Russia threatens Facebook over data localization, Spain orders companies to censor Catalan referendum content, U.S. and EU complete first annual Privacy Shield review

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Russia threatens to block Facebook over data localization law

Russian authorities have announced that Facebook will be blocked next year if the company does not comply with a Russian data localization law. Under the law, which entered into force in 2015, data operators processing personal data of Russian citizens must do so using servers within Russia. In November 2016, Russia blocked LinkedIn for not complying with the data localization law. In January 2017, Russian authorities also ordered Apple and Google to remove the LinkedIn app from their app stores.

Privacy advocates have raised concerns over the impact of data localization requirements, particularly in Russia, where authorities have significant mass surveillance capabilities. This could also make it more difficult for companies operating in Russia to be transparent about government access to user data. As noted in our 2017 Corporate Accountability Index Russian company analysis, Russian authorities may have direct access to communications data through a program called SORM. It therefore may be impossible for companies to publish data on Russian authorities’ requests for user information, since they may not know themselves how often various agencies exercise their authority under SORM.

Spain orders telecommunications companies and domain registry to block Catalan referendum content online

Authorities in Spain are putting pressure on companies to block content relating to the upcoming unofficial Catalan referendum for independence, which is scheduled for October 1. Spanish police raided the offices of Fundació puntCAT, the registry for the Catalan top-level domain (TLD), .cat. Fundació puntCAT reported that a staff member was also arrested, and had previously said that they had been ordered to block any .cat domains that contained information about the referendum, which they said would “suppress freedom of speech.” Catalan activists also told Motherboard that authorities had ordered telecommunications companies to block access to sites relating to the upcoming unofficial Catalan referendum for independence.

Spanish authorities have called the referendum “illegal,” and on September 20, arrested 12 Catalan officials, a move which Catalan President Carles Puigdemont said had “de facto suspended self-government and applied a de facto state of emergency” in the region.

Telecommunications and internet companies should carry out due diligence on government requests to censor or restrict content, and push back against inappropriate or overly broad requests. Companies should also be as transparent as possible about the requests they receive and comply with, including regularly publishing data on such requests, so individuals can hold the appropriate government authorities accountable.

U.S. and EU complete Privacy Shield annual review

The U.S. and EU have completed the first annual review of the U.S.-EU “Privacy Shield” data-sharing agreement, and in a joint statement, affirmed their mutual commitment to ensuring the program’s success. The agreement was developed to ensure EU data-protection standards are maintained for any personal data transferred from the EU to the U.S. Companies in the U.S. that wish to join the Privacy Shield framework must self-certify with the U.S. Department of Commerce and publicly commit to uphold the Privacy Shield requirements. These requirements include informing users about the types of data companies collect, share, and why, and offering a grievance and remedy mechanism allowing users to submit complaints over how their data is used.

As noted in our Index recommendations, companies should provide users with a more comprehensive picture of the lifecycle of their personal information, from collection to use to sharing to retention and deletion. This includes clearly disclosing what information the company shares, with whom, and its purpose for collecting and sharing user information. Governments should also develop effective data protection regimes and require companies to clearly disclose comprehensive personal data lifecycle information.

Leave a Reply