
2013 a big year for privacy? You ain’t seen nothing yet!

Posted on December 31st, 2013

If you thought that 2013 was a big year for privacy, then prepare yourself: it was only the beginning.  Many of the privacy stories whose winding narratives began in 2013 will continue to take unexpected twists and turns throughout 2014, with several poised to reach dramatic conclusions – or otherwise spawn spin-offs and sequels.

Here are just a few of the stories likely to dominate the privacy headlines in 2014:

1.  EU data protection reform:  The Commission’s draft General Data Protection Regulation arrived with a bang in January 2012, proposing fines of up to 2% of global turnover for data protection breaches, a 24-hour data breach notification regime, and a controversial new right for individuals to have their data “forgotten” from the Internet, among many other things.  Heated debate about the pros and cons of these reforms continued into 2013, with the European Parliament’s LIBE Committee only voting on and publishing its position on the draft Regulation in October 2013 (missing two earlier deadlines).  All eyes then turned to the Council, expecting it to put forward its position on the draft Regulation sometime in December, only to discover that it had gotten hung up on the “one stop shop” principle and made little real progress at all.  With the original goal being to adopt the new Regulation before the European Parliamentary elections in May 2014, a real question mark now hangs over whether Europe will achieve this deadline – and what will happen if it doesn’t.

2.  NSA surveillance:  The biggest privacy story – if not the biggest news story – of 2013 concerned the leaks of classified documents from the US National Security Agency by its contractor, Edward Snowden.  The leaks revealed that the NSA had been collecting Internet users’ communications data, content as well as metadata, both from the servers of leading technology companies and from the cables that carry our Internet communications around the world.  This story has had a profound effect in terms of raising individuals’ privacy awareness worldwide, impacting global political and trade relationships, and adding impetus to the European Union’s regulatory reform agenda.  With the Guardian newspaper recently declaring that it has so far revealed only about 1% of the materials Snowden has disclosed to it – and British television broadcasting an “alternative” Christmas message from Snowden on “Why privacy matters” – it’s safe to say that this is a story that will continue to headline throughout 2014, prompting the global privacy community to contemplate perhaps the most fundamental privacy question of all: to what extent, if at all, will we trade personal privacy in the interests of global security?

3.  Safe harbor: Regulators across several European territories have, for many years now, been grumbling about the “adequacy” of the EU/US safe harbor regime as a basis for exporting data from the European Union to the US.  The Snowden revelations have further fuelled this fire, ultimately leading to the European Commission publishing a set of 13 recommendations for restoring trust in safe harbor.  The Commission has set the US Department of Commerce an ambitious deadline of summer 2014 to address these recommendations – and raised the “nuclear” prospect that it may even suspend safe harbor if this does not happen.  With some 3,000+ US companies currently relying on safe harbor for their EU data exports, many US-led corporations will be watching this story very closely – and would be well-advised to begin contingency planning now…

4.  New technologies:  Ever-evolving technologies will continue to challenge traditional notions of data privacy throughout 2014.  In the past year alone, Big Data has bumped heads with the concepts of purpose limitation and data minimisation, the Internet of Things has highlighted the shortcomings of user consent in an everything-connected world, and the exponential growth of cloud technologies continues to demonstrate the absurdity of extra-EEA data export restrictions and their attendant solutions (Do model clauses really provide adequate protection? Tsch.)  Quite aside from the issues presented by technologies like Google Glass and iPhone fingerprint recognition, who can say what other new devices, platforms and services we’ll see in 2014 – and how these will challenge the global privacy community to get creative and adapt accordingly.

5.  Global interoperability:  As at year end, there are close to 100 countries with data protection laws on their statute books, with new privacy laws either coming into effect or getting adopted in countries like Mexico, Australia and South Africa throughout 2013.  And there are still many more countries with data privacy bills under discussion or with new laws coming into effect throughout 2014 (Singapore being one example).  Legislators around the world are waking up to the need to adopt new statutory frameworks (or to reform existing ones) to respect individuals’ privacy – both in the interests of protecting their citizens but also, with the digital economy becoming ever more important, in order not to lose out to businesses looking for ‘safe’ countries to house their data processing operations.  All these new laws will continue to raise challenges in terms of global interoperability – how does an organization spread across multiple international territories comply with its manifold, and often varied, legal obligations while at the same time adopting globally consistent data protection policies, managed with limited internal resources?

6.  Coordinated enforcement:  In 2013, we’ve seen the first real example of cross-border privacy enforcement, with six data protection authorities (led by the CNIL) taking coordinated enforcement action against Google over the launch of its consolidated privacy policy across its various service lines.  Given the limited national deterrents available to regulators in many territories (some cannot impose fines, while others can impose only limited fines) and the continuing discussion about the need for “one stop shop” enforcement under the proposed General Data Protection Regulation, it seems likely that we’ll see more cooperation and coordinated enforcement by data protection authorities in 2014 and beyond.

2013 was undoubtedly an exciting year for data privacy, but 2014 promises so much more.  It won’t be enough for the privacy community just to know the law – each of us must become a privacy strategist if we are to do proper justice to the business and consumer stakeholders we represent.  We have exciting times ahead.

Happy New Year everyone!

EU Parliament delivers – The world awaits

Posted on October 21st, 2013

They said it couldn’t be done. A draconian initial text and 4,000 suggested amendments to digest made the task so difficult that many experts had already given up hope. However, today the European Parliament’s LIBE Committee has silenced many sceptical voices by approving a draft Data Protection Regulation which aims to replace the ageing 1995 EU data protection directive.

The job is by no means completed. Now the Council of the EU (which shares the EU legislative power with the Parliament) has to deliver its own draft and provide the Member States’ contribution to this crucial process.

In the meantime, here are what I see as key highlights of the text approved by Parliament:

* The EU Parliament has considerably softened its original uber-strict approach and that should be welcomed because it makes the law more realistically applicable in practice.

* However, the complexity of the Commission’s proposal is retained and even expanded in some cases. For example, the one stop shop concept is now less clear cut and therefore, less likely to work.

* The EU Parliament wants to introduce a standardised format for privacy notices using icons. This is a brave move. The approach suggested is slightly dogmatic but the idea is a good one.

* The provisions on profiling remain but in a more reasonable format. This will continue to be a key area of debate over the coming months.

* There is a new emphasis on periodic (two-yearly) compliance reviews, which together with the appointment of compulsory data protection officers will make legal compliance significantly more onerous.

* Disappointingly, there still are very unrealistic limitations on international data transfers, which are particularly onerous when made to non-EU public authorities. As predicted, the NSA revelations have distorted this issue and it will take a lot of work to untangle this.

* Finally, the massive fines of up to EUR 100,000,000 or 5% of annual turnover seem to be designed to send a clear signal out there about how serious this stuff is.

In summary, I don’t think the Parliament’s draft is entirely workable as it stands, but with the adoption of this text we are closer to having a modern EU data protection framework than ever before.

Incentivising compliance through tangible benefits

Posted on September 29th, 2013

The secret of compliance is motivation. That motivation does not normally come from the pleasure and certainty derived from ticking all possible boxes on a compliance checklist. Although, having said that, I have come across sufficiently self-disciplined individuals who seem to make a virtue out of achieving the highest degree of data privacy compliance within their organisations. However, this is quite exceptional. In truth, it is very difficult for any organisation – big or small, in the private or public sector – to get its act together simply out of fear of non-compliance with the law. Putting effective policies and procedures in place is never the result of a sheer drive to avoid regulatory punishment. Successful legal compliance is, more often than not, the result of presenting dry and costly legal obligations as something else. In particular, something that provides tangible benefits.

The fact that personal information is a valuable asset is demonstrated daily. Publicly quoted corporate powerhouses whose business model is entirely dependent on people’s data evidence the present. Innovative and fast growing businesses in the tech, digital media, data analytics, life sciences and several other sectors show us the future. In all cases, the consistent message coming not just from boardrooms, but from users, customers and investors, is that data fuels success and opportunity. Needless to say, most of that data is linked to each of us as individuals and, therefore, its use has implications in one way or another for our privacy. So, when looked at from the point of view of an organisation which wishes to exploit that data, regulating data privacy equates to regulating the exploitation of an asset.

The term ‘exploitation’ instinctively brings to mind negative connotations. When talking about personal information, whose protection – as is well known – is regarded as a fundamental human right in the EU, the term exploitation is especially problematic. The insinuation that something of such an elevated legal rank is being indiscriminately used to someone’s advantage makes everyone feel uncomfortable. But what about the other meaning of the word? Exploitation is also about making good use of something by harnessing its value. Many responsible and successful businesses, governments and non-profit organisations look at exploiting their assets as a route to sustainability and growth. Exploiting personal information does not need to be negative and, in fact, greater financial profits and popular support – and ultimately, success – will come from responsible, but effective ways of leveraging that asset.

For that reason, it is possible to argue that the most effective way of regulating the exploitation of data as an asset is to prove that responsible exploitation brings benefits that organisations can relate to. In other words, policy making in the privacy sphere should emphasise the business and social benefits – for the private and public sector respectively – of achieving the right level of legal compliance. The rest is likely to follow much more easily and all types of organisations – commercial or otherwise – will endeavour to make the right decisions about the data they collect, use and share. Right for their shareholders, but also for their customers, voters and citizens. The message for policy makers is simple: bring compliance with the law closer to the tangible benefits that motivate decision makers.

This article was first published in Data Protection Law & Policy in September 2013 and is an extract from Eduardo Ustaran’s forthcoming book The Future of Privacy, which is due to be published in November 2013.

Privacy in the global village

Posted on September 4th, 2012

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spotting trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, this is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best to protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

This article was first published in Data Protection Law & Policy in August 2012.

The future of privacy

Posted on May 31st, 2012

Not that long ago, reading this article (let alone writing it) would have been regarded as nerdy.  Data protection used to be seen as arcane and irrelevant to businesses and ordinary people.  Introducing yourself as a data protection lawyer or a privacy professional was a recipe for embarrassment and a sure way of getting some funny looks.  However, at some point, something suddenly changed.  What was wacky is now cool, and what seemed like an obscure legal discipline with funny jargon and odd rules has become a critical consideration for business and government.  What happened?  What was the event that radically altered our perception of the importance of personal information for the world’s prosperity?  The crucial catalyst was in fact a combination of three factors that will also shape the future of privacy and data protection going forward.

The first one is the most obvious of all because it has permeated our lives to such a degree that we can no longer live without it.  Remember life before e-mail, mobile phones, the Internet, search engines, CCTV cameras, biometric passports, chip & pin, apps and cookies?  The evolution of technology has been the primary contributor to the growing importance of data protection, as digitalisation has led to a never ending, yet not always visible, churn of personal data.  The second one has been the realisation that personal data is a very valuable asset.  Some examples: last year, Google’s turnover was nearly $38bn, LinkedIn doubled the value of its shares on the day it floated on the stock exchange, and Facebook’s IPO reportedly created 1,000 millionaires overnight.  What these businesses have in common, in addition to being amazing success stories of the post-dotcom boom, is that their success is based on the power and value of personal information.  The third critical factor is none other than the reality of data globalisation: the fact that geographical distance and cultural barriers have become almost negligible for the exploitation of data.

These three factors have thrown into the air many existing preconceptions and turned legal conundrums into business critical issues.  Getting the right answer to which law applies or who is in control of the information generated by our daily use of global interconnecting technologies has massive practical implications.  Some will be purely financial and others political, but their significance has not gone unnoticed.  Even the very thing at the centre of the legal debate – ascertaining what is and what isn’t personal data – has become an issue of great economic impact for businesses across all industry sectors, from technology to financial services and from retail to life sciences.  As an overarching theme, the question of how to ensure global compliance with maximum effectiveness and minimum cost has suddenly focused the minds of business leaders and politicians.

But having got to this place, the question that we now need to address is this: what happens next?  Or in other words: what is the future of privacy and data protection?  For policy makers and data reliant businesses alike the answer to that question lies in addressing the three issues that have so radically changed things.  Regulating and managing the evolution of technology necessarily involves understanding technology.  That means that a likely component of tomorrow’s privacy regulation will be about explaining technology in a way that lets its users understand what is likely to happen to the personal information generated by their use of that technology.  This is transparency 2.0 and, from a compliance perspective, collecting and using data will entail making the impenetrable world of new technologies understandable to everyone.  But beyond pure transparency, something that no legal regime has addressed to date but that will form part of the legal obligations of the future is the provision of value.  When a government or a business asks a citizen or customer for their personal information, it will only be fair to give that person something back or to share with individuals part of the value extracted from their data.  That would certainly be a much better way of getting the control balance right than seeking an empty and meaningless consent.

One remaining challenge is the international nature of data flows and information exploitation.  Data protection will never be a local issue again.  Data is no longer transferred from A to B.  Geographically speaking, where data actually is in an interconnected world is completely irrelevant, because data is ever accessible from everywhere.  Law and practice will have to come to terms with that.  Overcoming the legal limitations affecting international data transfers has always been a difficult challenge because, even in the old days, data was pretty fluid.  Today’s and tomorrow’s data globalisation needs a completely different approach which focuses on mutual recognition of rules, regulatory collaboration and incentives to do the right thing.

This article was first published in issue number 100 of Data Protection Law & Policy in May 2012.

Have your say on the draft Data Protection Regulation

Posted on February 8th, 2012

Is a fine of up to 2% of annual worldwide turnover too big? Is it possible to report data breaches within 24 hours?

The Ministry of Justice has opened a call for evidence on the European Commission’s draft General Data Protection Regulation. The information obtained from the four-week long evidence gathering exercise will be used to help inform the Government’s negotiating position on the Regulation.

The call for evidence itself is wide-ranging and comments are requested on:

- the potential consequences of the Regulation on the processing of personal data;

- the likely benefits to individuals and the effect on their data protection rights;

- the extent to which the proposal builds “trust in the online environment”; and

- the impact of the proposal on economic growth.

Stressing the need for responses to include “quantifiable costs and benefits” and “real life examples”, the Ministry of Justice appears receptive and keen to hear views on the proposed Regulation.

To make the most of this opportunity, we suggest that you review the draft Regulation in the context of your industry and think about how the rights and obligations it creates will apply to your business. For example, how will an individual’s ‘right to be forgotten’ sit with the way that your sector uses personal data? Will the changes regarding the use of data processors affect the way that you operate? We can of course help you decode the Regulation and consider how it may apply – we also recognise from our own experience working on the Regulation that the challenge for business will be in framing a response which clearly sets out its impact.

Although time is short (there is a four week window) in which to delve through the Regulation and draft an effective response to the call for evidence, the willingness on the part of the Ministry of Justice to engage with stakeholders suggests that it will be worth it. Given the scale of the proposed changes and on the premise that if ‘you don’t ask, you don’t get’, the call for evidence offers interested parties a valuable opportunity to engage with, and help shape the future of data protection both in Europe and, if the current draft Regulation is anything to go by, worldwide!

The call for evidence closes on either 4 March 2012 (according to the Call for Evidence paper itself) or 6 March 2012 (the date provided on the Justice website). Further information, including the call for evidence questionnaire can be found at

Unlocking the value of data

Posted on April 28th, 2011

According to the World Economic Forum, personal data will continue to increase dramatically in both quantity and diversity, and has the potential to unlock significant economic and societal value for end users, private firms and public organisations alike. This statement by the Swiss organisation behind the prestigious annual Davos meeting summarises its stance on the issue of personal information as an asset. Let’s forget for a second the idea of data protection as a fundamental right and look at it as a tool to maximise the economic and societal value of data. Perhaps the big thinkers at the Forum are on to something.

Earlier this year, the World Economic Forum published a paper called “Personal Data: The emergence of a new asset class” which looked at the current personal data ecosystem and suggested a number of actions aimed at making the most of it. The Forum’s premise is that the full potential of data lies in creating equilibrium among the various stakeholders influencing the personal data ecosystem. In other words, a lack of balance between stakeholder interests – business, government and individuals – can destabilise the personal data ecosystem in a way that erodes rather than creates value. Therefore, the paper explains that to achieve this balance, positive steps are needed across five distinctive areas.

The first one is innovation around user-centricity and trust. The idea is that personal data should be shared in a way that allows all stakeholders to trust the integrity and safety of the data. According to the Forum, offering more transparency on how personal data is used and educating users on the benefits of trust will significantly strengthen trust among all stakeholders. In practical terms, the key action to achieve this is to integrate data protection principles into the development of new services and platforms through the concept of privacy by design.

The second area is not a new one for those involved in legal compliance – the divergence in regulatory frameworks and the establishment of global principles. Privacy-related laws differ significantly across jurisdictions with different cultural, political and historical contexts. This has a number of downsides, including the increased costs associated with compliance. Therefore, although the Forum acknowledges that it is unrealistic to hope to develop globally accepted standards and frameworks while national and regional versions are still in significant flux, establishing an international dialogue will allow for more rapid harmonisation.

This is linked to the third area – the need to strengthen the dialogue between regulators and the private sector. Whilst self-regulation in the area of personal information protection may not be the answer, it is important that regulatory authorities are made fully aware of the technological advances so that they can adopt 21st century digital policies. This is absolutely critical in the European Union at a time when the regulatory framework is under review.

The fourth area focuses on a technological aspect – the need for interoperability and open standards. The reason for this is simple. If the highest potential for economic and societal value creation lies in the aggregation of different personal data types, the implication is obvious: data should be portable. To enable the seamless sharing of personal data across organisational borders, the Forum lists the following technical requirements: common communication standards and system architectures, accepted personal data terms and definitions, and standard interface design specifications.

The final area highlights the dynamic nature of this issue. For the Forum, it is crucial that stakeholders continuously share knowledge. Interestingly, the key component in this knowledge sharing exercise will be a central gatekeeper within each organisation who actively contributes to the personal data dialogue. That person’s competence would not only include privacy, but also encompass a business development and strategic perspective. And that is precisely the essence of the World Economic Forum’s thinking around personal data. Unlocking the value of personal data is about balancing privacy and economic development so that everyone, absolutely everyone, can win.

This article was first published in Data Protection Law & Policy in April 2011.