Organizational Accountability, Government Use of Private-Sector Data, National Security, and Individual Privacy

Privacy and Security

Article Snapshot

Author(s)

Martin Abrams, Fred H. Cate and James Dempsey

Source

in Bulk Collection: Systematic Government Access to Private-Sector Data, Fred H. Cate and James X. Dempsey, eds., Oxford University Press, 2017, pp. 307-324

Summary

Firms that collect data are accountable for its safety and remain accountable if the data is transferred to third-party vendors or partners. Accountability is hard to maintain when the government demands access to a firm's data for police or intelligence purposes.

Policy Relevance

International agreements require firms and lawmakers to oversee the United States government’s access to data from the private sector.

Main Points

  • As of 2015, under a regulatory Safe Harbor, European firms could transfer data to firms in the United States, so long as recipients safeguarded the data as if under European law; however, United States government agencies could demand access to the transferred data, and the European Union Court of Justice ruled that the Safe Harbor was invalid.
     
  • A new "Privacy Shield" agreement was negotiated between the United States and Europe, suggesting standards for the oversight needed to maintain accountability when a private firm grants government agencies access to data.
     
  • Generally, governmental access to data raises these four questions:
     
    • How should firms review and limit governmental requests for disclosure?
       
    • How can requests be parsed to ensure that disclosure is not only legal, but appropriate?
       
    • How can firms be transparent about requests for data and the scope of disclosures?
       
    • How can governmental entities be held accountable?
       
  • Accountability guidelines suggest that firms adopt internal procedures to review government demands for data; firms should:
     
    • Interpret demands narrowly.
       
    • Seek clarification or modification of overbroad or unlawful demands.
       
    • Require that demands be made in writing.
       
    • Request that the government follow established legal processes.
       
    • Challenge illegal or overbroad demands in court.
       
  • Privacy authorities note that government agencies should be subjected to public-sector oversight, including scrutiny by lawmakers and oversight by dedicated data protection authorities or agencies.
     
  • Consistent with the Privacy Shield and new laws, United States agencies are now more transparent about governmental access to private-sector data; new layers of oversight and remediation have been added, such as the Privacy Shield Ombudsman, but it is unclear whether these measures are sufficient.
     

 
