The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Google Spain Decision – July 2 Discussion

On Wednesday, July 2, PRIS and the Media and Technology committees will host a dial-in to discuss the recent Google Spain “right to be forgotten” case. Please join an expert EU-based panel to learn more about this landmark case and its implications for internet platforms going forward.

When: July 2 at noon ET.

Who: Mark Stephens, UK media law barrister; Professor Judith Rauhofer, privacy scholar; Professor Steve Peers, EU law scholar.

Link to Register: http://www.americanbar.org/content/dam/aba/marketing/20140702_at140702.authcheckdam.pdf

Please feel free to direct any questions – before, during, or after the call – to Gail Slater at lgslater@comcast.net. Thanks.


Privacy and Data Protection Impacting on International Trade Talks

European Commission

The European Union and the United States are currently negotiating a broad compact on trade called the Transatlantic Trade and Investment Partnership (“TTIP”). While the negotiations themselves are non-public, among the issues that are reported to be potential obstacles to agreement are privacy and data protection. Not only does the European Union mandate a much stronger set of data protection and privacy laws for its member states than exist in the United States, but recent revelations of U.S. surveillance practices (including of European leaders) have highlighted the legal and cultural divide.

In an October 29, 2013 speech in Washington, D.C., Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, emphasized that Europe would not put its more stringent privacy rules at risk of weakening as part of the TTIP negotiations. She said in part,

Friends and partners do not spy on each other. Friends and partners talk and negotiate. For ambitious and complex negotiations to succeed there needs to be trust among the negotiating partners. That is why I am here in Washington: to help rebuild trust.

You are aware of the deep concerns that recent developments concerning intelligence issues have raised among European citizens. They have unfortunately shaken and damaged our relationship.

The close relationship between Europe and the USA is of utmost value. And like any partnership, it must be based on respect and trust. Spying certainly does not lead to trust. That is why it is urgent and essential that our partners take clear action to rebuild trust….

The relations between Europe and the US run very deep, both economically and politically. Our partnership has not fallen from the sky. It is the most successful commercial partnership the world has ever seen. The energy it injects into our economies is measured in millions, billions and trillions – of jobs, trade and investment flows. The Transatlantic Trade and Investment Partnership could improve the figures and take them to new highs.

But getting there will not be easy. There are challenges to get it done and there are issues that will easily derail it. One such issue is data and the protection of personal data.

This is an important issue in Europe because data protection is a fundamental right. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society.

This is why I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable….

Beyond the TTIP talks, the divergence between European and U.S. privacy practices is putting new pressure on an existing legal framework, the Safe Harbor that was adopted after the enactment of the EU Data Protection Directive. A number of EU committees and political groups are either criticizing or recommending revocation of the Safe Harbor, a development that could significantly change the risk management calculus for the numerous companies which move personal information between the United States and Europe.



New European Union Regulation about Notification of Personal Data Breaches Enters into Force

A new European Union Regulation applicable to the notification of personal data breaches entered into force on Sunday, August 25.

The Regulation is part of the effort to address the issue identified in article 35 of the Digital Agenda for Europe, to give guidance for implementing a new Telecoms Framework to better protect individuals’ privacy and personal data.

To do so, Directive 2009/136/EC of November 25, 2009 had amended Directive 2002/22/EC, the ePrivacy Directive, and had directed the Member States to add to their laws and regulations, by May 25, 2011, a duty for publicly available electronic communications service providers (ECPs) to report personal data breaches.

A Duty to Report Personal Data Breaches Under Directive 2009/136/EC

Under the modified ePrivacy Directive, ECPs, such as telecoms operators and Internet service providers must, “without undue delay,” notify their national authorities of any personal data breach.

Article 2(i) of the modified ePrivacy Directive defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”

Under article 4 of the modified ePrivacy Directive, ECPs must notify individuals of the breach “without undue delay” if it is “likely to adversely affect [their] personal data or privacy,” unless the ECP affected by the breach can demonstrate to its national authority that it has implemented ”appropriate technological protection measures.”

A Regulation to Ensure Consistency in Implementing the Modified ePrivacy Directive

A Directive is not directly enforceable in the 28 Member States, but, instead, sets the goals to be achieved and leaves Member States the choice on how to implement these goals in their national systems. Therefore, there is always a risk that the 28 different ways to implement a particular Directive lead to some inconsistencies.

In order to ensure consistency in the implementation of these new data breach notification measures, article 4(5) of the modified ePrivacy Directive gave the EU Commission the power to adopt technical implementing measures.

This is why the Commission published a Regulation on June 24, 2013. Unlike a Directive, a Regulation is directly applicable in all Member States, and thus ensures that the law is the same in all the Member States.

Notification of Personal Data Breaches to the National Authorities

Article 1 of the Regulation defines its scope as notification by ECPs of personal data breaches. Annex 1 of the Regulation details the content of what must be notified to the national authority, divided in two sections:

Section 1

Identification of the provider

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Whether it concerns a first or second notification

Initial information on the personal data breach (for completion in later notifications, where applicable)

4. Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident

5. Circumstances of the personal data breach (e.g. loss, theft, copying)

6. Nature and content of the personal data concerned

7. Technical and organizational measures applied (or to be applied) by the provider to the affected personal data

8. Relevant use of other providers (where applicable)

Section 2

Further information on the personal data breach

9. Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved):

10. Number of subscribers or individuals concerned

11. Potential consequences and potential adverse effects on subscribers or individuals

12. Technical and organizational measures taken by the provider to mitigate potential adverse effects

Possible additional notification to subscribers or individuals

13. Content of notification

14. Means of communication used

15. Number of subscribers or individuals notified

Possible cross-border issues

16. Personal data breach involving subscribers or individuals in other Member States

17. Notification of other competent national authorities

Recital 11 of the Regulation suggests that national authorities should provide ECPs with a secure electronic means of notifying them about personal data breaches, and that notifications should use a common format, such as XML, across the EU.

However, if some of this information is not available, an ECP can make an initial notification to the competent national authority within 24 hours, including only the information described in section 1. The ECP must then make a second notification “as soon as possible, and at the latest within three days after the initial notification,” providing the information described in section 2.

This precise time frame is welcome, as the phrasing “undue delay” in the modified ePrivacy Directive was vague. However, a 24-hour deadline for an initial notification, followed by only three more days to gather the information necessary for a complete notification, may leave some companies scrambling to meet their legal obligations.

Notification of Personal Data Breaches to the Subscriber or the Individual

Notifications to subscribers or individuals must contain all the information contained in Annex II of the Regulation:

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Summary of the incident that caused the personal data breach

4. Estimated date of the incident

5. Nature and content of the personal data concerned as referred to in Article 3(2)

6. Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2)

7. Circumstances of the personal data breach as referred to in Article 3(2)

8. Measures taken by the provider to address the personal data breach

9. Measures recommended by the provider to mitigate possible adverse effects

According to article 3.3 of the Regulation, such notification must be made “without undue delay after the detection of the personal data breach.” As ECPs must provide a copy of this notification when notifying their national authorities of a breach, such notification has to be made, at the latest, 24 hours after the occurrence of the breach, again, a rather short delay.

A Safe Harbor: Implementation of Technological Security Measures

Article 4 of the Regulation states that ECPs do not have to notify subscribers or individuals if they were able to demonstrate to their national authority that they have implemented “appropriate technology protection measures” which were applied to the data affected by the breach.

Such measures must render the data unintelligible. Articles 4.2(a) and 4.2(b) detail when data will be considered unintelligible:

(a) it has been securely encrypted with a standardized algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or

(b) it has been replaced by its hashed value calculated with a standardized cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorized to access the key.
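The two conditions above, worked through as an added example (it is not code from the Regulation or from this post): the Article 4.2(b) construction is a keyed cryptographic hash, shown here with HMAC-SHA256 from the Python standard library, next to the unkeyed hash that does not qualify because, over a small identifier space, it is just a lookup. The subscriber records, field names and key handling are constructed assumptions; an ECP's real demonstration to its authority would also have to cover where the key lived and how it was generated.

```python
import hashlib
import hmac
import secrets

# Constructed sample records, as an ECP might hold them (not real subscribers).
SUBSCRIBERS = [
    {"id": "0042", "msisdn": "+34600000042", "email": "alice@example.invalid"},
    {"id": "0137", "msisdn": "+34600000137", "email": "bob@example.invalid"},
]
PERSONAL_FIELDS = ("msisdn", "email")


def new_key():
    """A 256-bit key from the OS CSPRNG: generated so that it 'cannot be
    ascertained by available technological means' (Art. 4.2(b))."""
    return secrets.token_bytes(32)


def keyed_hash(value, key):
    """Standardized keyed cryptographic hash (HMAC-SHA256), hex encoded."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value):
    """Plain SHA-256: standardized, but not keyed, so it does not meet Art. 4.2(b)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(records, key, fields=PERSONAL_FIELDS):
    """Return copies of the records with each personal field replaced by its keyed hash."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            copy[field] = keyed_hash(rec[field], key)
        out.append(copy)
    return out


def recover_unkeyed(digest, candidates):
    """Why keying matters: an unkeyed hash over a bounded value space can be
    matched by enumerating that space. Returns the matching value or None."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


def demonstrably_unintelligible(breached, originals, key, key_compromised,
                                fields=PERSONAL_FIELDS):
    """Models what the ECP must show its authority: every personal value in the
    breached copy is exactly the keyed hash of the stored value under a key
    that was not itself exposed in the breach. Any other situation means the
    Art. 4 exception is unavailable and subscribers must be notified."""
    if key_compromised or len(breached) != len(originals):
        return False
    for br, orig in zip(breached, originals):
        for field in fields:
            if not hmac.compare_digest(br[field], keyed_hash(orig[field], key)):
                return False
    return True


def demo():
    """Stand-alone walk-through returning the outcomes of each scenario."""
    key = new_key()
    breached_copy = pseudonymise(SUBSCRIBERS, key)
    ids = [f"{i:04d}" for i in range(10000)]  # the whole constructed id space
    return {
        "keyed_copy_exempt": demonstrably_unintelligible(breached_copy, SUBSCRIBERS, key, False),
        "keyed_but_key_leaked_exempt": demonstrably_unintelligible(breached_copy, SUBSCRIBERS, key, True),
        "plaintext_exempt": demonstrably_unintelligible(SUBSCRIBERS, SUBSCRIBERS, key, False),
        "unkeyed_id_recovered": recover_unkeyed(unkeyed_hash("0137"), ids),
        "keyed_id_recovered": recover_unkeyed(keyed_hash("0137", key), ids),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```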

So far, only ECPs have a duty to report personal data breaches in the EU. However, the new data protection Regulation currently debated in the European Parliament would provide an obligation for all data controllers to report personal data breaches to their supervisory authority (article 31) and to the data subject affected by the breach (article 32).

The entering into force of the June 24, 2013 Regulation may provide an insight on how well ECPs are prepared to meet their obligations, and will also likely give clues on whether it will indeed be feasible for data controllers to meet their obligations under the new data protection Regulation, likely to enter into force next year.



French DPA Launches Public Consultation on Right to Be Forgotten

The French DPA, the CNIL, launched on May 30 a public consultation on the right to be forgotten. As noted, in French, on the CNIL’s website:

“The draft European Regulation would establish the principle of a digital ‘right to be forgotten’ which would allow us to better control our online life. This new right would be exercised in respect of freedom of expression, the right of the press and the duty of memory. In this context, the CNIL has launched an online consultation about this right, which is often cited but whose contours remain unclear. In parallel, the CNIL also will consult professionals concerned with this issue.”

Some Questions Asked by the CNIL

Here are some of the questions individuals may choose to answer.

The CNIL asks individuals if they have ever published on the Internet their email, name, photographs or videos representing them, or if they have published personal information on a social network, such as their address or geolocation. The CNIL also asks individuals if they regularly check how their personal information is disseminated on the Internet.

The CNIL also asks individuals if they have ever found that information about themselves has been posted on the Internet without their consent, and if such dissemination of personal data has had negative consequences for them, whether it be on their personal life, professional life, or both. Participants may also share whether they have tried to remove or have removed this information, or have tried to remove or have removed this information on behalf of their minor children.

The CNIL also asks participants to share their opinion about the right to be forgotten. Do they think that this right constitutes the ability to erase one’s digital traces such as cookies, the ability to delete negative information about oneself, or the ability to control everything that is said about oneself, or even a form of Internet censorship?

The CNIL also asks whether individuals would like to be able to choose to index in search engines the information they post, or to de-reference information from a search engine once the information has been removed from the original site, or if websites should offer the opportunity to set “expiration dates” for one’s own publications, such as social networks posts.

The European Union Proposal Would Provide a Right to Be Forgotten

Article 17 of the Proposal would provide the data subject a right to be forgotten and to erasure. Article 12(b) of Directive 95/46/EC already provides such right. The data controller must, at the request of the data subject rectify, erase or block data which does not comply with the Directive, particularly if the personal data is incomplete or inaccurate.

The new Regulation would expand that right. The controller would have the obligation to inform third parties which are processing data of the data subject’s request to have any links to, or copies, or replications of that personal data, erased.

The debate on the right to be forgotten is open. The European Network and Information Security Agency (ENISA) published a report on the topic in November 2012. It states that the right to be forgotten would require defining the scope of personal data. ENISA asked whether personal data should include information that can be used to identify a person “with high probability but not with certainty” such as a picture of a person, or if it should include information identifying a person “not uniquely, but as a member of a more or less small set of individuals, such as a family.”

ENISA also pointed out the importance of clarifying who has the right to ask for deletion of personal data, and why this is needed. The report gives as example a photograph representing Bob and Alice. If Alice wants the picture to be “forgotten,” but not Bob, who should have the right to final decision? In the US, many believe that the right to be forgotten may be a threat to freedom of expression.

The results of the public consultation will be published on the CNIL’s site. We’ll keep you posted.



Federal Trade Commission Announces Privacy Settlement with Myspace

The FTC has reined another tech giant, albeit a waning one, into a settlement agreement over alleged privacy violations. On May 8, the FTC announced a consent decree with Myspace LLC that forbids it from misrepresenting its privacy policies and requires it to institute a comprehensive privacy policy and submit to biennial audits for compliance for twenty years. This is the third settlement that the FTC has achieved with a major tech company in the social networking arena; the agency reached similarly structured settlement agreements with Google and Facebook last year.

The FTC’s Allegations

The FTC’s allegations stem from a gap between Myspace’s privacy policy and its practices from January 2009 until June 2010. In its policy, Myspace promised that it would not share a user’s personally identifiable information (defined as name, email, mailing address, phone number or credit number) without notice and user consent, including through its means for delivering customized ads and sharing browsing data with advertisers; and that it complied with the U.S.-E.U. Safe Harbor framework for data protection.

However, when Myspace displayed ads from certain unaffiliated third parties to logged-in users, Myspace provided the advertiser or its affiliate with the viewer’s “Friend ID,” which is a persistent unique numerical identifier assigned to each Myspace user. This left third parties a few clicks away from accessing a host of other information about the user. For most users, the Friend ID could be used to get the users’ full name and any other information designated as public in the users’ settings. The public information could then be combined with additional information harvested by the advertiser’s tracking cookie and by any other means.

According to the FTC, the representations that Myspace made in its privacy policies were thus false and misleading statements and constituted deceptive acts or practices in violation of Section 5 of the FTC Act. The agency also alleged that Myspace misrepresented its compliance with the US-EU Safe Harbor framework: to transfer personal data lawfully from the E.U. to the U.S., companies must self-certify that they meet certain privacy principles about the collection and use of user data, including Notice and Choice. According to the FTC, Myspace misrepresented this compliance as well, although it did not make the offending statements about Safe Harbor compliance until December 2010, after the time period of its other deceptive practices.

Settlement Terms

The order forbids Myspace from misrepresenting its privacy practices, including collection, disclosure and third-party sharing, of all “covered information.” This includes a user’s name, address, e-mail address or chat screen name, phone number, photos and videos, IP address, device ID or other permanent identifier, contact list or physical location. Like the Google and Facebook settlements, the order requires Myspace to establish and maintain a comprehensive privacy program and submit to biennial assessments of its privacy programs by an independent auditor for 20 years. Myspace must also retain a plethora of related documents for five years, including all “widely disseminated statements” about Myspace’s privacy practices, complaints or communications with law enforcement about the order, or any documents that call into question Myspace’s compliance.

The 20-year timeframe, which has been the standard in FTC’s previous privacy consent decrees, has raised some snickers among commentators about Myspace’s longevity, given the site’s declining market share. Founded in 2003, the site was acquired by News Corp. for $580 million in 2005 and for a while dwarfed Facebook’s number of users. However, it was sold to Specific Media for $35 million last year and its number of unique users is less than half of its 2008 peak.

The agreement will be subject to public comment until June 8, after which the Commission will decide whether to make the proposed consent order final.


The European Commission launches a public consultation on the ‘Internet of Things’

The European Commission has launched a public consultation on the ‘Internet of Things’ (IoT) and is inviting comments until July 12, 2012. Members of the public are invited to respond to an online questionnaire.

Privacy

The public is invited to submit comments on the privacy implications of the IoT, as smart objects collect data which may also reveal information about an individual, his habits, location, or interests, whether or not his identity is known; even an unknown identity might be indirectly revealed by combining data from different sources. One of the questions is:

“Traditional data protection principles include fair and lawful data processing; data collection for specified, explicit, and legitimate purposes; accurate and kept up-to-date data; data retention for no longer than necessary. Do you believe that additional principles and requirements are necessary for IoT applications?”

Safety and Security

The questions are also about the safety and security issues which may be raised by IoT. Indeed, IoT objects are able to act on behalf of people and therefore need protection against false requests for information and against unauthenticated commands by using user authentication to ensure the authenticity of both the device and the data.

The public is invited to state whether they agree that “[d]ata life cycle management in the IoT infrastructure includes data creation, processing, sharing, storing, archiving, and deletion of data… [and that] [g]uidelines should be developed to ensure secure and trusted data life cycle management.”

Security of Critical IoT Supported Infrastructures

Comments may also address the security of critical IoT supported infrastructures, as there is a risk of abuse and attacks of such systems. The public may answer whether they agree that “[p]olicy makers should provide guidance on security-by-design and applicable security technologies.”

Ethical Issues

The questionnaire also addresses ethical questions. One of the questions is whether “IoT applications could change our sense and definition of personal identity.” Another question asks whether “IoT applications could interfere with individuals’ autonomy when decisions are taken by autonomous systems.”

Open Object Identifiers and Interoperability

The IoT is able to identify each connected object by its identifier, and the questionnaire states that, if there are right now some 5 billion mobile phone subscribers, there may be 50 billion connected non-phone devices in 10 years, a rather stunning figure.

Should openly accessible identifier solutions allowing for the interoperability of smart devices be authorized? The public is invited to state whether IoT identifier policy should promote business models for open interoperable platforms.

Other topics of the questionnaire include governance issues and standards for meeting policy objectives.



EU Data Protection Reforms Outlined

The EU Commissioner responsible for data protection recently outlined the growing contours of EU data protection reform legislation expected to issue early next year. In a November 28 speech to the American Chamber of Commerce, Viviane Reding, Vice President of the EC Commission, and EU Justice Commissioner, spoke of her determination to deliver "a strong, consistent and future-proof framework for data protection, with consistent rules across all Member States and across all Union policies."

Commissioner Reding began her speech by outlining the challenges currently facing businesses operating under the EU’s 1995 data protection legislation. First, EU data protection laws are fragmented between 27 EU member states, leading to varying legal interpretations and enforcement regimes. Reding estimated that this fragmentation costs businesses €2.3 billion a year. Second, fragmentation is inconsistent with the EU’s goal to unify its 27 member states in a single market by "making it difficult to sell or shop cross-border." Third, according to EU survey data, existing data protection rules do not have the confidence of consumers, thus inhibiting the adoption of new technologies such as cloud computing.

According to Commissioner Reding, the need for data protection has grown exponentially since 1995 "when the full potential of the Internet had not yet been realized. In 1993 the Internet carried only 1% of all telecommunicated information. By 2007, the figure was more than 97%."

Commissioner Reding went on to detail some specific regulatory reforms impacting businesses including: increased coordination between member state data protection authorities (DPAs); eliminating the requirement to notify data processing to DPAs; a single point of contact for companies dealing with multiple EU DPAs; and mutual recognition by DPAs of binding corporate rules approved by another DPA. The Commissioner also outlined the individual data protection safeguards in the reform proposal, such as timely notification of data protection breaches to consumers.

Reding included in her remarks her position on the role of industry self-regulation. According to the Commissioner, self-regulation "has an important, complementary role to play in this reform. But let me be clear: self-regulation is not a fig-leaf for non-compliance; self-regulation only works if there is strong, legally binding regulation in the first place."