Cedric Laurant

Posts Tagged ‘privacy’

Release of “European Privacy & Human Rights 2010”

In News on 31 January, 2011 at 01:28

On Data Protection Day, 28 January 2011, and after 10 months of work, we published the European Privacy & Human Rights 2010 report (“EPHR”), a collective work that surveys the European landscape of national privacy and data protection laws and regulations, as well as any other laws or recent developments that have had an impact on privacy, in particular over the last two years. The research covers all 27 EU Member States, two EFTA countries (Norway and Switzerland), three EU accession candidate countries (Croatia, Macedonia and Turkey), and the EU itself as a jurisdiction.

The study presents an overview of European privacy and data protection laws and developments in 33 reports, each available in English and in the country’s official language. It is accompanied by a comparative legal and policy analysis of privacy topics, with its methodology, criteria, metrics and key findings, as well as a privacy ranking of all countries surveyed, a summary of country developments, and privacy resources.

Privacy ranking chart based upon "European Privacy & Human Rights 2010" (EPHR Project/Privacy International)

The “EPHR 2010” report is part of a broader project that comprises three action areas:

  1. action area 1: the report itself;
  2. action area 2: the dissemination of the information and its publication on multiple online and offline platforms; and
  3. action area 3: the development of innovative awareness-raising campaigns.

The last two will be completed over the next six months. The video above is one of the first outputs of “action area 2”. You can find more information about the EPHR project in the presentation I gave in February 2010 in Barcelona, and about the video here.

Many people contributed to this report: first of all, my colleague Matteo Bonfanti, with whom I completed and edited all the country reports; more than 90 privacy and data protection experts from 32 countries all over Europe, including colleagues, academics, privacy advocates and lawyers; the research teams at Privacy International (Gus Hosein, Alexander Hanff and others, who built the comparative legal and policy analysis) and at the Center for Media and Communication Studies of the Central European University (my colleague Kristina Irion in particular, who also coordinates the whole EPHR project). Last but not least, the European Commission’s Special Programme “Fundamental Rights and Citizenship (2007-2013)” funded most of this project, including the video. Without their help, probably none of this would have seen the light of day.

The EPHR report builds upon the legacy of EPIC & Privacy International’s Privacy & Human Rights survey, in which more than 300 privacy experts from all over the world have participated over more than a decade, making that survey the world’s most comprehensive report on privacy and data protection ever published.


New Blog: “Information Security Breaches & The Law”

In News on 7 August, 2010 at 22:15

Last June, my colleague Marie-Andrée Weiss and I started a blog dedicated specifically to information security breaches (“Information Security Breaches & The Law”), approached from both a legal and a technical perspective.

The blog is written in English and French, and will later also be available in Spanish. It includes opinions, comments on recent news, laws and other developments, research notes and conference reports in the area of information security breaches, mainly in the United States, Europe and Latin America. It also features a “Security Breaches Library” with links to major recent reports and surveys, upcoming conferences, calls for papers and news, all on the subject of information security breaches.

It should be of interest to company executives concerned with information security in their business, to professionals practising in the fields of information security, privacy and data protection, and to the interested general public.

Below is an outline of the first blog posts:

  • Will France adopt a law requiring the notification of security breaches? (August 6, 2010): A French bill “to better guarantee the right to privacy in the digital age” implements the European Directive 2009/136/EC by requiring the data controller to inform the “Data Protection Correspondent” or the French data protection authority of a breach of integrity or confidentiality. The individuals concerned must also be informed, at least where the breach is “likely to adversely affect” their personal data. The bill follows the Directive’s recommendation to extend the notification of security breaches to individuals to all sectors, not just electronic communications. It was adopted by the French Senate on March 24, 2010 and is currently before the National Assembly. (A French version of this article is also available here.)
  • Article 29 Data Protection Working Party reports on implementation of Data Retention Directive (July 19, 2010): On July 13, 2010, the Article 29 Data Protection Working Party adopted a report on the EU Data Retention Directive (2006/24/EC). The report is the Working Party’s contribution to the European Commission’s evaluation of the implementation of the Data Retention Directive, which is due by September 15, 2010. It details the results of a joint inquiry by the data protection authorities into whether telecom providers and Internet service providers comply, at the national level, with their obligations under both the Data Retention Directive and Articles 6 and 9 of the EU e-Privacy Directive (2002/58/EC).
  • Are ‘clouds’ located outside the European Union unlawful? (July 16, 2010): A central aspect of every cloud service contract is the security of data processing. It is therefore important, if only for liability reasons, that responsibility for specific security measures be clearly assigned. This can be done through security service level agreements between the cloud service provider and its client that state who is responsible for which security measure. Storing data in a cloud located outside the EU raises specific legal compliance issues; according to some experts, such clouds are even unlawful. There are, however, ways for a data controller that stores data in a cloud located in a third country to remain in compliance with German data protection law. To satisfy the requirement of an adequate level of data protection, a data exporter must use the specific standard contractual clauses in all contracts with a cloud service company located outside the EU. Binding corporate rules are the alternative solution, though only for private clouds.
  • The Safe Harbor Framework: not a “safe harbor” anymore for US companies? German expert body insists on stronger compliance stance (July 9, 2010): On April 29, 2010, the Düsseldorfer Kreis, an informal group of German data protection authorities, published a decision that could have significant repercussions for U.S. companies importing personal data from organizations operating in the European Union. One of these repercussions is that German organizations exporting personal data to the United States should check whether the U.S. data importer does indeed comply with the Safe Harbor Framework. Recommendations for a security plan will provide useful guidance to EU data exporters in complying with the Safe Harbor Security Principle.
  • Canada May Soon Have a Data Breach Law (June 5, 2010): Bill C-29, the “Safeguarding Canadians’ Personal Information Act”, would amend Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), by introducing a security breach disclosure requirement (called “notification” in the United States). Canada does not yet have such a law, unlike the United States, where the majority of states have enacted data breach notification statutes.


“Educating” about Facebook’s recent privacy policy changes

In Opinions on 20 December, 2009 at 05:25

In response to the complaint recently filed by the Washington-based Electronic Privacy Information Center (EPIC) against Facebook over its new privacy policy changes, Jules Polonetsky, Co-chair and Director of the Future of Privacy Forum, wrote the following comment:

“How Facebook handles user reaction is more important than even an FTC complaint. Certainly the new privacy setting changes will lead to some Facebook users sharing information more widely, and that warrants privacy scrutiny and debate. Other users may use the new controls to make case-by-case decisions about what they share. The key question is whether users are aware of the settings and whether they are using them. So far, many users seem to be aware of the changes and are adjusting the privacy controls as they see fit. As people react to the new options, Facebook should continue to respond as they have done by continuing to add educational information and to adjust to ensure they meet user expectations.”

(“Statement in Response to FTC Complaint Filed Regarding Facebook Privacy Settings”)

One cannot object to a company intending to make a profit when, as in Facebook’s case, it aims at monetizing its users’ profile information by making some of it fully public and selling it to advertisers, search engines and other businesses. However, it is a big no-no for a company to mislead its users: first, by leading them to think that the latest change to its privacy policy is an “upgrade” when it should instead be called a “downgrade” (much more information is now considered “publicly available”, such as contact and friends lists, geographic region and profile picture); second, by disregarding its users’ previous privacy settings, e.g. by making their profiles available for indexing by search engines.

If, as Jules Polonetsky writes, “how Facebook handles user reaction is more important than even an FTC complaint”, then the company should, first of all, have been straightforward and told its users the truth: that its business model is based on extensive data mining and targeting of users; that users should carefully review all of their privacy settings; that its formerly acclaimed granular privacy settings are now a thing of the past; and that the main aim of the changes is to make even more personal information available publicly, or to the company’s API (application programming interface) developers and advertisers. That would properly have been called “educational information”. Instead, what Facebook did can only be called misinformation and deception (a “representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer’s detriment”, as the U.S. Federal Trade Commission’s definition goes), especially considering that many of Facebook’s users are still in high school, or even younger.

Consumer privacy and the protection of personal information are an essential value of the online social networking experience. They cannot be held hostage to a constantly changing privacy policy whose only purpose (a business one, not an educational one) is to monetize the user base. Online as offline, people are willing to share certain types of information depending on whom they address it to, be they friends, colleagues or strangers. By changing overnight the basic assumption on which many people relied when they signed up for the service, namely that their list of contacts and friends is not public information, Facebook is deceiving its users.

For all these reasons, the complaint to the Federal Trade Commission is well-founded and will be very educational for the general public and Facebook’s 350 million users.

Here are a few links that are truly educational for Facebook’s users, detractors and apologists alike about the nature and implications of its recent privacy policy changes:

- Kevin Bankston (Electronic Frontier Foundation), Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly (9 Dec. 2009)

- Jason Kincaid (TechCrunch), The Looming Facebook Privacy Fiasco (1 July 2009)

- EPIC’s complaint with the U.S. Federal Trade Commission (17 Dec. 2009)

Here is a detailed legal analysis of the Facebook website under Canadian data protection rules:

- Elizabeth Denham (Office of the Privacy Commissioner of Canada), Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act (16 July 2009)

and a legal analysis of social networking websites under European Union data protection rules:

- Article 29 Data Protection Working Party, Opinion 5/2009 on online social networking (12 June 2009)


Is privacy dead?

In Opinions on 2 November, 2009 at 07:00

“Privacy is dead, and social media hold smoking gun”, writes Pete Cashmore in a recent column about social networking for CNN.com. See http://edition.cnn.com/2009/OPINION/10/28/cashmore.online.privacy/.

To write that “privacy is dead”, and that social media are responsible for it, is to fail to understand the basic distinction between the private and professional spheres. The disclosure of personal information in each of them obeys different rules. Disclosing information online in a professional context certainly has many benefits for people looking for a job. Private information disclosed in that same context, on the other hand, is generally irrelevant and a social faux pas, because it is no one else’s business. While the columnist has a point when he states that “[t]he value of a life led in public is most obvious to those seeking employment”, “[w]ithout industry connections or a valuable audience for your work, you aren’t even on the radar”, or “[t]he ‘who you know’ mantra holds true throughout the world of work, and the more content we share, the more connections and opportunities open up”, this is only true in the professional realm.

The author actually wants everyone to publish all of their profile information on social networking websites, because that is what the publishing, marketing and behavioural advertising industries would like everyone to do.

People, fortunately, still have the option of choosing who, among their contacts and ‘friends’, has access to their information. And if they feel that they are losing the ability to control what people might know about them, they generally resent what they see as a violation of their privacy. This has been shown several times in the past, when certain social networking websites abused the trust their users had placed in how they thought the website would handle their personal information; the reaction was generally virulent (http://civ.moveon.org/facebookprivacy/071120email.html).

Privacy does not die because some individuals decide to publish their entire private life for the whole world to see.  It lies in the freedom that everyone has to protect it.

What is truly dangerous for the privacy of individuals using such websites, however, is what happens to their profile data, especially the sensitive information they allow only their very close friends or family members to see, and how that information is mined and re-used by social networking companies.
