Settling in to the New World of 2017: ePrivacy, AI, the US Privacy Agenda, and

other Regional Developments

Thursday, 20 July 2017 Washington, DC

Welcome & Introduction

2

Bojana Bellamy

President

Centre for Information Policy Leadership

CIPL Deliverables 2016-2017

Mission – Developing global solutions for privacy and the responsible use of data to enable the modern information age

Vision – Global partner for business leaders, regulators and policymakers on privacy and information policy issues

3

• 5 Workshops/Working Sessions/Roundtables • 12 GDPR Project White Papers, Written Submissions and

Articles • 3 Webinars • 6+ Ad-hoc Meetings with Regulators

• Data Transparency workshop, paper and article • Side event at ICDPPC on transparency, risk assessment and

accountability

• Received formal guest status for APEC privacy meetings • APEC E-Commerce Business Alliance Forum in China • Participated in APEC privacy meetings • 2 APEC CBPR Events

Corporate Digital Responsibility (Accountability Plus)

Global Data Flows, Interoperability and Co-Regulatory Frameworks

Regulator Outreach and Regional Focus GDPR Implementation Project

• In addition to GDPR, regulatory outreach meetings and delegation visits: APPA, Brazil, Japan, Singapore, US (FTC, Dept. Of Commerce) and UK ICO

• Smart Data Protection Workshop • Japan Workshop • 5 Public Comments to Government Agencies

• Amsterdam (Kick-off), Paris (DPO, Risk), Brussels (Certifications), Madrid (Transparency, Consent, Legitimate interest) , Dublin (Smart Regulation)

5 Workshops and working sessions

• DPO • Risk and DPIA • One Stop Shop and Lead DPA • Certifications • Transparency, Consent, Legitimate Interest

5 CIPL Papers Submitted to WP29

ePrivacy Regulation Consultation Response

• DPO, Data Portability, Lead SA, DPIA 4 CIPL Responses to WP29 Guidance

GDPR Readiness Survey Report

• Smart Regulation • ePrivacy Regulation • Profiling and Automated Decision-Making

3 CIPL Papers in Progress

4

CIPL Project Deliverables to Date www.informationpolicycentre.com

Session 1

The Proposed EU ePrivacy Regulation

5

Moderator: Hielke Hijmans, Senior Policy Advisor, Centre for Information Policy Leadership

Cornelia Kutterer, Senior Director, EU Government Affairs, Privacy and Digital Policies, Microsoft

Rita Balogh, Public Policy Senior Analyst, Google, Inc.

Scott Goss, Vice President and Privacy Counsel, Qualcomm, Inc.

Ensure the effective legal protection of respect for privacy and communications, beyond the protection of personal data.

Update existing ePrivacy Directive in line with GDPR and extend scope to OTT and machine-to-machine communications.

Effective protection of privacy re terminal equipment because storage of sensitive information has become indispensable.

Centralize consent re software and prompt users with information about the privacy settings thereof.

Uniformity across the EU: Regulation instead of directive.

Enforcement relies on the supervisory authorities and the consistency mechanism of the GDPR.

6

Main Objectives of the EU Commission’s Proposal

1

2

3

4

5

6

Electronic communications data: includes content and metadata; not necessarily confined to personal data.

OTTs: Internet-based services enabling inter-personal communications, such as instant messaging, VOIP services, web-based email.

IoT devices, machine-to-machine communications.

Monitoring/Tracking of any devices

Territorial scope: Services in the EU, regardless of whether or not the processing takes place in the EU.

7

Chapter I: Definitions and scope

1

2

3

4

5

Art 5: Electronic communications data shall be confidential. No interference allowed.

Art 6: General exception [content and metadata]: Necessity for transmission or for security or for technical faults, or data made anonymous

Additional Exception Content: Necessary for sole purpose of providing a specific service to end-user and with end-user(s) consent

Additional Exception Content: With end-users consent, and DPA consultation.

Additional Exception Metadata: With end-user(s) consent, provided purpose(s) could not be achieved by processing anonymous data.

Additional Exceptions Metadata: Necessary for mandatory quality of service requirements, payment, fraud/abuse or subscription.

Art. 7: Rules on storage and erasure

8

Art 5-7: Confidentiality of Communications

1

2

3

5

6

7

4

Proposal covers (1) information stored in or emitted by such equipment (f.e.: cookies), and (2) information relating to the connection between

devices and between devices and networks (f.e.: wifi-connections).

Processing and collection of these types information only allowed under specific conditions (prohibition, unless ..).

Conditions for using cookies (and, e.g., spyware, web bugs, hidden identifiers, tracking tools, device fingerprinting): Necessary for sole purpose of carrying out communication;

prior consent; necessary for providing service requested by individuals.

A Specific exception for web measuring, but only for first party cookies

Conditions for using information relating to connection: Necessary in order to, for the time necessary, and for the purpose of establishing a connection, or with clear and prior

notice (Security requirements GDPR apply).

9

Art 8: Terminal Equipment

1

2

3

4

5

Art 9: Specification of consent rules in GDPR.

Consent could be obtained via browser settings; Reminder of possibility to withdraw consent each 6 months.

Art 10: Obligation for software providers: offer end-users effective information and choices about privacy settings

(e.g. configure browser settings).

Art 11: Purposes and conditions for Member States to restrict protection for public policy goals (“data retention”).

10

Chapter II: Art 9-11

1

2

3

4

5

Art 12 and 13: Prevent calling line identification to guarantee anonymity.

Art 14: Limit the reception of unwanted calls.

Art 15: Conditions of including end-users in publicly available directories.

Art 16: Conditions for unsolicited communications for direct marketing.

Art 17: Inform end-users in case of a particular security risk.

11

Chapter III: End-users’ Control

1

2

3

4

5

Scott Goss VP, Privacy Counsel Qualcomm Incorporated 20 June 2017

sgoss@qualcomm.com

ePrivacy: opportunities and challenges for mobile technology

13

Qualcomm Data Services

Data is important to core mobile technologies

• https://www.qualcomm.com/info/public-policy/privacy

14

Enabling better satellite location performance Qualcomm XTRA

GPS

XTRA Client Qualcomm

XTRA Servers

IP Network

XTRA Assistance Request: HTTP(s)

XTRA data download

Galileo GLONASS

BDS

15

Enabling better indoor location performance Qualcomm Global Terrestrial Positioning (GTP)

WWAN: Upload: Opportunistic Download: As needed when entering area not covered with data available on the device

Wi-Fi: Upload: Opportunistic. Crowdsourced data mostly gets uploaded using Wi-Fi connectivity Download: As needed when entering area not covered with data available on the device.

GTP Client Qualcomm GTP Server

IP Network

GTP Request for Content & GTP Upload

GTP Download Qualcomm

GTP DB

16

Powering connected and automated vehicles

Machine learning

Autonomous vehicle

Vehicle-to-network (V2N) communications

4G/5G

ALERT! Accident 2 miles

ahead

WARNING! Speed Limit is 70 km/h

ROAD WORK AHEAD Speed slows to 50 km/h in

2 km

Heavy stop and go traffic ahead. Would you like me

to drive?

Sensor fusion compute

Vision processing

Car behind changing lanes

Road sensors

Enabling safer, greener and more efficient transport

GNSS

Vehicle-to-vehicle (V2V) communications

Vehicle-to-infrastructure (V2I) communications

17

Is this an ‘ePrivacy Regulation’ or an ‘eData Regulation’?

From devices to people

Article 8 Protection of information stored in and related to

end-users’ terminal equipment

18

Application to core mobile technologies

• Location technologies • Connectivity technologies • Software stability technologies • Security technologies • Performance technologies

The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited …

Prohibition under Article 8(1)

19

Consent required, with very limited exceptions

1. What is ‘necessary’, or ‘strictly technically necessary’?

2. Addresses ‘information society services’ or web audience measurement but what about device functionality itself?

(a) it is necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or (b) the end-user has given his or her consent; or (c) it is necessary for providing an information society service requested by the end-user; or (d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

Exceptions under Article 8(1)

20

Hint, we’ve had this discussion before

Solution!

•Consent should be rare exception, not default basis

•Use all six bases for lawful processing under the GDPR

• Include the Dutch exception for low impact on the private life of the user

21

Other lawful bases for processing

Legal obligation

Vital interests of the data subject

Public interest

Legitimate interest

22

Legitimate interest examples

As discussed:

• Device Performance

• Connectivity Performance

• Security “The operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks” Case C-582/14 (Breyer)

23

Preventing routers from shouting they exist? Are Wi-Fi access points terminal equipment?

How can you stop a fake Wi-Fi access point if the bad guy does not give you consent?

2. The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: (a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or (b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection

24

Session 2

Accountable Machine Learning & AI

25

Moderator: Paula Bruening, Principal, Casentino Strategies Travis Breaux, Associate Professor of Computer Science at Carnegie

Mellon Alex Hubbard, Senior Policy Officer, UK Information Commissioner’s

Office Rob Sherman, Deputy Chief Privacy Officer, Facebook, Inc. Marisa Jimenez, Public Policy Senior Counsel - Data Governance,

Google, Inc. Geff Brown, Assistant General Counsel, Microsoft Corporation

26 26

27

27

Accountable Machine Learning and Artificial Intelligence Geff Brown, Associate General Counsel, Regulatory Affairs, Microsoft Corp. July 20, 2017

This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

29

30

• https://www.youtube.com/watch?v=R2mC-NUAmMk

31

Emergent behavior & unpredictability

32

Public Perception

33

Microsoft’s Principles

34

Session 2

Accountable Machine Learning & AI Breakout Session

35

Breakout Group Discussion Leaders: Allen Brandt, Executive Director & Associate General Counsel, CPO, Depository

Trust & Clearing Corporation Frank Dawson, Director, Privacy Compliance, Nokia Corporation Kim Gray, Global Chief Privacy Officer, QuintilesIMS Jennifer Handa, Director, Legal Services – Global Ethics & Compliance,

Accenture Ben Hayes, Chief Privacy Officer, Nielsen (London) Jade Nester, Senior Policy Manager, GSMA (Brussels) Caroline Louveaux, Assistant General Counsel, Privacy & Data

Protection, MasterCard

Session 3

Regional Privacy Updates from Canada, Asia-Pacific and Latin America

36

Moderator: Markus Heyder, Vice President & Senior Policy Counselor, Centre for Information Policy Leadership

Patricia Kosseim, Senior General Counsel and Director General, Office of the Privacy Commissioner of Canada

Shannon Coe, Team Lead Data Flows and Privacy, Office of Digital Services Industries, Department of Commerce

Jonathan Fox, Director Strategy and Planning, Chief Privacy Office, Security & Trust Organization, Cisco Systems, Inc.

Laura Juanes Micas, Director, Privacy Policy, Facebook, Inc. Jonathan Avila, Vice President & Chief Privacy Officer, Wal-Mart Stores, Inc.

APEC CBPR and APAC Developments

July 20 2017

Strategic Considerations

38

Cisco’s Data Protection & Privacy Program

S

Customer & Market Expectations

Risk Landscape Competitive Differentiation

Legal Obligations

Why Do We Care About APEC?

39

Global Frameworks & Enforcement

Excerpt from “International Efforts by the [Japan] Personal Information Protection Commission” – Mar 2017

40

Data Protection & Privacy Certifications DATA PROTECTION

APEC CBPRs

EU-US Privacy Shield

Swiss-US Privacy Shield

Binding Corporate Rules (GDPR aligned)

July 2016 Sept 2016 May 2017* May 2018**

April 2017

* filed on May 9, 2017 ** anticipated certification date

Cisco

Updates

• Korea • South Korea joins APEC CBPR

• Japan

• EU-Japan Economic Partnership Agreement

• China

• Critical Information Infrastructure Protection Measures released for comment

42

trust.cisco.com

LatAm Update

Centre for Information Policy Leadership

Annual Executive Retreat

Washington, D.C.

_____________________________________________________________________

July 20, 2017

45

Mexico

• January 26, 2017: General Law on the Protection of Personal Data held by Obliged Subjects [Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados] (the General Law) published in the Federal Official Gazette – Applicable to public entities in Mexico – Law entered into force January 27, 2017, with six months for incorporation

in regulations, etc. of affected entities – First comprehensive scheme for public entities

46

Mexico

• General Law incorporates ARCO (Access, Rectification, Cancellation and Objection) rights familiar from regulatory scheme applicable to non-public controllers

• General Law based upon principles carried over from Federal Law on the Protection of Personal Data held by private parties – Legality, purpose, loyalty, consent, quality, proportionality, notice

(information) and accountability

47

Mexico

• Privacy Impact Assessments required for high risk processing operations

• Security obligations: Documentation of data inventory and of all necessary measures to guarantee the confidentiality of data; adopt and maintain appropriate technical, administrative and physical security measures to avoid damage, loss, alteration, destruction, unauthorized use, access or processing

48

Mexico

• General Law defines cloud computing and imposes obligations on data controller to contract appropriately with cloud provider, including: – Transparent subcontracting – Prohibition upon contractors’ acquisition of ownership of data – Deletion of data upon completion of services

49

Chile

• March 13, 2017: President sent bill to Senate that significantly amends law on Protection of Private Life – Law would go into effect 13 months after publication; data controllers will

have four years to bring into compliance previously established databases – July 7, 2017: Senate Constitution Commission generally approved bill’s

text

• Scope: All public and private individuals and entities, except press and individuals engaged in purely personal activity

50

Chile

• Key changes: – Definition of personal data includes restriction that data be individually

identifiable with reasonable effort – Defines consent in greater detail by eliminating “in writing” requirement and

substituting “an act of assertion proving the clarity of the subject’s will” – Establishes new exceptions to consent – Establishes new category of sensitive data to include biometric data – Restricts automated processing, entitling data subjects to object to such

processing that has significant personal effect – Creates DPA with maximum fining authority of approx. $350K (U.S.) – Regulates international data transfers – Establishes breach notification obligation

51

Peru

• Data Privacy in private sector governed by Law No. 29733 on the Protection of Personal Data 2011 – Law contains all essential features of comprehensive data protection law,

including independent DPA

52

Peru

• January 7, 2017: Fundamental law supplemented by publication of Legislative Decree No. 1353 – Now permits processing without data subject’s consent to:

• Prevent money laundering and financing of terrorism

• Protect free speech

• Measures taken prior to entering into contract with data subject

– Eliminates obligations to register databases with DPA – Creates obligation to notify data subjects regarding new data processors or

data transfers that result from controller’s mergers and acquisitions – Establishes obligation to register international transfers with National

Registry for Personal Data Protection

53

THANK YOU

Jonathan D. Avila

Vice President and Chief Privacy Officer

Walmart Stores Inc. 702 SW 8th Street

Bentonville, AR 72716

jonathan.avila@walmart.com

Session 4 Keynote:

What is on the Privacy Horizon for the FTC?

54

Maneesha Mithal

Associate Director

Division of Privacy and Identity Protection, Bureau of Consumer Protection

U.S. Federal Trade Commission

Session 4

What’s Ahead for Privacy under the new US Administration?

55

Moderator: Fred Cate, Senior Policy Advisor, CIPL, and Vice President for Research at Indiana University

Sheila Colclasure, Chief Privacy Officer and Global Executive for Privacy and Public Policy, Axciom

Tony Hadley, Senior Vice President, Government Affairs & Public Policy, Experian

Closing Remarks

56

Bojana Bellamy

President

Centre for Information Policy Leadership

57

Thank you

Centre for Information Policy Leadership www.informationpolicycentre.com

Hunton & Williams Privacy and Information Security Law Blog

www.huntonprivacyblog.com

FOLLOW US ON TWITTER @THE_CIPL

FOLLOW US ON LINKEDIN linkedin.com/company/centre-for-information-policy-leadership