American Bar Association Online Privacy Conference: A Report

Introduction

On 10 November, I attended an American Bar Association online conference on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference.” The panel was made up of:

• Lisa Sotto, a private practitioner in the US
• Billy Hawkes, Commissioner of Data Protection, Ireland
• Bojana Bellamy, Director of Data Privacy, London, UK
• Hugh Stevenson, Deputy Director of the Federal Trade Commission, US
•  Jennifer Stoddart, Privacy Commissioner, Canada.

The panelists shared their insight into many issues, including the challenges that cloud computing, behavioural advertising, and cross-border data transfer pose to privacy.  The panel also spoke on the need to address concerns of enforcement, data breach, accountability, and harmonization of data protection policies. The conference was very informative, and brought up many points that, as India moves forward with a privacy legislation, should be considered and given thought about.

Technology Concerns: Cloud Computing, Behavioural Advertising, and Cross- border Data Transfer

When speaking about the concerns of cloud computing, behavioural advertising, and cross-border data transfer – the panel was in agreement that privacy policies need to move beyond paper to practice.  They questioned whether broad national law can actually address the privacy concerns associated with these issues, or whether internal, specific policies are more effective at protecting data being outsourced to the cloud, passed through the Internet, and sent across borders. Specifically addressing cloud computing internal policies have the potential to be more effective, because data in the cloud is essentially nowhere; it does not reside in one jurisdiction, and thus it is difficult to establish which countries’ laws apply to the data. Additionally,  if there is a breach in data, the onus at the end of the day falls on the company that was in possession of the data the data breach.  Though internal policies could also be used to address behavioural advertising, the lack of consumer awareness limits how effective a self-regulating program can be. Hugh Stevenson suggested another possibility - creating a system analogous to the “do not call registry” for websites – something like “do not track.” This would allow consumers to opt out of being tracked by cookies etc. on a websites, and force websites to be transparent about their collection and retention of data. Another solution discussed that could work to move policies beyond paper to practice, was the emerging trend  of “privacy by design". “Privacy by design” is a mechanism applied by technology manufacturing and technology providing companies where companies will assess privacy risks before they offer a service, or before a product goes onto the market. This might mean a software company or service provider will need a seal before selling their products that indicates the product or service meets a certain privacy standard. If enforced effectively, the system of a seal could be especially effective, because it creates a visual indicator of privacy - allowing consumers to easily and quickly recognize what products are more privacy risky than others, and easily find reliable and secure data processors.  The ability of the privacy seal to be applied to all services and sectors, would be particularly useful in a sectoral system like the US, where companies that collect data, but  are not apart of the regulated sectors (financial, health, etc) do not come within the purview of the privacy protecting laws.

Privacy Seals Globally?  Privacy Seals in India?

If this system of a privacy seal becomes widely used, it will be interesting to see the effect that it has on the international community, and subsequently – the Indian consumer. Even though India does not have a privacy legislation, nor a heightened concern over personal privacy,  the Indian consumer does consume American-developed software, phones, computers and other technologies. Perhaps as a “privacy seal” begins to be seen on foreign products used in India, it will create pressure on domestic manufacturers and service providers to meet similar standards with their products. Furthermore, perhaps foreign countries will not want to engage in trade with a company if that company does not use the “privacy seal". Similar pressure is being placed on Chinese-made technologies. For example, the reputation that Chinese phones have of being dangerous and cheap has led some countries, like Australia, to place bans on the phones coming into their borders. Essentially a privacy seal  could provide sufficient economic incentives and pressures on companies globally to ensure that their products and practices adequately protect consumer privacy.

Accountability:

In addition to internal policies and seals as ways to push privacy protection beyond theory and into practice, the panel heavily emphasized the need for accountability. Accountability, according to  Bojana Bellamy – the EU Data Privacy Director, is  increasingly necessary because data is constantly being sent and processed in multiple countries and places across the globe. How to create a greater level of accountability amongst organizations has been a subject of much discussion. Currently the EU is looking at adding an“accountability principle”  to the directive. The directive is defining accountability as: showing how responsibility is exercised and making this verifiable -or in simpler terms – compliance with principles in the data protection field. The accountability principle that is being proposed  would be comprised of two  requirements. One requirement would obligate the  data controllers to implement appropriate and effective measures that made sure the principles and obligations of the Directive were being put into effect by organizations. The second would be to require that data controllers demonstrate that these measures have been taken. In practice, this would translate into scalable programs such as the requirement of a privacy impact assessment,monitoring,sanctions, and internal and external audits  The legal architecture of the accountability mechanism would be two-tiered. One tier would consist of the basic statutory requirement that would be binding for all data controllers; the second would include voluntary accountability systems.  This would also mean that the data controllers would need to strengthen their internal arrangements. Further accountability measures considered by the Directive working party include: Establishment of internal procedures prior to the creation of new personal data processing operations, setting up written and binding data protection policies to be considered and applied to new data processing operations, mapping of procedures to endure proper identification of all data processing operations and maintenance of an inventory of data processing operations, appointment of  data protection officer, offering adequate data protection, training, and education to staff members.

Data Breaches:

The panel next discussed data breaches. From the example of the UK, where in 2007 the government lost 24 million records from the Child Benefit Database – clearly date breaches are a continual, often very serious problem.  Few people though, realize the extent to which data breaches happen (on their own personal data) and the actual consequences of the breaches, because countries do not have a  well defined data breach policies set in place. There are a handful of European countries, like France and Germany, and some American states, like California, that  have included data breach requirements into their laws. Also,  Despite this, there are no broad statutes for data breach notification in the US or the EU.  Also in 2009 the E-Privacy Directive, which applies to ISPs, telecommunication networks, and other electronic communications services, made it mandatory for certain data breaches to be reported.. Whether data breach notification should be made a requirement through legislation is a question many countries are facing. Some countries, like Canada, rely on self-regulation for enforcement of data breaches. Jennifer Stoddart, the data commissioner from Canada, spoke about how self regulation in Canada works. One of the mechanisms that makes self-regulation so effective is the media.  If a data breach occurs, through bad press, the  media causes  the social and monetary costs to increase, so that companies will want to  prevent data breaches. The privacy commission of Canada works to help companies remedy the breaches when they occur, but focuses mainly on working with companies to prevent a breach from taking place at all. Challenges and question that self regulation face are:

Will companies work to be less transparent and avoid notification despite the severity of the breach, because of the repercussions?

• How will the  balance between over-reporting breaches with under-reporting breaches be maintained?
• Even if there is a social incentive to provide notification of breach, is it adequate  enough to ensure that the notification is comprehensive and that proactive steps are taken by the organization to prevent further breach?
• If bad media is the main form of penalty for companies – is this enough penalty, and is it able to take into consideration the context of each privacy breach?

These questions along with the growing number of breaches that are occurring have pushed the EU and other countries to consider  integrating data breach statutes into broad legislation. 

 E-Privacy Directive Breach Notification:

Under the E-Privacy Directive the definition of a personal data breach is “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or otherwise processed in connection with provision of a publicly available electronic communications service in the Community.” Currently the system in the EU is broken down into a two tiered system – a breach notification by the organization to the data controller is the first level. This level includes breaches that have occurred, but do not necessarily harm an individual. The second tier is if the breach impacts the subscriber or individual, than the  individual must be notified of the nature of the breach, and recommendations made of measures to mitigate the possible adverse effects of the breach.  If the breach is so large that individual notice is impractical, notice of the breach must be posted in the media. Failure to notify or incorrect notification results in sanctions.  In the UK, data breach notification must include:

1.    The type of information and compromised number of records

2.    The circumstances of the loss, release, or corruption

3.     Actions taken to minimize or mitigate the effect on individuals involved including whether they have been informed

4.    details of how the breach is being investigated,

5.    whether any other regulatory bodies have been informed and, if so, their responses

6.    remedial actions taken to prevent future occurrences and any other information that may assist the ICO in making an assessment. 

Accountability, breach notification: What material should India think about for a legal privacy structure?

Lawrence Friedman once explained that legal systems are living organisms – Bills are constantly being amended, passed, and retracted in order to make the legal structure that governs a society reflect the ethos of that society. Thus, when conceptualizing a new piece of legal legislation it is important to look at what purpose that legislation  is going to serve, and if that purpose  reflects the ideas, values, attitudes, and expectations that a society has. India is a nation that has enacted statutes and regulations for responding to cultural and economic changes against a backdrop of widely-dispersed population groups with deeply-engrained traditions of government and management. This has led to incongruities, for example, there are strong requirements for government transparency, but at the same time there is a common perception that bribery is necessary to prompt official action.  There are laws to protect certain rights, but the average person who takes action  will never be afforded redress. Thus, India faces both similar and different challenges that the EU and Western countries are face in concern with privacy.  One of the greatest privacy challenges in India today, despite having  adopted technology, habits, and practices that  put  privacy at risk, is  the common perception  that India does not have any  privacy issues. Because it is believed that privacy is not at risk, there is a lack of awareness and understanding as to how to prevent privacy violations. Though the breach notification and accountability components that were discussed in the meeting are very detail-oriented mechanisms, they raise a fundamental question about legal architecture and context. When forming a privacy legislation, a few broad questions that India needs to consider are:

·   Does it want a broad legislation, one that could limit business and trade (unless potential trading partners demand such legislation), or sector-based legislations, which risk being too tailored and difficult to harmonize?

·    If India wants a broad privacy framework how will this be set up?

·    What will be the tools used for civil education?

·    How will enforcement take place ? 

·    Is self regulated accountability or statuary accountability better?

·    Will there be a privacy tribunal?

·    How will data be categorized? 

·    Will breaches be notified?

·     Will standardized privacy policies be created?

As Hugh Stevenson, the commissioner from the FTC, described - one of the greatest benefits of breach notification was  the awareness of privacy that it has brought. As individuals are notified that their information has been compromised, they are becoming more aware of how technologies work and how their information is processed, and what risks are involved and what protective measures they should take. Looking at the prospect of enhanced awareness from making data breach notification mandatory, it seems that it can only be a positive step for India to take towards raising awareness and understanding of privacy. The notification of breach could be required to specifically include a description of why the breach took place, and the steps that individuals could take to further protect their data. A concern that has been voiced - is whether a comprehensive legislation could be implemented? And should India be looking to enact such a comprehensive and detailed legislation when there is no existing privacy legislation to build off of, and no deep culture of privacy?   To these concerns I can only speculate that there is always a balance between being overly ambitious in a legislation, and too conservative. It seems that enforcement will in fact always be a challenge in India, and that part of policy-making needs to address this challenge, rather than avoid it.