. And though this case is specific to Apple—the manufacturer and licensor of the hardware and embedded software—the ramifications of the final decision in the case may have a profound impact, both in the technology industry and beyond.
While this isn’t the first time that policymakers have grappled with serious questions related to encryption and digital security—just last year, the White House backed away from a proposal seeking “backdoors” into encrypted devices after a multitude of stakeholders spoke out about the dangers of such anti-security measures—it is likely the most difficult case yet involving such issues. Certainly, the FBI has a strong interest in thoroughly investigating terrorist activity and preventing such acts in the future. Technology companies also care deeply about stopping criminal activity, which is why this is such a difficult problem: though the FBI’s request is tailored to investigating a specific terrorist activity, it will ultimately weaken security standards and may lead to serious vulnerabilities that will put countless consumers at risk.
In the past, Apple has cooperated with law enforcement to unlock phones in order to gain access to information, at least when doing so was technologically feasible. This situation is slightly different, as the court order requires Apple to create an entirely new version of Apple’s operating system (OS) to allow the government to circumvent security features that Apple built into its OS to prevent brute force attacks. This software will effectively make brute force attacks on encrypted devices possible—whether it’s the FBI attempting to brute force the phone or anyone else that has access to the software. Though the FBI says it intends to use this modified OS in this situation only, the spate of high-profile hacks and data breaches over the past year (including a breach of sensitive government information) should cast doubt on any such guarantees.
And, while some may argue that Apple’s strong opposition to the FBI’s request in this case demonstrates that any future requests for similar security circumvention activities will be limited to only the most extreme circumstances, that only holds true if the company being tasked with providing access to encrypted information has the resources to mount such a robust legal challenge. The startups that are responsible for so much of the tech sector’s growth have nowhere near the legal resources needed to fight spurious requests for dangerous encryption backdoors. Establishing a precedent that obligates companies to undermine the security measures that keep millions of consumers and their data safe from criminals will only increase the chances that these security circumvention technologies are employed in spurious cases or, worse, fall into the wrong hands.
Law enforcement is fully justified in attempting to do everything possible to prevent future terrorist attacks, just as Apple is fully justified in arguing that what the FBI wants could have serious negative repercussions for the security of its users. But, the security vulnerabilities that could arise by forcing Apple to undermine the strong encryption technologies it has built into its products should make anyone think twice about establishing such a dangerous precedent.
The European Court of Justice’s rejection last October of the European Commission’s so-called “safe harbor” agreement with the U.S. forced many American startups to grapple with a difficult choice: spend considerable time and money trying to find a different mechanism to legally import EU consumer data or sit tight and hope regulators worked it out before member states started filing lawsuits. Neither option was particularly appealing, and thankfully, the EC’s announcement this morning that negotiators had reached a framework agreement on Safe Harbor 2.0 (rebranded as “Privacy Shield”) removes some of the uncertainty startups have faced over the past three months. But does this tentative framework provide the future-proof, legal certainty that is essential for startups operating in the EU?
For those of you who are just tuning in, here’s a quick refresher: the EU’s Data Protection Directive imposes certain obligations on how entities in different countries can handle data from EU consumers. To help streamline compliance, the EC and U.S. entered into an agreement that allowed U.S. companies to self-certify compliance with the Directive and thereby legally transfer data across the Atlantic. This system worked quite well in facilitating EU-U.S. data flows, until the ECJ issued a ruling in October that U.S. laws permitting the NSA to conduct mass surveillance of consumer data violated the Data Protection Directive, thereby voiding the safe harbor and opening up the door to potential legal action against companies that continued to import EU consumer data without a different legal justification.
Policymakers in the EC and the U.S. Department of Commerce promptly got to work on a new safe harbor agreement but faced considerable time pressure, as European Data Protection Agencies were set to commence enforcement proceedings against non-compliant companies if the parties could not reach an agreement by January 31. Crafting an important international agreement in such a relatively short time frame was a challenging endeavor, and as Sunday’s deadline approached, the possibility of a world without safe harbor began to set in.
For many U.S. companies that had previously relied on the safe harbor, failing to finalize a new agreement would be an inconvenience, but hardly insurmountable. Large multinationals had many alternative data transfer pathways at their disposal, like Binding Corporate Rules or Model Contractual Clauses. Others could simply set up servers overseas and process EU consumer data locally. But, these strategies were only feasible for those with enormous financial resources and a legal staff sufficient to navigate 28 different state data agencies and regulations—resources that small, cash-strapped startups just don’t have.
Consequently, startups faced a much more dire situation, and many simply had no idea how to proceed. Some mature, better-funded startups followed the lead of larger tech companies, working up model contract clauses, often at the behest of international partners that wouldn’t proceed without such agreements. Other hoped that updates to their privacy policies and consent processes would suffice, though this was something of a legal gamble and a potential disruption to business (how many consumers enjoy having to click through new popup consent forms?). Some companies, devoid of other sensible options, planned to continue business as usual, expecting that policymakers would eventually craft a solution and hoping they were too small to draw the ire of member state regulators if no agreement could be reached.
The EC’s Tuesday announcement of a “political agreement” was therefore met with cautious optimism and relief. The hard work that the EC and the U.S. Department of Commerce put in over the past few months paid off, pulling out an agreement at the eleventh hour and returning stability and some certainty to the international data flows that make the Internet work. Going forward, consumers and companies on both sides of the Atlantic should hope that this newly formulated “Privacy Shield” will provide a simple, well-defined framework for data exchange, so long as it remains in force. But this difficult experience should serve as a reminder of how the heavy burden of regulatory uncertainty often falls hardest on the smallest players. Startups that made user security and privacy a central part of their companies were nevertheless caught in an international dispute between national governments and multinational companies with few feasible options to stay square with laws that quickly became unclear. In the end, the drama surrounding Safe Harbor 2.0 is both a win for prompt, sensible policymaking and a lesson of how policy disputes can impact the startup sector in unexpected ways.