In this second instalment of our 3-part blog series on IDV privacy and ethics, we will be covering the considerations for data in transit from a privacy and ethical perspective.
International transfers are now tougher
Let’s take a look at the subject of international data transfers. In 2020, the EU’s highest court struck down a trans-Atlantic agreement that allowed companies to easily move user data between the EU and the US. The decision stated that the US did not sufficiently protect data from government surveillance, and therefore the transfer agreement, called Privacy Shield, failed to meet the EU’s data privacy standards.
Earlier in 2023, in a demonstration of just how seriously the EU is taking data privacy, Meta was fined 1.2 billion € ($1.3 billion) for exporting European data to the US. This is not an example of Meta playing loose with privacy laws; Meta had put in place numerous policies and practices designed to meet the GDPR. Meta’s undoing was that an American law gives US enforcement the right to demand communications data, and this demand would override any policy or practise Meta could put in place.
The US and the EU/UK have needed to find a political solution to this political conundrum. And they have done so by creating the EU-US Data Bridge and the UK-US Data Bridge. At its heart, the solution is to give EU and UK citizens enhanced protection (over and above the rights of US citizens) against US agencies obtaining their personal data. US companies need to opt in to the Bridge and then the transfer of data is deemed acceptable by the EU and UK.
It feels inevitable that these Bridges will be challenged: either by a certain Mr. Schrems or perhaps in the US by those who think it unfair that US citizens have lesser rights in the US than foreigners.
Data sharing & reciprocal protection
Fraudsters communicate and work together to identify soft links in security and process, and to share ideas on how to defraud financial institutions. Perhaps financial institutions and IDV providers should work together to identify fraudsters and protect each other.
The UK Digital Identity and Attributes Trust Framework (UKDIATF) contains various goals on threat and intelligence sharing, but there is little actually implemented currently. There are member schemes in the UK operated by entities such as CIFAS and Synectics that share details on suspected fraudsters.
Some of the leading IDV providers have a fraud or threat service. They create their own databases of suspected fraud attacks and then scan against it for each new end user. It is possible to use this database across different clients. The IDV provider, though, needs to consider how:
- It can do this compliantly with privacy laws;
- It can do its best to ensure victims of fraud do not end up on the database; and also
- Have a process to ensure victims of fraud understand that they might be in this database and can be manually removed from this database.
Questions to ask your IDV provider:
- In which jurisdiction will the data of my end users be hosted?
- Can we select different jurisdictions for data hosting depending on where the data originated?
- At any point in the IDV process, is any data transferred from the UK or the EU into the US?
- If yes to Q3, what is the lawful mechanism the transfer is made under?
- Has the US importer of the data opted into the EU/US or UK/US Data Bridge?
- Is my end user data used in any fraud signal sharing database? If so, please share your Data Protection Impact assessment so we can understand the legality of this processing.
About the post:
Images are generative AI-created. Prompt: Three little pigs, one sleeping, one running, one working on laptop. Tools: Craiyon (fka DALL-E Mini), ChatGPT.
About the author:
Peter Violaris is Global DPO and Head of Legal EMEA and APAC for IDVerse. Peter is a commercial technology lawyer with a particular focus on biometrics, privacy, and AI learning. Peter has been in the identity space for 6 years and before that worked for London law firms.