Monday, January 11, 2010

Practice makes perfect


I recently got away for a few days to play tennis in Florida. I left with a clear conscience, thinking that 2009 was a good year at Google in terms of privacy tools.

Google launched three major industry-leading privacy initiatives that implemented the key privacy principles of transparency and choice -- interest-based advertising, the data liberation front, and Google Dashboard.

It's a great tennis facility, on Key Biscayne, with grass courts, no less. Someone builds and maintains a grass court in that unlikely climate, and it must be a lot of work. And people pay a lot of money to live in "privacy", which usually means living in a place, like Key Biscayne, where they are secluded and protected from other people. So, now that there are online privacy tools, like the ones I just mentioned, I wonder if people will really use them more. I mean, to play tennis, you have to run and serve and swing. To protect your privacy, you should hustle a little too. Someone else can build the grass court, but it's up to you to play.



Friday, January 8, 2010

Watching people walk down the street


It's just snowed in Paris, and I'm looking out my window, watching the children and the dogs play. Almost everyone walking down avenue Foch seems to be speaking on a cell phone. I doubt many of them are thinking about how their location data is being captured, stored or used.

EU countries began passing the Data Retention laws mandated by a European Directive. That means that massive databases of communications logs will now be collected and stored by communications service providers across Europe for 6 months to 2 years, for police and law enforcement purposes (France, for example, chose 12 months). This is the largest police surveillance database ever mandated in the history of humanity to date. The year ahead will define how all this is going to work in practice: who will be able to access them, for what purposes, under what controls, how this should work in a cross-border context, etc. Will other countries follow Europe down this path? For most people, I imagine, the most sensitive aspect of this is the idea that their physical movements can be tracked by the police over long periods of time.

But the mobile revolution is just starting. Think for a moment about the intersection of mobile and face recognition software. For some years, in small controlled contexts, the police have already been using face recognition software to find individuals in a crowd. Online photo albums already offer some face recognition software in the contexts of particular albums, or in the contexts of social networking sites: take a look at face.com. But reflect on the prospect of face recognition software that could be used from any Internet-connected smart phone that can photograph a face and return instant search results. Google already announced the launch of Goggles without face recognition and acknowledged the privacy concerns in applying similar technologies to identifiable human faces. There's a lot of work to do to think through the privacy design of image recognition software applied to faces. The more I think about it, the more complicated it gets.

The web is going mobile, and as Internet apps go mobile too, location-aware services will explode in 2010 and beyond. That means that location data will be captured and used. Location privacy will become a key new issue in the mainstream in the year ahead. It's been around for years in cell phones, of course, but the issues will grow exponentially in the age of proliferating third-party location aware apps. It's one thing for you to know (or be dimly aware) that your cell phone company knows where you are based on your cell phone's location, it's quite another to have a plethora of third-party apps know that too.

Mobile is where the next generation of tough privacy issues will come, I muse, as I watch people walk down a Paris street that hasn't changed much in a hundred years.

Wednesday, January 6, 2010

DC: discussing privacy in public

I spent a few days in Washington DC in December. While I was there, I slipped into a public workshop hosted by the Federal Trade Commission on privacy. The content of the workshop has already been covered: http://blogs.wsj.com/digits/2009/12/07/ftc-takes-on-online-privacy/

Coming from Europe, I found this sort of transparency and public consultation by a privacy regulator novel and refreshing. The FTC regularly holds public workshops, where it invites stakeholders from many different sectors (academia, advocacy, government, private sector) to discuss problems in privacy and potential regulatory responses to them. This is meant to help the FTC staff understand the issues that it will grapple with. Moreover, the FTC often issues its guidelines in draft form, for the sake of public review and comment, before finalizing them, as it has done with its privacy guidelines for online behavioral advertising principles: http://www.ftc.gov/opa/2009/02/behavad.shtm

So, in my mind, I couldn't help but contrast all this with the practices of one of the world's other great bodies of privacy regulators, the EU Working Party. The Working Party has never, to my knowledge, held a public workshop. It has never opened any of its meetings to the public, and indeed, it is very rare for anyone from outside the closed world of Data Protection Authorities to be invited to attend one of its meetings. It publishes almost no information about its agendas, other than a few sentences to describe its annual work program. It never publishes its opinions in draft form for public review and comment before finalizing them. And finally, since it only issues "opinions", rather than enforceable decisions, its work has never, to my knowledge, been subject to judicial review. Seeing the transparency of the Federal Trade Commission's public workshop in action made me appreciate the benefits of transparent and open government.

Friday, December 4, 2009

On the sidewalk in Milan

I was relaxing with a glass of chianti watching The Bourne Ultimatum on tv. The shadowy authorities use surveillance technologies to try to track down Jason Bourne.

So, I'm no Jason Bourne. Back in January 2008, as I've blogged before, I was surrounded on a sidewalk in Milan in front of the ancient University by 5 Italian policemen. Many confused thoughts went through my head at that moment, as I'm sure you can imagine: fear, confusion, surprise, indignation. But also, a nagging question: how did these policemen know that I would walk down this sidewalk at this moment in a foreign city and how did they recognize me on a crowded city sidewalk?

As anyone who's checked into a hotel in Italy knows, the first thing that Reception asks you for is a passport. This is also true in most European countries. It's for the police. There is zero transparency or choice in this process: no one I've ever met knows where this data goes or how long it's kept or what it's used for. Needless to say, if you're sharing a room with another person, the police will know this too. You do not have the option of checking into your hotel room anonymously.

In my case in Milan, I don't think there was any great use of police surveillance technology. I'm guessing the police were waiting on the sidewalk because there had been some minor press coverage before the privacy conference where I was scheduled to speak. I assume they downloaded a photo of me from the web and knew from the conference program roughly when I'd be arriving. Why five policemen were sent, I have no clue. Were they expecting me to make a run for it, like Jason Bourne?

According to independent reports, Italy leads the world with more wiretaps per capita than any other country. Wiretaps in the age of the cell phone now include location information.


I've always enjoyed the freedom of walking down the streets of foreign cities with the liberating sense of anonymity. I feel a little less free now. I hope technology will find a way to put users in control of their location information. I'm off somewhere else now, but come to think of it, I'd rather you didn't know where.

Thursday, December 3, 2009

Remembering and Forgetting in Berlin



I've spent a few days in Berlin, and I've spoken with many interesting politicians and journalists about privacy. The most interesting case must surely be this one:

Two German Killers Demanding Anonymity Sue Wikipedia’s Parent

http://www.nytimes.com/2009/11/13/us/13wiki.html?_r=1&scp=3&sq=german%20wikipedia%20murder&st=cse

In some countries in Europe, like Germany and France, there are well-established principles about the "right to be forgotten", an awkward translation of the "Droit a l'Oubli." As a privacy-sensitive guy, I'm all for the idea that people ought to be able to walk away from some awkward facts at some point in their lives. But I have never heard anyone be able to tell me how the "right to be forgotten" does not quickly cross the line into censorship. If two German murderers can require German publishers to remove references to their names in articles after they have served their sentence, isn't that censorship? And wouldn't it be even worse if they tried to re-write news archives, which are now rapidly becoming instantly findable online? And in the real world what will be the consequences if German Wikipedia deletes content that English Wikipedia still publishes?

And while I was in Berlin, I visited the Holocaust memorial, as I always do when in Berlin, and I wondered about the "right to be forgotten" in the midst of the memorial to "never forget".

Friday, November 27, 2009

Madrid and Berlin, trying to find workable approaches

Here’s an interesting article about the day-to-day challenges and contradictions of national laws in the context of the global Internet (ok, it does use some of us Google guys as unhappy examples, but just to make a valid point):

http://www.bloomberg.com/apps/news?pid=20601039&sid=aAv2iLcBnqtI

At the International Data Protection Commissioners' Conference in Madrid, I added my voice to support the development of global privacy standards, as I've done for several years. I can’t think of a better way forward than trying to develop a more global approach to privacy standards internationally. Here's one example (in Spanish):

http://www.expansion.com/2009/11/12/juridico/entrevistas/1258051264.html

I’m off to Berlin now. Germany is one of those places where I feel the need to listen more than talk. I'll blog about what I learn afterwards.

Thursday, November 26, 2009

Thanksgiving

Like most Americans, I woke this morning to one of my favorite days of the year, Thanksgiving. Unlike most Americans, I also woke this morning to news reports of an Italian prosecutor calling for me to be sentenced to one year in prison.

http://www.boston.com/business/technology/articles/2009/11/25/italian_prosecutors_seek_jail_for_google_execs/

But in the spirit of the day, now that I’ve skimmed the news and reassured friends that I’m not going to prison (I hope), I’ll go about my day:

I’ll do some planning for my Dad’s 80th Birthday Party, do a kick-boxing class at gym, work on an academic privacy paper on the hotly-debated question of whether IP addresses should be considered “personal data” under EU law, give legal advice on some privacy questions, prepare for some meetings in Berlin, and, best of all, I’ll end the day with a candle-light dinner with the person I love in the city I love.

That’s a lot to be thankful for (well, not the Berlin or the Milan parts), but the rest anyway.

Wednesday, November 25, 2009

European law on hosting platforms


As you can imagine, I've spent a lot of time researching European law on hosting platforms. International legislation recognizes that hosting platforms like Google Video are neither the creators nor the controllers of content. The European Union's Electronic Commerce Directive, enacted in 2000, sets a clear legal framework for establishing liability for unlawful content on the Internet. It provides a safe harbor for entities acting as intermediaries, drawing a clear line between those who create content, and those who, in their capacity as technological intermediaries, provide the tools to make this content publicly available. By establishing legal certainty and creating a single EU-wide standard, the E-Commerce directive allows the development of open platforms that promote free expression and the free flow of information on an unprecedented scale, and play a crucial role in the development of the new economy in Europe.

How does the E-Commerce Directive's prescription work in real life? Say an Internet user uploads a video filled with illegal hate speech, nudity, or violence. When notified of this illegal content, the hosting platform is obliged to take it down. The hosting platform, however, is not obliged to monitor and prevent the upload. The responsible party is the Internet user who posts the content. In this case, Google did exactly what the law requires - it removed the content upon notification, and took the further step of complying with law enforcement requests, helping to bring the wrongdoers to justice.

If Google and companies like it were responsible for every piece of content on the web, the Internet as we know it today – and all of the economic and social benefits it provides – would disappear. Without appropriate protections, no company would be immune: any potentially defamatory text, inappropriate image, bullying message or violent video would have the power to shut down the platform that had unknowingly hosted it. In the offline world, it would be like criminally prosecuting post office employees because someone mailed an inappropriate letter. European law recognizes the importance of providing limitations on the liability of hosting platforms.


The Directive applies horizontally across all areas of law which touch on the provision of information society services, regardless of whether it is a matter of public, private, or criminal law. This is confirmed in the first Report from the Commission to the European Parliament on the application of Directive 2000/31/EC dated 8 June 2000. See p. 4: "The Directive applies horizontally across all areas of law which touch on the provision of information society services, regardless of whether it is a matter of public, private, or criminal law. Furthermore, it applies equally both to business-to-business (B2B) and business-to-consumer (B2C) e-commerce." And see p. 12: "The limitations on liability provided for by the Directive are established in a horizontal manner, meaning that they cover liability, both civil and criminal, for all types of illegal activities initiated by third parties."

From a public policy perspective, it wouldn't make any sense if it didn't apply to criminal charges. The objective of the directive was to foster a competitive and dynamic knowledge-based economy in the EU. To provide an environment in which its citizens would have access to inexpensive, world-class communications infrastructure and a wide range of services. To create conditions for e-commerce and the internet to flourish. To enhance quality of life, to stimulate innovation and job creation, and to contribute to the free flow of information and freedom of expression. Those are words directly from the Commission. It wouldn't make any sense to apply these protections only to civil matters; doing so would permit criminal claims to eviscerate the very benefits the directive sought to achieve.



Today in Milan

Today in Milan, the Milan Public Prosecutors’ Office will make their closing arguments on why 4 Google employees, including me, should be held personally criminally liable for content created by four Italian high school students and uploaded to Google Video. I have no idea what the Prosecutors will say in court today, and my lawyers have told me not to set foot in Italy, so I wanted to provide some factual background on this case.

In terms of timeline, the Prosecutors present their case today, November 25. The Google employees' lawyers will present their defense on December 14 and a verdict should be issued on December 23.

The Judge hearing this case is Judge Magi, who recently convicted 23 Americans, mostly CIA agents, as reported by the New York Times:

In a landmark ruling, an Italian judge on Wednesday convicted a base chief for the Central Intelligence Agency and 22 other Americans, almost all C.I.A. operatives, of kidnapping a Muslim cleric from the streets of Milan in 2003.

http://www.nytimes.com/2009/11/05/world/europe/05italy.html

Today’s trial stems from an incident in 2006 when teenagers at a school in Turin filmed and then uploaded a video to Google Video that showed them bullying a disabled schoolmate. Google removed the video promptly after being notified. Even so, last summer, the Public Prosecutor brought the following criminal charges against four Google employees, including myself. All of us face one or two charges:

Charge A: Criminal defamation against the Vivi Down Association, an association that represents individuals with Down syndrome

Charge B: Failure to comply with the Italian Privacy Code

It should be obvious, but none of us Google employees had any involvement with the uploaded video. None of us produced, uploaded or reviewed it.

The video, shot by a student in a classroom, depicts a boy being harassed by teenagers, including one who makes reference to the Vividown Association. A teacher was allegedly present during part of the filming. Four youths between the ages of 16 and 17 from the Technical Institute in Turin were involved in the creation and uploading of the video. One of these young men actually filmed the video. The teenagers who created the video uploaded it to Google Video, which at the time was Google’s online video-sharing service. Google Video was a host for user-generated content. The Vividown Association and later the family of the boy who was filmed filed a claim against Google in Milan, which is how Google was initially brought into the case. The family of the boy later withdrew from the case. Google complied with law enforcement requests to help identify the bullies, who were subsequently punished.

The Prosecutor then chose to charge individual Google employees. Today he will present his case.


Tuesday, November 24, 2009

Ciao, Italia!

I won't be attending my trial in Milan in person. I'll be represented by outside counsel. I believe that each of my 3 co-defendants has reached the same conclusion. As for me, I'm under clear instructions from my outside counsel not to set foot in Italy, at all. That's a tragedy, since I love Italy. It means I won't be speaking at this privacy conference in Bologna in May, which still seems to be advertising me as a speaker:

http://www.sassuolo2000.it/2009/11/17/bologna-la-privacy-al-tempo-di-facebook-8-incontri-ad-alma-graduate-school/

It also means I won't go hiking with friends in the Dolomites this summer.

Why? Well, Italy has a legal concept which is unknown in Anglo-Saxon countries: namely, that an employee of a company can be held personally criminally liable for the actions or non-actions of the corporation he works for. Moreover, Italy has also criminalized much of its data protection laws, meaning that routine data protection questions can give rise to criminal prosecutions. As everyone in the field of privacy knows, data protection laws are full of sweeping statements that need to be interpreted with judgment and common sense. But imagine the consequences if every data protection decision made by a company can be second-guessed by a public prosecutor with little knowledge of privacy law. Does that mean that a data protection lawyer working for a company is running the risk of personal criminal arrest and indictment and prosecution for routine business practices? Well, I guess you can see why I've been advised not to set foot in Italy. I'm sure such prosecutions will remain rare, and perhaps my current prosecution will be the last of its type. But maybe not. And working for one of the world's most visible Internet companies puts me at more risk than most of my colleagues in the field of data protection, as the current prosecution has shown.

Italy is my favorite country in the world to visit. What a shame.

Ciao, Italia!

Monday, November 23, 2009

On Trial in Italy

I'm relieved that the Google "privacy" trial in Italy is finally underway. This week, the Milan Public Prosecutor will make his case why four random Google employees should be held personally criminally liable for a video that some high-school kids in Turin made and uploaded to Google Video.

For me, I've lived under this Sword of Damocles for two years now. It began in January 2008 when I was invited to speak at a privacy conference at the University of Milan. I was approaching the University on foot, when I heard someone call my name. I turned around, and saw a guy in plain clothes, who told me to wait a minute, while he spoke into a cell phone, and within seconds, I found myself on the sidewalk surrounded by 5 Italian policemen. I had no idea what was going on. I was scared. I couldn't understand much, but I did understand that they wanted to take my passport, asked me to sign some documents, and wanted to escort me to a judge. I was allowed to put a call into my Italian colleagues at Google, who thankfully were able to rush to the scene and talk to the policemen. I was escorted by the policemen on foot through central Milan, with tourists and locals alike stopping to stare at the scene. My colleagues told the group of policemen that I was supposed to deliver a speech at the privacy conference shortly. After much discussion, it was agreed that I would be allowed to deliver the speech, after providing my passport and signing various documents that were being served on me, and that I would be interrogated by the Public Prosecutor afterwards.

And so, I was allowed to deliver this talk. If I look a little distracted, now you know why. [between us, I had to stop to vomit, but that part has been edited out.]


This whole Italian prosecution has been an ordeal. I just want it to be over soon. After two years, well, it's finally underway.

Guys in Ties, thinking about children and privacy

First, thanks to a bunch of you for sending me notes, encouraging me to keep blogging. I will.

I recently joined a group of privacy experts working with a Spanish foundation dedicated to children's issues to think about how to help protect kids' privacy online, in particular in social networking services. We've just had one inaugural meeting, a brainstorming session. It's too early to say which approach the group will take. But for my part, I recommended a crowd-sourcing approach, where we encourage (sponsor?) an open-ended contest to invite people to create videos on YouTube where kids talk to other kids about privacy. I doubt a top-down approach would work, where governments or corporations lecture kids about what they should or should not do online. I think kids will react more to videos by other kids, who talk about sharing with their friends, what happens if they share personal stuff with the wrong people, how to make good choices.

If you have a better idea about how to approach the challenge of sensitizing kids about the privacy risks when they post stuff online, please let me know, and I'll take it to the group.

Sunday, November 22, 2009

I've been taking a break


I've been taking a break from blogging.
In case you wonder why, it's because I was rattled to see an Italian public prosecutor scour my blog and print out copies of it to help him indict and prosecute me and some of my Google colleagues for some "privacy" criminal theory. I'm all for free speech, and love a robust debate of privacy issues, but seeing your own words being combed through by a prosecutor who's looking for evidence to convict you in criminal court is enough to give anyone reason to pause from blogging.
I'll start blogging again soon. At least I know I have one reader.

Thursday, April 16, 2009

The Cloud: policy consequences for privacy when data no longer has a clear location

Cloud Computing has become one of the more influential tech trends of our day. The Cloud is roughly analogous to remote computing, where computing and storage move away from your personal device to servers run by companies. A simple example might be online photo albums, which allow users to move their pictures off personal computers and into a secure and accessible space on the Web. Some Cloud services, like Hotmail, have been around for roughly a decade. And others have appeared since; almost all of Google's services, for example, run in the Cloud. As these services become more widely used, it's important to ask how our privacy laws and regimes should deal with this new phenomenon.

Some privacy laws, such as the EU Directive, base regulation in part on the location of data. If data is in the Cloud, where exactly is that? Data in the Cloud exists within the physical infrastructure of the Internet, in other words, on the servers of the companies offering these services, as well as on users’ own machines. Cloud services are built on the concept that data held in the Cloud enables users to access and share data from anywhere, anytime and from any Internet-enabled device.

To know the “location” of data in the Cloud, you’d need to understand the architecture of data centers, among other things. Some companies like Google have data centers in multiple locations. A data center is a building that houses many, many computers, not too different from the ones you may have in your home. Companies try to pick places that, among other things, have a skilled workforce, reasonable local business regulation and are near low-cost and abundant sources of electricity. They tend not to provide too many specific details about these data centers, for a couple of reasons. First, the data center industry is highly competitive and companies try not to disclose too many details that may give competitors a leg up. Second, knowing that users' personal information is stored in these computers, companies take the privacy and security of this data seriously and ensure that these buildings are well secured so that no one could just walk out with a computer holding your credit card information. The geographical location of data centers can also be optimized to enhance the speed of a service, e.g., serving European users from a European data center might be faster than having the data cross the Atlantic. Finally, having data centers in different locations allows companies to optimize computing power, automatically shifting work from one location to another, depending on how busy the machines are.

Moreover, cloud applications are architected not to lose users’ data and to respond to queries quickly. Applications therefore usually replicate users’ data in more than one place. No Internet user would be happy if they lost access to all their email or calendar information, for example, just because the power goes out in some data center location. Applications may dynamically load balance their users among different data centers, so that the location of a particular user's data may change over time.

For all these reasons, it’s actually very hard to answer the apparently simple question: “where’s my data?” Indeed, it's becoming problematic that existing EU data protection laws were largely written in an era when data had an easily-identifiable location. For example, EU laws impose restrictions on the transfer of personal data outside the EU to any jurisdiction where there is not "adequate" data protection. In the past, "transfer" was defined as the physical shipment of data, such as sending a computer tape or paper files to an office in a faraway location. However, nowadays almost any activity on the Internet involves a transfer of data outside of the EU. Sending a document to a colleague in New York, for example, can technically be considered a transfer of material outside of the EU. In today's era of connectivity, strict and literal application of these laws would cause more than just a headache for companies and regulators: it would cause the Internet to shut down.

In this Internet age, when data flows around the planet at the click of a mouse, everyone agrees we need to identify a better model of privacy protections. Data doesn't start and stop at national borders when it travels on the Information Super-highway. From a privacy perspective, the important question is not “where is my data?”, but rather “who holds my data, and what are their privacy policies?" For a user, the important thing is to research and understand the data protection policies of the company which holds the data, regardless of its location.

I’ve looked at various laws around the world, and I’m impressed by the far-sighted model adopted in Canada’s privacy laws. I can’t do better than just quote the Office of the Privacy Commissioner:

http://www.privcom.gc.ca/information/guide/2009/gl_dab_090127_e.asp

"European Union member states have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers "adequate" protection for personal information. In contrast to this state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy… [U]nder PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement…

Regardless of where the information is being processed - whether in Canada or in a foreign country - the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it is in the hands of the third party processor. The organization must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. ... [O]rganizations must in their own best interests, as well as those of their customers, do what they can to protect the information."

Canada’s approach works to preserve privacy protections, and to hold data collectors accountable for privacy protections regardless of the location of data. Canada has blazed a trail that will help guide us in the age of the Cloud.
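To make the "where's my data?" problem concrete, here is an added example (not code from the original post, and not Google's or any regulator's system) that models replicated, load-balanced storage of the kind described above and asks two compliance questions of it: a location-based test in the spirit of the EU "adequacy" rule, and an accountability-based test in the spirit of the PIPEDA guidance quoted above. All data centres, jurisdictions, safeguards and records are constructed for illustration, and the "adequate" set and the required safeguards are assumptions, not any law's actual list.

```python
"""A small model of replicated, load-balanced storage, used to contrast two ways of
asking a privacy-law question of it: a location-based test (the "adequacy" model the
post describes) and an accountability-based test (the organization-to-organization
model in the PIPEDA guidance quoted above). Every data centre, jurisdiction, policy
and record here is constructed for illustration; none is Google's or any regulator's."""
from dataclasses import dataclass, field

# Constructed: four data centres and the jurisdiction each one sits in.
DATA_CENTERS = {"dc-eu-1": "EU", "dc-eu-2": "EU", "dc-us-1": "US", "dc-sg-1": "SG"}
# Constructed: jurisdictions a hypothetical location-based rule treats as "adequate".
ADEQUATE = {"EU", "CA"}
# Constructed: safeguards a hypothetical accountability-based rule asks the holder to show.
REQUIRED_SAFEGUARDS = ("encryption_at_rest", "access_logging", "staff_training", "breach_notice")


@dataclass
class ReplicatedStore:
    """Each record is kept on `replicas` data centres; replicas move under load."""
    replicas: int = 2
    placement: dict = field(default_factory=dict)  # record_id -> set of dc names
    load: dict = field(default_factory=lambda: {dc: 0 for dc in DATA_CENTERS})

    def store(self, record_id, home_region):
        # Initial placement favours the user's home region, as the post says is done for speed.
        home = [dc for dc, j in DATA_CENTERS.items() if j == home_region]
        targets = sorted(home, key=lambda dc: (self.load[dc], dc))[: self.replicas]
        self.placement[record_id] = set(targets)
        for dc in targets:
            self.load[dc] += 1

    def rebalance(self, threshold):
        # Load balancing: while a data centre holds more than `threshold` replicas, move one
        # replica of the first record found there to the least-loaded data centre that does
        # not already hold that record. Nothing about this is visible to the user.
        moved = []
        for dc in sorted(DATA_CENTERS):
            while self.load[dc] > threshold:
                rid = next(r for r, dcs in self.placement.items() if dc in dcs)
                candidates = [d for d in DATA_CENTERS if d not in self.placement[rid]]
                target = min(candidates, key=lambda d: (self.load[d], d))
                self.placement[rid].remove(dc)
                self.placement[rid].add(target)
                self.load[dc] -= 1
                self.load[target] += 1
                moved.append((rid, dc, target))
        return moved

    def jurisdictions(self, record_id):
        """The honest answer to "where's my data?": a set, and one that changes over time."""
        return {DATA_CENTERS[dc] for dc in self.placement[record_id]}


def permitted_by_location(store, record_id):
    """Location-based rule: every copy must sit in an 'adequate' jurisdiction."""
    return store.jurisdictions(record_id) <= ADEQUATE


def permitted_by_accountability(holder_safeguards):
    """Accountability-based rule: the organisation holding the data must show the
    required safeguards, wherever the copies happen to be."""
    return all(holder_safeguards.get(s, False) for s in REQUIRED_SAFEGUARDS)


def demo():
    """Three EU users' records, then a rebalance that the users never see."""
    store = ReplicatedStore(replicas=2)
    for rid in ("r1", "r2", "r3"):
        store.store(rid, "EU")
    before = {rid: (sorted(store.jurisdictions(rid)), permitted_by_location(store, rid))
              for rid in store.placement}
    moves = store.rebalance(threshold=2)
    after = {rid: (sorted(store.jurisdictions(rid)), permitted_by_location(store, rid))
             for rid in store.placement}
    # Constructed holder record: the same organisation holds the data throughout.
    holder = {s: True for s in REQUIRED_SAFEGUARDS}
    return {"before": before, "moves": moves, "after": after,
            "accountability_ok": permitted_by_accountability(holder)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the point of the post: record r1 starts on two EU data centres and passes the location-based test, then a routine rebalance moves both of its replicas abroad and the same test fails, although nothing about who holds the data or how it is safeguarded has changed. The accountability-based test is unaffected by the move, which is why it is the more stable question to ask of a system that replicates and shifts data by design.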

Friday, March 6, 2009

A picture of your house on the Internet for all to see



I did a little OpEd in the French paper Liberation on Google's Street View and privacy. Only fair, I guess, to put a picture of my own house on this blog. I confess, I did hesitate a minute before posting it. In any case, I do believe in taking one's own medicine, or eating one's own dogfood, as the case may be.

A hundred years from now, which advances will have marked our era? Our political progress, such as the creation of the European Union? Scientific advances?
In our view, if there is one advance that has been in gestation since the end of the twentieth century and that could mark our generation's passage on earth, it is the sharing of knowledge. Brought about by the Internet, the democratisation of access to information at the turn of the millennium is a revolution that will probably be remembered for a very long time. In an opinion piece published on 13 February in Libération, Odile Belinga and Etienne Tête raised a number of criticisms of Street View, the new Google Maps feature that lets users navigate virtually through major French cities. The two authors claim that the service does not respect individuals' privacy and compare it to video surveillance.
Every day, Street View lets thousands of users navigate in 360 degrees using photographs taken in the street at eye level. Internet users around the world can thus move about virtually, prepare their next trip to Rome, walk down the Ramblas in Barcelona, explore their own city, or simply locate the address of their next apartment. It is also a formidable tool for showcasing a city's heritage or promoting a shopkeeper's business. The aim here is to contribute to the open and beneficial ecosystem that the Internet makes possible. The many partners that have chosen to join the service (Télérama, Cityvox, the Office du tourisme et des congrès de Paris, among others) have not been mistaken about this.
Does the Street View service respect privacy? The question is entirely legitimate. And the answer is yes. Let us first recall something obvious: on the Internet, information, like competition, is always close at hand, a single mouse click away. In other words, without the interest and trust of the Internet user, a site is not worth much. And that trust must not be betrayed.
The photographs displayed in Street View are perfectly lawful. They contain only images of public roads and reveal no information that was not already exposed to the view of passers-by. The arguments according to which a mapping service like ours could not use such images in the name of respecting "intimacy" fundamentally call into question the notion of public space. On the contrary, they distort that sphere of intimate life to which the law rightly grants heightened protection.
The images in Street View are the same as those any passer-by in the street could take with a camera. Images of this type, of cities around the world, are already being published in all kinds of formats on the World Wide Web. Aware that this service gathered those images in a single place, Google voluntarily decided to take additional precautions by creating a technology that automatically blurs faces and licence plates, whose implementation the Cnil has, moreover, welcomed. To go further, if a face is not blurred or is imperfectly blurred, anyone can request the removal of the images concerned by clicking a simple button. The photos are not dated (neither time nor day) and are not real-time shots. In short, anything but surveillance cameras!
Let us be curious, let us doubt; that is what drove our exchanges with the Cnil before the launch of Street View in France. But let us not be afraid, on principle, of progress and of the technological advances it implies. Take the recent example of Google Flu Trends: before calling their doctors, many Internet users type "flu symptoms" as a keyword into their search engine. This query, multiplied across millions of individuals, allowed Google to develop a tool for predicting flu outbreaks that can run up to ten days ahead of the health authorities, simply by observing the geographic areas recorded in connection logs. Let us be curious, let us be vigilant, but let us not be afraid of the Internet.
Far more than a vehicle for threats, which are as real on the Internet as in the physical world, it is above all an extraordinary tool that makes our daily lives easier.

Monday, February 9, 2009

Lead Data Protection Authority

Lead Data Protection Authority:  how EU data protection regulation can catch up with other areas of European law

Being a global company means having employees, partners and users who interact on a worldwide basis without geographical or jurisdictional limitations.  Maximising efficiency is a key driver so most global companies attempt to adopt a consistent way of doing business internationally.  Whilst cultural differences may have an impact on some activities, economic globalisation encourages a uniform and coherent approach to most operations, from sales practices to compliance protocols.  However, global companies still have to comply with diverse laws across jurisdictions and be accountable to many national regulators.  All of these trends become even more pronounced for companies doing business over the Internet. 

In the European Union, some industry sectors can benefit from regulatory regimes which are specifically aimed at simplifying the way in which players within those sectors comply with cross-jurisdictional rules.  For example, pharmaceutical companies may rely on simplified procedures to have their products evaluated and authorised across the EU.  One solution is called the “decentralised procedure”, by which a company can go directly to a national authority to obtain permission to market its products in that member state and then seek to have other member states accept the approval of the first member state.  This procedure is applicable in cases where an authorisation for a pharmaceutical product does not yet exist in any member state.

Alternatively, pharmaceutical companies may in some instances rely on the mutual recognition procedure, by which the assessment and marketing authorisation of one member state should be mutually recognised by other concerned countries within the EU.  Under the mutual recognition procedure, the pharmaceutical company submits its application to the chosen country, which will carry out the assessment work and approve or reject the application.  The other countries then have 90 days to decide whether they approve or reject the decision made by the original country.

Similarly, financial services firms can seek authorisation in one member state and obtain “passport rights” to enable them to carry on financial services in other member states.  When a financial services provider wishes to establish a branch or provide services in several EU countries, notification of such intention is submitted to the regulatory authority in the home member state.  This notification is then forwarded to the regulator in the member states in which the operator intends to open the branch or provide its services. As a result, a particular product licensed in the home member state becomes automatically recognised in all other member states and may therefore be sold across borders free of undue bureaucratic controls.

Some areas of law – such as e-commerce – also follow the “country of origin” principle.  This principle establishes that where an action or service is performed in one country but received in another, the applicable law is the law of the country where the action or service is performed.  For example, if a company sells products online across Europe but it is formally established as a limited company under the laws of one member state, that commercial activity will normally be subject to the law of that country.

Data protection regulatory complexities

The jurisdictional rules under the EU data protection directive do not work like that.  When a company handles personal information about employees, customers, suppliers and others, it will be subject to the different privacy and data protection regimes in force in each EU jurisdiction.  In the European Union, data protection laws will establish a number of very specific requirements and compliance will be overseen by the data protection authorities of each member state.  This means that the use of personal information by that company will be regulated in slightly different ways across the EU.

All European directives pursue the same overriding objective: achieving harmonisation across EU member states whilst respecting the national legislative power of each jurisdiction.  This is normally achieved by establishing a set of principles that each member state incorporates into its own legislation within the parameters of the directive.  When a directive, like the 1995 data protection directive, creates a complex regulatory regime involving an independent regulator, member states devise suitable structures that provide for the establishment and operation of that regulator.

This approach to data protection regulation has caused a number of complexities that diminish the two-fold aim of the directive, namely: protecting the fundamental rights and freedoms of natural persons and facilitating the free flow of personal data between member states.  The fact that laws and regulators are different makes pan-European compliance more difficult and hence less effective.  At the same time, the existence of disjointed regulatory approaches creates inefficiencies, business barriers and unnecessary expense for those companies seeking to comply with all applicable laws and regulations.

The lead authority concept

Whilst legislative harmonisation may not be achieved without radical constitutional changes, the experience of simplified oversight in some industry sectors shows that adopting a lead regulator approach is not only possible but desirable.  The most promising step in this direction within the data protection regime is the “lead authority” concept that was created for the purpose of assessing and approving Binding Corporate Rules (“BCR”) applications.  In 2005, the Article 29 Working Party adopted a co-ordinated approval mechanism that allows companies seeking the approval of their BCR to fast-track their submissions through all of the relevant EU data protection authorities.  This mechanism entails choosing an “entry point” data protection authority which will be the official point of contact with the candidate until the BCR are ready for approval in that country, and then will assist the relevant organisation to gain approval throughout the European Union.  More recently, a group of data protection authorities within the Article 29 Working Party launched the BCR mutual recognition procedure, so that approval by one authority will automatically lead to approval of the same BCR by the others. 

Whilst for some organisations it may be obvious which data protection authority should act as the lead authority, where it is not clear which authority should become the entry point, the co-ordinated approval mechanism establishes that organisations must consider the following factors to determine the most appropriate data protection authority:

· The location of the corporate group’s European headquarters or office with data protection responsibilities.

· The location of the company which is best placed to lead the BCR application and, if necessary, enforce compliance.

· The place where any key operational decisions in terms of the purposes and means of the data processing are made.

· The EU country from which most international transfers originate.

Extending the concept beyond BCR

Both the co-ordinated approval mechanism for BCR and the mutual recognition procedure are contributing to making BCR a much more credible and attractive option for organisations using personal data on a global basis.  The fact that the approval stage itself focuses on meeting one single set of standards and expectations – even when these are high – allows those organisations to concentrate their compliance efforts in a consistent and effective way.  In other words, companies can devote their attention to ensuring that they apply the right standards and achieve a workable level of privacy and data protection, rather than to dealing with the diverse expectations of a plethora of similar regulators.

Given that BCR systems include policies and procedures affecting the whole range of data protection obligations and rights, it should also be possible to take the lead authority concept beyond BCR and apply it to data protection compliance generally.  The criteria to determine the most appropriate data protection authority for BCR applications could also be used to identify the most suitable authority overall.  If the single regulator idea has worked in heavily regulated sectors like health care and banking, it is not inconceivable that the same idea could work very effectively in the area of data protection compliance.

If this were the case, global companies collecting, using and sharing data in the EU could not only benefit from the harmonisation of legal standards but from the simplification of regulatory activities across the EU.  The national regulators themselves would be able to operate in a much more focussed way.  These efficiency gains would ultimately translate into a greater and more realistic level of protection for individuals.  So the case for a lead data protection regulator to oversee the data activities of pan-European organisations is one that the EU data protection authorities themselves, as well as the EU Commission, should be making their own.  


Thursday, January 15, 2009

Launching another "global" forum to talk about privacy

There is a new buzz these days in privacy circles: the idea of global standards seems to be gaining momentum.  On January 12, privacy commissioners, and a handful of invited academics, advocates and CPO's, met in Barcelona for an inaugural meeting to launch work on a "Joint Proposal for a Draft of International Standards for the Protection of Privacy and Personal Data."  http://www.privacyconference2008.org/adopted_resolutions/STRASBOURG2008/resolution_international_standards_en.pdf  

There have been several very serious attempts at developing international, or regional, privacy standards.  The oldest, and perhaps most successful, was the OECD Privacy Guidelines from 1980.  Essentially all privacy laws in the world today derive from the OECD's work.  The OECD was so successful, because it maintained the privacy guidelines at a sufficiently high-level that they were not rendered obsolete by technological developments.  And the OECD refrained from mixing implementation issues into its guidelines, wisely recognizing that its member countries have very different legal and regulatory regimes.  

The EU Data Protection Directive of 1995 is probably the most complete and detailed set of regional privacy laws in the world.  Because the Directive was very focused on European Common Market issues, it took great strides to harmonize pan-European regulatory and implementation issues.  Since many of these implementation issues, such as the mandatory creation of an "independent" data protection authority, are unique to the European legal and regulatory context, the Directive itself is not suitable for broad global adoption, except in countries with European colonial traditions, like Hong Kong.  

APEC continues its work on a Privacy Framework, building on the OECD Privacy Guidelines and adding new and effective concepts of "accountability" and "harm".  APEC is the most exciting initiative underway anywhere in the world in terms of new thinking about how to move forward on global privacy standards.  Singapore, as this year's revolving host country, will host further meetings to build on the strong progress that's been made in past years.  

I attended most of this week's meeting in Barcelona.  It's too early to tell if this initiative, sponsored by the Data Protection Commissioners, will have legs in terms of moving forward the debate.  The inaugural meeting on January 12 was mostly attended by Europeans.  The documents that it cited as reference points were mostly European.  The overwhelming majority of participants were European data protection authorities, who naturally are very familiar with the EU Data Protection Directive, and come to the table imbued with the European approach.  A sprinkling of North Americans rounded out the participants, which left me thinking that this "global" meeting represented countries with something like 10% of the global population.   This particular initiative will sadly fail in the international arena, if it simply turns into an exercise of European commissioners to try to convince the rest of the world to adopt something like the EU Data Protection Directive.  They've already been doing that for over a decade, so there's little incremental benefit from continuing down that path.  

I think the world needs minimum international privacy standards, as I've blogged many times before. OECD and APEC are also promising forums to advance the debate.  In parallel, Europe will continue its reflections on how to modernize its own data protection concepts, and perhaps, streamline some of its rather inefficient bureaucracy.  Europe would certainly be more credible as a global leader, if it got its own data protection house more up to date and efficient.  [I'll be contributing to that effort in a separate forum.]  In the meantime, if I were from a country with no pre-existing tradition of privacy laws, I would be looking to the OECD and APEC for inspiration.  In any case, competition is good, even in the sphere of privacy policy thinking.  

Wednesday, October 29, 2008

Lessons from the failure of global financial regulation

The financial crisis has everyone talking about global financial regulation. Why didn’t regulations work? And how can regulation be reformed to prevent future melt-downs? Who should regulate in a global context? In a sense, these are the same questions I’ve been pondering for years, in the context of global privacy regulation. Like many people in the privacy community, I’ve been calling for better global privacy standards now, so that we’re not faced with a crisis later.

What lessons have we learned from the financial regulatory crisis that are relevant for privacy?

The issues are global. The crisis is global. Financial and data flows are global. Money, in all its diverse forms, flows across borders, making all of finance inter-connected. Global financial flows are now essentially digital data traffic. When it comes to money, and data, countries are not islands, as Iceland has clearly demonstrated. And if there’s anything that flows globally even more quickly than money, it’s data.

You can identify problems before they turn into crises. In retrospect, the problems were pretty obvious, even if people were enjoying the party at the time too much to want to sober up enough to confront them. It’s fashionable to claim that you can only identify a bubble in retrospect. I think that’s nonsense: I knew Florida condos were a bubble when my house painter bought a condo there, on which the annual maintenance fees alone exceeded his annual income, as he proudly told me, but he was unworried, “because real estate prices only go up.” Similarly, in the world of privacy, we already know what the issues are… so, the only real question is whether we need to wait for a crisis to muster the willpower to drive change.

Regulations that are out-of-date are useless. The financial crisis is exposing lots of regulations from other eras that have proven useless. I hardly need to remind readers of the bizarre patchwork of regulations that apply differently, or not at all, to banks, to investment banks, to special financial vehicles, to hedge funds, etc. Similarly, much of the world’s privacy regulations were designed for a pre-Internet world. Having regulations that are out-of-date means that they are either not applied at all, or applied poorly, or simply “re-interpreted” according to the tastes of individual regulators, like the German “regulator” who blithely declared all search engines to be “illegal”, whatever that means. So, having European data protection regulations that require things like “prior authorizations” from “supervisory authorities” before an international transfer of data is quaint (at best), or dangerous (at worst), in the age of the Internet. In fact, I think it’s dangerous to base international data protection rules on obsolete fictions, like the fiction that data flows somehow stop at borders.

Solutions have to be global. Without global solutions, we create the risk of regulatory havens, like tax havens, where actors can engage in regulatory arbitrage, moving from highly-regulated to lightly-or non-regulated spheres, be they countries or industries (e.g., the move from banks to hedge funds). Much of the privacy debate in recent years has been almost exclusively trans-Atlantic. For example, if you read the work of the EU Working Party data protection regulators over the last decade, you would come away with the impression that they are obsessed with privacy issues of US companies and the US government, while almost completely ignoring any privacy issues relating to data flows to or from anywhere else on the planet, such as India, to cite but one example. But surely, even EU data protection authorities in the anti-American ideological camp (perhaps I should use the German word “Anti-Amerikanismus”) will recognize that the US provides much more solid legal protections for personal data than the vast majority of countries on the planet. So, the obsession with the trans-Atlantic data flows issues is actually becoming dangerous, if it blinds us to the global nature of data flows. That’s one reason why I’m so excited about the APEC initiative, a process where many countries with no tradition of privacy laws are coming together to define privacy standards that are up-to-date, multi-national, and forward-looking. APEC is the most positive thing to happen in the world of global privacy standards since the EU Data Protection Directive of 1995.

Enforcement has to be local. While regulations need to be thought of in global terms, enforcement has to be local, to remain anchored in local legal and regulatory traditions. Some have suggested that we should create “super-regulators” with global mandates, like a mini-UN agency. Personally, I think international bodies have a strong role to play in driving forward international standards, but I’ve watched too many international meetings descend into farce to have much hope that they can function as day-to-day regulators. Moreover, different countries cannot have the same regulatory structures, often because of fundamental constitutional reasons. The US simply cannot have an independent Federal Data Protection Authority in the French mode, because the US Constitution wouldn’t allow it. So, calls for global harmonization of regulatory structures are doomed. The French can try to convince French-speaking Ivory Coast of the need to create a French-style data protection authority, and they may succeed, but that’s not a formula for global success. Whether that’s good for the Ivory Coast is another question entirely. The Spanish can try to convince Spanish-speaking Colombia of the need to create a Spanish-style data protection authority, and they may succeed, but they can’t expect a country with a very different constitutional structure, like the US, to follow that lead. There are some people who honestly believe that you can’t have privacy without an EU-style data protection authority…well, hey, they might want to open their eyes wider.

Regulatory experimentation is a good thing. No one really has all the answers. The US experimented with Security Breach Notifications laws, and they generally seem to work, so Europe is adopting them too. Europe experimented with the creation of dedicated privacy Data Protection Authorities, and many countries around the world, from Argentina to New Zealand, have adopted them since. Maintaining some level of regulatory experimentation, even as we move towards global privacy standards, is a healthy foundation for the innovation in privacy frameworks that we need.

There’s no “Mission Accomplished” moment. Moving towards global privacy standards will be a multi-year process, with steps forward, and back, with vigorous debates, with ideology, with pragmatism, with passion. It’s a process, hopefully with progress in a more or less straight line, towards ensuring better privacy protections in our new global reality. Some people will stress the need for a legal framework and legal enforcement powers; others will stress the usefulness of self-regulatory standards. That’s fine, and it reflects traditions: some peoples expect the government to solve most of their problems; others expect the private sector to do most of the work. One thing is certain; we’ll need to carry on this debate virtually, without expensive global summits or conferences, since thanks to the global financial crisis, none of us can afford to travel anymore. Oh well: blogging is great and free.

Friday, September 19, 2008

Why would Germans claim their "privacy" laws prevent them from publishing a list of victims of Nazi terror?

There was a short report in the BBC today which struck me, my highlights in red:

"The federal archive in Berlin has for the first time compiled a list of some 600,000 Jews who lived in Germany up to 1945 and were persecuted by the Nazis.

The names and addresses, which took four years to compile, will be made available to Holocaust groups to help people uncover the fate of relatives.

Archive officials from the Remembrance, Responsibility and Future Foundation said the list was not yet definitive and would require further work.

It will not be released to the public because of Germany's privacy laws, but will be passed on to museums and institutions, including Israel's national Holocaust memorial, Yad Vashem.

"In handing over this list, we want to make a substantial contribution to documenting the loss that German Jewry suffered through persecution, expulsion and destruction," said Guenter Saathof, the head of the foundation."

I'm a privacy legal expert, and it's baffling to me why German "privacy" laws would prevent this list from being published to the Internet.   This is a valuable historical document.  Putting it on the Internet would allow people around the world to study it.  I would like to see if my grandfather is on the list.  I could check if his address in Berlin was indeed correct.  I think this information belongs to humanity.  

Now, of course, I can imagine certain privacy issues.  A very very small number of people included in the list may still be alive.  Privacy laws are only meant to protect living human beings, after all, not dead people or their reputations after death.  Other laws, like libel laws, can apply after death, but privacy laws cannot.  So, I would call on the Foundation to publish its work on the Internet.  I think it is wrong to cite "privacy" laws as a reason not to make this information public.   

Because, after all, whose "privacy" are we protecting now, for a list which includes names and addresses from something like 70 years ago, and most of whom have been dead for over half a century?

This is the sort of nonsense that gives German privacy law a bad name.     

Friday, August 29, 2008

Relax: the Faroe Islands have adequate data protection

Lots of people in Europe are trying to figure out how to reduce bureaucracy and red tape.  Let's face it:  we Europeans face some of the highest tax burdens in the world, with some of the highest numbers of public servants as a percentage of the general population anywhere on the planet.  So, let me pick a little example, to make a point. 
 
In this Internet age, when data flows around the planet at the click of a mouse, everyone agrees we need to be talking about global privacy standards.  Data doesn't start and stop at national borders when it travels on the Information Super-highway.  So, all the time and effort that has been spent in recent years, trying to segregate the world's countries into "adequate" and "not adequate" regimes in terms of data protection, has become largely obsolete and pointless.  Data doesn't stop, take a look around, and wait to find out if the European Commission has categorized a country as having "adequate" data protection.   The whole process is becoming a bit tired and irrelevant.  Last year, the European privacy regulators adopted an opinion, concluding that Jersey and the Faroe Islands have "adequate" data protection. 
 
Indeed, Jersey and the Faroe Islands.  I haven't been to either.  I'm sure they're lovely places.  I think they do fishing in the Faroe Islands.  As for Jersey, I have some sense of the kind of data that goes to places that are known as international tax havens.  International tax havens as a rule have "privacy" laws, and it's pretty obvious why.  I'm perfectly prepared to accept that these islands have solid data protection laws.  But why aren't we talking about more important topics, like Japan, for example, to name a country that is widely viewed as having very strong data protection practices, even if they're different than Europe's?  
 
Let's face it.  This process, reviewing a country's data protection regime, to ensure that it exactly mirrors Europe's, before awarding it a bureaucratic seal of approval, is a process that is out-of-date.  It doesn't reflect the realities in the world:  under current opinions, Argentina, Romania and Bulgaria are "adequate", but Japan is not!  Does anyone in the real world believe that personal data is better protected in Argentina, Romania or Bulgaria than in Japan?  And if our taxpayer-paid government leaders are spending their time writing opinions about the adequacy of data protection in the Faroe Islands, it's fair to ask whether our taxes are being wisely spent.