Analysis of PRISM and other surveillance programs – Part Two - Mayer Brown · 2018. 12. 30. ·...

data protection law & policy september 2013

subway system. But critics saycredit for Colorado case should goto British Intelligence, not theNSA. The Obama Administrationmeanwhile defends what appearsto be a flimsy record withgeneralities - calling NSA programs‘critical tools in protecting thenation from terrorist threats.’

But Senators Mark Udall and RonWyden, who both serve on theUSA Senate Select Committee onIntelligence, have released a jointstatement ‘refuting claims thatphone record collection by theintelligence community hasthwarted attacks against the UnitedStates’, stating: ‘In our capacity asmembers of the Senate SelectCommittee on Intelligence, wehave spent years examining theintelligence collection operationsthat have been secretly authorizedunder the USA Patriot Act. Basedon this experience, we respectfullybut firmly disagree with the waythat this program has beendescribed by senior administrationofficials. After years of review, webelieve statements that this verybroad Patriot Act collection hasbeen a critical tool in protecting thenation do not appear to hold upunder close scrutiny. We remainunconvinced that the secret PatriotAct collection has actuallyprovided any uniquely valuableintelligence. As far as we can see, allof the useful information that ithas provided appears to have alsobeen available through othercollection methods that do notviolate the privacy of law-abidingAmericans in the way that thePatriot Act collection does.’

Their analysis is in line with thestatement of J. M. Berger, anauthor and terrorist analyst: “[A]lot of people have wishes or hopesof turning the whole internet intoa smart computer that can figureout where the terrorists are. Maybethat’s possible someday - I don’tknow. You can’t just plug

something into the internet andhave a list of names come out andstart monitoring everybody on thatlist. You need a good deal ofcomplicated curation. But whenyou can do that, it can be a verypowerful and effective tool.”

Part of the problem is thatsophisticated terrorists who posethe greatest threat typically steerclear of electroniccommunications. Osama BinLaden and deceased al Qaeda Iraqileader Abu Musab al Zarqawi, forexample, used a complex networkof couriers instead of riskingexposure to the intelligenceagencies’ omnipresent electronictracking programs.

Poor use of resourcesBeyond the lack of a track record,PRISM and the phone recordsprogram may actually becounterproductive, because theirfire hose of output may distractlaw enforcement from better leads.Congressman Rush Holt said:“[T]he idea of the FourthAmendment [which protectsagainst warrantless searches andseizures] is not to get in the way oflaw enforcement and intelligence,but rather to see that they do agood job by having to prove ateach step of the way that theyknow what they’re doing, thatthey’re not off running downhunches and going off on wildgoose chases and witch hunts.”

Even collecting very basic data onevery phone call or email can resultin databases that are so large that itbecomes increasingly difficult tosort and review the information ina meaningful way. As an analogy, ifyou know there is a needle in thehaystack, you can find it very easilyusing a magnet, but if you do notknow whether you are looking fora string, needle, or stick, you willnever be able to sort every straw ofhay to find what you need. TheAdministration claims that such

SURVEILLANCE

04

Preventing terrorism Questionable effectivenessIt is questionable whether PRISMor the phone records program everstopped any terrorist plots. USAofficials have cited only two casesas having been discoveredexclusively by searching thoserecords; one involving some SanDiego men who sent $8,500 to AlQaeda-linked militants in Somaliaand another involvingidentification of communicationsthat tied a person in Colorado withplans to bomb the New York City

In recent months the media hasbeen revealing more aboutpreviously clandestine datagathering and surveillance methodsused by the National SecurityAgency (NSA) in its efforts tocombat terrorism. The newinformation has led welcome debateover the proper scope of the NSA’sauthority and oversight, and calls forreform. Despite an unprecedentedpublic defense by the NSA itself, aswell as President Obama and theDepartment of Justice, therevelations have raised a host ofquestions, confusion and conflictingassertions about what the NSA isdoing. Part One of this articleexplored the legal underpinnings ofthe NSA programs and discussedthe proposals for reform of theNSA’s legal authority now pendingbefore Congress. In Part Two of thisarticle, Alex Lakatos and MattBisanz, Partner and Associate atMayer Brown LLP respectively,address why the NSA’soverreaching authority is of dubiouseffectiveness when it comes tokeeping America safe, but may be areal threat to USA businesses.

Analysis of PRISM and othersurveillance programs – Part Two

large sets of data are needed toproperly understand howindividual pieces relate to eachother, but in 2011, according toSnowden’s disclosures, theintelligence agencies quietlydiscontinued a then-secretprogram that collected emailmetadata on Americans - ‘to’ and‘from’ information, not content -because it was not yielding muchvalue.

Harm to foreign relationsThe NSA’s overreaching programsalienate friends and allies that USArelies upon for help in the war onterror. Even America’s staunchestallies are uneasy, at best, about theNSA’s intelligence programs.

German Chancellor AngelaMerkel grew up in the EastGerman police state and expresseddiplomatic ‘surprise’ at the NSA’sactivities. She knows how the Stasicollected thousands of jars offabric from citizens, just in caseone of them later double-crossedthe state and their scent wasneeded for detection dogs. Shevowed to raise the issue of theNSA’s expensive surveillanceprogrammes with PresidentObama at the G8 meetings. TheItalian Data ProtectionCommissioner added to the debateby saying that the NSA’s programswould ‘not be legal’ in his country.British Foreign Minister WilliamHague faced heated challenge inParliament for his Government’sparticipation in the NSA programs,notwithstanding that the UKintelligence service accepts partialfunding from the NSA. PrimeMinister David Cameron facedunprecedented defeat inParliament when he asked the UKto join with the USA in relying onUSA-collected intelligence, as thebasis for military intervention inSyria.

All of this backlash may cost theUSA help from allies that is critical

to its efforts to protect againstterrorism. A CongressionalResearch Service Report titled ‘US-EU Cooperation AgainstTerrorism’ published on 4September 2013, explains “somechallenges persist in fosteringcloser US-EU cooperation [in thefight against terror… Notably] EUworries about US data protectionsafeguards and practices [are anobstacle that has] been furtherheightened by the publicrevelations in June 2013 of USNational Security Agencysurveillance programs.”

Harm to USA economicinterests There is yet another problem withthe NSA’s controversial programs,one that often is overlooked amidstheated debate that, justifiably,focuses on civil liberties andhomeland security. Namely, thatNSA overreaching (or even theperception of overreaching) canput USA technology companies ata competitive disadvantage. Thisrisk is particularly acute for USAcloud service providers (CSP) andthose that rely upon USA CSPs.Anecdotal evidence suggests thatUSA CSPs (or even vendors thatuse USA CSPs) may be losingbusiness to their non-USAcompetitors, who are seen askeeping data farther from the USAgovernment’s prying eyes. Forexample, a Cloud Security AllianceSurvey on Government Access toInformation published in July 2013reported that 56% of non-USAresponders were less likely to usecloud services in light of theSnowden’s revelations, and 10%claimed to have cancelled projectsthat would have used USA cloudservers, and about a third of USAresponders said that the Snowdenincident makes it harder for themto conduct business outside theUSA.

According to Reuters, sources

including technology executives inEurope hope that ‘the scandal mayprove a turning point for theregion’s young cloud computingindustry.’ Reuters further reportsthat European companies such astelecoms groups Orange andDeutsche Telekom are trying toexploit the concerns as they buildtheir own cloud businesses.

Caspar Bowden, an independentprivacy advocate and Microsoft’sChief Privacy Adviser from 2002-2011, said that before the Snowdenleak, the big USA cloud companieshad been largely able to quell fearsabout data security with savvypublic relations, but “the headlines[about PRISM] will change all that.The nationality of the companyand the location of the data domake a difference.”

John Engates, RackSpace ChiefTechnology Officer, said: “Arepeople concerned about doingbusiness in the USA and what theUSA could do with their data? Theanswer is yes. It’s something as acountry we need to figure out, howto allay some of the fears aboutdata moving through the USA.That’s partly why people aregravitating toward the idea ofprivate clouds that you can run inother countries.”

These concerns, however, shouldbe understood in context. The USAis still the largest and mostdominant player in the provisionof cloud services, with many offormative companies based in, andmost sophisticated servicesoriginating from, the USA. Andsignificant new business fromcustomers new and old, includingcustomers from Europe and Asia,continue to roll into the USAmarket.

Solutions for USA industryStill, the NSA is making life harderfor USA CSPs. What should theydo?

First, USA companies should

data protection law & policy september 2013 05

SURVEILLANCE

With everincreasingconcernabout theNSA conduct,and risingprotestsagainst theNSA activitiesin Europe,argumentsthat storingdata in theEU may notdo the trickmay be toolittle, too late


in its latest iPhone 5S release tokeep it off of Apple’s own cloudoffering. Other companies maychoose to outsource some data,while keeping the most sensitivematerials (such as humanresources, trade secrets) in house.None of these current solutions arefoolproof; encryption may interferewith smooth business operationsor be cracked with NSA decryptiontools, Apple’s segregation may beovercome via remote access, andeven in-house solutions are still atrisk to disloyal employees. But,they are at least attempts atinnovation.

Third, this economic concernmay persuade some in Congresswho are not swayed by civilliberties arguments to make moreserious reforms to limit what theNSA can do. It is a well-knownreality of American politics thatmoney talks and few have as muchmoney to lose as the industries thatmake, run, and use cloudcomputing technology. USAtechnology businesses who are notalready doing so (many are) shouldmake sure their voices are heard onthis issue, so that Congress and theObama Administration appreciatefully the impact of failure toachieve meaningful reform andgenuinely change perceptions athome and abroad.

Alex Lakatos PartnerMayer Brown [email protected]

Matt BisanzAssociateMayer Brown [email protected]

The authors would like to thankJeffery Taft, Partner at Mayer BrownLLP, for his assistance with thisarticle.

SURVEILLANCE

06

explain that the perception ofkeeping data in the EU will keep itsafe from prying eyes does notalways comport with reality.Through programs like PRISMand Upstream, the USAGovernment is able to obtain datathat relates to internationalcommunications, either byreceiving the data from theparticipating companies or(perhaps) even directly fromtapping of internationaltelecommunications cables. Thereare recent allegations that the NSAhacked the Brazilian state-run oilcompany Petrobras andintercepted billions of emails andcalls to Brazilians. And, movingdata to the EU certainly does notshield it from EU authorities, who- to less fanfare and perhaps lessextensively - do snooping of theirown, sometimes even at the behestof their USA counterparts. Thesearguments, however, are likely tobe unheard over the chorus ofoutrage at the USA government’spast actions. With ever increasingconcern about the NSA’s conduct,and rising protests against NSAactivities in the EU, arguments thatstoring data in the EU may not dothe trick may be too little, too late.

Second, USA companies canmarket more technologicallysecure solutions. Tien Tzuo,founder of Zuora, which sets uppayments and billing for cloudsoftware service providers,concludes that “[t]here’s a sensethat there needs to be a new breedof technologies to give a little bitmore control of their privateinformation back to consumers.And I think we’re going to see a lotof innovation in that area over thenext few years.” Many cloudproviders, such as Amazon WebServices (AWS), the cloud servicesarm of Amazon.com, provide toolsfor its customers to encrypt datathey store. And Apple hassegregated users’ fingerprint data


Comment

The Association of French-speaking Data Protection Authorities(AFAPDP), consisting of 15 countries, recently proposed a BCR-style data transfers model between member states as part of theirefforts to improve the standard of data protection in less matureregimes. Recently, Africa has seen a flurry of developments, fromMorocco’s approval of Convention 108 (Convention for theProtection of Individuals with regard to Automatic Processing ofPersonal Data), to new privacy laws in Niger and Gabon.Floriane Leclercq, the French Data Protection Authority’s(CNIL) representative at the AFAPDP, comments on theAFAPDP’s mission and how African data protection law isshaping up.

French-speaking African countries have begun to establishdata protection laws and authorities – this is a persistent andencouraging trend for the strengthening of individual rights andthe rule of law. As of June 2013, seven French-speaking Africancountries have an authority tasked with the protection ofpersonal data and bills are being drafted in six French-speakingAfrican countries. In this area of law, French-speaking countriesare ahead of the English-speaking countries. In addition to thesenational initiatives, regional organizations such as the EconomicCommunity of West African States (ECOWAS) and the AfricanUnion (AU) have taken over the protection of personal data. On16 February 2010, ECOWAS adopted a Supplementary Act onthe protection of personal data for direct application in 15countries. The AU is currently preparing a draft conventionwhich contains a section is devoted to the protection ofpersonal data.

The mission of the AFAPDP is to promote the adoption oflaws protecting personal data and the establishment of nationalinstitutions for the protection of personal data while respectingthe needs and traditions of each country. The AFAPDP offersassistance to States and local authorities to develop an expertisein the protection of personal data, based on the experience ofmembers of its network authorities.

The AFAPDP began an internal consultation on ourfrancophone Binding Corporate Rules in the past few months,which is still in progress. At the beginning of this project, wewere pursuing two main objectives: ! better supervision – protection and facilitation – of datatransfers between French-speaking countries, and! standardisation of principles and practices between French-speaking authorities.

Our working group chose to propose one supervisory toolfirst: the francophone Binding Corporate Rules, inspired by theEuropean tool of the same name, because it already works andhas proven its worth. However, as this project is in connectionwith the international context (the data protection reformscurrently under discussion in the European Union and otherenforcement initiatives such as the Global Privacy EnforcementNetwork (GPEN) and the APEC Cross-Border Privacy

A francophone BCR model to boost African data protectionEnforcement Arrangement (CPEA) and the InternationalEnforcement Group), a few discussions and months are stillnecessary to reach an adequate level of awareness and expertisein the French-speaking community.

In general, there is a growing interest in African states to enactlegislation to protect personal data in accordance withinternational standards. ! The first driving force is a political one: the right toprotection of personal data is an excellent indicator ofdemocracy. The law recognises new rights and installs a newindependent authority to protect fundamental freedoms.Moreover, the state itself is subject to supervision by the dataprotection authority. In Tunisia, the protection of fundamentalrights, including the right to protection of personal data, is inline with the context of politics and digital revolution. The lawreform, proposed by the National Personal Data ProtectionAuthority (INPDP) in June 2012, would be a way for theTunisian Government to show its commitment to strengtheningdemocratic accountability and public confidence and validatethe principle of a digital revolution and freedom of expression.! The second driving force is economic one: the right toprotection of personal data is involved in the construction of alegally secure digital economy likely to attract foreigninvestment. In Morocco, the adoption of the law of protectionof personal data and the establishment of an authority toprotect personal data with powers of authorisation and controlshows the government's commitment to strengthen the legaltransparency and provide an attractive framework for digitalcompanies creating jobs in key sectors such as internationalfinance, remote services companies, and telecommunications.

On 6 June 2013, the Moroccan government adopted a billapproving Convention 108 for the Protection of Individualswith regard to Automatic Processing of Personal Data.Ratification would make Morocco the second non-membercountry of the Council of Europe to be party to theConvention. The Council of Europe, the Moroccan dataprotection authority (DPA) and the AFAPDP did a lot tosupport the ratification. The Moroccan DPA hopes that theratification will lead to amendments of the Moroccan law - itneeds to be lightly modified to reinforce the DPA’s ability toenforce the law, its financial and functional independence, andability to recruit its own staff.

Floriane LeclercqData Protection Project Manager at the AFAPDP


it.Over the past decade, archives

addressed these organisations’ needto retain data for the requiredperiod. However, they generated ahost of new problems, including:! bloating, such as retaining dataindiscriminately with no thoughtof its value or retention period;! slow and unreliable searching;! slow data extraction, wherearchives’ built-in interfaces forextracting data were not designedfor high volume – often they couldonly work with one file at a time;! obsolete platforms, where manyarchive systems that were oncecommon became unsupported.

The challenges of archivemigrationFacing these challenges, manyorganisations decide the bestoption is to migrate the archiveddata to a modern platform or anoutsourced or cloud service. Cloud services, for example,usually cost less than runningstorage hardware in-house, orsimply make it someone else’sproblem to manage!

However, organisations oftenmigrate all their data to a newarchive or cloud service. Thisindiscriminate approach does notsolve many of the problems withthe original archive, such as thelarge volume of content that hasno business value or contains risks.It merely defers these issues for aslong as the migration takes.

Furthermore, because of thelimitations of archives’ extractioninterfaces and the sheer scaleinvolved, many migration vendorsstill claim it is impossible totransfer large volumes of data inless than a year.

Ten techniquesA faster, more efficient approachwould be to migrate only the emailmessages that have business valueor that the organisation must

retain for compliance. Thisrequires advanced migrationtechnologies that can directlyaccess the data in the sourcearchive, bypassing the built-ininterface, and create a completeand in-depth index. With thisindex, organisations can identify,retain and deal with anyinformation that presents a riskand leave behind redundant, andtrivial data to be decommissionedwith the old archive.

High-risk data remediationArchives often contain both high-risk and high-value information.One very serious risk is theprevalence of customers’ identityor financial details stored withoutappropriate security in emails andattachments. These are often theresult of employees making‘convenience copies’ of this data,for purposes such as working fromoutside the office.

While indexing the contents of anarchive, it is possible to identifyand extract items containing high-risk information such as creditcard and national identitynumbers. Organisations can alsoisolate messages and attachmentscontaining lists of ‘hot words’ andother high-risk items that areunique to their business. Theorganisation’s risk team can reviewand act on even these items beforethe migration process begins.

Search macros and legal holdMost organisations have a numberof employees subject to litigationor regulatory inquiry. In manyorganisations, there are a fewindividuals who frequently appearin litigation or regulatoryrequests—also known as ‘frequentflyer’ custodians. One of the firststeps in many archive migrationprojects is to isolate thesecustodians’ data for preservation orlegal hold purposes.

Organisations can pre-filter the

INFORMATION GOVERNANCE

08

Many organisations have hundredsof terabytes of data stored in legacyarchive systems. Due to thetechnical limitations of thesesystems, it is often difficult tosearch and analyse their contentsfor eDiscovery, data minimisationor risk management purposes.

As a result, many organisationsare looking to migrate the contentsof legacy archives to newerplatforms or cloud services.However, the same factors thatlimit our ability to understand thecontents of archives also make itvery difficult and time consumingto move them.

In addition, data migration is anopportunity to leave behind old,duplicated and otherwise space-filling data. However, organisationsalso lack a thorough and legallydefensible process for assigningvalue to data – they simply don’tknow where to start.

Did archives solve problems,or create them? Since email archives first arrived intheir current form, organisationshave purchased some form of diskarchive. Archive vendors primarilytarget large companies in highlyregulated sectors such as financialservices, pharmaceuticals andhealthcare, and large governmentagencies. These organisations havehuge data volumes and strictcompliance rules about retaining

With ever increasing data volumes,archives contain tremendousamounts of valuable and worthlessinformation. Whether by changingcircumstances or bad design, manylegacy archives make it almostimpossible to gain a trueunderstanding of their contents. DrJim Kent, CEO, EMEA and Head ofInvestigations at Nuix, explainstechniques organisations can use tospeed up data migration.

Intelligent data migration: tentechniques for best practice

Informing the legal industry since 1999

Data Protection Law & Policy is essential reading for busy

professionals operating in the data protection and privacy sphere.

Written by experts for experts, this monthly journal delivers razor-

sharp analysis and insights on the legal and regulatory topics on the

horizon.

Launched in 2004, Data Protection Law & Policy has been on the

cutting-edge of reporting, mapping out the developments in the

internet domain, the evolving role of the data privacy professional,

and the global shifts in policy and legislation.

Regulation Data Breach & Data Security

Data Transfers & Outsourcing

Social media

Mobile Apps

Case Law

Online Privacy Cloud computing

Sectorial changes including in health and banking

“Data Protection Law and Policy gets to the heart of data privacy hot topics and considers them in a practical and pragmatic way. This is

particularly useful as data privacy is a dynamic subject where interpreting the requirements of data privacy laws is fundamental to

the role of a responsible data controller”

- Sue Taylor, Senior Data Privacy Manager Leading Financial Services Company

Why subscribe?

•  No frills legal analysis written by experts •  Topical, timely and to the point •  In-depth analysis of legal and regulatory developments •  Concise - all you need to know in one place •  A global view of a truly global industry

An annual subscription to Data Protection Law & Policy is £450 (£470 outside UK)

What do you get for your money?

•  A monthly hard-copy and unrestricted online access to the publication •  Full access to the online archives stretching back to 2004, perfect for research purposes •  Priceless insight and expertise from a world-leading editorial board and leading industry practitioners

+44 (0)20 7012 1387 [email protected]

www.e-comlaw.com/data-protection-law-and-policy

Informing the legal industry since 1999

Head Office UK Cecile Park Publishing, 17 The Timber Yard, Drysdale Street, London N1 6ND Tel: +44 (0)20 7012 1380

Find us on:

Big data - Social gaming - Mobile payments

In a world that changes everyday: six legal journals to guide you through the complex global marketplace

Data Protection Law & Policy E-Commerce Law & Policy E-Commerce Law Reports

• Global privacy regulations • Privacy compliance • Data acquisition • International data transfer

• E-Commerce regulation • Distance selling • Social media • Piracy

Key cases include: • Online contracting • Distance selling • Defamation

•

! Razor-sharp analysis of global legal issues ! Editorial board of experts ! Exclusive features & interviews

! Essential information: timely news ! In-depth analysis and expert commentary ! Unrestricted access to the online archive

E-Finance & Payments Law & Policy

World Online Gambling Law Report World Sports Law Report

• E-payments • Global regulatory regimes • SEPA • Virtual currency

• Global gambling regulation • Payment processing • Social gaming • Advertising

• Player contracts • Broadcasting rights • Sponsorship • Anti-doping

To request a complimentary copy or for details on how to subscribe

Contact David Guati: +44 (0)20 7012 1387 / [email protected]

bi-monthly

Why...

Visit our website: www.e-comlaw.com

contents of the source archive toensure they migrate all datarelating to these custodians to thenew archive or to anotherrepository immediately afterprocessing.

DeduplicationArchives apply multiple techniquesto minimise the volume ofinformation they store, includingdata compression and ‘singleinstancing’, a form ofdeduplication. However, singleinstancing has several limitations,such as ignoring identical itemsreceived in different mailboxes atslightly different times.

Creating a cryptographic hashvalue for each item makes itpossible to deduplicate identicalitems from a single custodian’sdata, even when there are multiplecopies across multiple email serversor archives. In some cases it mayalso be legally defensible to removeduplicates across multiple users oran entire data set.

Age-based cullingMigration offers an opportunity tocull data based on its age. Any datapast its retention period, unless it ison legal hold, can simply be leftbehind in the old archive.

Archive metadata, such as thedate each item was created, lastaccessed and last modified,provides further insights into thevalue of the data. For example, is itworth keeping copies of a companynewsletter no-one has accessed inmore than five years?

Size-based cullingExamining archived data by filesize is another way to achieve aquick win. For example, anorganisation could examine a listof the largest email messages andattachments that were past theirretention date and that no one hadaccessed.

Distribution and auto messagesAutomated email notifications areanother large pool of low-valuedata, particularly because they areoften sent to multiple recipients ordistribution lists. Understandingwhether these messages have valuerequires consultation with endusers but often yields substantialresults. It builds user engagementwith the migration process becauseemployees can see how it can helpthem work more productively. Italso increases employees’ comfortwith the ideas of deleting data andbroader information governance,which is critical to these projects’success.

Email subject value analysisAnother powerful technique is togroup archived items across all usermailboxes by subject line or title.Across an entire archive withhundreds of millions or billions ofitems, this technique can identifymillions of messages that have nobusiness value.

For those messages that are moreambiguous (such as ‘FW:Hey’ or‘Re:Re’), information managers canmanually review a random sample.If a 5% sample of all messages withthe subject ‘Fw:Fw:Fw’ yieldsnothing but innocuous content,such as jokes, it would be quitereasonable to leave this contentbehind in a migration.

Spam and trivial dataEmail gateways generally removethe worst examples of unsolicitedcommercial email before theyreach user inboxes. However,employees often choose to receivebulk emails such as news updatesand marketing messages. Thesemessages have value to the user, atleast initially, but their worthrapidly diminishes over time.

Deciding which of these messagesto remove is, again, a consultativeprocess. A complete index makes itrelatively easy for information

managers to isolate messages by acombination of sender, the domainthe messages were sent from andkeywords such as ‘golf ’, ‘lunch’,‘weekend’ or ‘pizza.’

Predictive codingPredictive coding, mostly used ineDiscovery, has a role to play inarchive migration. Predictivecoding creates a statistical modelthat uses word frequency toautomatically separate documentsinto two categories. This is verysimilar to the way spam filterswork.

A predictive coding model mightbe useful to sort email messagesinto buckets such as ‘valuable’ and‘trivial’ or to identify specific typesof information such as contracts orcustomer feedback forms.

Near-duplication and clustering Although the deduplicationtechnique I discussed earlier ismore powerful than archives’ singleinstancing, there are categories ofduplicates it will not catch. Near-duplicate technology gets aroundthis problem by comparing thesimilarly of text between itemsusing a technique called ‘shingling’.

With any item that is particularlyvaluable, or definitely not valuable,near-duplication can identifyclusters of documents that containsimilar text – another fast way tocategorise large volumes of data.

Migrations in weeksWith today’s technology, archiveowners can use a series of logicaltechniques to minimise the volumeof data they must migrate to thenew platform, reduce target storagecosts, mitigate business risks andcomplete migrations in weeks, notyears.

Dr Jim Kent CEO, EMEA and Head of InvestigationsNuix


INFORMATION GOVERNANCE

With today’stechnology,archiveowners canuse a seriesof logicaltechniques tominimise thevolume ofdata theymust migrateto the newplatform,reduce targetstoragecosts,mitigatebusinessrisks andcompletemigrations inweeks, notyears


accounts. There was no evidencethat this change in policy was evercommunicated to the decedent orhis brother.

Beginning shortly after John'sdeath, Marianne and RobertAjemian, siblings of the decedent,tried repeatedly to gain access totheir brother's email account.Initially, they sought access inorder to obtain the email addressesof John's friends to notify them ofhis death and memorial service.Subsequently, the plaintiffs (bythen appointed as co-administrators of decedent's estate)sought the emails to help identifyand locate assets and administerthe decedent's estate.

Although Yahoo! initially agreedto turn over the information,provided the family produced acopy of John's birth and deathcertificates and otherdocumentation, it later refusedthem access to the account or itscontents, relying on the StoredCommunications Act, 18 U.S.C. §§2701 et seq. (2006).

Yahoo! interpreted that law toprevent it from disclosingdecedent's emails, even to theadministrators of his estate.Subsequent negotiations led theparties to a partial resolution,requiring Yahoo! to produce 'allsubscriber records and emailheader information, not to includeemail content,' which Yahoo!produced pursuant to thejudgment.

Probate court decisionThe co-administrators then filed asecond complaint in Probate Courtseeking the contents of the emailson the grounds that they were theproperty of John's estate andproperty of Robert as co-owner ofthe account. The probate judgedismissed the complaint on thegrounds that the Yahoo! forumselection clause in the TOSrequired that any lawsuit be

brought in California. The probatejudge also concluded that resjudicata barred the co-administrators from bringing theirclaim in a Massachusetts court, butnot in a California court.

Appeals Court decisionThe Appeals Court ofMassachusetts (Norfolk division)determined that there was a failurein the record as to whether theforum selection clause had been'reasonably communicated andaccepted' by the email accountusers; therefore, Yahoo! had notmet its burden of proof withrespect to its contract claims.Further, since the co-administrators were not signatoriesto the Yahoo! contract, the courtdetermined that it would not bereasonable to enforce the forumselection clause against them.

With respect to jurisdiction overthis dispute, the Appeals Courtfavoured Massachusetts overCalifornia. The Appeals Court heldthat since John was domiciled inMassachusetts at the time of hisdeath, 'Yahoo! [had] offerednothing to suggest that jurisdictionover assets of his estate [should be]anywhere other thanMassachusetts.'

The Appeals Court did not reachthe question of whether Yahoo!was required to keep the emailsconfidential under the StoredCommunications Act.

The Court noted that Yahoo!'srequest that the Probate Court'sdecision be affirmed under theStored Communications Act hadbeen raised only in a footnote anddid not 'rise to [the] level ofargument acceptable for appellatereview.' The judgment wasreversed and the matter remandedto the Probate Court for furtherproceedings consistent with theappellate opinion.

PERSONAL RECORDS

10

Background factsAround August-September of2002, Robert Ajemian opened aYahoo! email account for hisbrother John; Robert intended thatthe two access and share theaccount as co-users. Yahoo!'s Termsof Service and Privacy Policy(TOS) at the time when theaccount was first opened gave itthe right to terminate a passwordand discard account content forany reason, in its sole discretion.

In August of 2006, John wasstruck and killed by a motorvehicle. At the time of his death,Yahoo!'s TOS included a clauseexcluding any third-partybeneficiaries to the agreement andterminating any right ofsurvivorship to Yahoo! email

Privacy after death: analysing theposition on the deceased’s emailsPrior to the widespread adoption ofelectronic mail, obtaining access toa beloved one's personaldocuments after his or her deathwas a fairly straight-forwardprocess. The executor of the estatewould, consistent with any specificinstructions in the decedent's will,be authorised by a court of law tohave banks and postal offices openthe decedent's safety depositboxes to determine their contentsand aid with the administration ofthe estate. Frederick M. Joyce andTiffany M. Nichols, Chair of TelecomGroup and Associate at VenableLLP respectively, explores a recentMassachusetts appeals case,Ajemian v. Yahoo! Inc. 7 May 20131,involving a request by a deceasedman’s relatives to access his Yahoo!email account, which was deniedby Yahoo!, analysing the difficulty ofbalancing electronic privacy with therights of those claiming a legitimatereason to access online content.

Email assets – property of anestate? Recent news of apparentwidespread electronic snooping bythe USA government hasheightened concerns that internetservice providers guard and protecttheir customers' electroniccommunications. On the otherhand, in a world where mostpeople in developed nationscommunicate and engage incommerce largely via electronicmeans, cases like Ajemian v. Yahoo!highlight the often legitimateinterests of non-governmentalentities in gaining access tosomeone else's electroniccommunications.

Under Massachusetts law, as withmost states, upon a person's death,that person's real and personalproperty passes to their devisees orheirs. Further, the decedent'spersonal representative has theright and responsibility to takecontrol of the decedent's assets tothe extent necessary to handle theadministration of the estate. Whileit is unclear from the AppealsCourt decision whether thedecedent had a valid will upon hisdeath, this dispute might haveoccurred with or without a will,given uncertainties underMassachusetts law as to whetheremail should be deemed propertyof an estate.

Yahoo! somewhat half-heartedlyrelied on the StoredCommunications Act to deny theco-administrators access to thedecedent's email records.Nevertheless, privacy rights aregenerally understood to cease upona person's death and, personaleffects such as letters and picturesthat traditionally pass to heirs arejust as likely as emails to containpersonal information. The realconcern for email service providerslies with potential liability forunauthorised disclosure to 'badguys,' not family members, of

private and protected electroniccommunications.

One lesson to be learned fromthis case is that the drafters of willsmay need to focus their attentionon the central importance ofelectronic assets. Still, it could beanother generation until the phrase'personal effects' is recognised toinclude all of one's electroniccommunications and electronicdocuments.

In the meantime, courts willcontinue to struggle with thistension between electronic privacyrights and the legitimate interestsof a decedent's estateadministrators. As shown in thiscase, contract law provides only apartial solution, and may be part ofthe problem. Although 'a commonlaw cause of action for invasion ofprivacy may cease upon death,general freedom of contractprinciples suggest that it may stillbe possible to create a contractualright of privacy which is effectiveto protect private information ofdeceased individuals.’2

However, if a contract is deemedunlawful or contrary to publicpolicy, it is unenforceable. Absentsome record evidence that thedecedent intended Yahoo!'s privacypolicy to be binding on his estate,the Appeals Court likened Yahoo!'sprivacy policy to a contract ofadhesion, the kind a majority ofinternet users fail to read3.Consequently, the family's publicpolicy interest in administering theestate outweighed Yahoo!'sinchoate interests in protecting theprivacy of a deceased customer.

A change in venue, or even achange in email service provider,may have led to a differentoutcome. For instance, Indiana,Connecticut, Rhode Island, andOklahoma have adopted lawsgranting estates certain propertyrights in the electronically storedcommunications of decedents. Atthe same time, many email service

providers have policies in placethat would have allowed theplaintiffs access to the decedent'semails. Absent changes in federalor state electronic privacy laws,these types of probate courtdisputes may become increasinglycommon.

Frederick M. Joyce Chair, Telecom GroupVenable [email protected]

Tiffany M. NicholsAssociateVenable [email protected]

1. Ajemian v. Yahoo, 987 N.E.2d 604(Mass. App. Ct. 7 May 2013)2. Jonathan J. Darrow & Gerald R.Ferrera, 'Who Owns a Decedent's E-Mails: Inheritable Probate Assets orProperty of the Network?,' 10 N.Y.U. J.Legis. & Pub. Pol'y 281, 314 (2006-2007) at 314 (citing Willard Packing Co.v. Javier, 899 A.2d 940, 947 (Md. Ct.Spec. App. 2006); State v. Pleva, 456N.W.2d 359, 362 (Wis. 1990)).3. See Tyler G. Tarney, 'A Call forLegislation to Permit the Transfer ofDigital Assets at Death,' 40 Cap. U. L.Rev. 773, 778 (Summer 2012) (citationomitted).


PERSONAL RECORDS

[T]he family'spublic policyinterest inadministeringthe estateoutweighedYahoo!'sinchoateinterests inprotectingthe privacy ofa deceasedcustomer


authority will be granted an optionto either submit a complaint to theInformation Regulator or toapproach a court for appropriaterelief.

(ii) A party who is aggrieved by adecision by the head of a privatebody will be able to either submit acomplaint to the InformationRegulator in respect of the decisionconcerned, or to approach thecourt for appropriate relief.! The 2009 version of the Billreflected provisions dealing withthe requirement that responsibleparties (parties who processpersonal information) shouldnotify the Information Regulatorthat they process personalinformation and the requirementthat they should obtain priorauthorisation from theInformation Regulator before theyprocess certain categories ofpersonal information. Theprovisions dealing withnotification were aimed atregulating matters associated withthe requirement, such as, theparticulars to be included in thenotification, exemptions and thecriminalisation of any failure onthe part of a responsible party tonotify the Information Regulator.However, the provisions dealingwith notification were omittedfrom the final version of the Bill.

The provisions dealing with priorauthorisation which were retained,among others, require that aresponsible party must obtainauthorisation from theInformation Regulator before anyprocessing if the responsible partyplans to, among others, processpersonal information for thepurposes of credit reporting ortransfer special personalinformation or the personalinformation of children to a thirdparty in a foreign country thatdoes not provide an adequate levelof protection for the processing ofpersonal information.

What are the most importantfeatures of the law?! The Bill aims to introduce eightinternationally acceptedinformation protection principles,namely, accountability, processinglimitation, purpose specification,further processing limitation,information quality, openness,security safeguards and datasubject participation. Specialprovisions have also been includedin the Bill with the view to theprotection of special (sensitive)personal information of datasubjects and the personalinformation of children.! An independent statutoryauthority, namely the InformationRegulator, will be introduced thatwill be responsible for monitoringthe implementation of the newProtection of Personal InformationAct and the Promotion of Access toInformation Act 2000.! Enforcement of the Bill will bethrough the Information Regulatorby means of a system of notices, asa first step, where conciliation ormediation has not been successful.The Information Regulator is alsoempowered to assist data subjectsin claiming compensation fromresponsible parties where themanner in which they processpersonal information is not in linewith the requirements of the Billand such processing has causeddamage to the data subjectsconcerned.! The Bill further aims to follow aflexible approach in terms of whichindustries will be allowed todevelop codes of conduct inaccordance with the conditions(principles) for the lawfulprocessing of personalinformation. Codes of conduct willassist in the practical application ofthe conditions for the processing ofpersonal information in specificsectors. Provision is made for codesof conduct to be issued for specificsectors by the Information

SOUTH AFRICA

12

To what extent does the finalversion differ from the 2009 Bill?The final version of the Bill differsin a few respects from the 2009version. For example:! Chapter 5 of the Bill aims toregulate the establishment of anInformation Regulator and theamendments that to the Chapterwere aimed at strengthening theprovisions concerned in order toensure that the Regulator will beestablished as an independentstatutory authority. The Bill furtheraims to amend the Promotion ofAccess to Information Act 2000(Act 2 of 2000), in order toestablish the InformationRegulator as a functionary thatmay consider complaints againstdecisions that have been taken bypublic or private bodies in respectof requests for access to records ofthe bodies concerned. Thecomplaints procedure provided forin the Promotion of Access toInformation Act 2000, will beamended as follows:(i) Insofar as certain public bodiesare concerned, the compulsoryinternal appeal procedure will beretained. A party who is aggrievedby a decision of a relevant

Analysing the new Protectionof Personal Information Bill The South African Parliamentpassed - on 22 August 2013 - theProtection of Personal Information(POPI) Bill. POPI was introduced inAugust 2009 by the South AfricanCabinet and represents SouthAfrica's first comprehensive dataprotection legislation. POPI isexpected to come into force beforethe end of the year.Data Protection Law & Policyinterviewed Advocate MthunziMhaga, Spokesperson for theDepartment of Justice andConstitutional Development, to learnmore about the new Bill.

Regulator and may even makeprovision for adjudicators to beestablished in terms of such codesto be responsible for thesupervision of the processing ofpersonal information in thosespecific sectors.! The Bill also aims to makeprovision for the protection of datasubjects’ rights insofar asunsolicited electroniccommunications and automateddecision making are concerned.The Bill also provides that personalinformation may not betransferred to countries that do notensure an adequate level ofinformation protection. Thisprohibition is subject to certainexceptions, for example, where adata subject consents to thetransfer of his or her personalinformation or where the transferis necessary for the performance ofa contract between the data subjectand the responsible party.

When enacted, will the Law seea dramatic shift for South Africanbusiness and foreign businesseswishing to operate in SouthAfrica?The Bill emanates from the SouthAfrican Law Reform Commission’sreport on privacy and dataprotection. The Bill aims, inharmony with internationalstandards, to give effect to the rightto privacy, by introducingmeasures to ensure that thepersonal information of anindividual (data subject) issafeguarded. The Bill also aims tobalance the right to privacy againstother rights, particularly the rightof access to information and togenerally protect importantinterests, including the free flow ofinformation within and across theborders of South Africa. Therefore,it should be noted that, in view ofinternational trends andexpectations, the Bill willcontribute substantially towards

South Africa’s future participationin the information market as acountry which could be regardedas providing adequate informationprotection by internationalstandards.

When do businesses operating inSouth Africa have to comply withthe law?Responsible parties will have tocomply with the provisions of theBill as soon as it is implemented.However, the Legislature hasdecided to introduce a transitionalarrangement in order toaccommodate those responsibleparties who are not in a position tocomply fully with the provisions ofthe Bill upon implementationthereof. Clause 114 of the Bill, forinstance, provides that allprocessing of personal informationmust, within one year after theimplementation of the clause,comply with the provisions of theBill.

Has the Information ProtectionRegulator been nominated?When is this expected?The members of the InformationRegulator have not beennominated yet. The Bill was onlyrecently approved by Parliamentand must, in terms of section 79 ofthe Constitution of the Republic ofSouth Africa, 1996, be referred tothe President for the President toassent to and sign the Bill. A Billassented and signed by thePresident becomes an Act ofParliament and, in the present case,will take effect on a date to bedetermined by the President. Inthis regard the provisions of clause41 of the Bill should also be noted,which prescribes the procedure forthe appointment of the membersof the Regulator which, amongothers, involves Parliament.

What are the maximumsanctions?Chapter 11 of the Bill deals withoffences and penalties. TheChapter creates offences such asobstruction of the Regulator(clause 100), breach ofconfidentiality by a person actingunder the direction of theRegulator (clause 101), obstructionof the execution of a warrant(clause 102), the failure to complywith an enforcement notice (clause103) and offences by witnesses(clause 104).

Two additional offences, apartfrom those mentioned above, thatwere included in the introducedversion of the Bill, were created,namely unlawful acts byresponsible parties in connectionwith account numbers (clause 105)and unlawful acts by third partiesin connection with accountnumbers (clause 106). TheLegislature has also introduced aprovision, namely clause 109 of theBill, which aims to empower theInformation Regulator to imposeadministrative fines uponresponsible parties instead of beingprosecuted for having committedoffences in terms of the Bill.

Advocate Mthunzi MhagaSpokesperson for the Department ofJustice and Constitutional Development


SOUTH AFRICA

[I]n view ofinternationaltrends andexpectations,the Bill willcontributesubstantiallytowardsSouth Africa’sfutureparticipationin theinformationmarket as acountrywhich couldbe regardedas providingadequateinformationprotection byinternationalstandards


abroad, then the process of IToutsourcing to a cloud is subject toexport control regulations. ! Moreover, the cloud providersthemselves may wish to store thedata received, for example forfinancial reasons; with a sub-contractor in a third country witha more favourable IT coststructure. This is usual businesspractice as 'borderless' data traffic,in particular, is an integral part andadvantage of cloud computing. ! In cases where the cloudprovider's head office is in the UKbut data is being accessed fromabroad, the external access leads toan (indirect) data transfer abroad.Whether or not the data is actuallybeing accessed remains irrelevant.The sole possibility that data maybe accessed entails export controlobligations. ! Setting up an in-house privatecloud that is only accessible bycompany employees at all foreignlocations is also subject to exportcontrol regulations. Oftenbusinesses misjudge thesignificance of export controlregulations to the transfer of intra-company data. Therefore, oneoften hears the followingstatement: "It's all internal, it allstays within the firm!" This pointof view is wrong. From an exportcontrol perspective the intra-company exchange of data is veryrelevant. Since in this case, dataalso ends up abroad irrespective ofwhether the data recipient is acolleague or a third person.

EU export control regulationsThe most important Europeaninstrument is Council Regulation(EU) No 428/2009 of 5 May 2012,regarding a community regime forthe control of exports, transfer andbrokering of dual-use goods (theDual-Use Regulation) whichincludes an annex with dual-useitems that require export licences(the so-called Dual-Use List). The

Dual-Use List not only comprisesphysical goods, but alsotechnology, data and dataprocessing programmes developedor required for such goods. Theexport of dual-use items alsoapplies to the transfer of softwareor technology by way of electronicmedia (facsimile, telephone, e-mail). This includes the provisionof software and technology inelectronic formats to legal andnatural persons outside of the EU.

EmbargoesCurrently there are EU embargoesagainst 26 countries, however anEU Member State may imposefurther national restrictions againstan embargoed country (as the UKin relation to Iran) or embargo anadditional country (as the UK inrelation to Argentina).

SanctionsCompliance in the field of exportcontrol law is not just a moralquestion of company philosophyor a nice, but unnecessary variationof compliance.

Criminal and civil penaltiesIt is a criminal offence to exportgoods (including technology anddata) which are controlled orsubject to sanctions and embargoregime without a licence from theappropriate authority. Civil andcriminal penalties may be imposedboth on companies andindividuals, depending on thenature of the breach. In the UK,the maximum criminal penaltiy isup to ten years imprisonment. InGermany, the maximumimprisonment is 15 years.Enforcement has become a priorityin the UK and Germany, with anumber of recent criminalprosecutions against bothcorporations and individuals.Furthermore, corporations andindividuals can face unlimitedfines.

PRIVACY AND TECHNOLOGY

14

In the context of cloud computing,the issues of data protection andsecurity of information storedwithin the cloud have beenintensely discussed. However,businesses pay too little attentionto the significant export controlimplications in the context ofcloud computing. Most businesseshave a misleading understandingof what actually constitutes anexport and fail to recognise thatexport control mechanisms areintrinsically linked to the accessand transfer of data in the cloud.This pitfall has to be avoided assanctions for breaches of the legalrequirements are draconic: thesanctions comprise, among others,imprisonment and unlimited finesfor the corporations andindividuals. Businesses that want touse cloud computing models aretherefore well advised to takeexport control laws seriously.

Applicability to cloudcomputingExport control regulations areapplicable to cloud computing inseveral situations: ! If the cloud provider is located

Data transfers to the cloud: avoidingthe pitfalls of export control rulesUse of cloud computing in thebusiness sector is fast becomingthe norm, offering increasedflexibility, reduction of costs and astronger interconnection ofbusinesses within the competitiveglobal markets. However, exportcontrol mechanisms are oftenoverlooked when transferring datain the cloud, with severe sanctionsfor violations. Dr Philip Haellmigkand Florian Foerster, Associate andTrainee Solicitor respectively at Bird& Bird, outline the requirementsbusinesses using the cloud shouldbe aware of, as well as how toavoid falling foul of these provisions.

Denial of licenseA further consequence of an illegal datatransfer that impacts export businessesis that authorities may revoke exportlicenses that have already been granted.Furthermore, the relationship with theauthorities may be damaged to theeffect that future export licenseapplications are denied.

Reputational damageFinally, the commercial and reputationalconsequences of being subject to aninvestigation or enforcement actionmust be considered. Commercialrelationships with suppliers andcustomers can be impacted andprosecutions can attract high levels ofnegative publicity.

Compliance measuresEuropean businesses ought to checkwhether the EU and nationalregulations of export control law applyto its business prior to the use of inhouse cloud computing; irrespective ofwhich model is to be implemented.

Perform an auditDoes the IT to be outsourced containany sensitive data regarding legal exportcontrol? Has this data been recorded inthe respective lists of goods (EU Dual-Use List, national military goods list)?

Instruct employeesProviding that the IT to be outsourcedcontains sensitive data in regards tolegal export control, the employees mustbe informed. Furthermore, theemployees should be provided withwork and process instructions for theintra-corporate handling regardingexport of such sensitive data. Inaddition, it has to be stipulated whichemployee (centrally) is responsible forexchange and maintaining contact withthe authorities (applications forauthorisation, general questions etc.).On the whole, it has to be ensured thaton all corporate levels the requiredexport control compliance structuresare being implemented (starting withthe person responsible and going all the

way up to the management level).

Examine the cloud providerLegal export control compliancedoes only work if the cloudprovider is also willing to observethe export control regulations.Therefore, it has to be clarifiedwith the respective cloud providerin which countries its ITinfrastructure is located or whichsub-suppliers are situated in whichcountries (for example, checking'embargoes').

Secure contractual protectionFinally, the companies shouldsecure themselves contractuallyagainst the cloud provider and itshandling of outsourced data sincethey lose most of the control overthis data by outsourcing it.However, the company remainsresponsible for the export of thedata and its further fate.Therefore, the cloud computingcontracts should contain exportcontrol clauses which ensure thatthe cloud provider promises toobserve the respective exportcontrol regulations when providingservices. If existent, the legaldepartment should be implicitlyconsulted and/or external legaladvice should be obtained.

Dr Philip Haellmigk, LLMAssociateSolicitor (England & Wales)Rechtsanwalt (Germany) Lic. en Droit (France) Bird & [email protected]

Florian FoersterTrainee SolicitorBird & [email protected]


PRIVACY AND TECHNOLOGY

Oftenbusinessesmisjudge thesignificanceof exportcontrolregulations tothe transferofintracompanydata


Revised OECD Guidelinesinteroperability betweenjurisdictions is necessary. Membercountries should establish nationalprivacy strategies reflecting acoordinated approach across all ofgovernment. Privacy enforcementauthorities must have adequatepowers, resources and technicalcapacity to effectively enforce theprivacy laws in their respectivejurisdictions.

My Office was pleased to havecontributed to the review process.We have long believed thataccountability is the driving forcebehind privacy management.

We have also seen first-hand thefruitful results that have grown outof increased internationalcooperation and collaboration.

The OECD Council’s adoption ofthe revised Privacy Guidelines is animportant milestone for the globalprivacy community and anexcellent starting point fororganizations in countries withoutprivacy legislation. The originalGuidelines and its Basic Principlesserved as a foundation for thedevelopment of the CanadianPIPEDA in the late 1990s.

Christopher Wolf, Partner atHogan Lovells and Director of thePrivacy and InformationManagement GroupI was a member of the OECDVolunteer Group of privacy expertsasked to consult on the Guidelines,and I am truly pleased with thefinal product. The practical focuson a risk management approach toprotecting privacy makes greatsense and is the only realisticoption in a data-laden economy. Ialso strongly endorse the need forgreater efforts to address the global

dimension of privacy throughimproved interoperability.

The Guidelines recognize thestrategic importance of privacyrequires a multifaceted nationalstrategy co-ordinated at the highestlevels of government. I also ampleased to see the emphasis onprivacy management programs toserve as the core operationalmechanism through whichorganizations implement privacyprotection. The inclusion of aprovision on data security breachnotification is a reflection of thecontribution this US-originatedconcept has made to the protectionof privacy.

Cédric Burton, Senior Associate atWilson Sonsini Goodrich & RosatiThe main privacy principles stayuntouched, which demonstratesthat common global trends arecurrently emerging and becomingthe bedrock of data protectionglobally. The revised guidelinesalso build on the various existingdata protection regimes by cherry-picking obligations and conceptsthat have proven to be workingwell in some regions of the worldand are now widely recognised askey privacy principles globally.

Some aspects of the OECDprivacy guidelines have beenmodernised such as the rules ontrans-border data flows and thesecurity requirements, but one ofthe major improvement is thefocus is on accountability, privacymanagement programs and onhow privacy protections areconcretely implemented withinorganisations. This demonstrates ashift from a rather bureaucraticapproach to a more practical one.

ROUNDTABLE

The Organisation for EconomicCo-operation and Development(OECD) published - on 9September 2013 - revisions to theirGuidelines on the Protection ofPrivacy and Transborder Flows ofPersonal Data (the Guidelines).The revisions represent the firstupdate to the original 1980version, which became the first setof internationally agreed privacyprinciples. Data Protection Law &Policy has put together aroundtable of comments fromprivacy experts across the globe toprovide a truly internationalperspective on this development.

Jennifer Stoddart, PrivacyCommissioner of Canada, Chair ofthe Privacy Expert Groupreviewing the OECD Guidelines:The updated Guidelines arenotable in two respects:! Firstly, there is a greater focus onthe concept of accountability.While accountability remains oneof the key principles defined in theGuidelines, the revised Guidelinesprovide greater clarity onimplementing accountability,including direction on establishinga privacy management programmewithin an organisation. Theupdated Guidelines also introducethe concept of breach notification.Organizations should notifyprivacy enforcement authorities ofsignificant privacy breaches, and,in cases where a breach mayadversely impact individuals,organizations should inform theaffected individuals as well.! Secondly, there is a new focus onthe global dimension of privacy. Inan environment where data flowsfreely across borders, greater

SIGN UP FOR FREE E-LAW ALERTSData Protection Law & Policy provides a free alert service. We send out updates on news, forthcoming events and each month on the day of publication

we send out the headlines and a precis of all of the articles in the issue.

To receive these free e-law alerts, register on www.e-comlaw.com/updates.asp or email [email protected]

Analysis of PRISM and other surveillance programs – Part Two - Mayer Brown · 2018. 12. 30. ·...

Documents

Transcript of Analysis of PRISM and other surveillance programs – Part Two - Mayer Brown · 2018. 12. 30. ·...