This has been a busy week for international recognition of privacy issues. On Wednesday, Ben Emmerson, a UN special rapporteur on counterterrorism, sent a 22-page report to the UN General Assembly detailing how mass surveillance is “corrosive of online privacy” and is undermining international law. Meanwhile, leaders of the world’s data protection authorities (DPAs) came together with some of privacy’s top voices to talk big-picture issues in the African nation of Mauritius.
Though I did not get a chance to go there (must be nice…), I have gone through this year’s declaration from the DPAs and three resolutions released from the 36th Annual International Conference of Data Protection and Privacy Commissioners. We hope to feature more insight from those who were at the event, but in the meantime, here’s a quick look at some of the takeaways.
The Internet of Things Is for Real, But There’s Work To Do
In recent years, the conferences’ declarations have emphasized the “appification of society” and profiling; this year focused on the Internet of Things (IoT), with the declaration noting that it “is here to stay.” Though benefits will be afforded—especially in the healthcare, transportation and energy sectors—the privacy implications of IoT are huge.
“Self-determination is an inalienable right for all human beings,” the declaration states. “Personal development should not be defined by what business and government know about you.”
The declaration thus makes seven conclusions, which I’ve here summarized:
1. IoT sensor data “is high in quantity, quality and sensitivity,” allowing for greater inferences and identifiability, and therefore, “such data should be regarded and treated as personal data.”
2. IoT value is not just in devices but in services as well.
3. “Transparency is key,” and businesses using IoT must have privacy policies that adequately explain how the data is being collected, used and shared. Notably, “Companies need a mind shift to ensure privacy policies are no longer primarily about protecting them from litigation.”
4. Processing starts at collection—and from that start, Privacy by Design and security by design are a must.
5. Security needs to be taken to a whole new level—“A simple firewall is no longer sufficient”—and one suggestion is to store data locally on the device. When not feasible, businesses should employ end-to-end encryption.
6. Ominously, the regulators are paying attention to IoT, and they won’t be afraid to work together internationally and across jurisdictions to mete out justice if necessary.
7. But, the declaration backs a multi-stakeholder dialogue to be constructive and raise awareness.
Accreditation Brings More Agencies Into the Fold
As the scope of international data protection increases, three new members were considered for accreditation: the State Commissioner for Data Protection and Freedom of Information in Bremen, Germany; Ghana’s Data Protection Commissioner; and the Commission of Personal Data Protection in Senegal.
Plus, the Executive Committee proposed that Bermuda’s Ministry of Education and Economic Development Department of E-Commerce, Japan’s Specific Personal Information Protection Commission, Mexico’s Transparency, Public Information Access and Personal Data Protection Institute, Singapore’s Infocomm Development Authority and the U.S. Commodity Futures Trading Commission all be granted observer status.
Big Data Is Key Challenge to Privacy Principles
Proposed by the Norwegian DPA, big data remained on the radar this year, and, according to the resolution, “can be perceived to challenge key privacy principles, in particular the principles of purpose limitation and data minimization.” And keeping in mind previous resolutions, caution is urged around profiling.
As such, this year’s commissioners call upon those who use big data to:
- respect purpose limitation;
- limit collection and retention;
- obtain “valid consent” from users;
- be transparent about what data is collected, how, for which purposes and whether it’s shared;
- provide users with access rights, rights to know sources of data and, where possible, tools to allow user control;
- provide access rights to decision-making criteria (i.e., algorithms);
- carry out privacy impact assessments, especially when using data in novel/unexpected ways;
- employ anonymization, but it should be done on case-by-case basis, and it’s not a silver bullet;
- in general, be careful with personal data, and
- be accountable with decision-making. Plus, profiles and algorithms need continuous reassessments and regular reviews, not to mention ethical considerations and proportionality.
Increased International Cooperation
As always, the annual conference called for increased collaboration among regulators across the globe.
More specifically, trans-border data flows are increasing and affect many users. These flows should be “accompanied by increased cross-border information sharing and enforcement cooperation” between data protection authorities. Additionally, the Office of the Privacy Commissioner of Canada has announced the launch of the Common Thread Network, which "is aimed at facilitating the sharing of experiences, knowledge and expertise" with other Commonwealth stakeholders.
Of the DPAs' six resolutions, two stuck out to me:
1. to encourage all DPAs to participate in the Global Cross Border Enforcement Cooperation Arrangement so, for example, multiple DPAs could work together on a large-scale data breach;
2. to “support the development of a secure international platform which offers a ‘safe space’ for members of the international conference and their partners to share confidential information and to facilitate the initiation of coordinated enforcement action and complement other international enforcement coordination mechanisms, adding value to the international enforcement operational framework.”
Privacy in the Digital Age: Let’s Talk About Mass Surveillance
Finally, in the post-Snowden era, how could the world’s data protection authorities not mention bulk electronic surveillance? The international conference welcomed “with great interest the probing report of the Office of the United Nations High Commissioner for Human Rights on ‘The right to privacy in the digital age’” and, among other things, notably:
1. affirmed its readiness to participate in the multi-stakeholder dialogue proposed in the Office of the High Commissioner’s report to address the privacy issues raised by modern communications technology;
2. called on conference members to advocate for compliance of any electronic surveillance program with at least the general data protection and privacy principles laid down in the 2009 Madrid Standards, the International Covenant on Civil and Political Rights and the Convention of the Council of Europe, and
3. looked to share best practices among DPAs on the oversight of mass electronic surveillance programs.
And next year, all roads lead to Amsterdam!