Settling in to the New World of 2017: ePrivacy, AI, the US ... · 4G/5G . ALERT! Accident 2 miles...
Transcript of Settling in to the New World of 2017: ePrivacy, AI, the US ... · 4G/5G . ALERT! Accident 2 miles...
Settling in to the New World of 2017: ePrivacy, AI, the US Privacy Agenda, and
other Regional Developments
Thursday, 20 July 2017 Washington, DC
Welcome & Introduction
2
Bojana Bellamy
President
Centre for Information Policy Leadership
CIPL Deliverables 2016-2017
Mission – Developing global solutions for privacy and the responsible use of data to enable the modern information age
Vision – Global partner for business leaders, regulators and policymakers on privacy and information policy issues
3
• 5 Workshops/Working Sessions/Roundtables • 12 GDPR Project White Papers, Written Submissions and
Articles • 3 Webinars • 6+ Ad-hoc Meetings with Regulators
• Data Transparency workshop, paper and article • Side event at ICDPPC on transparency, risk assessment and
accountability
• Received formal guest status for APEC privacy meetings • APEC E-Commerce Business Alliance Forum in China • Participated in APEC privacy meetings • 2 APEC CBPR Events
Corporate Digital Responsibility (Accountability Plus)
Global Data Flows, Interoperability and Co-Regulatory Frameworks
Regulator Outreach and Regional Focus GDPR Implementation Project
• In addition to GDPR, regulatory outreach meetings and delegation visits: APPA, Brazil, Japan, Singapore, US (FTC, Dept. Of Commerce) and UK ICO
• Smart Data Protection Workshop • Japan Workshop • 5 Public Comments to Government Agencies
• Amsterdam (Kick-off), Paris (DPO, Risk), Brussels (Certifications), Madrid (Transparency, Consent, Legitimate interest) , Dublin (Smart Regulation)
5 Workshops and working sessions
• DPO • Risk and DPIA • One Stop Shop and Lead DPA • Certifications • Transparency, Consent, Legitimate Interest
5 CIPL Papers Submitted to WP29
ePrivacy Regulation Consultation Response
• DPO, Data Portability, Lead SA, DPIA 4 CIPL Responses to WP29 Guidance
GDPR Readiness Survey Report
• Smart Regulation • ePrivacy Regulation • Profiling and Automated Decision-Making
3 CIPL Papers in Progress
4
CIPL Project Deliverables to Date www.informationpolicycentre.com
Session 1
The Proposed EU ePrivacy Regulation
5
Moderator: Hielke Hijmans, Senior Policy Advisor, Centre for Information Policy Leadership
Cornelia Kutterer, Senior Director, EU Government Affairs, Privacy and Digital Policies, Microsoft
Rita Balogh, Public Policy Senior Analyst, Google, Inc.
Scott Goss, Vice President and Privacy Counsel, Qualcomm, Inc.
Ensure the effective legal protection of respect for privacy and communications, beyond the protection of personal data.
Update existing ePrivacy Directive in line with GDPR and extend scope to OTT and machine-to-machine communications.
Effective protection of privacy re terminal equipment because storage of sensitive information has become indispensable.
Centralize consent re software and prompt users with information about the privacy settings thereof.
Uniformity across the EU: Regulation instead of directive.
Enforcement relies on the supervisory authorities and the consistency mechanism of the GDPR.
6
Main Objectives of the EU Commission’s Proposal
1
2
3
4
5
6
Electronic communications data: includes content and metadata; not necessarily confined to personal data.
OTTs: Internet-based services enabling inter-personal communications, such as instant messaging, VOIP services, web-based email.
IoT devices, machine-to-machine communications.
Monitoring/Tracking of any devices
Territorial scope: Services in the EU, regardless of whether or not the processing takes place in the EU.
7
Chapter I: Definitions and scope
1
2
3
4
5
Art 5: Electronic communications data shall be confidential. No interference allowed.
Art 6: General exception [content and metadata]: Necessity for transmission or for security or for technical faults, or data made anonymous
Additional Exception Content: Necessary for sole purpose of providing a specific service to end-user and with end-user(s) consent
Additional Exception Content: With end-users consent, and DPA consultation.
Additional Exception Metadata: With end-user(s) consent, provided purpose(s) could not be achieved by processing anonymous data.
Additional Exceptions Metadata: Necessary for mandatory quality of service requirements, payment, fraud/abuse or subscription.
Art. 7: Rules on storage and erasure
8
Art 5-7: Confidentiality of Communications
1
2
3
5
6
7
4
Proposal covers (1) information stored in or emitted by such equipment (f.e.: cookies), and (2) information relating to the connection between
devices and between devices and networks (f.e.: wifi-connections).
Processing and collection of these types information only allowed under specific conditions (prohibition, unless ..).
Conditions for using cookies (and, e.g., spyware, web bugs, hidden identifiers, tracking tools, device fingerprinting): Necessary for sole purpose of carrying out communication;
prior consent; necessary for providing service requested by individuals.
A Specific exception for web measuring, but only for first party cookies
Conditions for using information relating to connection: Necessary in order to, for the time necessary, and for the purpose of establishing a connection, or with clear and prior
notice (Security requirements GDPR apply).
9
Art 8: Terminal Equipment
1
2
3
4
5
Art 9: Specification of consent rules in GDPR.
Consent could be obtained via browser settings; Reminder of possibility to withdraw consent each 6 months.
Art 10: Obligation for software providers: offer end-users effective information and choices about privacy settings
(e.g. configure browser settings).
Art 11: Purposes and conditions for Member States to restrict protection for public policy goals (“data retention”).
10
Chapter II: Art 9-11
1
2
3
4
5
Art 12 and 13: Prevent calling line identification to guarantee anonymity.
Art 14: Limit the reception of unwanted calls.
Art 15: Conditions of including end-users in publicly available directories.
Art 16: Conditions for unsolicited communications for direct marketing.
Art 17: Inform end-users in case of a particular security risk.
11
Chapter III: End-users’ Control
1
2
3
4
5
Scott Goss VP, Privacy Counsel Qualcomm Incorporated 20 June 2017
ePrivacy: opportunities and challenges for mobile technology
13
Qualcomm Data Services
Data is important to core mobile technologies
• https://www.qualcomm.com/info/public-policy/privacy
14
Enabling better satellite location performance Qualcomm XTRA
GPS
XTRA Client Qualcomm
XTRA Servers
IP Network
XTRA Assistance Request: HTTP(s)
XTRA data download
Galileo GLONASS
BDS
15
Enabling better indoor location performance Qualcomm Global Terrestrial Positioning (GTP)
WWAN: Upload: Opportunistic Download: As needed when entering area not covered with data available on the device
Wi-Fi: Upload: Opportunistic. Crowdsourced data mostly gets uploaded using Wi-Fi connectivity Download: As needed when entering area not covered with data available on the device.
GTP Client Qualcomm GTP Server
IP Network
GTP Request for Content & GTP Upload
GTP Download Qualcomm
GTP DB
16
Powering connected and automated vehicles
Machine learning
Autonomous vehicle
Vehicle-to-network (V2N) communications
4G/5G
ALERT! Accident 2 miles
ahead
WARNING! Speed Limit is 70 km/h
ROAD WORK AHEAD Speed slows to 50 km/h in
2 km
Heavy stop and go traffic ahead. Would you like me
to drive?
Sensor fusion compute
Vision processing
Car behind changing lanes
Road sensors
Enabling safer, greener and more efficient transport
GNSS
Vehicle-to-vehicle (V2V) communications
Vehicle-to-infrastructure (V2I) communications
17
Is this an ‘ePrivacy Regulation’ or an ‘eData Regulation’?
From devices to people
Article 8 Protection of information stored in and related to
end-users’ terminal equipment
18
Application to core mobile technologies
• Location technologies • Connectivity technologies • Software stability technologies • Security technologies • Performance technologies
The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited …
Prohibition under Article 8(1)
19
Consent required, with very limited exceptions
1. What is ‘necessary’, or ‘strictly technically necessary’?
2. Addresses ‘information society services’ or web audience measurement but what about device functionality itself?
(a) it is necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or (b) the end-user has given his or her consent; or (c) it is necessary for providing an information society service requested by the end-user; or (d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.
Exceptions under Article 8(1)
20
Hint, we’ve had this discussion before
Solution!
•Consent should be rare exception, not default basis
•Use all six bases for lawful processing under the GDPR
• Include the Dutch exception for low impact on the private life of the user
21
Other lawful bases for processing
Legal obligation
Vital interests of the data subject
Public interest
Legitimate interest
22
Legitimate interest examples
As discussed:
• Device Performance
• Connectivity Performance
• Security “The operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks” Case C-582/14 (Breyer)
23
Preventing routers from shouting they exist? Are Wi-Fi access points terminal equipment?
How can you stop a fake Wi-Fi access point if the bad guy does not give you consent?
2. The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: (a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or (b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection
24
Session 2
Accountable Machine Learning & AI
25
Moderator: Paula Bruening, Principal, Casentino Strategies Travis Breaux, Associate Professor of Computer Science at Carnegie
Mellon Alex Hubbard, Senior Policy Officer, UK Information Commissioner’s
Office Rob Sherman, Deputy Chief Privacy Officer, Facebook, Inc. Marisa Jimenez, Public Policy Senior Counsel - Data Governance,
Google, Inc. Geff Brown, Assistant General Counsel, Microsoft Corporation
26 26
27
27
Accountable Machine Learning and Artificial Intelligence Geff Brown, Associate General Counsel, Regulatory Affairs, Microsoft Corp. July 20, 2017
This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.
29
30
• https://www.youtube.com/watch?v=R2mC-NUAmMk
31
Emergent behavior & unpredictability
32
Public Perception
33
Microsoft’s Principles
34
Session 2
Accountable Machine Learning & AI Breakout Session
35
Breakout Group Discussion Leaders: Allen Brandt, Executive Director & Associate General Counsel, CPO, Depository
Trust & Clearing Corporation Frank Dawson, Director, Privacy Compliance, Nokia Corporation Kim Gray, Global Chief Privacy Officer, QuintilesIMS Jennifer Handa, Director, Legal Services – Global Ethics & Compliance,
Accenture Ben Hayes, Chief Privacy Officer, Nielsen (London) Jade Nester, Senior Policy Manager, GSMA (Brussels) Caroline Louveaux, Assistant General Counsel, Privacy & Data
Protection, MasterCard
Session 3
Regional Privacy Updates from Canada, Asia-Pacific and Latin America
36
Moderator: Markus Heyder, Vice President & Senior Policy Counselor, Centre for Information Policy Leadership
Patricia Kosseim, Senior General Counsel and Director General, Office of the Privacy Commissioner of Canada
Shannon Coe, Team Lead Data Flows and Privacy, Office of Digital Services Industries, Department of Commerce
Jonathan Fox, Director Strategy and Planning, Chief Privacy Office, Security & Trust Organization, Cisco Systems, Inc.
Laura Juanes Micas, Director, Privacy Policy, Facebook, Inc. Jonathan Avila, Vice President & Chief Privacy Officer, Wal-Mart Stores, Inc.
APEC CBPR and APAC Developments
July 20 2017
Strategic Considerations
38
Cisco’s Data Protection & Privacy Program
S
Customer & Market Expectations
Risk Landscape Competitive Differentiation
Legal Obligations
Why Do We Care About APEC?
39
Global Frameworks & Enforcement
Excerpt from “International Efforts by the [Japan] Personal Information Protection Commission” – Mar 2017
40
Data Protection & Privacy Certifications DATA PROTECTION
APEC CBPRs
EU-US Privacy Shield
Swiss-US Privacy Shield
Binding Corporate Rules (GDPR aligned)
July 2016 Sept 2016 May 2017* May 2018**
April 2017
* filed on May 9, 2017 ** anticipated certification date
Cisco
Updates
• Korea • South Korea joins APEC CBPR
• Japan
• EU-Japan Economic Partnership Agreement
• China
• Critical Information Infrastructure Protection Measures released for comment
42
trust.cisco.com
LatAm Update
Centre for Information Policy Leadership
Annual Executive Retreat
Washington, D.C.
_____________________________________________________________________
July 20, 2017
45
Mexico
• January 26, 2017: General Law on the Protection of Personal Data held by Obliged Subjects [Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados] (the General Law) published in the Federal Official Gazette – Applicable to public entities in Mexico – Law entered into force January 27, 2017, with six months for incorporation
in regulations, etc. of affected entities – First comprehensive scheme for public entities
46
Mexico
• General Law incorporates ARCO (Access, Rectification, Cancellation and Objection) rights familiar from regulatory scheme applicable to non-public controllers
• General Law based upon principles carried over from Federal Law on the Protection of Personal Data held by private parties – Legality, purpose, loyalty, consent, quality, proportionality, notice
(information) and accountability
47
Mexico
• Privacy Impact Assessments required for high risk processing operations
• Security obligations: Documentation of data inventory and of all necessary measures to guarantee the confidentiality of data; adopt and maintain appropriate technical, administrative and physical security measures to avoid damage, loss, alteration, destruction, unauthorized use, access or processing
48
Mexico
• General Law defines cloud computing and imposes obligations on data controller to contract appropriately with cloud provider, including: – Transparent subcontracting – Prohibition upon contractors’ acquisition of ownership of data – Deletion of data upon completion of services
49
Chile
• March 13, 2017: President sent bill to Senate that significantly amends law on Protection of Private Life – Law would go into effect 13 months after publication; data controllers will
have four years to bring into compliance previously established databases – July 7, 2017: Senate Constitution Commission generally approved bill’s
text
• Scope: All public and private individuals and entities, except press and individuals engaged in purely personal activity
50
Chile
• Key changes: – Definition of personal data includes restriction that data be individually
identifiable with reasonable effort – Defines consent in greater detail by eliminating “in writing” requirement and
substituting “an act of assertion proving the clarity of the subject’s will” – Establishes new exceptions to consent – Establishes new category of sensitive data to include biometric data – Restricts automated processing, entitling data subjects to object to such
processing that has significant personal effect – Creates DPA with maximum fining authority of approx. $350K (U.S.) – Regulates international data transfers – Establishes breach notification obligation
51
Peru
• Data Privacy in private sector governed by Law No. 29733 on the Protection of Personal Data 2011 – Law contains all essential features of comprehensive data protection law,
including independent DPA
52
Peru
• January 7, 2017: Fundamental law supplemented by publication of Legislative Decree No. 1353 – Now permits processing without data subject’s consent to:
• Prevent money laundering and financing of terrorism
• Protect free speech
• Measures taken prior to entering into contract with data subject
– Eliminates obligations to register databases with DPA – Creates obligation to notify data subjects regarding new data processors or
data transfers that result from controller’s mergers and acquisitions – Establishes obligation to register international transfers with National
Registry for Personal Data Protection
53
THANK YOU
Jonathan D. Avila
Vice President and Chief Privacy Officer
Walmart Stores Inc. 702 SW 8th Street
Bentonville, AR 72716
Session 4 Keynote:
What is on the Privacy Horizon for the FTC?
54
Maneesha Mithal
Associate Director
Division of Privacy and Identity Protection, Bureau of Consumer Protection
U.S. Federal Trade Commission
Session 4
What’s Ahead for Privacy under the new US Administration?
55
Moderator: Fred Cate, Senior Policy Advisor, CIPL, and Vice President for Research at Indiana University
Sheila Colclasure, Chief Privacy Officer and Global Executive for Privacy and Public Policy, Axciom
Tony Hadley, Senior Vice President, Government Affairs & Public Policy, Experian
Closing Remarks
56
Bojana Bellamy
President
Centre for Information Policy Leadership
57
Thank you
Centre for Information Policy Leadership www.informationpolicycentre.com
Hunton & Williams Privacy and Information Security Law Blog
www.huntonprivacyblog.com
FOLLOW US ON TWITTER @THE_CIPL
FOLLOW US ON LINKEDIN linkedin.com/company/centre-for-information-policy-leadership