Archive for the ‘Accountability’ Category

« Older Entries

It’s time to dust off that privacy policy…

avatar Posted on May 2nd, 2013 by Katie Paxie

The Information Commissioner’s Office (“ICO”) has announced in the latest edition of its e-newsletter that it will be examining the privacy policies of 250 of the UK’s most popular websites during the week of 6 – 11 May 2013 as part of ‘Internet Sweep Day’. Each website will be reviewed to check whether it contains an accessible privacy policy in accordance with relevant UK and international laws.

The Internet Sweep Day initiative isn’t limited to just the UK, as the ICO is working in conjunction with other global data protection authorities. The results of the review will be collected and sent back to the Office of the Privacy Commissioner for Canada and a report of the findings will be published in the Autumn.

There is no word yet on which websites the ICO is set to consider, but this is yet another wake up call for businesses who haven’t started thinking about their public facing documents and policies to get cracking!

The announcement comes hot on the heels of updates to the enforcement section of the ICO’s website which show that the UK e-privacy enforcement space is certainly heating up and Google’s updates to its privacy policy in an attempt to comply with EU cookie consent rules.  Internal stakeholders who might be resistant to yet another review of an often overlooked part of any businesses website should be reminded that transparency is very likely to continue to be at the heart of the new European data protection framework.  It is most definitely time to get a head start now.

Tags:, ,
Posted in 95 directive, Accountability, Uncategorized

In defence of the privacy policy

avatar Posted on March 29th, 2013 by Phil Lee

Speaking at the Games Developers’ Conference in San Francisco yesterday on the panel “Privacy by [Game] Design”, I was thrown an interesting question: Does the privacy policy have any place in the forward-thinking privacy era?

To be sure, privacy policy bashing has become populist stuff in recent years, and the role of the privacy policy is a topic I’ve heard debated many, many times. The normal conclusion to any discussion around this point is that privacy policies are too long, too complex and simply too unengaging for any individual to want to read them. Originally intended as a fair processing disclosure about what businesses do with individuals’ data, critics complain that they have over time become excessively lengthy, defensive, legalistic documents aimed purely to protect businesses from liability. Just-in-time notices, contextual notices, privacy icons, traffic lights, nutrition labels and gamification are the way forward. See, for example, this recent post by Peter Fleischer, Google’s Global Privacy Counsel.

This is all fair criticism. But that doesn’t mean it’s time to write-off privacy policies – we’re not talking an either/or situation here. They continue to serve an important role in ensuring organisational accountability. Committing a business to put down, in a single, documented place, precisely what data it collects, what it does with that data, who it shares it with, and what rights individuals have, helps keep it honest. More and more, I find that clients put considerable effort into getting their privacy policies right, carefully checking that the disclosures they make actually map to what they do with data – stimulating conversations with other business stakeholders across product development, marketing, analytics and customer relations functions. The days when lawyers were told “just draft something” are long gone, at least in my experience.

This internal dialogue keeps interested stakeholders informed about one another’s data uses and facilitates discussions about good practice that might otherwise be overlooked. If you’re going to disclose what you do in an all-encompassing, public-facing document – one that may, at some point, be scoured over by disgruntled customers, journalists, lawyers and regulators – then you want to make sure that what you do is legit in the first place. And, of course, while individuals seldom ever read privacy policies in practice, if they do have a question or a complaint they want to raise, then a well-crafted privacy policy serves (or, at least, should serve) as a comprehensive resource for finding the information they need.

Is a privacy policy the only way to communicate with your consumers what you do with their data? No, of course not. Is it the best way? Absolutely not: in an age of device and platform fragmentation, the most meaningful way is through creative Privacy by Design processes that build a compelling privacy narrative into your products and services. But is the privacy policy still relevant and important? Yes, and long may this remain the case.

Posted in Accountability, Privacy by design

How to solve BCR conflicts with local law

avatar Posted on March 13th, 2013 by Phil Lee

A frequently asked question by many clients considering BCR is “How can we apply BCR on a global basis?  What if non-EU laws conflict with our BCR requirements?”  Normally, this question is raised during an early-stage stakeholder review – typically, by local in-house counsel or a country manager who points out, quite reasonably, that BCR are designed to meet EU data protection standards, not their own local laws.

It’s a very good, and perfectly valid, question to ask – but one that can very quickly be laid to rest.  BCR are a voluntary set of self-regulatory standards that can readily be designed to flex to non-EU local law requirements.  Global businesses necessarily have to comply with the myriad of different laws applicable to them, and the BCR policy can address this need in the following way:

(*)  where local law standards are lower than those in the BCR, then the BCR policy should specify that its standards will apply.  In this way, the local controller not only achieves, but exceeds, local law requirements and continues to meet its commitments under its BCR; and

(*)  where local law standards are higher than those in the BCR, then the BCR policy should specify that the local law standards will apply.  In this way, the local controller achieves local law compliance and exceeds its commitments under the BCR.

In both cases, the controller manages to fulfill its responsibilities under both applicable local law and the BCR, so a head on collision between the two almost never arises.  But for those very exceptional circumstances where mandatory local laws do prohibit the controller from complying with the BCR, then the group’s EU headquarters or privacy function is simply required to take a “responsible decision” on what action to take and consult with EU data protection authorities if in doubt.

The net result?  Carefully designed BCR provide a globally consistent data management framework that set an expected baseline level of compliance throughout the organization – exceeded only if and when required by local law.

Posted in Accountability, Applicable law, Binding Corporate Rules, Binding Safe Processor Rules

Position of Spain on the General Data Protection Regulation: flexibility, common sense and self-regulation

avatar Posted on March 7th, 2013 by Nuria Pastor

As expectation and concerns rise whilst we wait for the final position of the LIBE committee and the European Parliament on the General Data Protection Regulation (the “Regulation”), the report issued by the Spanish Ministry of Justice on the Regulation (the “Report”) and the recent statements of the Spanish Minister of Justice is music to our ears.

A few weeks ago the Spanish Minister of Justice expressed concern that SMEs could be ‘suffocated’ by the new data protection framework. This concern seems to have inspired some of the amendments suggested in the Report which are designed to make the Regulation more flexible. These include substantive changes to reduce the administrative burdens for organisations with a DPO or for those that have adhered to a certification scheme, and the calculation of fines on profits rather than turnover.

Spain favours a Regulation that relies on self-regulation and accountability, clearly steering away from a restrictive ‘one size fits all’ approach which establishes an onerous (and expensive to comply with) framework . The underlying objective of these proposals seems to be the protection of the SMEs at the core of the Spanish economy. A summary of the Spanish position is provided below:

- Regulation v Directive: there is agreement that a Regulation is the best instrument to standardise data protection within the EU. This is despite the fact that this will cause complications under Spanish Constitutional law.

- Data protection principles: the Report favours the language of the Data Protection Directive (which uses the expression “adequate, relevant and not excessive”) as it allows more flexibility than the language of the Regulation which refers to personal data being “limited to the minimum necessary”. In updating personal data, the Report suggests that this should only be required “whenever necessary” and depending upon its expected use as opposed to the general obligation currently set out by the Regulation.

- Information: the requirement to inform individuals about the period during which personal data will be kept is considered excessive and very difficult to comply with. The Report suggests that this should only be required “whenever it is possible”.

- Consent: the requirement of express consent is seen as too onerous in practice and “properly informed consent” is favoured, the focus being on whether individuals understand the meaning of their actions. The adoption of sector by sector solutions in this context is not ruled out.

- Right to be forgotten: this right is considered paramount but the point is made that a balance has to be found between “theoretical technological possibilities” and “real limitations”. Making an organisation solely responsible for the erasure of personal data which has been disseminated to third parties is regarded as excessive.

- Security incidents: various amendments to the articles that regulate breach notifications are suggested to introduce less stringent requirements to the proposed regime. The suggested amendments remove the duty to notify the controller within 24 hours and also limit the obligation to notify for serious breaches only. Notifications to data subjects are also limited to those that would not have a negative impact on the investigations.

- DPOs: it is proposed that the appointment of DPOs should not be compulsory but should be encouraged by incentives such as the suppression of certain administrative burdens (as referred to below). Organisations without the resources to appoint a DPO may also be encouraged to adopt a “flexible and rigorous” certification policy or scheme. Such certifications would be by sector, revocable and renewable.

- Documentation, impact assessments and prior authorisation: the suggested amendments propose a solution whereby organisations which hold a valid certificate or which have appointed a DPO, would not have to maintain documentation, carry out PIAs or request authorisation to data protection authorities as provided for by Articles 28.2, 33 and 34 of the Regulation respectively.

- International transfers: Spain favours the current system but suggests that this could be made more flexible by only requiring the authorisation of the data protection authority for contractual clauses (which have not been adopted by the Commission or an authority) when the organisation does not have a DPO or a certificate.

- One-stop-shop: this concept is endorsed in general but the Report proposes that where a corporation is established in more than one Member State, the DPA established in the country of residence of an individual complainant should have jurisdiction to deal with the matter. The consistency mechanism would be used to ensure a coherent decision where there were several similar complaints in different countries.

- Sanctions and alternatives: Spain considers that the current system could be improved by providing less stringent alternatives to the imposition of fines. Furthermore, it is proposed that the way in which sanctions are calculated is reviewed on the basis that annual turnover does not equal benefits obtained. This is to avoid the imposition of disproportionate sanctions.

- Technological neutrality: technological neutrality is supported although the Report expresses concerns that such neutrality does not provide for adequate solutions for particular challenges, such as those presented by cloud computing or the transfer of personal data over the Internet.

- Cloud computing: the Report suggests that the Regulation takes this “new reality” into account and suggests the adoption some measures, for example, those aimed at (1) finding a balance between the roles of controllers and processors in order to avoid cloud service providers becoming solely responsible for the processing of personal data; and (2) simplifying the rules on international transfers of personal data; for example, by extending binding corporate rules to the network of sub-processors.

Posted in 95 directive, Accountability, Cloud computing, Consent, Financial penalties, Legislative reform, Right to be forgotten, Sanctions

Do BCR now, not later.

avatar Posted on February 23rd, 2013 by Phil Lee

BCR are a big feature of the Commission’s proposed General Data Protection Regulation.  Previously a regulatory invention (the Article 29 Working Party first established a structure for BCR back in its 2003 paper WP74), the Commission has sought to put BCR on a solid legal footing by expressly recognising them as a solution for data exports under Articles 39 and 40 of the proposed Regulation.  The intent being that, by doing so, all EU Member States will uniformly have to recognise and permit global data transfers using BCR, solving the issue presented today where the national legal or regulatory regimes of one or two Member States inhibit their adoption. 

As if further poof were needed of the Commission’s support for BCR, Commissioner Viviane Reding has even gone so far as to say: “Indeed, I encourage companies of all size to start working on their own binding corporate rules!  Binding corporate rules are an open instrument: They are open to international interoperability. They are open to your innovations. They are open to improve data protection on a global scale, to foster citizens’ trust in the digital economy and unleash the full potential of our Single Market. And more: they are open to go beyond the geographical borders of Europe.

High praise indeed, and certainly Ms. Reding’s description of BCR matches with our own experience helping clients design and implement them.  Clients who implement BCR substantially simplify their global data movemments and embed a culture of respect for privacy that enhances compliance and drives down risk.

What the Regulation will really mean for BCR adoption

But here’s the thing: far from supporting BCR adoption, the Regulation will make authorisation of BCR harder to achieve, and this flies in the face of the Commission’s very express support for BCR.  

Historically, the main barrier to BCR adoption has been the bureacracy, effort and cost entailed in doing so – early BCR adopters tell war stories about their BCR approval process taking years and having to address conflicting requirements of multiple data protection authorities all over Europe.  This burdensome process arose out of a requirement that the BCR applicant needed to have its BCR individually authorised by every data protection authority from whose territory it exported data.

Thankfully, this is an area where huge strides forward have been achieved in recent years, through the implementation of the so-called “mutual recognition” procedure that allows BCR applicants to submit their BCR to a single lead authority;  once the lead authority approves the applicant’s BCR, it then becomes binding across all mutual recognition territories (currently 21 of the 27 EU Member States).  No more trekking around Europe visiting data protection authorities individually then.

Mutual recognition has really lifted BCR out of the dark ages into an age of BCR enlightenment, and has been vital to the upswing in BCR applications all over Europe.  Now, though, the proposed Regulation – despite its intended support for BCR – threatens to actually inhibit their adoption, pushing controllers back to using “check box” solutions like model clauses that provide little in the way of real protection.

Why?  Because under the draft Regulation, any authority wishing to approve BCR must first refer the matter to the European Data Protection Board under the Regulation’s proposed “consistency mechanism” (designed to ensure consistency of decision making by authorities across Europe).  The European Data Protection Board can be thought of as the “Article 29 Working Party Plus”, and comprises the head of each data protection authority across Europe and the Data Protection Supervisor.  In effect, the consistency mechanism necessitates that an applicant’s BCR must once again be tabled before every data protection authority before authoristion can be granted – a step backwards, not forwards.  As the ICO noted in its initial analysis of the Regulation: “It is not entirely clear what would happen if, for example, the UK supervisory authority were to approve a set of binding corporate rules but, once informed of the approval, the EDPB takes issue with it.

To make things worse, it’s not clear how the consistency mechanism will sit with the mutual recognition procedure we have today.  Maybe it will supersede the mutual recognition procedure.  Maybe it will apply in addition.  Or maybe some kind of hybrid process will evolve.  We just don’t know and uncertainty is never a good thing. 

The time for BCR is now

What this means is that while BCR will remain the only realistic solution for multinationals exporting data on a global basis, the process for achieving them once the Regulation comes into effect will become much tougher.  Add to this that the fact that, as a whole, the Regulation will impose stricter data protection standards than exist under the Directive, and BCR applications will attract an even greater level of scrutiny once the Regulation comes into effect than they do today.

So given that there is strong regulatory support for BCR, but that the Regulation will create barriers to adoption, what strategy should multinational conrtollers adopt? 

The answer is simple: do BCR now, not later. 

The process for achieving today BCR is more streamlined than it’s ever been and BCR authorised now will remain in effect once the new Regulation becomes law.   When you look at it like that, why not do BCR now?

Posted in Accountability, Binding Corporate Rules, Legislative reform, Model clauses

How the EU and US approach Cybersecurity – the compliance puzzle for the private sector

avatar Posted on February 14th, 2013 by Stewart Room

A common, though slightly belated, New Year resolution has emerged within the EU and the US; a fully-formed ambition to see greater Cybersecurity across the private sector. In the EU, this is signified by the Draft Cybersecurity Directive. In the US, it’s the President Obama Cybersecurity Executive Order. While the details and tools of regulation differ, there isn’t a cigarette-paper’s width between them on the motives for regulation and the core objectives of Cybersecurity law making. Both agendas were published this month, just four days apart, and they herald the beginnings of a very challenging new compliance puzzle for a wide range of private sectors actors, if they underpin economic stability and societal well-being.

Before considering the detail of the two approaches, its worth remembering the wider context within which they sit. Cybersecurity has been one of the hottest political topics of recent years. It has been rammed up the agenda by a combination of hundreds of high profile cyber incidents, sometimes extreme rhetoric from “opinion formers”, a lot of political grandstanding, and bucket loads of fear mongering, often from people who have solutions to sell. Occasionally the language has been regrettable, with concepts like “Cyber Armageddon” and the UK government’s rating of Cybersecurity being a greater threat than Nuclear weapons (within the UK Cyber Security Strategy) being cases in point. Yet, between the FUD there is truly a very real problem here. Cybersecurity is an incredibly serious problem for societies like our’s whose reliance on electronic communications networks and services is total. Neelie Kroes, the EU Commissioner behind the Directive, and President Obama, speak the truth when they say that the threats to Cybersecurity could cause us very grave damage.

This contextual view leads to only one conclusion; regardless of the overstatements and the hyperbole, new Cybersecurity law making is necessary and the trajectory for many businesses is one where wholesale operational change will be necessary.

Yet, a person new to this topic may think after reading the Directive and the Order that the EU and US are not as aligned as my opening seeks to suggest. A reader in the private sector could suggest that on the face of the Order there isn’t much for them to worry about. I mean, President Obama isn’t actually saying that his vision is one of Cybersecurity lawmaking for bigCos.

That observation is fair as far as it goes, but the President lays many clues for those who want to spot them. In his speech launching the Order, he referred expressly to the financial system as being under threat. The Order talks about the economy. There is more than enough there to say with supreme confidence that the US has chartered exactly the same course as the EU, as far as the private sector is concerned. To borrow a phrase from one of President Obama’s predecessors, “it’s the economy, stupid” and so it’s obvious where the President’s priorities lie. The US has to protect the key platforms that support business because the economy rests on them and much of this is in the private sector. Period.

This will be borne out soon enough, because the Secretary of Homeland Security has been charged with a Presidential task to identify critical infrastructures that need to be protected for, cyber threats. This task, which needs to be completed within 150 days, cannot avoid identifying critical infrastructures in the private sector.

However, the US approach to regulation will be one that builds more on cajoling than coercion, in stark contrast to the EU approach. This reflects political differences just as much as cultural and legal differences and viewing US matters from this size of the pond it’s clear that the President will always have to be cautious in his approach and how he presents things, seeing how the US political system is so split. So, the Order talks about consultations, voluntary frameworks, rather than “you must do this”. But however they get there, our US cousins are on the same path as us Europeans.

This is not to say that the EU will not promote consultation processes, industry working groups, the creation of public sector – private sector “partnerships”, and other positive engagements with business, which are the meat and drink of the Presidential Order, but the EU’s overwhelming preference is always regulation with a slap; as far as the EU is concerned why give a friendly tickle when a punch in the mouth will do?

So, what we see within the Directive is the standard EU approach to regulation; the EU prescribes its objectives and then commands the Member States to deliver. The natural result is that rather than dancing around the issue, the Directive names key parts of the private sector as being a compulsory focus of regulation. If President Obama is ballet dancer, the EU is a headbanger. The Directive is as subtle as a brick. All “market operators” are being ordered to “up” their Cybersecurity, which includes ecommerce platforms, internet payment gateways, cloud services, app stores, search engines, social networks and the financial and payment services sector, namely banking and credit institutions and financial market infrastructures, including stock exchanges and central counterparty clearing houses. And if they fail to be cybersecure they will have to disclose security breaches and take the regulatory pain that will be metered out. At all times they will be overseen by a watchdog, who will feel overwhelming pressure to be tough on failure.

There is a complex compliance puzzle here. For multi-nationals, they will have to cope with different regulatory styles, that is a given and it can be very unhelpful, yet this is not an uncommon problem and people will adjust. The greater problem is the nature of organisational change that will be required to deliver legal compliance. Presently, Cybersecurity is a silo’d operational function, where most of the corporate intelligence is contained in individuals’ minds, rather than written down on paper. The cybersecurity function will be concerned more about delivering patching, monitoring its dashboards and so on, rather than creating an organisational structure that is capable of demonstrating legal compliance to a regulatory mind. The means by which the adjustment from an operational function to a legal compliance function can be properly managed is probably the greatest puzzle that the Directive and the Order present.

Posted in Accountability, Legislative reform

European Parliament’s take on the Regulation: Stricter, thicker and tougher

avatar Posted on January 9th, 2013 by Eduardo Ustaran

 

If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years to previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.

 

Posted in 95 directive, Accountability, Applicable law, Binding Corporate Rules, Consent, Financial penalties, Legislative reform, Privacy by design, Profiling, Right to be forgotten, Sanctions

Privacy’s greatest threat and how to overcome it

avatar Posted on October 22nd, 2012 by Phil Lee

After some erroneous newspaper reports in 1897 that he had passed away, Mark Twain famously said that the reports of his death were greatly exaggerated.  The same might also be said of privacy.  Scott G. McNealy, former CEO of Sun Microsystems, reportedly once said “You already have zero privacy. Get over it.“.  However, if last week’s IAPP Privacy Academy in San Jose was anything to go by, privacy is very much alive and kicking.

It’s easy to understand why concerns about the death of privacy arise though.  Today’s data generation, processing and exploitation is simply vast – way beyond a level any of us could meaningfully hope to comprehend or, dare I suggest, control.  The real danger to privacy though is not the scale of data processing that goes on – that’s simply a reality of living in a modern day, technology-enabled, society; a Pandora’s box that, now opened, cannot now be closed.  Instead, the real danger to privacy is excessive and unrealistic regulation.

Better regulation drives better compliance

From many years of working in privacy, it’s been my experience that most businesses work hard to be compliant.  Naturally, there are outliers, but these few cases should not drive the regulation that determines how the majority conduct their business.  It’s also been my experience that compliance is most often achieved where the standards applied by legislators and regulators are accurate, proportionate and not excessive – the same standards they expect our controllers to apply when processing personal data.  In other words, legislation and regulation drives the best behaviour when it is achievable.

By contrast, excessive, disproportionate regulation that does not accurately reflect the way that technology works or recognise the societal benefits that data processing can deliver often brings about the opposite effect.  By making compliance impossible, or at least, disproportionately burdensome to achieve, businesses, unsurprisingly, often find themselves falling short of expected regulatory standards – in many cases, wholly unintentionally.

The recent “cookie law” is a good example of this: a law that, though well-intentioned, is effectively seen as regulating a technology (cookies) rather than a purpose (tracking), leading to widespread confusion about the standards that apply and – let’s be honest – non-compliance currently on an unprecedented scale throughout the EU.

Why the Regulation mustn’t make the same mistake

In its current form, the proposed General Data Protection Regulation also runs this risk.  The reform of Europe’s data protection laws is a golden, once-in-a-generation opportunity to re-visit how we do privacy and build a better, more robust framework that fosters new technologies and business innovation, while still protecting against unwarranted privacy intrusions and harm.

But instead of focussing on the “what”, the legislation focuses too much on the “how”: rather than looking to the outputs we should strive to achieve (namely, ensuring that ever-evolving technologies do not make unwarranted intrusions into our private lives) the draft legislation instead mandates excessive accountability standards that do not take proper account of context or actual likelihood of harm.

For example:

*  How, exactly, does an online business ensure that its processing of child data is predicated only on parental or guardian consent (Article 8)?  My prediction: many websites will build meaningless terms into their website privacy policies that children must not use the site – delivering no “real” protection in practice.

*  Why is it necessary for an organisation transferring data internationally to inform individuals “on the level of protection afforded by that third country … by reference to an adequacy decision of the Commission” (Article 14)? Do data subjects really care where their data goes and whether the Commission has made an adequacy decision – or do they just want assurance that their data will be used for legitimate purposes and at all times kept safe and secure, wherever it is?  How does this work in a technology environment that is increasingly shifting to the cloud?

*  Why should controllers be required to provide data portability to data subjects in an “electronic and structured format which is commonly used” (Article 18)?  Surely confidentiality and data security is best achieved through the use of proprietary systems whose technology is not “commonly used”, therefore less understood and vulnerable to external attack?  Are we legislating for a future of security weakness?

*  Why should data controllers and processors maintain such extensive levels of data processing documentation (Article 28)?  How will smaller businesses cope with this burden?  Yes, an exemption applies for businesses employing less than 250 persons but only if their data processing is “ancillary” to the main business activities – immediately ruling out most technology start-ups.

*  And how can we still, in this day and age, operate on a misguided assumption that model contracts provide a sound basis for protecting international exports of data (Article 42)?  Wouldn’t it make more sense to require controllers to make their own adequacy assessment and to hold them to account if they fall short of the mark?

Make your voice heard!

For the past 17 years, the European Union has been a standard-bearer in operating an effective legal and regulatory framework for privacy.  That framework is now showing its age and, if not reformed in a way that understands, respects and addresses the range of different (and competing) stakeholder interests, risks being ruinous to the privacy advancements Europe has achieved to date.

The good news is that reforming an entire European legal framework doesn’t happen overnight, and the process through to approval and adoption of the General Data Protection Regulation is a long one.  While formal consultation periods are now closed, there remain many opportunities to get involved in reform discussions through legislative and regulatory liaisons at both a European and national level.

To make their voices heard, businesses throughout the data processing spectrum must seize this opportunity to get involved.  Only through informed dialogue with stakeholders can Europe hope to output technology-neutral, proportionate legislation that delivers meaningful data protection in practice.  If it does this, then Europe stands the best chance of remaining a standard-bearer for privacy for the next 17 years too.

Posted in 95 directive, Accountability, Children Privacy, Cloud computing, Cookie rule

Privacy in the global village

avatar Posted on September 4th, 2012 by Eduardo Ustaran

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, here is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable, to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

 
This article was first published in Data Protection Law & Policy in August 2012.

Posted in Accountability, Binding Corporate Rules, Binding Safe Processor Rules, Breach Disclosure, Direct marketing, Financial penalties, Privacy professionals, Sanctions

Why the Big Buzz about Big Data?

avatar Posted on June 29th, 2012 by Phil Lee

Another year, another buzz word, and this time around it’s “Big Data” that’s getting everyone’s attention. But what exactly is Big Data, and why is everyone – commercial organisations, regulators and lawyers – so excited about it?

Put simply, the term Big Data refers to datasets that are very, very large – so large that, traditionally, supercomputers would ordinarily have been required to process them. But, with the irrepressible evolution of technology, falling computing costs, and scalable, distributed data processing models (think cloud computing) Big Data processing is increasingly within the capability of most commercial and research organisations.

In its oft-quoted article “The Data Deluge”, the Economist reports that “Everywhere you look, the quantity of information in the world is soaring. According to one estimate, mankind created 150 exabytes (billion gigabytes) of data in 2005. [In 2010], it will create 1,200 exabytes.“  Let’s put that in perspective – 1,200 exabytes is 1,200,000,000,000 gigabytes of data. A typical Blu-Ray disc can hold 25 gigabytes – so 1,200 exabytes is about the equivalent of about 48 billion Blu-Ray discs. Estimating your typical Blu-Ray movie at about 2 hours long (excluding special features and the like), then there’s at least 96 billion hours of viewing time there, or about 146,000 human life times.  OK, this is a slightly fatuous example, but you get my point – and bear in mind that global data is growing year-on-year at an exponential rate so these figures are already well out of date.

Much of this Big Data will be highly personal to us: think about the value of the data we all put “out there” when we shop online or post status updates, photos and other content through our various social networking accounts (I have at least 5). And don’t forget the search terms we post when we use our favourite search engines, or the data we generate when using mobile – particularly location-enabled – services. Imagine how organisations, if they had access to all this information, could use it to better advertise their products and services, roadmap product development to take account of shifting consumer patterns, spot and respond to potentially-brand damaging viral complaints – ultimately, keep their customers happier and improve their revenues.

The potential benefits of Big Data are vast and, as yet, still largely unrealised. It goes against the grain of any privacy professional to admit that there are societal advantages to data maximisation, but it would be disingenuous to deny this. Peter Fleischer, Google’s Privacy Counsel, expressed it very eloquently on his blog when he wrote “I’m sure that more and more data will be shared and published, sometimes openly to the Web, and sometimes privately to a community of friends or family. But the trend is clear. Most of the sharing will be utterly boring: nope, I don’t care what you had for breakfast today. But what is boring individually can be fascinating in crowd-sourcing terms, as big data analysis discovers ever more insights into human nature, health, and economics from mountains of seemingly banal data bits. We already know that some data sets hold vast information, but we’ve barely begun to know how to read them yet, like genomes. Data holds massive knowledge and value, even, perhaps especially, when we do not yet know how to read it. Maybe it’s a mistake to try to minimize data generation and retention. Maybe the privacy community’s shibboleth of data deletion is a crime against science, in ways that we don’t even understand yet.” (You can access Peter’s blog “Privacy…?” here.)

This quote raises the interesting question of whether the compilation and analysis of Big Data sets should really be considered personal data processing. Of course, many of the individual records within commercial Big Data sets will be personal – but the true value of Big Data processing is often (though not always) in the aggregate trends and patterns they reveal – less about predicting any one individual’s behaviours, reactions and preferences, and more about understanding the global picture. Perhaps its time that we stop thinking of privacy in terms of merely collecting data, and look more to the intrusiveness (or otherwise) of the purposes to which our data are put?

This is perhaps something for a wider, philosophical debate about the pros and cons of Big Data, and I wouldn’t claim to have the answers. What I can say, though, is that Big Data faces some big issues under data protection law as it stands today, not least in terms of data protection principles that mandate user notice and choice, purpose limitation, data minimisation, data retention and – of course – data exports. These are not issues that will go away under the new General Data Protection Regulation which, as if to gear itself up for a fight with Big Data proponents, further bolsters transparency, consent and data minimisation principles, while also proposing a new, highly controversial ‘right to be forgotten’.

So what can and should Big Data collectors do for now? Fundamentally, accountability for the data you collect and process will be key. Your data subjects need to understand how their data will be used, both at the individual and the Big Data level, to feel in control of this and to be comforted that their data won’t be used in ways that sit outside their reasonable expectations of privacy. This is not just a matter of external facing privacy policies, but also a matter of carefully-constructed internal policies that impose sensible checks and balances on the organisation’s use of data. It’s also about adopting Privacy Impact Assessments as a matter of organisational culture to identify and address risks whenever using Big Data analysis for new or exciting reasons.

Big Data is, and should be, the future of data processing, and our laws should not prevent this. But, equally, organisations need to be careful that they do not see the Big Data age as a free for all hunting season on user data that invades personal privacy and control. Big issues for Big Data indeed.

Posted in 95 directive, Accountability, Cloud computing, Data minimisation, Right to be forgotten, Targeted advertising

« Older Entries