Privacy
Aiyana Jackson, Yoon Chang, Kimberley Crouch

Privacy trends: 2016-2017
• A New EU-US Data Transfer Framework
• FTC/Big Data
• Cloud Computing
• Cybersecurity
• Data Localization Laws
• Internet of Things
• Government Surveillance and Encryption
New EU-US Data Transfer Framework: Privacy Shield
Max Schrems v. Irish Data Protection
• On October 6, 2015 the European Union Court of Justice invalidated the Safe Harbor arrangement, which had governed data transfers between the EU and the US.
• The result: the Privacy Shield.

Privacy Shield
• Many similarities to Safe Harbor:
  • Self-certification and internal verification
  • Public list of participating companies
  • Administered by the U.S. Department of Commerce
  • Adherence to Privacy Principles
• Notable differences:
  • Increased oversight and enforcement by U.S. regulators
  • Increased role for EU DPAs
  • Enhanced Privacy Principles
  • New dispute resolution procedures, including mandatory arbitration procedures

Privacy Shield
• Duplicative principles (carried over from Safe Harbor):
  • Choice
  • Security
  • Access
• Enhanced principles:
  • Notice
  • Onward Transfer
  • Data Integrity and Purpose Limitation
  • Recourse, Enforcement and Liability
Privacy Shield update
• Intended to be ratified in June 2016, but met with resistance from European privacy advocates.
• European Data Protection Supervisor Giovanni Buttarelli says the Privacy Shield needs “significant improvement” and is “not robust enough”. (May 30, 2016)
• The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection. (May 31, 2016)
• European Parliament requires changes to the Privacy Shield: the European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement" privacy recommendations and negotiate further changes to the "Privacy Shield." The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers. (May 26, 2016)
• Privacy Shield formally approved by the EU Commission on July 12, 2016. Applications for self-certification with the Department of Commerce will be accepted as of August 1, 2016.
New EU-US Data Transfer Framework: GDPR
• On December 15, 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonized data protection framework across the EU: the General Data Protection Regulation (“GDPR”).
• On April 8, 2016 the Council adopted the Regulation, and on April 14, 2016 the Regulation was adopted by the European Parliament.
• While the Regulation will enter into force on May 24, 2016, it shall apply starting May 25, 2018.

New EU-US Data Transfer Framework: GDPR
GDPR applies if your company engages in:
• The processing of EU citizens' personal data, regardless of whether the company is physically located within the EU and irrespective of whether payment by the data subject is required; or
• Monitoring the behavior of such data subjects, as far as their behavior takes place within the EU.
GDPR applies to companies inside and outside of the EU, as long as they are active in the EU market and offer their products and services to EU citizens.

Summary: New EU-US Data Transfer Framework: GDPR
• One law, directly applicable in all 28 Member States.
• Replaces the 1995 Data Protection Directive and the national laws transposing the Directive.
• Companies will have to appoint Data Protection Officers when they are extensively involved in data processing activities.
• Accountability: increased accountability for controllers and processors of personal data (i.e., PIAs and notification of data subjects of breaches).
• Consent: if consent is required for data processing, it must be explicit consent.
• Data portability right: users will have easy access to their data and be able to transport it more easily from one service provider to another.
• Right to be forgotten: deletion of personal data if there is no legitimate use to retain it.
• Stronger authorities: independent DPAs will be strengthened and empowered for enforcement in their local jurisdictions.
• Data breach notification.
• Increased sanctions: up to 4% of the annual turnover of the enterprise.
Big Data
In September 2015, recently departed FTC Commissioner Julie Brill told the Better Business Bureau's advertising division that the FTC will continue to prioritize increasing consumer control over how personal data is collected and used by third parties, including advertisers. She observed that "after all these years, consumers still don't understand what's happening with their personal information." (Julie Brill, Better Business Bureau's National Advertising Division Annual Conference Keynote Address (Sep. 28, 2015).)

Big Data
In January 2016, the FTC issued Guidance on Big Data covering potential violations of:
• The Fair Credit Reporting Act
• Various federal equal opportunity laws
• Section 5's prohibitions on unfair and deceptive practices
What is Cloud Computing?
National Institute of Standards and Technology (NIST) definition:
• On-demand self-service
• Ubiquitous network access
• Resource pooling (multi-tenant)
• Rapid elasticity
• Measured service
• Internet-based computing that provides shared processing resources to computers and other devices on demand.

Public vs. Private Cloud
• Public Cloud
  • Multi-tenant, massive scale, pay for use, multi-datacenter redundancy
• Private Cloud
  • Single tenant, may or may not sit within the enterprise
  • Wide range of approaches:
    • Virtualization – enables virtualized servers to be more rapidly deployed and share common hardware
    • Cloud Appliance – public cloud hardware and software technology packaged together
    • Dedicated Hosting – externally hosted on equipment dedicated to a single customer

Cloud Computing: Legal Challenges
• Data Security
• Data Protection
• Compliance
• Govt. Surveillance
• Data Control / Use & Leakage
• Data Portability
Cybersecurity
• An expansion of cyber extortion to the Internet of Things (ransomware)
• Greater targeting of cloud providers
• Jump in mobile malware and malvertising
• Cybersecurity by design as a condition of market admission
• Regulatory oversight will continue to grow
• Cybersecurity plans as part of the corporate information security scheme

Cybersecurity
• Risk Assessment. Assess the company’s risks and design a plan to address those risks.
• Data Governance/Access. Ensure appropriate controls around data access.
• Supplier Management. Mandate cybersecurity obligations for suppliers.
• Incident Response. Have a plan to deal with cyber attacks.
• Training. Regular employee training on cybersecurity threats is important. Attacks often prey on employees who may unknowingly surrender their passwords or click on malware links.
• Cyber Insurance. An important component of a risk mitigation strategy.
• Information Sharing. Sharing best practices and learnings across industries is a key component in reducing risks.

Data Localization Laws (“DLLs”)
• Requirement that data remain stored locally (i.e., within national or regional borders).
• DLLs can be sector specific or based on the nationality of an individual.
• Examples: Russia, South Korea, Brazil and Vietnam
• NSA surveillance revelations have heightened the interest in DLLs.
• Companies will have to reassess current data flows, storage, and IT infrastructure and solutions.
• May require development of local and regional IT centers and cloud services.
Internet of Things
Network of physical objects – devices, vehicles, buildings and other items – embedded with electronics, software, sensors and network connectivity that enable these objects to collect and exchange data.

FTC Areas of Focus
• Security – legal standard is “reasonable”
  • “Security by Design”
    • Privacy or security risk assessment
    • Minimizing data collection/retention
    • Testing security before launch
  • Training
  • Retain service providers with strong security and provide oversight
  • Identify system issues and implement “defense in depth” (multilayer security)
  • Access controls
  • Monitor products throughout the life cycle and patch vulnerabilities
• Data minimization
  • Collect and retain only data really needed
  • Less data means less attractive to hackers (according to the FTC)
  • Less data means less risk of the company engaging in a use that is not consistent with the original collection (according to the FTC)
• Notice and choice
  • Inform users of data collection and use
  • Provide users with choices regarding data use and disclosure
TRENDnet
“The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet.” -- FTC Chairwoman Edith Ramirez
• First FTC “Internet of Things” action
• SecurView cameras marketed for purposes from home security to baby monitoring
• Faulty software led to online viewing AND listening

TRENDnet Allegations
• Login credentials transmitted and stored in clear text
• Failure to monitor security vulnerabilities “reported by researchers, academics, or other members of the public”
• Failure to use reasonable and appropriate security in the design and testing of software for cameras
• Failure to perform security reviews or testing (e.g., architecture review, vulnerability and pen testing, code testing, verifying consumer access preferences)
• Lack of reasonable guidance or training for employees responsible for testing, designing, and reviewing the security of the camera or software

FTC Actions Available for Connected Devices
• Security enforcement – see TRENDnet example
• Other unfairness enforcement
  • “Unwarranted health and safety risks may also support a finding of unfairness” -- FTC Policy Statement on Unfairness (1980)
• Privacy enforcement – misleading statement / material omission
• COPPA
• Consumer outreach / engagement
• Telemarketing Sales Rule
• CAN-SPAM

Other Agencies Interested in IoT
• FDA (recent draft guidance on postmarket management of cybersecurity in medical devices)
• State attorneys general (similar enforcement to the FTC)
• U.S. DHHS Office for Civil Rights (HIPAA)
• FCC (governing wireless technology needed to support 5G – expected to underpin 50B devices by 2020)
• Law enforcement (data source for spying?)
Government Surveillance & Encryption

Things to Consider
• The European GDPR applies to companies inside and outside of the EU, as long as they are active in the EU market and offer their products and services to EU citizens.
• Existing privacy laws may apply even if your company engages in Big Data initiatives.
• How do DLLs affect your company? Do you collect, store or process data from countries such as Russia, South Korea, etc.?
• Do your company’s security policies include cybersecurity considerations? Have you done a cybersecurity risk assessment?
• Ask the business lots of questions to get a good understanding of how it intends to use its cloud solutions as an enterprise.
• Encourage the business to collect only the data that is necessary.