“Unfair practices” make user consent impossible, prosecutors allege
Authorities in Italy have launched an investigation into “unfair practices” employed by Apple, Google and Dropbox as the Europe-wide crackdown on data use by US tech giants continues.
Italy’s Competitions and Markets Authority – the AGCM – has initiated six investigations into iCloud, Google Drive and Dropbox around a lack of clarity in their terms of service when it comes to user data.
It is the latest incident to put the spotlight on the data practices of Big Tech following July’s European Court of Justice (ECJ) decision in the Schrems II case on the transfer of European user data to the US, which invalidated the US-EU Privacy Shield used by many businesses to protect client information.
The Troublesome Trio’s “Unfair Practices”
The AGCM alleges that Apple, Google and Dropbox do not explain how cloud user data might be used for commercial purposes, and these “unfair practices” mean users are unable to give full consent for how their information is deployed. Dropbox is further accused of not explaining to customers where to find terms and conditions, how they can cancel their contract and how they can access dispute settlement mechanisms.
Prosecutors will also look at whether T&Cs provided by the three firms, which give them the right to suspend or interrupt their service, and exempt them from liability for any loss of data stored in the cloud, violate Italy’s consumer rights directive.
Computer Business Review has approached the three businesses for comment.
It is the second time Apple has been in the cross-hairs of the Italian Government in recent months. In July the offices of Apple and Amazon were raided as part of an antitrust investigation into allegations that the two businesses agreed that sellers not part of Apple’s official programme would be prevented from retailing Beats headphones and Apple products. This investigation is ongoing.
Ramifications of Schrems II Becoming Clearer
US tech firms are already facing up to the ramifications of the Schrems II judgement, which looked at the transfer of European data to be stored in the US. The ruling affects any business which transfers data to a US-based cloud, or has a commercial relationship with an American company that involves the exchange of customer information.
The case was brought by privacy activist Max Schrems, who objected to his data being transferred to the US over surveillance concerns.
The court was asked to consider whether two mechanisms used to protect user data being transferred out of the EU – Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Shield – should be invalidated due to legislation in the US that allows law enforcement agencies to access personal information.
It ruled that the privacy shield should be invalidated as it fell short of the required protection standard, but that SCCs remained valid subject to adequacy assessment and the potential addition of more data safeguards. Data Protection Authorities (DPAs) will now be required to immediately halt transfers that do not meet the required standards.
What does this mean in practice? Well, the first substantive guidance from a European Data Protection Authority (DPA) has emerged from Germany, where the state of Baden-Württemberg has issued advice for businesses. The guidance only applies to businesses based in the state, but provides some interesting insights.
What to do About Schrems II?
The Baden-Württemberg DPA recommends data transfers to the US should be subject to additional safeguards such as encryption where “only the data exporter has the key” to keep it away from the prying eyes of intelligence services.
Anonymisation or pseudonymisation should also be considered, with the data exporter being the only one who can identify users.
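As an added illustration of the "only the data exporter can identify users" recommendation, the Python script below pseudonymises records before export by replacing direct identifiers with a keyed HMAC-SHA256 token and keeping both the key and the token-to-identity table with the exporter. It is example code written for this article, not guidance or code from the Baden-Württemberg DPA; the field names and sample records are constructed, and the exporter-held-key encryption half of the recommendation is not shown.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers; they never leave the exporter in the clear.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise_for_export(records, key):
    """Split records into an exportable view and an exporter-held lookup table.

    Each record's direct identifiers are replaced by a keyed HMAC-SHA256 token
    of the normalised e-mail address. The key and the token-to-identity table
    stay with the data exporter, so the importer (and anyone who obtains the
    exported data) cannot link a record back to a person.
    """
    export = []
    lookup = {}
    for rec in records:
        normalised = rec["email"].strip().lower()
        token = hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        pseudonymised = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised["subject_token"] = token
        export.append(pseudonymised)
    return export, lookup


def reidentify(export_record, lookup):
    """Only the exporter, holding the lookup table, can perform this step."""
    return lookup[export_record["subject_token"]]


def contains_direct_identifiers(export):
    """Pre-transfer check: True if any direct identifier leaked into the export."""
    return any(field in rec for rec in export for field in DIRECT_IDENTIFIERS)


# Constructed sample data; not taken from the article.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.org", "plan": "pro", "storage_gb": 120},
    {"name": "Bob Example", "email": "bob@example.org", "plan": "free", "storage_gb": 2},
]

if __name__ == "__main__":
    export_key = secrets.token_bytes(32)  # generated and retained by the exporter
    export, table = pseudonymise_for_export(SAMPLE_RECORDS, export_key)
    assert not contains_direct_identifiers(export)
    print(export)
    print(reidentify(export[0], table))
```

Because the token is keyed, a recipient without the exporter's key cannot recompute it from a guessed address, which is what distinguishes this from an unkeyed hash.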
When transferring information to other non-European territories, data controllers must verify the legal state of play to ensure that sufficient rights and protections are afforded to users, the DPA says.
Companies must also assess and record the necessity of transfers and only work with third parties that will minimise the risk of data exposure. The DPA suggests it could take action, including stopping a data transfer altogether, if it is not convinced mitigating steps have been taken.
The guidance also includes a checklist of steps businesses can take. Recommendations include:
- Taking stock of the cases in which your company exports data to third countries.
- Contacting your service provider/partner in the third country to let them know about the decision of the ECJ and the consequences.
- Finding out about the legal situation in the third country as to whether the protections are considered adequate.
An International Standard for Data Protection?
In the wake of the Schrems II judgement, human rights organisation The Council of Europe has called for international standards of data protection to be agreed.
Yesterday it released a statement encouraging countries around the world to join “Convention 108+”, referring to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, data privacy and protection guidance launched in 1981 and adopted by 55 countries around the world.
The convention has recently been updated to reflect the challenges presented by digital data storage and focuses on keeping information flowing while respecting human rights and fundamental freedoms. The United Nations’ Special Rapporteur on the right to privacy has recommended that UN member states adopt the convention.
A joint statement from the CoE’s Convention 108 committee and its Data Protection Commissioner reads: “Countries must agree at international level on the extent to which the surveillance performed by intelligence services can be authorised, under which conditions and according to which safeguards, including independent and effective oversight”.