Ebusiness assignment – Facebook and Safe Harbor

For this assignment, I personally am going to go with the American spelling of Harbor, instead of the proper European spelling of Harbour as the assignment brief I received spelled it Harbor.

To understand Safe Harbor, data protection and their history here in Ireland, we need to go back a few years and look at how they developed…
In the 1960s and 1970s, computer I.T. systems and personal information on paper were growing rapidly in daily use for businesses, healthcare and the financial sectors around the world. At this early point in I.T. and computer system history, there were concerns about the safeguarding of people’s private information and data, and about who was responsible for taking care of that data and protecting it. People were worried about the safeguarding of their information, regardless of whether it was in electronic or paper form.
In 1970, the federal state of Hessen in Germany passed the first national data protection law, which governs the exposure of personal data that are manually processed or stored in IT systems; this was the first data protection law in the world. The first draft of this bill was submitted for a federal data protection act. Eight years later, in January 1979, the first federal data protection act came into force. (Bundesdatenschutzgesetz, 2016).

Skip forward to 1998: the Safe Harbor Privacy Principles were developed over the next two years, up to 2000. They were designed to prevent private organisations within the European Union or United States which store customer data from accidentally disclosing or losing personal information.
US companies could opt into a program and be certified if they adhered to seven principles and 15 frequently asked questions and answers per the Directive. In July 2000, the European Commission decided that US companies complying with the principles and registering their certification that they met the EU requirements, the so-called “Safe Harbor Scheme”, were allowed to transfer data from the EU to the US. This is referred to as the Safe Harbor Decision. (International safe harbor privacy principles, 2016)

So where does Facebook come into the Safe Harbor agreement?

Facebook’s Irish headquarters in Grand Canal in Dublin. Credit: Facebook Dublin

Facebook is one of the international companies that has its European headquarters based here in Ireland and has to adhere to the Safe Harbor regulations. Facebook would have server farms in many locations all over the world holding user data, with server farms mainly on the east and west coasts of the United States as well as Texas and North Carolina, Sweden and soon to be Clonee here in County Meath.

Facebook’s user base has exploded in the last few years, from approximately 100 million users back in 2008 to a staggering 1.6 billion users worldwide by the end of 2015 (see graph below). The Clonee server farm is the first server farm for Facebook in Ireland and probably not the last, mainly because of our climate, not too hot or cold, which is quite suitable for operating server farms.

Number of Facebook users from Q3 2008 to Q4 2015, in millions. Credit: statista.com

The proposed data center to be built in Clonee, County Meath  Credit: Facebook.com

The Social Impact:

Irish people are among the most likely in the English-speaking world, per head of population, to have a Facebook account. 63% of citizens in Ireland have a Facebook account and of that 63%, 74% would log into the service and use it daily. (Ipsos MRBI, 2016)

Credit: Ipsos MRBI

Facebook is rapidly becoming the new home page of the Irish internet user. It has developed from a social media tool that basically keeps people in contact with family and friends at home and abroad into a place where online communities grow: football and sports pages dedicated to various teams and societies, pages where hobbyists, enthusiasts and fans can meet up and converse with like-minded individuals, and support group pages for everything from cancer support to autistic children.
It is also where people get their daily news stories and articles, where businesses grow through promoting themselves and reaching out for new customers, and where people sell, buy and trade everything from cars to kitchen sinks.

The Legal Impact:

So who does own the data, pictures and information we put up on Facebook?
In a Facebook company blog post way back in 2009 (around the time of the major changes to Facebook’s privacy policy that caused uproar), Mark Zuckerberg basically explained that the issues are not so cut and dried. “When you share your personal data with someone else, whether it be an email or a photo, it becomes their data as well. You cannot normally rescind data you share with other people in an e-mail. So why should a social network be any different?” (Zuckerberg, 2009)
I personally would like to think that most of us are protective when our personal data is involved, mainly because it is our data and why should a big company like Facebook profit from it? We may have privacy laws in place to protect us all from being spied on and protecting us from the copying by others of any material we may create, but data that is out there online about us, doesn’t necessarily mean it belongs to us.

The Economic Impact:

With its European headquarters located in Grand Canal Square in Dublin city, Facebook provides employment to approximately 1000 people and has a further 91 positions available on its website as of February 2016. Its workforce includes advertising specialists, HR, IT, Legal, network engineers and product marketing, to list a few. All these jobs are very beneficial to the economy, not only through the taxes paid to the government by the company and its employees, but also through the knock-on effects, as service industries like hotels, pubs and restaurants benefit from the extra influx of business people staying near the Facebook HQ while on a business trip to the company.
Having a company like Facebook set its headquarters here in Ireland is also a great advert for how much faith the company has in Dublin as well as Ireland as a place in which to do business. It is a sign to other multinationals to look at Ireland as a place to do business.

Facebook’s Sources of Income:

Advertising – Mobile and mainstream website

Facebook gets paid by companies to deliver adverts to targeted audiences. It does this by using algorithms to determine what you have liked on the site as well as your interactions with other users. If a person tends to like pages about cars, motorsport, racing and so on, they will tend to get targeted adverts from companies offering products and services related to that person’s hobbies or passions, so an increase in company adverts from the likes of Toyota Ireland, Ford, Opel Ireland and Micks Garage etc. will be observed on that user’s Facebook page. These big companies pay Facebook to ensure their adverts get directed to the targeted users with interests related to their products.

Users of the site with small to medium businesses can also advertise their products and services on smaller scale budgets. So if you have a small garage in Navan that services all makes and models of car, you can run a relatively cheap Facebook advertising campaign to boost your business page or post.

Facebook gets paid directly by credit or debit card or even PayPal by these small business owners for these advertised (or boosted) page posts and like post adverts.

Gaming and Apps

There are millions of Facebook users who play popular games like Farmville and Mafia Wars on the site every day, and even though these games are made by Zynga and other companies and not directly by Facebook, Facebook receives a percentage of the revenues spent by users on those games. While this income is nowhere near the sort of figures generated by advertising on Facebook, it is still a major revenue stream for Facebook.

Safe Harbor and Facebook:

As mentioned earlier, Safe Harbor is an agreement between the EU and US that was established in 2000.
It was established to help US companies and businesses acquire data from Europe without breaking EU rules, which do not allow personal data to be transferred to and processed in parts of the world that do not provide security and privacy provisions for that data. Safe Harbor allows US companies to self-certify and thereby prove that they are upholding rules regarding data storage security and privacy.

 

Facebook’s own Safe Harbor certificate. Credit: Safe Harbor website

In 2013, Edward Snowden (pictured) leaked details about PRISM, which was a project operated by the National Security Agency (NSA). It was reported that the NSA had access to the data of non-US residents (mainly European residents) which was being held on servers in the US belonging to large US multinationals and companies.

Edward Snowden

Max Schrems, a privacy campaigner and Austrian citizen, filed a complaint with the Irish Data Protection Commissioner asking the commissioner to look into what data Facebook might be holding on US servers and passing on to the various United States intelligence services. (As Facebook had its European headquarters in Dublin, it was the Irish Data Protection Commissioner who was responsible for investigating this complaint.)

Max Schrems with the mountain of data on him from Facebook  Credit: Max Schrems

The Irish Data Protection Commissioner rejected the complaint and said that the Safe Harbor scheme ensures an adequate level of protection of personal data. Max Schrems contested the ruling of the commissioner and it was referred to the European Court of Justice (ECJ).

On the 6th of October 2015 the ECJ made its ruling regarding the case:
The ECJ ruled the 15-year-old Safe Harbour arrangement, which allowed about 4,500 US companies to transfer personal data to the US, violates the fundamental rights of EU citizens to privacy and data protection. (Carolan, 2015)

ECJ Tweet  Credit: businessinsider.com

Later that month, the Irish Data Protection Commissioner confirmed that she would be taking up the complaint originally filed by Mr Schrems and would be investigating whether Facebook passes data on to US intelligence agencies and, if so, what data.
A January 31st 2016 deadline was set for US and EU counterparts to come to agreement on a new Safe Harbor arrangement. This deadline passed, but a new agreement was reached on Tuesday, February 2nd 2016. This new agreement is called the EU-US privacy shield, and its one stand-out stipulation is that it allows US law enforcement officials to access data subject to strict limitations.

Facebook stores data belonging to users on servers in its various server farms in the US and Sweden. It obviously saw the problems regarding the derailment of the Safe Harbor agreement due to the Max Schrems case and it chose to start building more data centres in Europe, hence the Clonee plans.

Facebook uses Hypertext Transfer Protocol Secure (HTTPS), which encrypts any data you send from your browser to the website’s server. It prevents others from viewing, tampering with or modifying any communications while you are accessing the Facebook site. HTTPS was originally only used for online payments, but has become mainstream over the past ten years and is used on most websites that you need to log in to.

An example of HTTPS being used on Facebook  Credit: Facebook.com

Back in 2013, Facebook doubled its encryption key strength to 2,048-bit and augmented HTTPS with perfect forward secrecy. “With SSL, there’s going to be a single key that opens every car on the highway, and with perfect forward there’s now a different key for each car,” said Joe Sullivan, Facebook’s security chief. For mobile users, the company has developed Conceal for Android, a set of Java APIs that encodes large files using cryptographic algorithms from OpenSSL. (Edited: theregister.co.uk, 2016)
Facebook was found to be lax in security back before the Edward Snowden leaks, and even Joe Sullivan said that Facebook was not encrypting all internal traffic between its off-site data centres. That has since changed and Facebook takes data security and encryption very seriously.
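
To make the "one key for every car" comparison concrete, here is a short Python sketch added as an illustration; it is not Facebook’s code or anything from the cited article. It assumes a toy Diffie-Hellman group and made-up function names, and it counts how many recorded past sessions a later leak of the server’s long-term key would expose, with and without forward secrecy.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, chosen only to keep the demo short (assumption):
# 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    """Derive a session key from our private value and the peer's public value."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def run_sessions(long_term_priv, ephemeral, count=3):
    """Simulate `count` connections. Returns (recorded, keys): what a passive
    eavesdropper could capture on the wire, and the real session keys."""
    recorded, keys = [], []
    for _ in range(count):
        client_priv, client_pub = keypair()
        if ephemeral:
            # Forward secrecy: fresh server key per session, discarded afterwards.
            # (Real TLS signs it with the long-term key; signing is omitted here.)
            server_priv, server_pub = keypair()
        else:
            # "Single key for every car": the long-term key does the key exchange.
            server_priv, server_pub = long_term_priv, pow(G, long_term_priv, P)
        key = session_key(client_priv, server_pub)
        assert key == session_key(server_priv, client_pub)  # both sides agree
        recorded.append((client_pub, server_pub))
        keys.append(key)
    return recorded, keys

def sessions_exposed_by_leak(leaked_priv, recorded, keys):
    """Count recorded sessions whose key can be rebuilt from a leaked long-term key."""
    return sum(session_key(leaked_priv, client_pub) == key
               for (client_pub, _), key in zip(recorded, keys))

if __name__ == "__main__":
    long_term_priv, _ = keypair()
    for label, ephemeral in (("static key", False), ("forward secrecy", True)):
        recorded, keys = run_sessions(long_term_priv, ephemeral)
        exposed = sessions_exposed_by_leak(long_term_priv, recorded, keys)
        print(f"{label}: {exposed} of {len(keys)} past sessions exposed by the leak")
```
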

Facebook and your data:

Facebook does share information about users. If your profile is public, your information is obviously shared by the company to everyone who sees your profile.

Facebook shares your information with…
Apps, websites and third-party integration on or using the Facebook services:
For example, when you play a game with your Facebook friends or use the Facebook Comment or Share button on a website, the game developer or website may get information about your activities in the game or receive a comment or link that you share from their website on Facebook. In addition, when you download or use such third-party services, they can access your Public Profile, which includes your username or user ID, your age range and country/language, your list of friends, as well as any information that you share with them.

Sharing within Facebook companies:
Facebook shares the information it has about users within the family of companies that are part of Facebook. These companies include:
• Facebook Payments Inc. (https://www.facebook.com/payments_terms/privacy)
• Atlas (http://atlassolutions.com/privacy-policy)
• Instagram LLC (http://instagram.com/about/legal/privacy/)
• Onavo (http://www.onavo.com/privacy_policy)
• Parse (https://parse.com/about/privacy)
• Moves (http://moves-app.com/privacy)
• Oculus (http://www.oculus.com/privacy/)
• LiveRail (http://www.liverail.com/privacy-policy/)
• WhatsApp Inc. (http://www.whatsapp.com/legal/#Privacy)

Advertising, Measurement and Analytics Services:
For example, we may tell an advertiser how its ads performed, or how many people viewed their ads or installed an app after seeing an ad, or provide non-personally identifying demographic information (such as 25 year old female, in Madrid, who likes software engineering) to these partners to help them understand their audience or customers.

Facebook also transfers information to vendors, service providers, and other partners:
Such as analysing how global partner services are used, measuring the effectiveness of ads and services, providing customer service, facilitating payments, or conducting academic research and surveys. (Edited: Data policy, 2016)

EU-US Privacy Shield, The new agreement in place for data transfers.  Credit: Irish Times

Because Facebook has data on its servers in the US belonging to users from outside the US, it must adhere to the Safe Harbor rules (or as it is now known, the EU-US privacy shield). As we now live in a world where the pace of technology moves faster than the laws, paperwork, guidelines and agreements in place for that same technology, I personally believe it will become increasingly harder and harder to govern data movement through electronic means. Let’s just hope the EU-US privacy shield does not fail in the near future.

Infographic:

Safe Harbor Timeline Infographic  Credit: Nathan Doyle

References:

Bundesdatenschutzgesetz (2016) in Wikipedia. Available at: https://en.wikipedia.org/wiki/Bundesdatenschutzgesetz (Accessed: 20 February 2016).

Carolan, M. (2015) Data protection commissioner to investigate Max Schrems claims. Available at: http://www.irishtimes.com/news/crime-and-law/courts/high-court/data-protection-commissioner-to-investigate-max-schrems-claims-1.2398728 (Accessed: 20 February 2016).

Data policy (2016) Available at: https://www.facebook.com/about/privacy/ (Accessed: 21 February 2016).

Facebook HQ Dublin Picture (2016) Available at: http://www.independent.ie/incoming/article30366037.ece/ALTERNATES/h342/FB1.jpg (Accessed: 20 February 2016).

Facebook careers (2016) Available at: https://www.facebook.com/careers/locations/dublin/ (Accessed: 20 February 2016).

International safe harbor privacy principles (2016) in Wikipedia. Available at: https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles (Accessed: 20 February 2016).

Ipsos MRBI SOCIAL MESSAGING TRACKER – January 2016 (2016) Available at: http://ipsosmrbi.com/wp-content/uploads/2016/01/SM_Jan16.png (Accessed: 23 February 2016).

Max Schrems (2016) in Wikipedia. Available at: https://en.wikipedia.org/wiki/Max_Schrems#.27Europe_v_Facebook.27_lawsuit (Accessed: 21 February 2016).

Max Schrems Vs Facebook (no date) Available at: http://cdn.arstechnica.net/wp-content/uploads/2012/11/50.evf_max_stack.jpg (Accessed: 20 February 2016).

Number of monthly active Facebook users worldwide as of 4th quarter 2015 (in millions) statista.com (2016) Available at: http://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide/ (Accessed: 20 February 2016).

Organization information – Facebook (2015) Available at: https://safeharbor.export.gov/companyinfo.aspx?id=28012 (Accessed: 20 February 2016).

Price, R. (2015) ECJ Tweet – Everything you need to know about the pivotal Max Schrems-Facebook case. Available at: http://uk.businessinsider.com/ecj-safe-harbor-ruling-bots-expected-2015-10 (Accessed: 21 February 2016).

Santhakumar, N. and SanthakumarNirmala, N. (2013) ‘How Facebook is earning money?’, Social networks, 13 June. Available at: http://www.mymagicfundas.com/how-facebook-is-earning-money/ (Accessed: 20 February 2016).

Schonfeld, E. (2009) Zuckerberg on who owns user data on Facebook: It’s complicated. Available at: http://techcrunch.com/2009/02/16/zuckerberg-on-who-owns-user-data-on-facebook-its-complicated-2/ (Accessed: 20 February 2016).

Strasbourg, S.L. (2016) Safe Harbour: EU and US reach deal on data transfers. Available at: http://www.irishtimes.com/business/technology/safe-harbour-eu-and-us-reach-deal-on-data-transfers-1.2519880 (Accessed: 21 February 2016).

theregister.co.uk Facebook security chief: We’re not encrypting everything between our data centers just yet (2016) Available at: http://www.theregister.co.uk/2014/03/19/facebook_security_chief_talks/ (Accessed: 21 February 2016).

 
