got privacy?  Musings on the state of Privacy in a connected world.
 
By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional

On April 5th, 2011, the Article 29 Data Protection Working Party adopted WP 184. The document summarizes the Member States' adoption of Directive 2009/136/EC (personal data breach provisions).

The document has three goals:

1) The Working Party wished to obtain a broad picture of the manner in which the Directive has been transposed and the possible differences of approach among the Member States. This exercise may even be a way to align the laws of all the Member States;

2) To help DPAs take note of the way jurisdictions have chosen to implement the Directive, and possibly encourage the development of internal rules and ways in which data breaches will be notified;

3) To advise on future policy in the area of data breach reporting.

The Working Party finds it imperative, under the third goal, to promote future policy developments in the area of data breaches. The Working Party feels the development of policy should emphasize two areas:

a) Under Article 4(5), the Commission is given the power to enact technical measures for the implementation of the Directive. This is a newly created power under the authority of the Lisbon Treaty. The Working Party anticipates the Commission will exercise its power only in some well-defined areas.

b) To incorporate the e-Privacy Directive in the review of the new Privacy Directive amending Directive 95/46.

PERSONAL DATA BREACH UNDER THE E-PRIVACY DIRECTIVE

The e-Privacy Directive is the very first directive which requires the reporting of data breaches in the European Union for providers of publicly available electronic communications services.  (In this area, the EU should look at the way data breaches are handled and regulated in the USA).

The data breach notification requirements do not apply to data controllers unless they are also providers of publicly available electronic communications services. One may also argue that data controller activities and electronic communication activities should be considered independently from each other.

The e-Privacy Directive’s core elements are simple. 

- It includes the definition of data breach.

- The required legal thresholds for the reporting of breaches to users and governments.

- Content and time for notification.

- The exemption from notification requirements when the data is protected by technological measures such as encryption.

The core elements do not seem to be a preoccupation for the Working Party.  Rather, the Working Party believes there are three areas which will be problematic.

1) The scope of the application of the obligation is the first identified problematic area.  Even though the Directive shall be applied to publicly available electronic communication services, the Directive does not require Member States to extend the requirements to all types of data and sectors of data handling industry.  The Directive rather encourages Member States to extend the application of the core principles to all types of data handling and sectors (including data controllers).

2) The issuance of guidelines is also identified as problematic, because the classification of data, the definition of thresholds and the manner in which breaches are reported are open to interpretation by the Member States. However, this could be easily solved if the Commission issues implementation guidelines. The Commission's guidelines will always trump any guidelines adopted by the Member States.

3) Technological protection measures which exempt a provider from reporting a breach to users are again open to interpretation by the Member States. Just like the guidelines, the problem could be solved if the Commission issues a list of appropriate technologies.

STATUS OF THE TRANSPOSITION

According to the Working Party (as of the 5th of April), none of the Member States appear to have adopted the legislation yet. The Working Party also points out that a significant number of Member States are unlikely to meet the transposition due date of May 25th. Those who have drafted legislation report that the wording of the proposed legislation closely resembles the Directive's.

SUGGESTIONS

The Working Party also makes several suggestions for the future:

A) The scope of the obligation to report breaches should apply to data controllers under the new Privacy Directive.

B) When creating or implementing breach notifications under the new Privacy Directive, the core elements applied to communication providers should also be applied to data controllers.

C) Regulations should be drafted, although the actual enactment of the e-Privacy Directive has yet to take place in all Member States. The drafting should take into consideration the six areas proposed by the Working Party. These areas mostly deal with the harmonization and exercise of regulations by the Commission.

Lastly, the Working Party exhorts the Commission to apply the e-Privacy Directive breach requirements to data controllers as well.

If you would like to contact Raul, either email raulmendez1@earthlink.net or call 206.264.0849.
 
 
Marcus Morissette, Managing Director, Concise Consulting

HB 1149, oddly titled "Protecting Consumers from Breaches of Security", is intended to encourage financial institutions to reissue credit and debit cards to consumers when appropriate, and to permit financial institutions to recoup data breach costs associated with the reissuance from large businesses and card processors who are negligent in maintaining or transmitting card data.

HB 1149 amends Washington State's current Data Breach Notification Law (19.255 RCW) [emphasis added]. According to some published commentaries, it purportedly incorporates the Payment Card Industry Data Security Standard (PCI DSS) into Washington State law. Several aspects of the law and certain definitions contained in it, however, lead this author (an experienced and trained PCI DSS security assessor) to question the drafting process and research that went into (or did not go into) HB 1149.

Instead of leveraging accepted definitions and concepts from the payment card industry, HB 1149 creates new definitions and creates new or additional liabilities for those merchants and service providers (PCI DSS definitions) already subject to the compliance requirements of the PCI DSS imposed by the card brands.


I have so many concerns with this new law that I will have to address them in a series of blog posts.  The first of these will be posted tomorrow.

UPDATE 6/30

As it turns out, I did not have nearly as much time today as I thought I would to complete the second part of this post. I am now aiming for the end of this week. I plan on following with future installments in the weeks to come.  The more I pull the string on this new law, the more potential issues I uncover with it.  So stand by…

 
 
Marcus Morissette, Managing Director and Privacy Practice Lead, Concise Consulting Group

I have become increasingly concerned lately with some common misconceptions around the practicality and effectiveness of the Safe Harbor Framework, in particular its Self-Certification approach to compliance.  Technically, there are two Safe Harbor frameworks, US/EU and US/Switzerland, but for the purposes of this argument I will focus on the US/EU variation, which is what people typically mean when talking about Safe Harbor.

As a data privacy professional and attorney, I am often faced with advising clients on the scope and benefits of seeking self-certification under the Safe Harbor framework. Lately it has become apparent to me that there is some serious misunderstanding about the benefits of self-certifying under the Safe Harbor framework. I have encountered a widely held belief among companies (and unfortunately some "privacy" attorneys) that self-certifying and "complying" with the 7 Safe Harbor Requirements is somehow a direct replacement for complying with the EU Data Protection Directive (EU Directive).

Safe Harbor Self-Certification is insufficient for Direct Collection of Personal Data from an EU Data Subject.

US/EU Safe Harbor Self-Certification allows a US company to receive transfers of personal data from an EU data collector if it meets the Seven Safe Harbor Requirements with regard to the collection, processing and storage of personal data. Safe Harbor was created to facilitate the continuation of cross-Atlantic data transfers across the very different data protection regimes of the European Union and the United States.

It is assumed that the personal data collected will be collected by a registered data collector in the EU in a manner compliant with the EU Directive and any applicable national/sub-national implementation of that directive.

Safe Harbor does not allow a self-certified US company to directly collect (act as a data collector) personal data from an EU data subject. In other words, self-certification with the Safe Harbor framework is not a substitute for compliance with the EU Directive and national/sub-national implementation of the EU Directive where a US company directly collects data from EU data subjects (e.g. over the Internet).

If a US company will be directly collecting personal data from EU data subjects, it will be responsible for direct compliance with the EU Directive, each applicable Member State's national implementation of that directive, and potentially each sub-state's implementation of the national data protection law (if these are more restrictive than the EU Directive).

While this interpretation seems to be clear from reviewing the materials posted at the Safe Harbor website (http://www.export.gov/safeharbor/), it is apparent that considerable confusion exists.  This could be detrimental to a company that relies on incorrect advice, and proceeds to collect personal data from the EU under the guise of its Safe Harbor program. It could lead to legal sanctions from the U.S. government (FTC action for deceptive trade practices), and/or legal action from the European Union and EU member states.

So, my advice to those professionals responsible for their organization’s privacy and Safe Harbor programs: make sure your privacy ship is truly anchored in a Safe Harbor, and not heading for the rocks.
 
 


One of the major problems that organizations face when they're reviewing their compliance program is understanding why they are doing what they are doing and how to achieve a 'steady state' where compliance becomes part of the scenery rather than an ongoing struggle. For many organizations, this state seems to be receding ever further into the distance. Each year brings more controls that need to be implemented and monitored. Every gap analysis finds more gaps, and every effort at remediation appears to lead to little relief.

Part of this issue is that for most organizations a ‘gap analysis’ is about the worst thing that they could be doing.  A ‘gap analysis’ frames the situation to prejudice an outcome and rarely helps an organization get closer to a steady state of compliance.  Framing is a term from linguistics which describes how the choice of words activates certain emotions and thought patterns.  With a ‘gap analysis’ the framing works like this:  Gaps are bad.  Analyzing and fixing gaps is good.  Having no gaps is best of all.  However, in practice there are always more gaps to be found.  Existing gaps may reoccur in other forms or auditors will just dig deeper to find smaller and smaller gaps.  But seeking to identify weak areas is good.  It shows that we care about what is wrong.  Therefore we should do gap analyses.

Even in organizations that are highly compliance focused, this approach doesn’t make a lot of sense.  It provides a never ending stream of ‘remediation activities’ and ‘refresh testing’ which keeps people employed and consultants in business, but it may or may not contribute to making organizations more secure or compliant.  And after a point, there is not much point in being more compliant than is enough to achieve a particular sign-off or to provide a level of due care should an organization be sued.
 
 
Does someone's right to privacy end once they are dead? In the US, we do not have a constitutional right to privacy in the same way that Europeans do (yet!), but explicit provisions in HIPAA (Health Insurance Portability and Accountability Act) require that information about an individual be kept private after their death. Other regulations such as the Freedom of Information Act may conflict in certain situations, as may free speech rights guaranteed under the First Amendment.

In the EU, the right to personal privacy explicitly survives death.

Some interesting links around this subject can be found at:

Is there privacy after death?
Privacy after death debated.

Some more thoughts on this topic from Rebecca Herold (@privacyprof), who has written a couple of thought pieces around this topic here and here.
 
 
Interesting reports in Wired (http://www.wired.com/threatlevel/2009/10/delta/), The Register (http://www.theregister.co.uk/2009/10/14/delta_flyersrights_hacking_lawsuit/) and probably other tech news outlets about allegations that a large corporation accessed an activist's private email accounts as part of an effort to derail legislation that could cost it up to $40m per year.

While this blog still believes in the principle of "innocent until proven guilty" - we will be watching this case with interest.  In many cases, people's private and work lives are closely intertwined, and there aren't many people who can claim that their work email is 100% separate from their personal email (*cough* Sarah Palin *cough*).

If proven, this case could result in punitive damages and may well cause other organizations to think twice about using similar tactics. Until then, we'll be keeping an eye on how this progresses as it goes to court.
 
 
The Federal Trade Commission (FTC) has settled with 6 organizations that claimed falsely that they complied with Safe Harbor (Sidenote: I still have to stop myself from spelling it "Harbour" even though I've lived in the US for a few years...). 

For those of you not familiar with Safe Harbor, it is a way for US organizations to share data between the US and Europe even though very different data protection legislative environments are in place. There is a fundamental right to privacy in the draft European Constitution, but not in the US Constitution - http://www.edri.org/edrigram/number12/privacy-eu-constitution

Safe Harbor is a self-certification process. Organizations can download the principles from the FTC website, review their practices against them and then pay a nominal fee to be included in the list of organizations that are Safe Harbor "compliant". So far, so subject to abuse? Frankly I am amazed that the EU has allowed this self-certification process to continue for so long when it provides so little real comfort that organizations are doing what they need to do to protect EU citizens' personal information. I guess that it's partly due to the balance of power in the EU / US relationship, where the US government has no doubt been lobbied hard by business not to make the standard any more onerous.

I'm all for self-regulation when it works, but as Ronald Reagan said, "Trust, but verify". Now that the FTC has stepped up its actions, I wonder how many of the organizations that have gone through the self-certification process will revisit their answers just to check whether they would stand up to an outside inspection.

FTC statement regarding the settlement http://www.ftc.gov/opa/2009/10/safeharbor.shtm
Much more detailed analysis of the case and some possible implications at http://www.huntonprivacyblog.com/2009/10/articles/enforcement-1/ftc-takes-additional-safe-harborrelated-enforcement-actions/index.html