The U.S. and EU’s key data-protection deal is dead. How one of the world’s biggest data brokers is adapting

Acxiom is one of those American companies that probably knows a lot about you, even if you’ve never heard of it.

The firm is a database marketing company, also known as a data broker—it builds “anonymized” profiles of people and sells them to advertisers, so they can better target their ads.

As such, Acxiom is of intense interest to Europe’s privacy regulators—privacy campaigners in the U.K. filed a complaint in late 2018, alleging that it was breaking the bloc’s tough General Data Protection Regulation (GDPR) by exploiting people’s personal data without their consent.

The company is also one of many to feel the impact of the recent “Schrems II” ruling by the EU’s top court, the Court of Justice. Citing insufficient privacy protections in the U.S., that decision immediately killed the Privacy Shield data-sharing agreement between the U.S. and the EU, while also casting into doubt the viability of another legal mechanism called standard contractual clauses (SCCs), which is widely used by companies from Facebook to Google as a basis for transferring Europeans’ data to U.S. servers.

Fortune had a chat this week with Acxiom’s Jordan Abbott, to discuss the firm’s take on that ruling and EU privacy regulation in general. Abbott has an interesting job title—chief data ethics officer.

Here’s a transcript of that conversation, lightly edited for clarity.

Fortune: What are the implications for businesses of the Schrems II decision?

Abbott: It’s Groundhog Day all over again. We went through this with [Privacy Shield predecessor] Safe Harbor in 2015. When Privacy Shield was announced in 2016, my colleagues and I were skeptical about its long-term prospects. We believed at the time that it had the same sort of infirmities that plagued Safe Harbor. And, indeed, I made a prediction that at some point Privacy Shield would be challenged for many of the same reasons that Safe Harbor was challenged.

The immediate impact on businesses as a result of [the ruling] is that companies that were relying on Privacy Shield for data transfers from the EU to the U.S. now have to rely on an alternative mechanism of transfer, such as standard contractual clauses. Most companies don’t have binding corporate rules [or BCRs; a far more expensive, time-consuming legal mechanism for data transfers within multinationals] that have been approved by data protection authorities.

Fortunately for Acxiom, many of our agreements—if not most—had a belt-and-suspenders approach to data transfers, saying that in the event Privacy Shield is invalidated, transfers would rely on standard contractual clauses.

Even then, companies like Acxiom have to do an assessment to determine whether U.S. [legal protections for] transfers of data are essentially equivalent [to EU protections] to protect European residents and, if there are issues, what sort of supplementary measures can be put in place to create essentially equivalent adequacy—things like encryption. For us, in addition to reviewing our agreements with our clients and our partners, we’re also doubling down on the necessity of data transfers, and data minimization.

So you are now relying on standard contractual clauses as the legal basis for your EU-to-U.S. transfers?

For data transfers from the U.K. to the U.S., the U.K. Information Commissioner’s Office and the U.S. Department of Commerce both said, “Keep doing what you’re doing for the time being,” while they study the decision more.

But for data transfers from the European Economic Area, we received more guidance from the European Data Protection Board [the umbrella body for the EU’s privacy regulators] last week and it indicated that SCCs are valid, provided a case-by-case assessment is done with respect to the data importation. We’re building our assessments to do so right now.

There are two schools of thought about the Schrems II ruling as regards SCCs: one says no SCCs for data transfers to the U.S. will stand up now, because of U.S. surveillance practices; the other says this will only affect companies, such as Google and Facebook, that fall under Section 702 of the Foreign Intelligence Surveillance Act (FISA). What’s your take on this, and can Acxiom accurately tell an EU data protection authority or the European Data Protection Board that U.S. intelligence is not snooping on its data?

Acxiom’s current viewpoint is it’s a little bit of both, that companies will not be able to contract their way out of this issue. It’ll have to be solved by the governments of the affected countries, in this case the U.S. and EU—and to a certain extent, after the Brexit transition, the U.K.

But transfers to other countries might be impacted too. For those, they might want to address [the issue] on a political and government level.

I think for companies that use cloud providers, it will be difficult for them to say that they are not potentially subject to a Section 702 FISA program. But I do believe companies like Acxiom, that principally deal in demographic and lifestyle information that’s used for marketing purposes…my hope and expectation is it’s a lower area of risk.

Since Acxiom is not an Internet service provider or telecommunications company, we’re not on the front lines of the Section 702 surveillance issue. To my knowledge, we haven’t been contacted by the U.S. government about data on EU residents, at least not since Privacy Shield. The types of data we collect are a separate category that, I think, may be of less interest.

One other note: although we collect demographic and lifestyle information, we use best practices to safeguard the security and confidentiality of the data. Among other things, we’re performing an assessment to confirm that our data transfers are encrypted—not just sensitive or special categories of data. Similarly, we’re reviewing our data flows to confirm data minimization and that we’re limiting what we share to only what is necessary for our clients, while maintaining appropriate transparency, access and control for individuals to review and correct their data.

Some have suggested that a way around the Schrems II ruling is to keep European data in the EU, rather than sending it to the U.S. Is this data-localization approach viable, or a red herring?

All options are being considered at this moment, including data localization or establishing data centers within the EU. However, we fundamentally believe the free flow of information between the EU and the U.S. is important for both our economies, and indeed the world economy.

To the extent that a U.S. Acxiom affiliate has access to an EU data center to view data, then data localization would potentially be undermined. We think a better approach is a government solution that adequately protects European residents while allowing for data transfers to places that facilitate efficient processing and data management.

Do you foresee a Big Tech lobbying push on this front in the U.S.?

I do believe there will be a big push by industry, including Big Tech companies, to advocate for a national privacy law in the U.S. And indeed that has been happening over the past 12 months or so.

Certainly with the passage of the California Consumer Privacy Act, it underscores the need for a uniform and predictable approach in the U.S. that can be interoperable with other countries and other geographies and regions such as the EU.

I also believe that industry is supportive of granting European residents essentially equivalent rights to those that are afforded to U.S. residents. The problem that needs to be overcome is constitutional and legal.

It deals with a principle called “standing”—the ability for a person to bring a case in court. The U.S. has to figure out a way to solve that problem and allow residents outside the U.S. to bring claims to redress harm.

Given how the Court of Justice killed Privacy Shield and Safe Harbor for similar reasons, is there any point to the U.S. and EU trying to come up with a third version, while U.S. privacy law remains fundamentally inadequate?

It’s worthwhile to study the Court of Justice’s decision closely and see if a Privacy Shield or Safe Harbor is viable. Certainly, the court ruled that the Ombudsman [an office established under Privacy Shield to hear Europeans’ complaints about their data’s treatment in the U.S.] was not sufficiently independent, so perhaps a tribunal that’s set up specifically for European residents could be considered.

And that might be something that’s worthwhile, because, back to the central issue, Acxiom and companies like us want to weed out the irresponsible behavior. We want to drive ethical and accountable behavior. We want to handle data in a fair and transparent manner. We think anything the governments can do to facilitate good behavior, while weeding out bad behavior, must be pursued.

But is a third agreement possible or not?

I think it’s worthwhile to at least look at it, study the Schrems II decision, see if there is opportunity to create a sustainable replacement to Privacy Shield, recognizing that the European courts may be skeptical about the chances for success.

I believe trust plays a significant role in building relationships and is crucial to doing business in a data-driven economy. Things like SCCs, BCRs, supplementary measures—these all add to building trust and accountability, which is clearly important to European citizens and European data protection authorities.

Acxiom and companies like us want to do what we can to enhance trust and accountability.

Where do things stand with the EU investigation into data brokers and the GDPR?

Before Privacy International filed their complaint, the U.K. Information Commissioner’s Office had announced it was going to conduct an assessment of the Acxiom U.K. office in January 2019. We fully cooperated with that assessment. We believe the Privacy International complaint lacked merit and we have been in conversations with the ICO since.

We don’t anticipate any sort of enforcement action and we have implemented some of the recommendations that [the ICO] have made to date, and we’re working with the ICO on the remaining issues. We’re hopeful that the matter will be resolved in due course.
