Corporate Accountability News Highlights: Telegram faces challenges from Russian authorities, U.S. and EU publish first annual Privacy Shield review, and data breach exposes millions of South Africans’ personal information

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Telegram faces challenges from Russian authorities


The messaging app Telegram has been fined for refusing to give Russian authorities access to encrypted communications. A Moscow court fined Telegram 800,000 Rubles (around 14,000 USD) after the company refused to turn over encryption keys that would allow authorities to decrypt and access the contents of user communications. In June, Telegram agreed to register as an “information distributor” with Russian communications regulator Roskomnadzor, a requirement under Russian data laws. Telegram founder Pavel Durov said this was a formality and that the company would not share private user data with the government. Durov also said the company would appeal the court ruling.

This case highlights the crackdown on encrypted communications by many governments throughout the world—both through efforts to legislate “backdoors” and through law enforcement efforts to break encryption. It is important that companies publicly commit to implementing high encryption standards, and advocate and push back against government efforts to undermine encryption. This case also highlights the challenges that many companies face in dealing with government requests for access to user information. As noted in our 2017 Corporate Accountability Index recommendations, companies should also commit to pushing back against excessively broad or extra-legal requests, and should use every opportunity available to pressure governments to move away from mass surveillance and institute meaningful oversight over national security and law enforcement authorities.

U.S. and EU publish first annual Privacy Shield review

The EU-U.S. Privacy Shield provides sufficient levels of protection for personal data transferred from the EU to participating companies in the U.S., but its implementation could be improved, according to the EU’s first annual review of the “Privacy Shield” data sharing agreement. Privacy Shield, launched in August 2016, was created as a legal mechanism for ensuring that EU-U.S. personal data transfers are carried out in a way that maintains EU data protection standards. Participating U.S. companies self-certify compliance with the U.S. Department of Commerce. Privacy Shield requirements include informing users about the types of data companies collect and share, and why, and offering a grievance and remedy mechanism allowing users to submit complaints over how their data is used.

The report recommends that U.S. authorities increase monitoring and enforcement of U.S. company compliance and suggests there should be greater awareness-raising among EU citizens of their rights under the agreement, such as procedures for lodging complaints if they feel their privacy rights have been violated.

As noted in the 2017 Corporate Accountability Index, the companies evaluated do not give users enough information to make informed choices about the services they use. In addition to taking steps to protect the privacy and security of user information, companies should be more transparent about their policies for handling user data, from collection to use to sharing to retention and deletion. Companies should also establish effective grievance and remedy mechanisms through which users can file complaints if they believe their rights have been violated, and make sure users are aware of these mechanisms.

Data breach exposes millions of South Africans’ personal information

A massive data breach has exposed the personal information of millions of South Africans, in the country’s largest reported personal data breach to date. The breach was discovered by a security researcher who reported the leak of a database that contained more than 30 million unique South African ID numbers, as well as other personal information, such as income and employment details, marital status, and property ownership information. The database was created by Jigsaw Holdings, a real estate company. The CEO of a subsidiary of Jigsaw Holdings said that the company had obtained the information from a credit bureau, and that it is investigating the source of the breach.

Data breaches are a growing privacy threat, as the number of large-scale breaches has continued to rise. As individuals entrust companies with a great deal of their personal information, companies have an obligation to take steps to maintain data security and to inform users of what these steps are. Companies should also commit to the principle of data minimization, limiting personal data collection to what is directly relevant and necessary to accomplish a specified purpose. Additionally, companies should clearly disclose their standard procedures for responding to a data breach, including notifying relevant authorities and affected users, and what steps they take to minimize the breach’s impact. In the 2017 Corporate Accountability Index, only three of the 22 companies evaluated disclosed any information about their policies for responding to data breaches.
