Friday, January 22, 2010

Photos to the Web


I'm always amazed how many photos I find on the Web, of friends, family or myself, that none of us knew were there. Because things on the Web, in particular, photos, can last forever, forgetfulness is one of the big new themes in the privacy debate, particularly in Europe. There's lots of discussion about how to re-introduce a human concept of memory/forgetfulness/evanescence into a technical world of computers and websites and the Internet. I'll be joining a conference on this theme next week in Brussels.

I also joined a French government-sponsored conference on this theme recently in Paris. At the conference, much was said about the risks to people of having their photos posted online, without their knowledge or consent. With some sense of irony, I noticed a bunch of photos of me were published from that conference without my knowledge or consent, like the one here, in the online photo album of the Minister, no less. I don't mind, and I would have happily consented, but it does make an interesting point, and I re-posted it to this blog, but that was my choice. If thoughtful people sitting in a conference about the problems of posting photos online are taking photos of people at the conference and posting them online, all without their knowledge or consent, well, maybe the sociology of online photo-sharing has developed beyond the state of the debate.

Monday, January 18, 2010

Happy 80th Birthday, Dad!

The "adequacy" regime is inadequate

There are many people in Europe who would rather eat their “chapeau” than admit that non-European countries like the United States might have adequate privacy protection, based on long-standing cultural or ideological bias. In my opinion, it’s the European “adequacy” regime that has become inadequate in today’s world. It’s near the top of my list of things that need to be modernized in European privacy law. It’s a political/bureaucratic fiction that some countries provide “adequate” data protection, while others don’t, because the decision is based on criteria that have almost nothing to do with the level of data protection on the ground, in the real world. A country can’t be deemed “adequate” if it doesn’t have an EU-style data protection authority. But the idea is ludicrous to me that privacy somehow couldn’t be protected in countries without such an agency, and in fact, the vast majority of countries in the world don’t have such an agency. And whatever labels are applied, the reality, in the age of the Internet, is that data is flowing around the globe. To take one topical example, cyber attacks do not respect borders, and take no note of whether or not a target is based in a country with “adequate” data protection.

So, recently, Israel and the Principality of Andorra have been added to the EU list of “adequate” countries. They join other countries already on the list, including: Argentina, Canada, Guernsey, Jersey, the Isle of Man, and Switzerland. Stop to read that list again, and ask yourself, really, this is the global list of “adequate” countries outside the EU? Really?

In privacy terms, what’s the right way forward for the future? As I’ve said before, follow the Canadian model, and make any company/government that collects personal data responsible and accountable for protecting it, regardless of where it happens to process it. If it can’t protect data adequately in a particular country, it shouldn’t send it there. If a company decides it can adequately protect its data in Japan, but not in Bulgaria, so be it, even if EU law would suggest the contrary. Common sense should prevail for the sake of privacy.

At the beginning of each year, I make a resolution to visit at least two new countries a year. If I’m lucky, I’ll have my wish and get to visit Andorra and Israel this year. They’re both on my adequacy list.

Friday, January 15, 2010

Privacy Officers with a French accent

Since I’m based in France, I’ve recently been appointed as Google’s “Correspondant” for data protection with the French Data Protection Authority, the CNIL. The profession of privacy officers is generally less developed in Europe than the US, and indeed, the position of “correspondant” was first created in France in 2004. Like many things in France, even this private-sector role is defined and guided by the government, in the long French tradition of dirigisme:


“From now on, local authorities, public services and associations are allowed to appoint a "Correspondant Informatique et Libertés" (CIL). It is a major innovation in the application of the law, as prior pedagogy and advice are emphasized. Indeed, the data controller which appoints a CIL is exempted, in most cases, from the notification process to the CNIL. The CIL has the duty to ascertain that the information system of the organization will expand without harming the rights of the users, clients and employees.”

As a privacy professional, I’m very excited by anything that supports the development of meaningful empowerment and development for the profession. As long as the role of Correspondant avoids the trap of becoming a purely administrative function, I think it could prove to become a serious contribution to the growth of this profession in Europe.

Monday, January 11, 2010

Practice makes perfect


I recently got away for a few days to play tennis in Florida. I left with a clear conscience, thinking that 2009 was a good year at Google in terms of privacy tools.

Google launched three major industry-leading privacy initiatives that implemented the key privacy principles of transparency and choice -- interest-based advertising, the data liberation front, and Google Dashboard.

It's a great tennis facility, on Key Biscayne, with grass courts, no less. Someone builds and maintains a grass court in that unlikely climate, and it must be a lot of work. And people pay a lot of money to live in "privacy", which usually means living in a place, like Key Biscayne, where they are secluded and protected from other people. So, now that there are online privacy tools, like the ones I just mentioned, I wonder if people will really use them more. I mean, to play tennis, you have to run and serve and swing. To protect your privacy, you should hustle a little too. Someone else can build the grass court, but it's up to you to play.



Friday, January 8, 2010

Watching people walk down the street


It's just snowed in Paris, and I'm looking out my window, watching the children and the dogs play. Almost everyone walking down avenue Foch seems to be speaking on a cell phone. I doubt many of them are thinking about how their location data is being captured, stored or used.

EU countries began passing the Data Retention laws mandated by a European Directive. That means that massive databases of communications logs will now be collected and stored by communications service providers across Europe for 6 months to 2 years, for police and law enforcement purposes (France, for example, chose 12 months). This is the largest police surveillance database ever mandated in the history of humanity to date. The year ahead will define how all this is going to work in practice: who will be able to access them, for what purposes, under what controls, how should this work in a cross-border context, etc. Will other countries follow Europe down this path? For most people, I imagine, the most sensitive aspect of this is the idea that their physical movements can be tracked by the police over long periods of time.

But the mobile revolution is just starting. Think for a moment about the intersection of mobile and face recognition software. For some years, in small controlled contexts, the police have already been using face recognition software to find individuals in a crowd. Online photo albums already offer some face recognition software in the contexts of particular albums, or in the contexts of social networking sites: take a look at face.com. But reflect on the prospect of face recognition software that could be used from any Internet-connected smart phone that can photograph a face and return instant search results. Google already announced the launch of Goggles without face recognition and acknowledged the privacy concerns in applying similar technologies to identifiable human faces. There's a lot of work to do to think through the privacy design of image recognition software applied to faces. The more I think about it, the more complicated it gets.

The web is going mobile, and as Internet apps go mobile too, location-aware services will explode in 2010 and beyond. That means that location data will be captured and used. Location privacy will become a key new issue in the mainstream in the year ahead. It's been around for years in cell phones, of course, but the issues will grow exponentially in the age of proliferating third-party location aware apps. It's one thing for you to know (or be dimly aware) that your cell phone company knows where you are based on your cell phone's location, it's quite another to have a plethora of third-party apps know that too.

Mobile is where the next generation of tough privacy issues will come, I muse, as I watch people walk down a Paris street that hasn't changed much in a hundred years.

Wednesday, January 6, 2010

DC: discussing privacy in public

I spent a few days in Washington DC in December. While I was there, I slipped into a public workshop hosted by the Federal Trade Commission on privacy. The content of the workshop has already been covered: http://blogs.wsj.com/digits/2009/12/07/ftc-takes-on-online-privacy/

Coming from Europe, I found this sort of transparency and public consultation by a privacy regulator novel and refreshing. The FTC regularly holds public workshops, where it invites stakeholders from many different sectors (academia, advocacy, government, private sector) to discuss problems in privacy and potential regulatory responses to them. This is meant to help the FTC staff understand the issues that it will grapple with. Moreover, the FTC often issues its guidelines in draft form, for the sake of public review and comment, before finalizing them, as it has done with its privacy guidelines for online behavioral advertising principles: http://www.ftc.gov/opa/2009/02/behavad.shtm

So, in my mind, I couldn't help but contrast all this with the practices of one of the world's other great bodies of privacy regulators, the EU Working Party. The Working Party has never, to my knowledge, held a public workshop. It has never opened any of its meetings to the public, and indeed, it is very rare for anyone from outside the closed world of Data Protection Authorities to be invited to attend one of its meetings. It publishes almost no information about its agendas, other than a few sentences to describe its annual work program. It never publishes its opinions in draft form for public review and comment before finalizing them. And finally, since it only issues "opinions", rather than enforceable decisions, its work has never, to my knowledge, been subject to judicial review. Seeing the transparency of the Federal Trade Commission's public workshop in action made me appreciate the benefits of transparent and open government.

Friday, December 4, 2009

On the sidewalk in Milan

I was relaxing with a glass of chianti watching The Bourne Ultimatum on TV. The shadowy authorities use surveillance technologies to try to track down Jason Bourne.

So, I'm no Jason Bourne. Back in January 2008, as I've blogged before, I was surrounded on a sidewalk in Milan in front of the ancient University by 5 Italian policemen. Many confused thoughts went through my head at that moment, as I'm sure you can imagine: fear, confusion, surprise, indignation. But also, a nagging question: how did these policemen know that I would walk down this sidewalk at this moment in a foreign city and how did they recognize me on a crowded city sidewalk?

As anyone who's checked into a hotel in Italy knows, the first thing that Reception asks you for is a passport. This is also true in most European countries. It's for the police. There is zero transparency or choice in this process: no one I've ever met knows where this data goes or how long it's kept or what it's used for. Needless to say, if you're sharing a room with another person, the police will know this too. You do not have the option of checking into your hotel room anonymously.

In my case in Milan, I don't think there was any great use of police surveillance technology. I'm guessing the police were waiting on the sidewalk because there had been some minor press coverage before the privacy conference where I was scheduled to speak. I assume they downloaded a photo of me from the web and knew from the conference program roughly when I'd be arriving. Why five policemen were sent, I have no clue. Were they expecting me to make a run for it, like Jason Bourne?

According to independent reports, Italy leads the world with more wiretaps per capita than any other country. Wiretaps in the age of the cell phone now include location information.


I've always enjoyed the freedom of walking down the streets of foreign cities with the liberating sense of anonymity. I feel a little less free now. I hope technology will find a way to put users in control of their location information. I'm off somewhere else now, but come to think of it, I'd rather you didn't know where.

Thursday, December 3, 2009

Remembering and Forgetting in Berlin



I've spent a few days in Berlin, and I've spoken with many interesting politicians and journalists about privacy. The most interesting case must surely be this one:

Two German Killers Demanding Anonymity Sue Wikipedia’s Parent

http://www.nytimes.com/2009/11/13/us/13wiki.html?_r=1&scp=3&sq=german%20wikipedia%20murder&st=cse

In some countries in Europe, like Germany and France, there are well-established principles about the "right to be forgotten", an awkward translation of the "Droit à l'Oubli." As a privacy-sensitive guy, I'm all for the idea that people ought to be able to walk away from some awkward facts at some point in their lives. But I have never heard anyone be able to tell me how the "right to be forgotten" does not quickly cross the line into censorship. If two German murderers can require German publishers to remove references to their names in articles after they have served their sentence, isn't that censorship? And wouldn't it be even worse if they tried to re-write news archives, which are now rapidly becoming instantly findable online? And in the real world what will be the consequences if German Wikipedia deletes content that English Wikipedia still publishes?

And while I was in Berlin, I visited the Holocaust memorial, as I always do when in Berlin, and I wondered about the "right to be forgotten" in the midst of the memorial to "never forget".

Friday, November 27, 2009

Madrid and Berlin, trying to find workable approaches

Here’s an interesting article about the day-to-day challenges and contradictions of national laws in the context of the global Internet (ok, it does use some of us Google guys as unhappy examples, but just to make a valid point):

http://www.bloomberg.com/apps/news?pid=20601039&sid=aAv2iLcBnqtI

At the International Data Protection Commissioners' Conference in Madrid, I added my voice to support the development of global privacy standards, as I've done for several years. I can’t think of a better way forward than trying to develop a more global approach to privacy standards internationally. Here's one example (in Spanish):

http://www.expansion.com/2009/11/12/juridico/entrevistas/1258051264.html

I’m off to Berlin now. Germany is one of those places where I feel the need to listen more than talk. I'll blog about what I learn afterwards.

Thursday, November 26, 2009

Thanksgiving

Like most Americans, I woke this morning to one of my favorite days of the year, Thanksgiving. Unlike most Americans, I also woke this morning to news reports of an Italian prosecutor calling for me to be sentenced to one year in prison.

http://www.boston.com/business/technology/articles/2009/11/25/italian_prosecutors_seek_jail_for_google_execs/

But in the spirit of the day, now that I’ve skimmed the news and reassured friends that I’m not going to prison (I hope), I’ll go about my day:

I’ll do some planning for my Dad’s 80th Birthday Party, do a kick-boxing class at the gym, work on an academic privacy paper on the hotly-debated question of whether IP addresses should be considered “personal data” under EU law, give legal advice on some privacy questions, prepare for some meetings in Berlin, and, best of all, I’ll end the day with a candle-light dinner with the person I love in the city I love.

That’s a lot to be thankful for (well, not the Berlin or the Milan parts), but the rest anyway.

Wednesday, November 25, 2009

European law on hosting platforms


As you can imagine, I've spent a lot of time researching European law on hosting platforms. International legislation recognizes that hosting platforms like Google Video are neither the creators nor the controllers of content. The European Union's Electronic Commerce Directive, enacted in 2000, sets a clear legal framework for establishing liability for unlawful content on the Internet. It provides a safe harbor for entities acting as intermediaries, drawing a clear line between those who create content, and those who, in their capacity as technological intermediaries, provide the tools to make this content publicly available. By establishing legal certainty and creating a single EU-wide standard, the E-Commerce directive allows the development of open platforms that promote free expression and the free flow of information on an unprecedented scale, and play a crucial role in the development of the new economy in Europe.

How does the E-Commerce prescription work in real life? Say an Internet user uploads a video filled with illegal hate speech, nudity, or violence. When notified of this illegal content, the hosting platform is obliged to take it down. The hosting platform, however, is not obliged to monitor and prevent the upload. The responsible party is the Internet user who posts the content. In this case, Google did exactly what the law requires - it removed the content upon notification, and took the further step of complying with law enforcement requests, helping to bring the wrongdoers to justice.

If Google and companies like it were responsible for every piece of content on the web, the Internet as we know it today – and all of the economic and social benefits it provides – would disappear. Without appropriate protections, no company would be immune: any potentially defamatory text, inappropriate image, bullying message or violent video would have the power to shut down the platform that had unknowingly hosted it. In the offline world, it would be like criminally prosecuting post office employees because someone mailed an inappropriate letter. European law recognizes the importance of providing limitations on the liability of hosting platforms.


The Directive applies horizontally across all areas of law which touch on the provision of information society services, regardless of whether it is a matter of public, private, or criminal law. This is confirmed in the first Report from the Commission to the European Parliament on the application of Directive 2000/31/EC dated 8 June 2000. See p. 4: "The Directive applies horizontally across all areas of law which touch on the provision of information society services, regardless of whether it is a matter of public, private, or criminal law. Furthermore, it applies equally both to business-to-business (B2B) and business-to-consumer (B2C) e-commerce." And see p. 12: "The limitations on liability provided for by the Directive are established in a horizontal manner, meaning that they cover liability, both civil and criminal, for all types of illegal activities initiated by third parties."

From a public policy perspective, it wouldn't make any sense if it didn't apply to criminal charges. The objective of the directive was to foster a competitive and dynamic knowledge-based economy in the EU. To provide an environment in which its citizens would have access to inexpensive, world-class communications infrastructure and a wide range of services. To create conditions for e-commerce and the internet to flourish. To enhance quality of life, to stimulate innovation and job creation, and to contribute to the free flow of information and freedom of expression. Those are words directly from the Commission. It wouldn't make any sense to apply these protections only to civil matters; doing so would permit criminal claims to eviscerate the very benefits the directive sought to achieve.



Today in Milan

Today in Milan, the Milan Public Prosecutors’ Office will make their closing arguments on why 4 Google employees, including me, should be held personally criminally liable for content created by four Italian high school students and uploaded to Google Video. I have no idea what the Prosecutors will say in court today, and my lawyers have told me not to set foot in Italy, so I wanted to provide some factual background on this case.

In terms of timeline, the Prosecutors present their case today, November 25. The Google employees' lawyers will present their defense on December 14 and a verdict should be issued on December 23.

The Judge hearing this case is Judge Magi, who recently convicted 23 Americans, mostly CIA agents, as reported by the New York Times:

In a landmark ruling, an Italian judge on Wednesday convicted a base chief for the Central Intelligence Agency and 22 other Americans, almost all C.I.A. operatives, of kidnapping a Muslim cleric from the streets of Milan in 2003.

http://www.nytimes.com/2009/11/05/world/europe/05italy.html

Today’s trial stems from an incident in 2006 when teenagers at a school in Turin filmed and then uploaded a video to Google Video that showed them bullying a disabled schoolmate. Google removed the video promptly after being notified. Even so, last summer, the Public Prosecutor brought the following criminal charges against four Google employees, including myself. All of us face one or two charges:

Charge A: Criminal defamation against the Vivi Down Association, an association that represents individuals with Down syndrome

Charge B: Failure to comply with the Italian Privacy Code

It should be obvious, but none of us Google employees had any involvement with the uploaded video. None of us produced, uploaded or reviewed it.

The video, shot by a student in a classroom, depicts a boy being harassed by teenagers, including one who makes reference to the Vividown Association. A teacher was allegedly present during part of the filming. Four youths between the ages of 16 and 17 from the Technical Institute in Turin were involved in the creation and uploading of the video. One of these young men actually filmed the video. The teenagers who created the video uploaded it to Google Video, which at the time was Google’s online video-sharing service. Google Video was a host for user-generated content. The Vividown Association and later the family of the boy who was filmed filed a claim against Google in Milan, which is how Google was initially brought into the case. The family of the boy later withdrew from the case. Google complied with law enforcement requests to help identify the bullies, who were subsequently punished.

The Prosecutor then chose to charge individual Google employees. Today he will present his case.


Tuesday, November 24, 2009

Ciao, Italia!

I won't be attending my trial in Milan in person. I'll be represented by outside counsel. I believe that each of my 3 co-defendants has reached the same conclusion. As for me, I'm under clear instructions from my outside counsel not to set foot in Italy, at all. That's a tragedy, since I love Italy. It means I won't be speaking at this privacy conference in Bologna in May, which still seems to be advertising me as a speaker:

http://www.sassuolo2000.it/2009/11/17/bologna-la-privacy-al-tempo-di-facebook-8-incontri-ad-alma-graduate-school/

It also means I won't go hiking with friends in the Dolomites this summer.

Why? Well, Italy has a legal concept which is unknown in Anglo-Saxon countries: namely, that an employee of a company can be held personally criminally liable for the actions or non-actions of the corporation he works for. Moreover, Italy has also criminalized much of its data protection laws, meaning that routine data protection questions can give rise to criminal prosecutions. As everyone in the field of privacy knows, data protection laws are full of sweeping statements that need to be interpreted with judgment and common sense. But imagine the consequences if every data protection decision made by a company can be second-guessed by a public prosecutor with little knowledge of privacy law. Does that mean that a data protection lawyer working for a company is running the risk of personal criminal arrest and indictment and prosecution for routine business practices? Well, I guess you can see why I've been advised not to set foot in Italy. I'm sure such prosecutions will remain rare, and perhaps my current prosecution will be the last of its type. But maybe not. And working for one of the world's most visible Internet companies puts me at more risk than most of my colleagues in the field of data protection, as the current prosecution has shown.

Italy is my favorite country in the world to visit. What a shame.

Ciao, Italia!

Monday, November 23, 2009

On Trial in Italy

I'm relieved that the Google "privacy" trial in Italy is finally underway. This week, the Milan Public Prosecutor will make his case why four random Google employees should be held personally criminally liable for a video that some high-school kids in Turin made and uploaded to Google Video.

For me, I've lived under this Sword of Damocles for two years now. It began in January 2008 when I was invited to speak at a privacy conference at the University of Milan. I was approaching the University on foot, when I heard someone call my name. I turned around, and saw a guy in plain clothes, who told me to wait a minute, while he spoke into a cell phone, and within seconds, I found myself on the sidewalk surrounded by 5 Italian policemen. I had no idea what was going on. I was scared. I couldn't understand much, but I did understand that they wanted to take my passport, asked me to sign some documents, and wanted to escort me to a judge. I was allowed to put a call into my Italian colleagues at Google, who thankfully were able to rush to the scene and talk to the policemen. I was escorted by the policemen on foot through central Milan, with tourists and locals alike stopping to stare at the scene. My colleagues told the group of policemen that I was supposed to deliver a speech at the privacy conference shortly. After much discussion, it was agreed that I would be allowed to deliver the speech, after providing my passport and signing various documents that were being served on me, and that I would be interrogated by the Public Prosecutor afterwards.

And so, I was allowed to deliver this talk. If I look a little distracted, now you know why. [between us, I had to stop to vomit, but that part has been edited out.]


This whole Italian prosecution has been an ordeal. I just want it to be over soon. After two years, well, it's finally underway.

Guys in Ties, thinking about children and privacy

First, thanks to a bunch of you for sending me notes, encouraging me to keep blogging. I will.

I recently joined a group of privacy experts working with a Spanish foundation dedicated to children's issues to think about how to help protect kids' privacy online, in particular in social networking services. We've just had one inaugural meeting, a brainstorming session. It's too early to say which approach the group will take. But for my part, I recommended a crowd-sourcing approach, where we encourage (sponsor?) an open-ended contest to invite people to create videos on YouTube where kids talk to other kids about privacy. I doubt a top-down approach would work, where governments or corporations lecture kids about what they should or should not do online. I think kids will react more to videos by other kids, who talk about sharing with their friends, what happens if they share personal stuff with the wrong people, how to make good choices.

If you have a better idea about how to approach the challenge of sensitizing kids about the privacy risks when they post stuff online, please let me know, and I'll take it to the group.

Sunday, November 22, 2009

I've been taking a break


I've been taking a break from blogging. In case you wonder why, it's because I was rattled to see an Italian public prosecutor scour my blog and print out copies of it to help him indict and prosecute me and some of my Google colleagues for some "privacy" criminal theory. I'm all for free speech, and love a robust debate of privacy issues, but seeing your own words being combed through by a prosecutor who's looking for evidence to convict you in criminal court is enough to give anyone reason to pause from blogging. I'll start blogging again soon. At least I know I have one reader.

Thursday, April 16, 2009

The Cloud: policy consequences for privacy when data no longer has a clear location

Cloud Computing has become one of the more influential tech trends of our day. The Cloud is roughly analogous to remote computing, where computing and storage move away from your personal device to servers run by companies. A simple example might be online photo albums, which allow users to move their pictures off personal computers and into a secure and accessible space on the Web. Some Cloud services, like Hotmail, have been around for roughly a decade. And others have appeared since; almost all of Google's services, for example, run in the Cloud. As these services become more widely used, it's important to ask how our privacy laws and regimes should deal with this new phenomenon.

Some privacy laws, such as in the EU Directive, base regulation in part on the location of data. If data is in the Cloud, where exactly is that? Data in the Cloud exists within the physical infrastructure of the Internet, in other words, on the servers of the companies offering these services, as well as on users’ own machines. Cloud services are built on the concept that data held in the Cloud enables users to access and share data from anywhere, anytime and from any Internet-enabled device.

To know the “location” of data in the Cloud, you’d need to understand the architecture of data centers, among other things. Some companies like Google have data centers in multiple locations. A data center is a building that houses many, many computers, not too different from the ones you may have in your home. Companies try to pick places that, among other things, have a skilled workforce, reasonable local business regulation and are near low-cost and abundant sources of electricity. They tend not to provide too many specific details about these data centers, for a couple of reasons. First, the data center industry is highly competitive and companies try not to disclose too many details that may give competitors a leg up. Second, knowing that users' personal information is stored in these computers, companies take the privacy and security of this data seriously and ensure that these buildings are well secured so that no one could just walk out with a computer holding your credit card information. The geographical location of data centers can be optimized to enhance the speed of a service, e.g., serving European users from a European data center might be faster than having the data cross the Atlantic. Finally, having data centers in different locations allows companies to optimize computing power, automatically shifting work from one location to another, depending on how busy the machines are.

Moreover, cloud applications are architected not to lose users’ data and to respond to queries quickly. Applications therefore usually replicate users’ data in more than one place. No Internet user would be happy if they lost access to all their email or calendar information, for example, just because the power goes out in some data center location. Applications may dynamically load balance their users among different data centers, so that the location of a particular user's data may change over time.

For all these reasons, it’s actually very hard to answer the apparently simple question: “where’s my data?” Indeed, it's becoming problematic that existing EU data protection laws were largely written in an era when data had an easily-identifiable location. For example, EU laws impose restrictions on the transfer of personal data outside the EU to any jurisdiction where there is not "adequate" data protection. In the past, "transfer" was defined as the physical shipment of data, such as sending a computer tape or paper files to an office in a faraway location. However, nowadays almost any activity on the Internet involves a transfer of data outside of the EU. Sending a document to a colleague in New York, for example, can technically be considered a transfer of material outside of the EU. In today's era of connectivity, strict and literal application of these laws would cause more than just a headache for companies and regulators: it would cause the Internet to shut down.

In this Internet age, when data flows around the planet at the click of a mouse, everyone agrees we need to identify a better model of privacy protections. Data doesn't start and stop at national borders when it travels on the Information Super-highway. From a privacy perspective, the important question is not “where is my data?”, but rather “who holds my data, and what are their privacy policies?" For a user, the important thing is to research and understand the data protection policies of the company which holds the data, regardless of its location.

I’ve looked at various laws around the world, and I’m impressed by the far-sighted model adopted in Canada’s privacy laws. I can’t do better than just quote the Office of the Privacy Commissioner:

http://www.privcom.gc.ca/information/guide/2009/gl_dab_090127_e.asp

"European Union member states have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers "adequate" protection for personal information. In contrast to this state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy… [U]nder PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement…

Regardless of where the information is being processed - whether in Canada or in a foreign country - the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it is in the hands of the third party processor. The organization must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. ... [O]rganizations must in their own best interests, as well as those of their customers, do what they can to protect the information."

Canada’s approach works to preserve privacy protections, and to hold data collectors accountable for privacy protections regardless of the location of data. Canada has blazed a trail that will help guide us in the age of the Cloud.

Friday, March 6, 2009

A picture of your house on the Internet for all to see

I did a little OpEd in the French paper Liberation on Google's Street View and privacy. Only fair, I guess, to put a picture of my own house on this blog. I confess, I did hesitate a minute before posting it. In any case, I do believe in taking one's own medicine, or eating one's own dogfood, as the case may be.

A hundred years from now, which advances will have marked our era? Our political progress, such as the creation of the European Union? Scientific advances?
In our view, if there is one advance that has been gestating since the end of the 20th century and that could mark our generation's passage on earth, it is the sharing of knowledge. Brought about by the Internet, the democratisation of access to information at the turn of the millennium is a revolution that will probably be remembered for a very long time. In an op-ed published on 13 February in Libération, Odile Belinga and Etienne Tête raised a number of criticisms of Street View, the new Google Maps feature that lets users navigate virtually through France's major cities. The two authors claim that this service does not respect individuals' privacy and compare it to video surveillance.
Every day, Street View lets thousands of users navigate in 360 degrees using photos taken in the street at eye level. Internet users all over the world can thus travel virtually, prepare their next trip to Rome, walk down the Ramblas in Barcelona, explore their own city, or simply find the address of their next apartment. It is also a formidable tool for showcasing a city's heritage or promoting a shopkeeper's business. The aim here is to contribute to the open and beneficial ecosystem made possible by the Internet. The many partners who have chosen to join this service (Télérama, Cityvox, the Office du tourisme et des congrès de Paris…) have not been mistaken.
Does the Street View service respect privacy? The question is entirely legitimate. And the answer is yes. Let us first recall something obvious: on the Internet, information, like the competition, is very close at hand, just one mouse click away. In other words, without the interest and trust of the Internet user, a site is not worth much. And that trust must not be betrayed.
The photographs displayed in Street View are perfectly lawful. They contain only images of public roads and reveal no information that was not already exposed to the view of passers-by. The arguments according to which a mapping service like ours could not use such images in the name of respect for "intimacy" fundamentally call into question the notion of public space. On the contrary, they distort that intimate sphere to which the law rightly grants heightened protection.
The Street View images are the same as those any passer-by could take in the street with a camera. Images of this kind, of cities all over the world, are already published in all sorts of formats on the World Wide Web. Aware that this service gathered these images in a single place, Google voluntarily decided to take additional precautions by creating a technology that automatically blurs faces and licence plates, whose implementation the Cnil has, moreover, welcomed. To go further, in the event of an unblurred or imperfectly blurred face, anyone can request the removal of the images concerned by clicking a simple button. The photos are not dated (neither time nor day) and are not real-time shots. In short, anything but surveillance cameras!
Let us be curious, let us doubt: that is what drove our discussions with the Cnil before the launch of Street View in France. But let us not be afraid, on principle, of progress and of the technological advances it entails. Take the recent example of "Google Flu Trends": before calling their doctors, many Internet users type "flu symptoms" as a keyword into their search engine. This query, multiplied across millions of individuals, has allowed Google to develop a tool for forecasting flu outbreaks that can run up to ten days ahead of the health authorities', simply by observing the geographical areas reported in the connection logs. Let us be curious, let us be vigilant, but let us not be afraid of the Internet.
Far more than a vehicle for threats, which are as real on the Internet as in the physical world, it is above all an extraordinary tool that makes our daily lives easier.

Monday, February 9, 2009

Lead Data Protection Authority

Lead Data Protection Authority: how EU data protection regulation can catch up with other areas of European law

Being a global company means having employees, partners and users who interact on a worldwide basis without geographical or jurisdictional limitations.  Maximising efficiency is a key driver so most global companies attempt to adopt a consistent way of doing business internationally.  Whilst cultural differences may have an impact on some activities, economic globalisation encourages a uniform and coherent approach to most operations, from sales practices to compliance protocols.  However, global companies still have to comply with diverse laws across jurisdictions and be accountable to many national regulators.  All of these trends become even more pronounced for companies doing business over the Internet. 

In the European Union, some industry sectors can benefit from regulatory regimes which are specifically aimed at simplifying the way in which players within those sectors comply with cross-jurisdictional rules.  For example, pharmaceutical companies may rely on simplified procedures to have their products evaluated and authorised across the EU.  One solution is called the “decentralised procedure”, by which a company can go directly to a national authority to obtain permission to market its products in that member state and then seek to have other member states accept the approval of the first member state.  This procedure is applicable in cases where an authorisation for a pharmaceutical product does not yet exist in any member state.

Alternatively, pharmaceutical companies may in some instances rely on the mutual recognition procedure, by which the assessment and marketing authorisation of one member state should be mutually recognised by other concerned countries within the EU.  Under the mutual recognition procedure, the pharmaceutical company submits its application to the chosen country, which will carry out the assessment work and approve or reject the application.  The other countries then have 90 days to decide whether they approve or reject the decision made by the original country.

Similarly, financial services firms can seek authorisation in one member state and obtain “passport rights” to enable them to carry on financial services in other member states.  When a financial services provider wishes to establish a branch or provide services in several EU countries, notification of such intention is submitted to the regulatory authority in the home member state.  This notification is then forwarded to the regulator in the member states in which the operator intends to open the branch or provide its services. As a result, a particular product licensed in the home member state becomes automatically recognised in all other member states and may therefore be sold across borders free of undue bureaucratic controls.

Some areas of law – such as e-commerce – also follow the “country of origin” principle.  This principle establishes that where an action or service is performed in one country but received in another, the applicable law is the law of the country where the action or service is performed.  For example, if a company sells products online across Europe but it is formally established as a limited company under the laws of one member state, that commercial activity will normally be subject to the law of that country.

Data protection regulatory complexities

The jurisdictional rules under the EU data protection directive do not work like that.  When a company handles personal information about employees, customers, suppliers and others, it will be subject to the different privacy and data protection regimes in force in each EU jurisdiction.  In the European Union, data protection laws will establish a number of very specific requirements and compliance will be overseen by the data protection authorities of each member state.  This means that the use of personal information by that company will be regulated in slightly different ways across the EU.

All European directives pursue the same overriding objective: achieving harmonisation across EU member states whilst respecting the national legislative power of each jurisdiction.  This is normally achieved by establishing a set of principles that each member state incorporates into its own legislation within the parameters of the directive.  When a directive, like the 1995 data protection directive, creates a complex regulatory regime involving an independent regulator, member states devise suitable structures that provide for the establishment and operation of that regulator.

This approach to data protection regulation has caused a number of complexities that diminish the two-fold aim of the directive, namely: protecting the fundamental rights and freedoms of natural persons and facilitating the free flow of personal data between member states.  The fact that laws and regulators are different makes pan-European compliance more difficult and hence less effective.  At the same time, the existence of disjointed regulatory approaches creates inefficiencies, business barriers and unnecessary expense for those companies seeking to comply with all applicable laws and regulations.

The lead authority concept

Whilst legislative harmonisation may not be achieved without radical constitutional changes, the experience of simplified oversight in some industry sectors shows that adopting a lead regulator approach is not only possible but desirable.  The most promising step in this direction within the data protection regime is the “lead authority” concept that was created for the purpose of assessing and approving Binding Corporate Rules (“BCR”) applications.  In 2005, the Article 29 Working Party adopted a co-ordinated approval mechanism that allows companies seeking the approval of their BCR to fast-track their submissions through all of the relevant EU data protection authorities.  This mechanism entails choosing an “entry point” data protection authority which will be the official point of contact with the candidate until the BCR are ready for approval in that country, and then will assist the relevant organisation to gain approval throughout the European Union.  More recently, a group of data protection authorities within the Article 29 Working Party launched the BCR mutual recognition procedure, so that approval by one authority will automatically lead to approval of the same BCR by the others. 

Whilst for some organisations it may be obvious which data protection authority should act as the lead authority, where it is not clear which authority should become the entry point, the co-ordinated approval mechanism establishes that organisations must consider the following factors to determine the most appropriate data protection authority:

· The location of the corporate group’s European headquarters or office with data protection responsibilities.
· The location of the company which is best placed to lead the BCR application and, if necessary, enforce compliance.
· The place where any key operational decisions in terms of the purposes and means of the data processing are made.
· The EU country from which most international transfers originate.

Extending the concept beyond BCR

Both the co-ordinated approval mechanism for BCR and the mutual recognition procedure are contributing to making BCR a much more credible and attractive option for organisations using personal data on a global basis.  The fact that the approval stage itself focuses on meeting one single set of standards and expectations – even when these are high – allows those organisations to concentrate their compliance efforts in a consistent and effective way.  In other words, companies can devote their attention to ensuring that they apply the right standards and achieve a workable level of privacy and data protection, rather than to dealing with the diverse expectations of a plethora of similar regulators.

Given that BCR systems include policies and procedures affecting the whole range of data protection obligations and rights, it should also be possible to take the lead authority concept beyond BCR and apply it to data protection compliance generally.  The criteria to determine the most appropriate data protection authority for BCR applications could also be used to identify the most suitable authority overall.  If the single regulator idea has worked in heavily regulated sectors like health care and banking, it is not inconceivable that the same idea could work very effectively in the area of data protection compliance.

If this were the case, global companies collecting, using and sharing data in the EU could not only benefit from the harmonisation of legal standards but from the simplification of regulatory activities across the EU.  The national regulators themselves would be able to operate in a much more focussed way.  These efficiency gains would ultimately translate into a greater and more realistic level of protection for individuals.  So the case for a lead data protection regulator to oversee the data activities of pan-European organisations is one that the EU data protection authorities themselves, as well as the EU Commission, should be making their own.