CIPL Virtual Press Conference (Final) (28825612) (1) · 2009. 10. 27. · Credit Card Purchase vI...


Page 1: CIPL Virtual Press Conference, 27 October 2009

Page 2: Agenda

• Introduce speakers
• Frame the problem
• Discuss Galway Accountability Project outcomes
• Lay out changes in both data flows and data management
• Conclusions
• Q & A

Page 3: Speakers

Martin Abrams, The Centre for Information Policy Leadership
Paula Bruening, The Centre for Information Policy Leadership
Richard Purcell, The Privacy Projects.org
Paul Schwartz, UC Berkeley School of Law

Page 4: ATM Cash Withdrawal

[Diagram: ATM network, fraud prevention services, personal bank]

• I go to the Dallas Airport to start my vacation in Thailand.
• I stop for dollars at an ATM.

Page 5: Credit Card Purchase

[Diagram: merchant, network, fraud service, merchant's bank, personal bank]

• I buy magazines at the airport with my credit card.
• The merchant, his bank, the network, a fraud service, and my bank each touch the transaction.

Page 6:

• The airline shares data about my flight with the Transportation Security Administration (TSA).

Page 7:

• I use my credit card to purchase from duty free on the flight.
• My data cuts new paths involving many new players as the charge is processed in flight.

Page 8:

• I change planes in Tokyo.
• I use my credit card again, cutting new, unpredictable paths.

Page 9:

• I land in Thailand and immediately use my ATM card.
• New players and processes jump in.
• My data takes a detour to determine whether the person in Thailand could logically be me.

[Map: Dallas, Tokyo, Thailand]

Page 10:

• I get into the taxi and go to the hotel.
• My credit card is used for the 4th time in a completely new geography.
• New processors see my data, and fraud checks calculate whether the card could logically be used in all these different locations in less than 24 hours.
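The "could the person in Thailand logically be me" detour on Page 9 and the "all these locations in less than 24 hours" calculation above are what fraud teams call an impossible-travel (geo-velocity) check. The following is an added example, not code from this deck or from any real fraud service: it takes a card's recent authorizations with a location and timestamp, computes the speed the cardholder would have needed between each consecutive pair, and flags pairs that exceed a plausible ceiling. The airport coordinates, the timestamps of the narrated trip, and the 1,000 km/h ceiling are all assumptions chosen for illustration; a real deployment would tune the ceiling and add tolerance for coarse merchant geolocation.

```python
"""Impossible-travel (geo-velocity) check over a card's recent authorizations.

Added example, not code from the CIPL deck or from any real fraud service.
It illustrates the test the slides allude to: could one cardholder
physically have been present at every location in the sequence?
Coordinates, timestamps and the speed ceiling are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling, a little above long-haul cruise speed, so that a direct
# flight (Dallas to Tokyo in roughly 13 hours) is not flagged.
MAX_PLAUSIBLE_KMH = 1000.0

# Approximate airport coordinates (lat, lon); constructed sample data.
DALLAS = (32.90, -97.04)
TOKYO = (35.77, 140.39)
BANGKOK = (13.69, 100.75)
BANGKOK_HOTEL = (13.75, 100.50)


@dataclass(frozen=True)
class Txn:
    when: datetime          # timezone-aware time of the authorization
    lat: float
    lon: float
    label: str              # human-readable description used in flags


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def required_speed_kmh(prev: Txn, cur: Txn) -> float:
    """Speed the cardholder would have needed to get from prev to cur."""
    dist = haversine_km((prev.lat, prev.lon), (cur.lat, cur.lon))
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        # Two authorizations at the same instant: fine if co-located
        # (e.g. split tender at one till), impossible otherwise.
        return 0.0 if dist < 1.0 else float("inf")
    return dist / hours


def impossible_travel(txns: List[Txn],
                      max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Tuple[str, str, float]]:
    """Return (from_label, to_label, implied_kmh) for each consecutive pair of
    authorizations that would require travelling faster than max_kmh.
    Events are sorted by time first: authorizations reach the fraud service
    from different processors and need not arrive in order."""
    ordered = sorted(txns, key=lambda t: t.when)
    flags = []
    for prev, cur in zip(ordered, ordered[1:]):
        v = required_speed_kmh(prev, cur)
        if v > max_kmh:
            flags.append((prev.label, cur.label, v))
    return flags


def _utc(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2009, 10, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample: the trip narrated in the slides, with assumed times.
LEGITIMATE_TRIP = [
    Txn(_utc(27, 8, 0), *DALLAS, "Dallas: ATM withdrawal"),
    Txn(_utc(27, 8, 30), *DALLAS, "Dallas: airport magazines"),
    Txn(_utc(27, 22, 0), *TOKYO, "Tokyo: transit purchase"),
    Txn(_utc(28, 5, 30), *BANGKOK, "Bangkok: ATM"),
    Txn(_utc(28, 6, 30), *BANGKOK_HOTEL, "Bangkok: taxi / hotel"),
]

# Constructed sample: a cloned card used in Bangkok two hours after Dallas.
CLONED_CARD = [
    Txn(_utc(27, 8, 30), *DALLAS, "Dallas: airport magazines"),
    Txn(_utc(27, 10, 30), *BANGKOK, "Bangkok: ATM"),
]

if __name__ == "__main__":
    for name, seq in (("legitimate", LEGITIMATE_TRIP), ("cloned", CLONED_CARD)):
        print(name, impossible_travel(seq) or "no impossible travel")
```

The legitimate itinerary passes because Dallas to Tokyo in 13.5 hours implies roughly 760 km/h and Tokyo to Bangkok in 7.5 hours roughly 620 km/h, both under the assumed ceiling; the cloned-card sequence implies several thousand km/h and is flagged. Note what the check needs in order to run at all: every processor in the chain has to pass location and time to the fraud service, which is exactly the cross-border data flow the slides are concerned with.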

Page 11:

• The fact is that my travel is generating continuing data transfers with unpredictable locations.
• All require speed, high levels of security, and rules that cover who can do what with the data.

Page 12:

• Each data transmission is a data breach waiting to happen.
• Each new processor adds risk for the consumer that he will be harmed.
• Each new location creates jurisdictional complexity for the consumer.

Page 13:

• The fact is that travel is just an example of a process that generates almost continuous data transfers with many players.
• It is not possible for the consumer to read the policies of every player.

Page 14:

• It is not possible for the players to define with certainty what the path will be on any given day at any given moment.
• Instead we expect a chain of accountability that begins with the players we know.
• The players we know create accountability with those we don't.
• Yet the legal structures that facilitate accountability are unfinished.

Page 15:

• Only in the last year have we begun to define how accountability:
– Protects consumers
– Creates legal certainty for business
– Is trusted by regulators

[Diagram: Accountability at the centre, linked to Protect, Create, Trust]

Page 16: What Is Accountability?

• An accountable organization takes responsibility for the risks raised by the collection and use of information, and is answerable for protecting and securing that information.
• An accountable company manages to the risks, not just to compliance.
• First mentioned in international guidance in 1980.
• Never fully defined until the Galway process.

Page 17: The Essential Elements of Accountability

• Organizational Commitment
• Policies and Processes
• Internal Oversight
• Consumer Participation
• Recourse and Redress

Page 18: Accountability Project Participants

Joseph Alhadeff, Rosa Barcelo, Jennifer Barrett, Marcus Belke, Bojana Bellamy, Daniel Burton, Emma Butler, Fred H. Cate, Maureen Cooney, Peter Cullen, Gary Davis, Elizabeth Denham, Michael Donohue, Lindsey Finch, Giusella Finocchiaro, Rafael Garcia Gozalo, Connie Graham, Billy Hawkes, David Hoffman, Jane Horvath, Gus Hosein, Peter Hustinx, Takayuki Kato, Christopher Kuner, Barbara Lawler, Artemi Rallo Lombarte, Rocco Panetta, Daniel Pradelles, Florence Raynal, Stéphanie Regnie, Manuela Siano, David Smith, Hugh Stevenson, Scott Taylor, Bridget Treacy, K. Krasnow Waterman, Armgard von Reden, Jonathan Weeks, Martin Abrams, Paula J. Bruening

Page 19: Managing Global Data Privacy

A Report From The Privacy Projects

Page 20: The Privacy Projects

• Dedicated to developing and contributing 'evidence-based' information to the ongoing dialogue for enhancing and improving personal information privacy and data protection
– Independent non-profit
– Board of noted experts in privacy and data protection
• www.theprivacyprojects.org

Page 21: The Project – Cross-border Data Flows

• Examine the processes and controls implemented for cross-border data flows
– Six case studies from North American companies
– Practices of companies actively seeking responsible data protection practices
• Case Studies - Confidential
– Pharma, Marketing, Technology, Financial Services
• Paul M. Schwartz
– Professor of Law, University of California, Berkeley
– Noted author on data protection law in the US and EU

Page 22: A Flat World is Not a Simple World

Page 23: Major Changes

• The scale of data flows, individually and in the aggregate, has increased massively
• Processing involved in data flows has expanded to include highly complex and process-oriented steps implemented within systems of networks
• Oversight over data flows has evolved into a model of collaboration, professionalization, and resource commitments

Page 24: Prior Basis for Regulation

• Centralized Databases
– Segmented customer files
• IT Controls
– Technical drivers, not policy
• Point-to-Point Transfers
– Discrete, scheduled, occasional
• Proprietary transfer protocols
– Tapes in boxes
– Specialized communications lines
• Non-networked

Page 25: A Change in Scale (from → to)

• Discrete Events → Continuous Process
• Localized Content → Dynamic Needs
• Point to Point → Routing by Algorithm
• Temporal → Ongoing

Page 26: A Change in Processing (from → to)

• Centralized Databases → Networked Processes
• Controller Sourced → Sourcing Flexibility
• Discrete Actions → Distributed Computing
• Geographical Basis → Needs Basis

Page 27: A Change in Management (from → to)

• Primary Driver: IT → Primary Driver: Policy
• Low Investment → High Investment
• Vague Ownership → Privacy/Security Officers
• Ad Hoc Knowledge → Professional Certification

Page 28: New Challenges – New Controls

• Data transfers are complex, involving numerous processes and parties
– Consumer informed consent unsustainable
• Algorithms determine the path and destination for specific data types
– 'Controller' and 'processor' definitions outdated
• Processing occurs in data centers AND on the network itself
– 'Personal information processing' definition outdated
• Global networks interoperate with regional data sets
– Database registrations cannot control or manage networked series of processes

Page 29: Regulatory Control Changes?

• The transformation of global data transfers
– Simple to complex
– Ad hoc to managed
– Occasional to ubiquitous
– Single process to a series of networked processes
– Point to point to globally-networked
• The need for transformation of regulatory controls
– Basis on informed consent needs to yield to corporate accountability that avoids risks to individuals
– Meaningful standards and expectations applicable to globally-operating companies
– Personal information as a key corporate asset requiring respect and protection

Page 30: A State of Constant Change

"Data protection regulations, whether in national or in supranational sectors, are never static or even completed regulations. They react to information and communications technologies that are developing ever more quickly."

Spiros Simitis, Einleitung, in Bundesdatenschutzgesetz 147 (Spiros Simitis, ed., 6th ed. 2006)

Page 31: Progressing Forward

"The key to the merits of an accountability regime will be in the details of any regulation. Nonetheless, it is possible to say that leading corporations have developed the kind of preconditions for a data protection regime whose safeguards and requirements concentrate on institutional privacy outputs rather than managerial inputs."

Paul M. Schwartz, "Managing Global Data Privacy", a report from The Privacy Projects

Page 32: Contact Us

© 2009 The Centre for Information Policy Leadership at Hunton & Williams LLP. The content of this presentation contains the views of the Centre for Information Policy Leadership and does not represent the opinion of either its individual members or Hunton & Williams LLP. The views expressed in any attachment represent the views of the individual correspondents reporting on behalf of the Centre for Information Policy Leadership and should not be construed as the views of Hunton & Williams LLP or any of its clients. These materials have been prepared for informational purposes only. Visit us at www.informationpolicycentre.com

Martin Abrams, Executive [email protected]
Paula Bruening, Deputy Executive [email protected]
Richard Purcell, Executive [email protected]
Paul Schwartz, Professor of [email protected]

www.informationpolicycentre.com

www.theprivacyprojects.org