A Privacy Policy To Which Nobody Agreed
By Andrew Morris | February 24, 2020
On Monday, February 10th, Attorney General Barr announced an indictment of four members of China’s Military for hacking into Equifax.
Equifax operates in a unique space: like Facebook, they have troves of data about a significant number of people, in this case specific data about financial balances, transactions, payment histories, and creditworthiness. The data may not be as socially personal as Facebook’s, but it is every bit as sensitive, if not more so. However, unlike Facebook, nobody agreed to house their data there.
Equifax doesn’t have a privacy policy as much as a marketing page about privacy[1] and a “privacy statement”[2].
In this document, Equifax has taken the time to ensure that they are compliant with laws and best practices about data management and correction right up until the point where it starts to involve sensitive data.
It is worth noting that the California Consumer Privacy Act (CCPA) permits California residents to manage and delete their data. A dedicated page[3] details those rights. However, on my attempt to actually exercise these rights (2/21/2020 at 7:39pm PST), their dedicated site was unresponsive to requests.
Given the scope of recent breaches (147 million US residents), it stands to reason that regulators and government agencies would address consumer rights in the United States. The FTC made a statement about the Equifax data breach recently and accompanied it with some additional information.[4] On this page, there is a telling ‘question and answer’ that the FTC provides:
Q: I don’t want Equifax to have my data. What can I do?
A: “Equifax is one of three national credit bureaus. These companies collect information about your credit history, such as how many credit cards you have, how much money you owe, and how you pay your bills. Each company creates a credit report about you, and then sells this report to businesses who are deciding whether to give you credit. You cannot opt out of this data collection. However, you can review your credit report for free and freeze your credit.”
In other words, the financial credit system is so essential to commercial operations, the FTC has decided that this data collection is effectively mandatory for most of America.
This organizational system, where private organizations are responsible for infrastructure and data management for the financial system, is not unique to the United States. Some examples highlight the key differences:
- Germany relies on a company called Schufa Holding AG. [5] However, Schufa provides data subjects the right to erase, rectify and restrict processing of personal data under GDPR. [6]
- Austria relies on another company called Kreditschutzverband von 1870 (KSV1870 for short – literally, Credit Protection Association from 1870), which operates as a blacklist-style credit list. This type of system is poorly suited to granting opt-out rights, and yet they do allow the Austrian Data Protection Authority to intervene. [7]
- The UK uses a variety of companies. One of them is TransUnion, who manages a specific page on the rights to delete data [8], and it requires some discussion and acknowledgment of the potential consequences, but there is a process to address it.
These exceptions seem to be limited to Europe. Anywhere the General Data Protection Regulation (GDPR [9]) applies, data subjects have specific rights. To summarize the legislation, these rights include simple terms and conditions explaining consent, timely notification of data breaches, the right to access your data, the right to be forgotten, data portability, and privacy by design. The GDPR also requires appropriate technical and organizational measures to ensure a level of security commensurate with the risk.
In other words, many of the protections built into the GDPR would address both the rights of data subjects and potentially help some of the operational elements that permitted the Equifax data breach. Consumers and data subjects in the United States would benefit from either an expansion of the CCPA or GDPR to cover all residents.