Why Privacy Now Goes Far Beyond Complying With Your Privacy Policy Peter Swire Facebook:...
-
Upload
gloria-manning -
Category
Documents
-
view
221 -
download
0
Transcript of Why Privacy Now Goes Far Beyond Complying With Your Privacy Policy Peter Swire Facebook:...
Why Privacy Now Goes Far Beyond Complying With Your
Privacy Policy Peter Swire
Facebook: Privacy@ScaleJune 3, 2015
Overview: Why Privacy Has Gotten Harder
The history: First Wave of Global Privacy Protection – 1990’s Post 9/11: comply with the privacy policy was the key Second Wave – what we are in now
The technology: From the Internet (90s) to multiple new tech
challenges, from social networks to IoT The result:
Responses from post 9/11 period do not handle the risks and realities in privacy and cyber today
Also, update on USA Freedom Act
First Wave
1993 – commercial activity on Internet The First Wave
EU Directive in effect (1998); Safe Harbor (2000) HIPAA (rules 1999-2000) GLBA (law 1999) Children’s Online Privacy Protection Act (1998) Privacy policies and FTC rise to prominence for
Internet privacy
Post 9/11 – Privacy slowdown
Security vs. privacy Connect the dots From “need to know” to “need to share”
Patriot Act 2001 (compare to 2000 proposal) PNRs as US/EU focus – sharing more data Self-regulatory efforts declined FTC focus on “harm” only Corporate focus primarily on the privacy policy
Post-9/11 (continued)
Meanwhile Institutionalization of the CPO role Safe Harbor adoption While US did little
Canada, Mexico & steady stream of others led to over 100 countries with comprehensive laws by 2012 …
2012 Privacy Laws
Comprehensive LawSectoral Law
Compare 2012 with 1998 Privacy Laws
Comprehensive LawSectoral Law
The Second Wave: Public Attention to Privacy and Cyber Like the 90’s, press stories very prominent on privacy
and cyber See the IAPP Daily Dashboard – it’s long every day
(11) Press and private sector
WSJ and “what they know” series Growth industry for privacy, data breach, cyber
reporters
The Second Wave – New Technologies by 2010 that Weren’t Prominent Post-9/11
• Social networks• Facebook not open to the public until 2006
• Mobile and smartphones• Location; new customer data to many companies
• Online behavioral advertising• Huge slump after dot.com crash• Today, central to many business strategies
• Cloud• Government access (Snowden)• Cyber-security/encryption/information sharing
The Second Wave – New Technologies Emerging since 2010
• Internet of Things• Pervasive sensors reveal the limits of notice and choice
• Big Data• Analytics of PII core to growing range of businesses• Challenges to de-identification when have so many data
points• Discrimination and ethics as emerging major topic
• Contrast with 1990’s web and E-commerce:• OBA is based on web surfing (in part)• Social networks, smartphones/location, cloud, IoT, Big Data
– raise many different issues than B2C web surfing
EU as a Driver of Change (Again)
Coming soon: General EU Data Protection Regulation Right to be Forgotten 2% of global revenues Expanded jurisdiction
Expanding DPA enforcement/activity Coming changes to Safe Harbor And, it’s not just the EU
Global companies need a global strategy
Second Wave: The Snowden Effect
Press and government surveillance (Snowden) Created atmosphere for possible change Competitive issue for US companies abroad
One response was President Obama’s Review Group on Intelligence & Communications Technology
December 2013: The Situation Room
Second Wave: More Reform than the Skeptics Predicted
USA Freedom Act and Review Group Recommendations Section 215 order only with judicial approval and heightened
standard (Rec 1) End government storage of bulk telephone data and have
records held in private sector, accessible only with a judicial order (Rec 5)
Similar limits on bulk collection: National Security Letters (Rec 2) General rule limiting bulk collection (Rec 4) Greater transparency by government about foreign intelligence
orders (Rec 9 & 10) Congressional approval of public interest advocates to represent
privacy and civil liberties interests before the FISC (Rec 28) Multiple executive branch reforms described in Swire March 2015
IAPP Privacy Perspectives
Second Wave: Many US Government Privacy Initiatives
Obama administration Privacy a big part of 2015 State of the Union Information sharing bills have passed the House Data breach being seriously considered this year New bill language for Consumer Privacy Bill of Rights Student privacy (K-12): bipartisan
FTC: far beyond 2005 view of “harm” Consent decrees in privacy: “comprehensive” programs So many issues/workshops: OBA/DNT, Big Data (discrimination),
IoT, data brokers, cross-device tracking Cyber security (along with many other federal agencies)
Congress Info sharing, data breach, drones, IoT, Big Data, wearable health
devices, ECPA …
Second Wave: The Private Sector
Self-regulation is back Student privacy; online advertising; smart grid; mobile notices;
beacons and retailers; connected cars; drones; IoT CPO – far beyond drafting privacy policy & compliance
Benefits of data – monetization strategy Cyber – big data and risk of big data breach Your company’s data strategy
Compliance with current rules Compliance with what is coming Insight about where to position your company Ethics, training beyond compliance
Conclusion
A lot happened in the first wave of global privacy protection With 9/11, less privacy change But the second wave is on us now
Multiple, important emerging technologies that generate many issues beyond web surfing
I started talking about the second wave, and predicting legislative change, in 2012
USA Freedom is one result Be prepared for others Organizations need a strategy to manage their data for business
goals, consistent with both privacy and security