Access to personal data held by Slack, under Privacy Shield
I just participated in a crowd-annotation event of Slack’s Privacy Policy. This event’s social discussion was conducted through the Twitter hashtag #digciz (digital citizenship), while the final output was collated through Hypothes.is.
The participants were mostly, as far as I can tell, US-based educators at the forefront of discussing digital issues in education, and particularly data protection. Despite their experience, they were left with many valid questions after reading the whole Slack privacy policy.
I suspect part of the point of the exercise is to assess critically the tools they intend to use in their classrooms. I am highly sympathetic to the exercise, having myself criticised many European universities for unconditionally adopting the Coursera platform to offer their online courses (this has led some of them to receive the Big Brother Award 2017…).
The view from Europe
My perspective as a resident of Europe (Switzerland, actually) is slightly different from theirs, however. One very important passage is buried deep at the bottom of that Privacy Policy:

This passage is important, as it supersedes the contractual agreement of a Privacy Policy. That passage is meant to protect my fundamental right to privacy (inalienable through contracts), through a series of tenuous links:
- Slack’s Privacy Policy links to Slack’s Privacy Shield notice;
- Slack’s Privacy Shield notice refers (but does not link) to Slack’s Privacy Shield registration with the US Department of Commerce.
That (voluntary) registration makes Slack fall under the scope of the Privacy Shield arrangement.
In my case, being based in Switzerland, it would be the US-Swiss Privacy Shield, which is the legal instrument envisioned in Article 6 of the Swiss Federal Data Protection Act in order to protect my fundamental right to privacy, as listed in Article 13 of the Swiss Constitution.
So what rights do I have under Privacy Shield? There are seven distinct Privacy Shield Principles, but I will focus here on three of them: Notice, Access and Onwards Transfer.
In short:
- Under Notice, Slack has to disclose a lot more than they do in their Privacy Policy, at least if they are asked.
- Under Access, Slack is liable for giving me access to my personal data, at least if they are asked.
- Under Onwards Transfer, Slack is liable to make sure that third parties they transfer data to maintain the same level of protection. A helpful analogy here is the virality of some software licenses.
As you see, a lot of the protections depend on users actually asking.
I have just sent in a request to their lawyer, Gabriel Stern, focusing on points 2 and 3 particularly. Slack now has 45 days to respond to my request. I think I have a pretty good idea how it will play out. As the process advances, I plan to blog more about this journey. My first step will be in detailing the request structure itself.
Paul-Olivier Dehaye is co-founder of PersonalData.IO, a startup helping individuals regain control of their personal data, through innovative products built around the GDPR. PersonalData.IO also offers compliance solutions, business innovation and consulting services to companies, as well as expert advice to educators, regulators and journalists.

