Cedric Laurant

Posts Tagged ‘consumer protection’

, , , , , , , , , ,

“Privacy is Freedom”: Public Voice Event in Mexico City (31 Oct. 2011)

In Conferences on 31 October, 2011 at 15:29
"Dia de los Muertos" (photo by Natalie Curtiss, shot on February 26, 2011). Available at http://www.flickr.com/photos/gnatallica/5480065859/ (Creative Commons "Attribution-NonCommercial-NoDerivs 2.0 Generic (CC BY-NC-ND 2.0) license.)

"Dia de los Muertos" (photo by Natalie Curtiss, shot on February 26, 2011).

Two days before the 33rd International Conference of Data Protection and Privacy Commissioners takes place in Mexico City, The Public Voice, an international coalition of NGO’s, and nonprofit organizations, is organizing this Monday a full-day event to discuss the views of Civil Society representatives from Latin America, Europe and North America, but also with several government officials and industry speakers.  The issues featured are the same as the ones that will be discussed for the following three days in the Mexican capital: privacy and data protection, and how they relate to broader issues such as freedom of expression and consumer protection.

The stated goals of the conference are to:

  • review the status of the two Madrid Declarations (Civil Society’s Madrid Privacy Declaration (“Global Privacy Standards for a Global World”) and the Data Protection Commissioners’s International Standards on Privacy and Personal Data Protection.
  • assess cultures and privacy perspectives from around the world;
  • raise public awareness on surveillance technologies and its consequences to consumers, freedom of expression and human rights;
  • explore the ongoing policy and legal issues at stake in Latin America about privacy and freedom of expression.
  • establish networking opportunities between Mexican civil society and consumer rights advocates and members of the Public Voice.

The event hosts are the Electronic Privacy Information Center and the Federal Institute for Access to Information and Data Protection (IFAI), the Mexican Data Protection Authority.  Some of the government speakers they invited include:

  • Marie-Hélène Boulanger, Head of the Data Protection Unit of the Directorate General “Justice” at the European Commission,
  • Jacob Kohnstamm, Chair of the European Article 29 Data Protection Working Party,
  • Jacqueline Peschard, IFAI’s President,
  • Peter Schaar, the Federal Commissioner for Data Protection and Freedom of Information of Germany, and
  • David Vladeck, Director of the Bureau of Consumer Protection of the United States Federal Trade Commission.

The full list of speakers is available here.

If you wanted to attend the meeting physically, unfortunately at this time it is not possible anymore to register to attend the meeting in person.  If you plan on following the event online, just go to the webcast page at the start of the event: today at 08:00am GMT-6.

Several people have already offered to tweet about the event in several languages (currently English, French, Portuguese and Spanish).  If you want to make comments about the panels or even ask questions directly to speakers, you will be able to do so by using the #tpv11 hashtag in your tweets and the speaker’s Twitter username (speakers list on Twitter).  I will be tweeting in English and French from my Twitter account (@cedric_laurant).

Public Voice event in Mexico City (Oct. 31, 2011)

Public Voice event in Mexico City (Oct. 31, 2011)

Share

, , , , , , , , , , , , , , , , , , ,

Emerging Data Protection Laws in Latin America and Doing Business in the EU

In Opinions on 15 September, 2011 at 15:33

Late August I wrote an interview for Nymity for their “Privacy Interviews with Experts” series that covers the recent and emerging developments in data protection in Latin America.  The whole interview is also available here and here (pdf).

Map of Latin America

Latin America

As Latin America increases its attention to data protection legislation and regulation, a number of questions arise. Why now? What is the impetus behind their actions? What will implementation entail? Where do these countries start from in their implementation journeys?  What challenges will they face, especially keeping pace with the EU and at the same time satisfying the demands of other economies, including the US, Russia, China and others with no data protection regulation?

Cedric Laurant, attorney and consultant and founding partner of Cedric Laurant Consulting, provides us with a summary of the privacy challenges coming ahead in Latin America.

Cedric received his legal training in Belgium and the United States, taught courses and seminars in international privacy, data protection law and comparative law as a Visiting Law Professor at the Universidad de los Andes in Colombia between 2007 and 2008, and has talked at various conferences and seminars in Latin America about privacy and related issues.  He directed the publication of the Privacy & Human Rights survey between 2002 and 2006, increasing its scope to cover most Latin American countries.

Cedric speaks about about the current challenges for data protection in Latin America during his presentation at the next IAPP Privacy Academy conference on September 15 in Dallas, TX and at the Public Voice conference preceding the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City next October 31st.

Nymity: Why data protection law and regulation in Latin America today? Is it the same in all economies, or does it differ country by country?

Laurant: Latin America is the next big region after Asia that will see major changes occur in its data protection regulatory landscape.  Several countries have recently gotten their act together by enacting or drafting new data protection laws. Is it a coincidence or the intent to follow the “mode du jour”? None of the above: data protection has been on the agenda of many Latin American countries at least for the past 10-15 years. What we are seeing now is an increasing political will among all states in the region to catch up with their neighbours, and a growing realization that adopting strong data protection laws will help their economies by increasing their commercial transactions outside and within their borders.

Although all countries in Latin America that currently have a data protection law or are drafting one largely follow the European data protection model, with a few differences here and there, the lack of a harmonized and integrated regional legal system like in the European Union has led countries to adopt laws or draft bills that feature many differences among each other, which creates a diverse patchwork of legal frameworks or regulatory initiatives.

In turn, a common characteristic that appears in many Latin American privacy regimes is the constitutional right of “habeas data”, which despite variations from country to country, enables individuals to complain before a constitutional court to protect their image, privacy, honor, informational self-determination or freedom of information by providing them with the right to access the registries that hold their personal data, the way to amend or correct obsolete data, to insure their personal information remain confidential, and to provide means to remove sensitive personal information.  Lacking from that seemingly rosy perspective is the fact that habeas data only provides an after-the-fact remedy for individuals and through the courts: when it requires a lawyer, it stays out of reach for most plaintiffs, to show damage may be arduous, and it relies on case law and offers poor legal certainty.

Nymity: What are the emerging regulatory highlights, by economy and what is the timeline for their regulatory implementation?

Laurant: Several Latin American countries have recently enacted, or are drafting, a comprehensive legislative framework to protect individuals’ personal information. Starting with Mexico that, since last summer 2010, regulates at the federal level the processing of personal data by businesses, and is working on implementing decrees that should become enforceable early 2012.

Follows Peru with a new data protection law that was enacted last July and now must be detailed in an implementing decree. The Peruvian law establishes a data protection authority, the “National Register of Personal Data Protection” that will keep a record of private and public databases and have the power to levy fines for violations of the law.

Colombia is still waiting for the approval of its recently enacted and first comprehensive data protection law by the Constitutional Court, which according to local counsels, should come during the last trimester of this year.

The Brazilian Ministry of Justice is working on enacting a comprehensive data protection law modeled after the European Data Protection Directive and the Canadian Data Protection Law (PIPEDA). The draft bill, which has been subject to public discussion for several months, guarantees a list of citizens’ basic rights regarding their personal data: the right to access one’s data, correct inaccurate or wrong data, delete them, object to their processing, be compensated for their misuse, and not be subject to purely automated decisions.

Costa Rica is on the verge of adopting a law that is also modeled after the EU Data Protection Directive: it regulates almost all types of personal data processing activities and requires express written consent for many of them. It would also create a new data protection authority that would be competent to issue sanctions for violations of the law. After the Supreme Court of Justice found the law to be free of constitutional defects in April of this year, the bill has made its way back to the Legislative Assembly.

Uruguay is waiting this year for the approval of its data protection law as offering adequate protection pursuant to the European data protection legal framework, after the European body of the Article 29 Data Protection Working Party issued an affirmative opinion late October 2010. Mexico and Peru might wish to obtain that European “seal of approval”, but should they follow that route, they will probably have to wait for 3 or 4 years, especially as the European Union is currently focussing its efforts on reviewing its own data protection framework.

A development worth to notice is the growing number of countries in Latin America (Brazil, Uruguay and Mexico) that have added data breach notification clauses in their data protection law, similar to the ones that exist in almost all US State statutes and are burgeoning in some EU Member States.

Nymity: What challenges will those economies face?

Laurant: A major hurdle for these countries is the questionable level of independence of their data protection authorities and the effectiveness of their enforcement means: will they obtain enough means – financial, human and material – entrusted to them by their governments to fine the companies that do not comply with the rules, and will they get the true authority necessary to enforce the new rules?

Another obstacle is the pervasive lack of awareness about data protection by the vast majority of the population: it may take quite some time before companies learn about their new obligations and implement them into their data processing activities.  It will also take efforts for individuals to understand their new rights and for the authority to educate stakeholders about the new law.

At a broader level, where cross-border data transfers among all countries in the region will be at stake, the lack of an integrated regional data protection framework will give headaches to companies willing to transfer data to each other while following the legal mandates.

Nymity: How long might their journey take?

Laurant: As it is the case of all the economies that have already adopted data protection or information privacy rules around the world, it will take several years for Latin American states to fully implement them in the ground and get a high enough rate of compliance.  One example might illustrate the challenges ahead: it took 20 years for Colombia, after it recognized the right to privacy in its Constitution of 1991, to come up with its first comprehensive data protection bill. It will probably take as much time for its data protection framework to reach maturity and satisfy awareness, compliance and implementation levels similar to the ones in Europe and the United States.  However, to use again the example of Colombia, changes are gradual and cannot only be assessed based on changes in the law, but also through case law. In this regard, the Colombian Constitutional Court’s decisions have shown exceptional clarity by building since 1992 a comprehensive case law about habeas data that already embodies most of the data protection principles of international data protection instruments – something some of the biggest developed economies have not achieved yet.

Among the foreseeable factors that are likely to impede the path to successful implementation of data protection rules are: a higher level of corruption than in developed economies, a much weaker public sector with limited budgets for administrative and judicial bodies, a deficit in technical expertise, a poor level of trust in the justice system and consumer protection, and a lesser degree of reliability in commercial transactions.

Nymity: What are the key challenges each economy will face from Europe? What do you recommend these economies do about these challenges?

Laurant: If these economies intend at some point in time to get the adequate protection ‘seal of approval’ from the EU, they will have to demonstrate that the law that exists in their books is enforced in practice and effectively protects individuals. It will probably prove harder to obtain than in the case of Argentina that was the first Latin American country to get the approval but has not delivered yet on all its promises. One of the difficulties comes from how they will protect their transborder data flows after receiving personal data from EU countries. However, the EU recognition will definitely help them with increased prospects of European investments, in particular in the business process outsourcing sector and in data and call centers.

In this context, a growing conflict has already reared its head between the United States and the European Union, each of them trying to influence Latin America in adopting its own data protection model, and multiplying commercial initiatives or courting them individually with unilateral trade agreements. Most of the progress to be done in data protection in those countries will come indeed from the economic incentives to develop commercial transactions with the rest of the world and attract investment from foreign companies, especially with the regions that already impose strict rules on international data transfers to protect their consumers. But it may not come by making each of them sign unilateral trade agreements. The European Union got started thanks to the brilliant idea of European states forming a group around a purely economic objective – build a common market and a community of countries around the production of coal and steel – then promoting within their united territory the circulation of goods, services and capital.  Likewise, the same idea could be a leading factor in fostering Latin American economies to make progress on increasing international data transfers and commercial transactions: through the building of economic alliances among themselves. The best for the region is most likely to build up its own data protection model, based in part on its strong habeas data heritage and its civil law system, then to agree over multilateral trade treaties that would highlight the protection of international data flows as a key requirement.

Nymity: What recommendations do you have for companies that do business in Latin America? What might they begin to do to anticipate the upcoming data protection changes?

Laurant: I would advise international companies doing business throughout Latin America to embrace the upcoming data protection standards coming along in the region. Even though it will turn out to be a more costly business proposition for them, it will only be in the short term. The advice is: get an edge over your domestic and international competitors by adopting the highest data protection standards available throughout the region, and right from the start. Translating these standards to fit into the Latin American regional context means:

  1. be as transparent as possible towards your prospective customers in how you will use their personal information;
  2. do not be seen as following the herd of domestic companies that will probably have a harder time to comply with the new rules than you will;
  3. being seen as an early adopter will be good for business and the building of your reputation;
  4. in some of the countries where trust between businesses and consumers is particularly low, trust your consumers even more: it will breed reciprocal trust in your products, services, brand and reputation;
  5. follow all consumer protection and data protection regulations, and go even beyond strict compliance by doing better than domestic companies;
  6. develop a reputation for being fully reliable for your customers.

Nymity: What recommendations do you have for companies in Latin America that want to do business outside of Latin America? What data protection measures might they consider, perhaps in addition to their emerging laws and regulations?

Laurant: If your country does not have a clear and binding data protection legal framework, lobby your Parliament members to work on one; if business is mainly with European countries, encourage your government to start the process of the “adequate protection” recognition with the European Commission. In the meantime, you will have to demonstrate that you protect well enough the personal data transferred from the EU and comply with administrative procedures and contractual steps such as signing standard contractual clauses, adopting rules that apply throughout the company everywhere it does business (“ binding corporate rules”) or obtaining approval for individual transactions by national data protection authorities.

Share

, , , , ,

The place of net neutrality in the new EU telecommunications regulatory framework

In Opinions on 17 December, 2009 at 20:15

The European Union adopted last November a revised set of rules governing electronic communications operators.  Among those rules, ‘net neutrality’ is promoted as a policy objective and regulatory principle that national telecommunications regulatory authorities must defend.  Depending upon how it is implemented in practice, this policy principle has the potential to reshape the way the Internet works and how its users will be able to access it, express themselves and share information.

The meaning of ‘net neutrality’ has been often confused.  A neutral network is one where all the data traveling through it must be treated the same way from its starting point to its final destination.  In other words, no access provider has the right to interfere with what is going through its pipes.  The access provider only has to ensure that its subscribers get a connection to the Internet, at the bandwidth level or download/upload limit they paid for, without meddling in any of the content, services, applications or devices subscribers want to have access to, or that content providers want to offer them.

Contrary to what some have said, claiming neutrality of the net is not claiming the right for a free Internet or an identical quality of service for the same flat price.  Neither does this principle prevent access providers from managing their networks for legitimate reasons, such as ensuring network security (e.g., protecting against spam or distributed denial-of-service attacks), nor does it apply to unlawful content, services and applications such as unauthorized distribution of copyrighted works of authorship.  Enforcing the obligation of a neutral network and enforcing copyright or other laws are not mutually exclusive.

The reason why net neutrality should be promoted in the first place is because the Internet was originally built in an intrinsically neutral way.  The network of networks was conceived to be unbiased towards any particular application or service provider so that the infrastructure could not be in a position to prefer one over the other.  It was created in a way that puts the intelligence at the edges (in the end-user’s computer), rather than at the heart of the network.

The current controversy about net neutrality is generally polarized between two camps: content providers and access providers.  The first ones generally support neutrality, while the latter oppose it because of the fight going on between the periphery, controlled by content providers, and the heart, or infrastructure, of the network, controlled by access providers.  In this battle, opponents intend to control what gives them the opportunity to create and innovate, and therefore generate profits.  Net neutrality advocates refer to the nature of the Internet by arguing that it is precisely its neutral feature that has brought about the unprecedented level of innovation it has known since it was first developed in the late sixties.

The debate should probably not focus on who among those two stakeholders has the best arguments, but on coming up with the best way to promote the development of the Internet that is beneficial for the two of them, and address the risks or opportunities that would result from the absence of net neutrality.

Some net neutrality detractors argue that innovation and incentives for investments in new generation networks will be stifled if neutrality is promoted through regulations or if access providers cannot charge content providers for the share of network traffic their content, services, applications or devices require.  This is a way to reduce the debate – often purposefully – to who should pick up the tab between content providers, that create traffic-hungry applications (P2P, Internet telephony, video streaming) and access providers, that should not have to bear those costs.  Cost allocation seems then the only relevant issue to solve and, once you frame the debate this way, it seems obvious to charge content providers accordingly.

Beyond generating profits, there is a more general societal debate that one has to address about how the Internet might look like if access providers obtain the control over what passes through their pipes.  It is a battle that opposes Internet end-users to access providers in a quest for the control over what end-users may use, see or consume on the Internet, and about their freedom to express themselves, get access to the information of their choice and impart it the way they wish.  Will people be as free as before if access providers can curtail their right contractually – which is becoming gradually more common – to view specific content, or use a specific service or application?

Recent abuse by access providers towards their subscribers or content providers (e.g., by blocking traffic against certain users, prioritising it in favour of some content providers, or discriminating against others) demonstrates a very tangible harm of consumers’ interests and Internet users’ fundamental right to free speech.  Will the new ‘rules of the game’ applicable to Internet access providers be able to adequately address those threats? The EU competition and telecommunications regulatory framework can be interpreted to solve many cases of traffic management abuse, where access providers are blocking certain traffic or discriminating against specific content providers, but also, although to a lesser extent, in case of “access tiering”, where they are prioritising traffic in favour of specific applications, services or devices.

Under the newly enacted “Telecoms Package”, national telecoms authorities will have the powers to establish minimum quality levels for network transmission services so as to prevent traffic hindering or slowing down.  Having those rules in place is already a good step, but is the threat they represent for access providers strong enough to deter them from managing network traffic abusively? Indeed, traffic shaping policies and service quality can be – and have been – used as an excuse to discriminate against a competitor’s services or products, or block end-users’ specific applications.  Legitimate questions to raise are whether current rules are actually enforced.  Are consumers and Internet users aware of them? How easy is it to use them to file complaints? Competition and telecoms sector rules may well exist in the books, but if they are not easily accessible, actually used or effectively enforced, relying on them to preserve net neutrality may be merely wishful thinking.

Neelie Kroes was recently appointed as the Commissioner responsible for the Digital Agenda, which includes telecommunications and net neutrality.  In January, the European Parliament will hold hearings to discuss her appointment.  This is an opportunity for the public, through its representatives, to question how Commissioner Kroes intends to protect the net neutrality principle that the Commission promised to “keep [...] under close scrutiny” as part of implementing the “Telecoms Package”, and to discuss what has become an important issue for the future of the Internet, but that still carries more questions than answers.

Share

Follow

Get every new post delivered to your Inbox.

Join 531 other followers

%d bloggers like this: