A US Data Breach – Lack of Redress and Safe Harbor
Just before Christmas, Databreaches.net reported that a database of over 190 million US voters was out in the wild with no security. 191 million names, addresses, phone numbers, voting preferences, and other voter profile data were sitting in a database, naked and exposed to anyone who knew how to search for them and find them.
Over the following days, other databases were found containing subsets of this data set, with additional data appended such as religious beliefs, statements of political or philosophical opinion, voting history etc.
Our team have skin in this game. We know someone who is a Californian living in Ireland and is a registered voter. So we reached out to Dissent and the team at Databreaches.net to see if this person were included in the data. What we found was both worrying and amusing.
- The person in question was included in the dataset at least once.
- The data about them had been combined with other data, which had led to significant data quality problems, including problems with data accuracy.
Our initial thought was that, as US political parties often have Chapters founded in EU countries to fundraise and promote the interests and agenda of those parties overseas, the Weltimmo and Google Spain cases would apply and potentially create a situation where US political parties would have an establishment within the EU and would therefore need to comply with EU rules, and Data Protection Authorities could take action against the parent Party for breaches of EU data protection law in the handling of voter data.
However, subsequent investigation by the team at Databreaches.net revealed that the data was most likely from a Christian right-wing not-for-profit PAC operating and targeting voters within the United States, with no establishment in an EU Member State, so Weltimmo and Google Spain are unlikely to apply. This is why the Irish Data Protection Commissioner declined to investigate the potential impact of the breaches on Irish residents and Irish citizens (you can be a naturalized Irish citizen and still be a registered US voter).
It would be inappropriate to suggest that, heading into an election year here, the Irish DPC would be ‘uneasy’ drawing attention to any potential question marks over the gathering and management of electoral data. However, one would have thought an outreach to the relevant US regulatory authority to alert them to the potential for EU skin in the game would be a reasonable step to take to be seen to act, albeit by kicking the issue to touch.
However, in the US the situation is no less complex, as it remains to be seen which State or Federal agency actually has standing to investigate this breach and prosecute any criminal wrongdoing. So, the Irish DPC may not have a clue who the relevant US regulatory authority is to contact. Certainly, the experienced investigators at Databreaches.net were still phoning around to try and find the right agency to act last time I checked…
- The State of California has very strict laws on sharing of voter data. So the Californian Attorney General might be the right entity to investigate and prosecute, but there is more than one State’s data in the databases identified and different States have different rules.
- The FTC can take action against for-profit commercial entities for “unfair practices”, but cannot act against PACs or other not-for-profits.
- The FTC might be able to take action against a service provider (a Data Processor) if they were at fault.
But for EU-based California natives, or natives of other US States living in the EU, whose data has been leaked online, there is no effective and uncomplicated avenue of redress and no single entity to which they can easily raise their concerns. This highlights one of the issues that arose in the Schrems case and which no amount of deck-chair arranging on the Titanic of Safe Harbor will resolve: when a Data Subject in the EU has their data privacy rights breached in the US, there is very little that any EU Regulator can do to help (unless a Weltimmo/Google Spain situation can be established). And, unless the organization responsible for the breach is a commercial entity, there are limited enforcement options in US law.
This lack of redress, this fragmentation of potentially relevant regulators, and this lack of clarity about who a Data Subject, or for that matter an EU-based Regulator, can engage with when a data breach of this nature occurs is a symptom of the weaknesses in Safe Harbor and the sectoral approach to Data Privacy regulation in the US. It can only be addressed through an effective reform of Data Privacy laws in the US to meet equivalent standards to the EU. This would not just be a benefit to US citizens/voters living in the EU, or to EU organizations transferring data to the US, but would improve the protection of personal data privacy for Americans in the United States as well.
While not related to the use of big data sets for intelligence gathering or mass surveillance, the US voter data breaches have highlighted the need for effective redress mechanisms to be put in place, replacing the current patchwork of regulation, regulators, and controls in the US, to benefit all data subjects across all potential sectors where their data is used. Without such deep reform of Privacy Regulation in the US, it is difficult to see how a Safe Harbor 2.0 will meet the requirements of the CJEU in Schrems.