Fri, 23 Mar 2012 07:03:10 -0800WeeblyTue, 12 Jul 2011 09:28:18 -0800http://www.chiefprivacyofficers.com/1/post/2011/07/why-information-security-infosec-differs-from-information-technology-security-it-security.htmlAaron Weller, CEO We live in an information age, where the answer to almost anything we think of (or *can* think) of is instantly available to us wherever we are. I am an Information Security Officer. My goal is to ensure as best as I can that data important to my users is available when required, has integrity and is only made available to people with a need to know, in line with laws and regulations and the assurances that my company has made to our customers and employees.

Most organizations these days have very complex technology “plumbing” that connects applications and systems and enable business processes. This plumbing consists of many “pipes”, “connections” and “faucets” (i.e. Technology Components), and “water” passing through this plumbing (i.e. Data).

Although ensuring that the pipes are in good order is important, these days every organization’s plumbing is very complex and relies on pipes owned by third parties, some which are located in places that we do not control, and with many opportunities for leaks.

My job as an Information Security professional means that I need to care not only about the infrastructure but also about where the water is and who has access to it. In my role where the water is building up behind a dam, and who is drinking it are just as important as the pipes that it passed through to get into the reservoir.

In practical terms, this means that an Information Security professional needs to know not only where all of the “pipes” (networks), “reservoirs” (data stores) and “faucets” (access points) are and how they are protected and maintained, but also about the type and quality of water in each place. Just focusing on the technology often misses the context of what the organization has collected the information for in the first place.

In this context, personal information is be water that is not immediately drinkable but could be either cleaned (sanitized / scrubbed) or only used for certain purposes. Just like grey water can be used to water your garden, you wouldn’t want to drink it, or have others drink it by mistake!

IT Security is just a part of the overall Information Security picture. It is a very important one, particularly for IT departments, but Information Security (and to an even greater extent, Information Privacy) focus on business processes and how data flows through them, whether in electronic or paper form. This helps Information Security professionals to understand where to spend their limited IT Security budgets to protect certain systems and types of devices where the most sensitive data resides or is processed.

Why should information be protected by a million dollar access system when it is on a server, but a dump of that same information into a spreadsheet can be downloaded onto a mobile device which is not owned by the organization and which may have very basic, or no, security controls at all?

I see it as absolutely vital that someone within organizations that I work with is available to have their primary focus on IT Security (or there is ready access to good consultants or outsourced services with those skills). But having a great suite of well configured tools and technical controls is not enough to manage the risks to organizations that are caused by their capture, processing and usage of sensitive data.

Getting the whole organization to understand what data is collected and why, how it can be used, and that it should be disposed of as soon as the costs of storing and protecting it exceed the business value of retaining it is vital to reducing the damage that could be done in the event of a data breach.

There have been many recent examples of organizations that retained sensitive data long past the point that it was of little value. This same data represented a significant (and avoidable) liability when a breach occurred. IT may be able to control access to a database, but by and large they are not able to impose tighter retention periods, or force tokenization, hashing or other controls on the business without either a regulatory or legal mandate, or a clear explanation of why the additional cost and effort is worth it.

So, if you are an IT Security professional, think about whether becoming an Information Security professional would be a good move, both for you and your organization. And if this isn’t something that appeals to you, at least consider raising the point that someone should be looking at the water while you’re running around fixing the pipes.

My biggest satisfaction has been when I start to hear that business leaders and other executives have started to ask the same questions that I do “why are we capturing that data, and what are we going to do with it?” Your customers are waking up and starting to ask similar questions. If you’re going to be able to meet their changing expectations, you should have the answers ready.

This article was originally published on www.roer.com .  Reproduced with permission.

Aaron Weller ]]>Tue, 19 Apr 2011 20:16:30 -0800http://www.chiefprivacyofficers.com/1/post/2011/04/working-partys-opinion-132011-on-the-current-eu-personal-data-breach-framework-and-recommendations-for-future-policy-developments.htmlBy Raul Mendez, LLM Information Technology Law, Digital Privacy Professional

On April 5th, 2011, Article 29 Data Protection Working Party adopted WP 184.  The Document is a summary of the Member States’ adoption of Directive 2009/136/EC (personal data breach provisions). 

The document has three goals:

1)      The Working Party wished to obtain a broad picture of the manner in which the directive has been transposed and the possible differences of approach by all the Member States.  This exercise may even be a way to align the laws of all the Member States;

2)      To help DPA’s to take note of the way jurisdictions have chosen to implement the Directive and possibly encourage the development of internal rules and ways in which data breaches will be notified;

3)      To advice as to future policy in the area of data breach reporting.

The Working Party finds it imperative, under the third goal, to promote the future policy developments in the area of data breaches.  The Working Party feels the development of policy should emphasize two areas

a)      Under Article 4(5), the Commission is given the power to enact technical measures for the implementation of the directive.  This is a newly created power under the authority of the Lisbon treaty.  The Working Party anticipates the Commission will exercise its power only in some well defined areas.

b)      To incorporate the e-Privacy Directive in the review of the new Privacy Directive amending Directive 95/46.

PERSONAL DATA BREACH UNDER THE E-PRIVACY DIRECTIVE

The e-Privacy Directive is the very first directive which requires the reporting of data breaches in the European Union for providers of publicly available electronic communications services.  (In this area, the EU should look at the way data breaches are handled and regulated in the USA).

The Data Breach notification requirements do not apply to data controllers, unless, they are also providers of publicly available electronic communications services.  One also may argue that data controller activities and electronic communication activities should be considered independently from each other.

The e-Privacy Directive’s core elements are simple. 

-          It includes the definition of data breach. 

-          The required legal thresholds for the reporting of breaches to users and governments,

-          Content and time for notification

-          The exemption of notification requirements when the data is protected by technological devices such as encryption.

The core elements do not seem to be a preoccupation for the Working Party.  Rather, the Working Party believes there are three areas which will be problematic.

1) The scope of the application of the obligation is the first identified problematic area.  Even though the Directive shall be applied to publicly available electronic communication services, the Directive does not require Member States to extend the requirements to all types of data and sectors of data handling industry.  The Directive rather encourages Member States to extend the application of the core principles to all types of data handling and sectors (including data controllers).

2) The issuance of guidelines is also indentified as problematic because the classification of data, the definition of thresholds and the manner in which breaches are reported are open to interpretation by the Member States.  However, this could be easily solved if the Commission issues implementation guidelines.  The Commission’s guidelines will always trump over all guidelines adopted by the Member States.

3) Technological protection measures which will exempt the report of a breach to users are again open to interpretation by all Member States.  Just like the guidelines, the problem could be solved if the Commission issues a list of appropriate technologies.

STATUS OF THE TRANSPOSITION

According to the Working Party (as of the 5th of April), none of the Member States appear to have adopted the legislation yet.  The Working Party also points out that a significant number of Member States are unlikely to meet the transposition due date of May 25th.  Those who have drafted legislation, report that the wording of proposed legislation closely resembles the Directive’s.

SUGGESTIONS

The Working Party also makes several suggestions for the future:            

A)    The scope of the obligation to report breaches should apply to data controllers under the new Privacy Directive.

B)    When creating or implementing breach notifications, under the new Privacy Directive, the core elements applied to communication providers should also be applied to data controllers.

C)    Regulations should be drafted; although, the actual enactment of the e-Privacy directive has yet to take place in all Member States.  The drafting should take into consideration six areas proposed by the Working party.  The areas mostly deal with the harmonization and exercise of regulations by the commission

Lastly, the Working party exhorts the Commission to apply the e-Privacy directive breach requirements to data controllers as well.

If you would like to contact Raul, either email raulmendez1@earthlink.net  or call 206.264.0849. ]]>Wed, 06 Oct 2010 21:08:01 -0800http://www.chiefprivacyofficers.com/1/post/2010/10/uk-and-germany-interception-actions.htmlBy Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.
The European Commission referred the UK to the Court of Justice for non-conforming rules in the confidentiality of electronic communications.  It is alleged that Electronic Communications are intercepted and the UK law condones the practice.

The Commission’s contention is that the UK law does not meet the consent to interception requirements and the supervision necessary by its DPA’s.  Due to the UK’s failure to comply with directives 2002/58/EC and directive 95/46/EC internet providers are engaging in behavioral advertising without the users’ knowledge or consent.  The targeting is based on the users’ browsing history and e-mail activity. 

This action did not take place in a vacuum.  The Commission’s infringement procedure started in April 2009.  Since April 2009 there have been two prior releases made public by the Commission (IP/09/570) and (IP/09/1626) regarding this action. 

The action submitted to the court lists three different violations:

·         There is no independent national authority to supervise the interception of some communications.

·         The UK’s current law fails to provide an accurate definition for consent.  

·         Under UK law it is only illegal to intercept the communications when it is limited to ‘intentional’ interception only.   Whereas EU law requires Members States to prohibit and to ensure sanctions against any unlawful interception.

Interception has emerged as a point of contention in other member States. On October 2nd, 2010 the German “Düsseldorfer Kreis” announced that WebPages, which participate in Google Analytics, are violating the privacy laws.  Google Analytics is designed to intercept and transfer users’ IP addresses. 

It is fit to point out that Google has engaged in negotiations with the “Düsseldorfer Kreis” for many months.  Google has also created a Google Analytics Opt-out Browser Add-on in response to the authorities concerns.  With the add-on partial IP address are transferred rather than the entire address.  However, the authorities have said it is not enough.

The “Düsseldorfer Kreis” has given Google an eight week deadline for compliance.  If Google does not change the tactics, the authorities will take action against operators who condone Google analytics.

In the UK referral and the Google analytics case, action is not brought directly against Google or other parties operating outside of the European Union.  Those present in the jurisdiction are made to respond.  I believe the privacy authorities are trying to change the industry by applying pressure to providers.

If you would like to contact Raul, either email raulmendez1@earthlink.net  or call 206.264.0849 begin_of_the_skype_highlighting206 264 0849]]>Thu, 29 Jul 2010 08:53:28 -0800http://www.chiefprivacyofficers.com/1/post/2010/07/responsibility-for-privacy-violations-in-user-generated-content-providers-google-case-in-italy.htmlBy Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.

On April 12th, 2010, the Honorable Judge Oscar Magi, Judge for the Tribunale Ordinario de Milano, in composizione Monocratica, Sezione 4 Penale (Milan Court) filed a document entitled Sentenza N. 1972/2010.  

 This Sentenza may be regarded as the most shocking event in the field of privacy duties imposed on Data Controllers (DC) and data controller's officers, since the enactment of Directive 95/46/EC of the European Parliament and of the Council of the 24 October 1995 (privacy directive).

The document created by Judge Magi was in direct result to a guilty verdict imposed on : a) David Carl Drummond, b) George De Los Reyes, and c) Peter Fleischer under Legge 31 Diciembre 1996 n. 675 as punishable under article 167, comma Secondo del DLgs 30 Giugno 2003 n. 1996 (criminal charge).The guilty verdict was handed down by the Honorable Judge Magi on February 24th, 2010.

A fourth person, named Arvind Desikan, was accused under the same cause number for the same crimes, but was found not guilty of all charges.7 When the Sentenza was filed, Judge Magi had already sentenced, in absentia, all of the defendants to a six months prison term with all of the time suspended.

The sentenza handed down by Judge Magi raises a multiplicity of issues. Problematic are the exposure to criminal liability and the freezing effect this decision will bring.

The attached thesis analyzes the following areas:

 Nature of the Charges: This section will explain the three different charges brought against the defendants and the ultimate resolution for each of the charges.

 The Facts of the Case: This section will discuss the facts as they were found by the court. The role for each defendant and Google Inc. will be presented in different sections.

 Background For User Generated Content Providers (UGCP's): This section will explore the roots of the movement and the technologies behind the movement.

 Conflict Of Laws: This section will discuss the specific issues created when one or more countries' laws affect the outcome of a dispute. This discussion will be divided in two sections 1) jurisdiction and 2) choice of law.

 The Privacy Directive: This section will explore the roots of the privacy directive, the inherit struggle between United States laws and European Union directives, and the amalgamation of laws. Most importantly, this author will explain the basis of jurisdiction for wholly non European Union based Data Collectors.

 Jurisdictional Issues: Should Italian law and European Union Directives be applied to the Google case, even though Google's servers and data uploaded are located outside of the jurisdiction of Italy and the European Union.

 Personal Data: Did the Italian court apply the wrong criteria for the classification of personal data, and would it make any difference in the outcome. 

 Exemption Under Host-Service Provider Classification: Does the European Union directive 2000/31/EC (e-commerce directive)protect Google from liability. 

If you would like to contact Raul, either email raulmendez1@earthlink.net  or call 206.264.0849

thesis.pdf
File Size:	915 kb
File Type:	pdf

Download File

---

]]>Fri, 23 Jul 2010 08:38:43 -0800http://www.chiefprivacyofficers.com/1/post/2010/07/the-united-states-of-mexicos-privacy-law.htmlBy Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.
On the 29th of this month, IAPP will have a webcast regarding the newly enacted Mexican privacy law.  The speakers will have a more in depth discussion.

THE UNITED STATES OF MEXICO’S PRIVACY LAW

On April 27th, 2010, the Senate for the Republic of the United States of Mexico (Mexico) enacted their first Personal Privacy Protection Law.  It is entitled Ley Federal de Proteccion de Datos Personales en Posesion de los Particulares (Law).[1]    According to Professor Lina Ornelas, General Director for Classified Information and Personal Data (IFAI, Mexico)[2], the law is the culmination of restless efforts.[3]   

THE GOAL

The law’s goal is to provide individuals with the tools needed to enforce their right to protect their personal data.  The right to protect one’s Personal data is considered a Third Generation right.[4]   Third Generation Rights emanate from a framework of multi-national Human Rights declarations and treaties.  Examples are: The Declaration of the United Nations Conference on the Human Environment (Stockholm Declaration)[5]  and the 1992 Rio Declaration.[6]

The concept of Third Generation Right was coined in Europe and is considered “Soft Laws” by many.  Experts and scholars in the Human Rights field disapprove of the term “Soft Laws.”   They are called “Soft Laws” because they are not formally part of any written Statute.  However, countries have actually codified some Third Generation Rights.  Privacy is the perfect example of former “Soft Law” which has been codified.

THE RIGHT TO PROTECT ONE’S PERSONAL DATA

Mexico, just like the European Union, has codified the privacy rights of individual persons.  There are two concepts which are included in the right to protect one’s Personal Data:

1)     Protection of the fundamental right of individuals to protect their own person in the context of the processing of personal data.

2)     The power of determining who is able to receive and access one’s personal data, where the Personal Data will be stored, and for what reason.[7]

The European Union Privacy Directives and the Privacy Law in Mexico aim at including the above mentioned concepts.  It could be said that countries that adequately protect an Individual’s Privacy share these concepts.     

THE MONTEVIDEO MEMORANDUM

One of the major driving forces in the shaping and forming of the Privacy Law in Mexico may be attributed to the commitment of Professor Lina Ornelas.  Professor Ornelas obtained her Law Degree from the Faculty of Law at the University of Guadalajara, Mexico. She then obtained her Masters in Law and International Cooperation from the Vrije Universiteit Brussel in Belgium.  Professor Ornelas has also developed her professional skills in the public sector in Mexico and Europe.  She has successfully held positions in the Ministry of Economy, the State Department in Mexico and in the European Commission.[8]  Due to her educational background and professional experience, one may state that she is an expert in the field of Personal Privacy Data Protection and International Human Rights.  Additionally, she is in agreement with the protection of Third Generation Privacy Rights.

 

On March 2010, Professor Ornelas, published an article in the Privacy Advisor for the International Association of Privacy Professionals.  In this article, Professor Ornelas discussed many issues regarding the Montevideo Memorandum.[9]  Professor Ornelas was one of the creators of the memorandum.

The Montevideo Memorandum is a project sponsored by the Canadian Government through an agency called Centro Internacional de Investigaciones para el Desarrollo and the Agencia Canadiense de Desarrollo Internacional, Ottawa, Canadá.[10]  The Memorandum composed of  recommendations.[11]   The recommendations are meant to increase the protection of children who use Social Networks on the internet.

 

Other memorandum participants included Brazil, Spain, Uruguay, Ecuador, Chile, Colombia, Argentina and Mexico.  Neither the FTC nor any agency of the U.S. sponsored or participated in the drafting of the Memorandum.  However, representatives for Microsoft and Google and other members of the industry attended the workshop. 

 

According to Professor Ornelas,  Microsoft and Google pledged that they fully supported any initiative that ensured the creation of a safer internet for children.  She also indicated that the Congress of the Republic of Mexico, at the time, emphasized that Mexico needed a Federal Law which protected personal data.  The Congress expressed that the Federal Law would include the Montevideo Memorandum's principles  and it would include other international privacy standards.

 

Thus, it could be said that the protection of children may had been one of the many catalyst which made Congress create the Privacy law.  The framework is one that seeks to protect children and adolescents within a larger general law a Lex Generalis.  A perfect example of such generalized law is the European Union Privacy Directive.[12]

THE EUROPEAN INFLUENCE

On page 27 of the Montevideo Memorandum, under the heading "General Considerations,"  it states that in order to find consensus, rationality and a balance of privacy rights, and the risks involved in the information and knowledge society, it considered the following documents:

1)     Settlement of the judicial conflict between the Federal Public Ministry of Brazil and Google (dated July 1st, 2008);

2)     the Child Online Protection Initiative of the International Telecommunication Union (dated 18 May, 2009);

3)     Opinion 5/2009 on online social networking, by the Article 29 of the European Working Group (dated June 12th, 2009);

4)     the Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. (dated July 16th, 2009).[13]

COPPA was not included as one of the documents considered. 

MADRID RESOLUTION

On November the 6th, 2009, fifty DPA's from around the world announced the Madrid Resolution.  The resolution was created in a closed door meeting.  All country's DPA's agreed with the resolution.  Additionally ten different Multi National corporations agreed to implement the resolution.[14]  The Mexican Privacy Law is almost a mirror image of the Madrid Resolution.  Presumably, all 50 members will have to make their laws support the resolution. 

The Working party has called upon the European Union Commission to reform the European Union Privacy Directives.  The Working Party expressed that "[t]he basic principles for data protection, as laid down in the ‘Madrid Resolution’, should be the universal basis for such legislation."[15]  It is fair to conclude that the Madrid Resolution will eventually become the standard for Privacy throughout the world.  In theory, if ad networks, software makers and hardware makers create products, which comply with the Madrid Resolution, there will be no conflict.

SIMILARITIES BETWEEN THE MEXICAN LAW AND THE EUROPEAN UNION PRIVACY DIRECTIVE

When the Mexican Privacy Law and the European Union Directives are compared, there are many similarities present.  For example; Chapter 1, Article 3. V, defines personal data in the same manner the European Union Privacy Directives define personal data.  Under the same chapter and article VI, Sensitive Personal Data is defined in the same manner it is defined in the European Union Privacy Directives.

Additionally, the promotion of an “Information Society” is of great importance.  The Law's concern for the “Information Society” appears to be as consistent as it is in the European Union Directives.  Unfortunately, the definition of  an "Information Society" is not included in the Law or the European Union Privacy Directives.

Article 1 commences by describing the purpose of the Law.  The last sentence of Article 1 indicates that one of the objectives of the Law is to ensure privacy.  Privacy is not defined in the law, and it is mentioned thirty four times.  The European Union Directives also fail to provide a definition for privacy.

One other similarity is the Corporate Binding Privacy Rules.  The law allows the use of Corporate Binding Privacy Rules for the transfer and sharing of Protected Data.  Data controllers are not required ask for permission from the Data Protection Authority when using Corporate Binding Privacy rules.  The flow of information within a corporation and third parties may take place freely, as long as the corporation and third parties adhere to the Law and the Privacy Notice provided and authorized by the user.  The user must be fully informed and must agree by his own volition to the dissemination, use and storage of his Personal Data.

After reviewing the Law, one may conclude that the Privacy Law of Mexico is influenced by human rights opinions and treaties, the Madrid Resolution, the European Union Privacy Directives, Working Party’s opinions, Working Party’s adopted documents, and case law developed in the European Union.

Presumably, Mexico’s privacy law will be applied just as consistently as it has been applied today by the European Union and governments who have decided to protect privacy as a fundamental right.

EXPECTATIONS FROM THE DATA CONTROLLERS AND DATA PROCESSORS

The Privacy law requires strict adherence to the following principles:

• legality
• consent
• notice
• quality
• purpose
• fidelity
• proportionality
• Accountability under the law

 Under these principles, all Data Controllers and Processors must promote full transparency.  When transparency is used as a core concept, Data Controllers and Processors may be considered to be in the right path to full compliance.

I found some of the principles to be more problematic than others.  For example, there is a need to have a written document if Sensitive Data will be processed.  This document may be a physical document with the signature of the User, but it is also acceptable to use an electronic signature or any other method of authentication.

When sensitive personal data is processed, there has to be a justification for the processing.  There have to be concrete and lawful reasons for the processing of the data.  Data Controllers and processors shall afford users the same level of protection data Controllers and Processors use for their own data.

WHAT MAY BE ENCOURAGING ABOUT THE LAW

I do not believe that this law may be more restrictive than laws currently used by some of the European Union Members.  Most importantly, THERE IS NO COOKIE DIRECTIVE.[16]  However, it remains to be seen if the Law assumes that the cookie directive is already built into the Law as written.

As stated above the exchange of information may be seamless when Data Controllers and processors adhere strictly to the privacy policies authorized by the user.  Corporations may communicate data with all other branches located in Mexico or abroad if they subject themselves to Binding Corporate Rules, but there is no need to request approval or file any document with the Institute.  Whether or not this will be allowed under the administrative rules, it is not known.

Additionally, the law supports self regulation.  It encourages industry to create rules and regulations that may be adopted into a deontological code.  Copies and issuance of symbols of conformity may be issued and communicated to the authorities.

RIGHTS OF THE USERS

Users shall have the right to access, rectification, cancelation and objection of the data which is held by a controller.   Nonetheless, this is subject to verification of identity.  The rights of users are also extremely similar to the Madrid resolution.[17]

PENALTIES

CIVIL penalties are varied and the law lists a total of nineteen possible infractions.  Whether or not the violations are all inclusive, I am not sure.  What I know with certainty is  the possible fines that may be imposed.  Fines will vary between 100 minimum daily wages and 640,000 minimum daily wages.  The minimum wage rate used shall be the one applied in Mexico City.   The current minimum wage is about $6.00 dollars a day.  Thus, the minimum fine is $600.00 dollars and the maximum is $3,880,000.00 dollars.

When it come to criminal penalties, the grid below explains the possible criminal sanctions for violations of the law.  The only criminalized offense is the illegal processing of protected data.  The actual processing must take place for guilt to be found.

CONCLUSION

All things considered, the Mexican Privacy Law is not as strict as some of the European Union member's privacy law.   One benefit is that nothing has to be kept in file with the Institute.  The only instance when something must be filed is when a complaint is launched, or there is an action taken by any authority.  
Currently, it is difficult to make accurate predictions how the law will be enforced since rules and regulations are yet to be known by the public in general.  Let's just hope that other countries, who choose to follow the Madrid Resolution, will enact laws that are not stricter.  If you want to contact me, you may email me at raulmendez1@earthlink.net or call 206.264.0849. 

[1] http://www.ifai.org.mx/pdf/pot/marco_normativo/LFPDPPP.pdf

[2]Federal Institute of Access to Public Information (IFAI)

[3] Ms. Lina Ornelas is general director of classified information and data protection at the Federal Institute of Access to Public Information in Mexico. https://www.privacyassociation.org/publications/2010_04_30_mexico_passes_federal_data_protection_act/

[4] http://www.youtube.com/watch?v=zE0G7q7DrbA

[5] http://www.unep.org/Documents.multilingual/Default.asp?DocumentID=97&ArticleID=1503

[6] http://www.un.org/geninfo/bp/enviro.html

[7] Supra, Footnote 3.

[8]As Deputy General Director of the Unit for Legislative Studies at the State Department, she was part of the group that first wrote the initiative of the Access to Information Act presented by President Fox to Congress, and then negotiated for its approval. She was later Deputy General Director for the Promotion and Defense of Human Rights at said State Department. Since 2003, Mrs. Ornelas is the General Director of Classified Information and Personal Data at the Federal Institute of Access to Public Information (IFAI), where she jointly drafted with the National Archives the general archival standards that apply to the federal government in Mexico. She currently is member of the Ibero-American Net for the Protection of Personal Data.

[9] http://www.iijusticia.org/esp_port_eng_fran.pdf

[10] Id..

[11]Memorandum sobre la protección de datos personales y la vida privada en las redes sociales en Internet, en particular de niños, niñas y adolescentes

[12] Directive 95/46/EC

[13] Supra, Footnote 1 at 27

[14]www.gov.im/lib/docs/odps//madridresolutionnov09.pdf

[15]The Future of Privacy Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, WP 168

[16] http://www.chiefprivacyofficers.com/1/post/2010/07/analysis-of-the-ec-cookie-directive.html

[17] Supra Footnote 14

]]>Wed, 14 Jul 2010 09:22:24 -0800http://www.chiefprivacyofficers.com/1/post/2010/07/hb1149-part-ii-who-needs-to-worry-about-hb1149-or-whos-who-in-the-zoo.htmlMarcus Morissette, Managing Director, Concise Consulting

In a follow-on from an earlier post on this blog, Marcus Morissette continues to dig into the interpretation and applicabity of Washington State HB1149.

In order to understand who should be concerned about the provisions contained in this law, and who benefits from this law, we must identify the cast of characters. The following entities are defined in the law:
·         Financial Institutions
·         Businesses
·         Processors
·         Vendors

Let us review its definitions first, and then compare them with the legal definitions/obligations contained in the PCI DSS.  I am going to list the definition from HB1149 and then follow it with the definition from PCI DSS.

Who benefits?
HB1149 leverages the definition of a financial institution contained in RCW 30.22.040, which states that a "Financial institution" means a bank, trust company, mutual savings bank, savings and loan association, or credit union authorized to do business and accept deposits in this state under state or federal law.

PCI DSS: In the context of the damage recovery language contained in bill, it can be assumed this means primarily issuing banks (i.e. those financial institutions that, in the event of a breach, would have damages relating to the reissuance of cards).

Who pays?
HB1149 defines a “business” as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to persons who are residents of Washington [emphasis added]. 

PCI DSS – Level 1 Merchants
HB1149 defines a “processor” as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity, other than a business as defined under this section, that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.

PCI DSS: Level 1 and 2 Service Providers
Vendor is defined as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that manufactures and sells software or equipment that is designed to process, transmit, or store account information or that maintains account information that it does not own.

So, who really should be concerned?

So only “businesses” that are subject to these provisions are Level 1 Merchants as defined by the PCI DSS (based on a transaction volume of 6,000,000).  Further, it means that all Level 1 merchants across the country that provide, sell or even “offer” goods or services to Washington residents are subject to liability, if they fail to use reasonable care to guard against unauthorized access to account information. However, the law contains a Safe Harbor provision for PCI DSS compliance, which would seem to exclude every Level 1 Merchant with an ounce of business sense and self-preservation.  This is because Level 1 merchants are required to have a Qualified Security Assessor attest to their compliance with the PCI DSS annually. (See next week’s post for a discussion of Reasonable Care and Safe Harbor.)

However, as defined in HB 1149, vendors and processors of all sizes and transaction levels are liable to financial institutions for their failure to use reasonable.  This means that Level 1 and 2 Service Providers as defined in the PCI DSS are subject to potential liability under this new law. However, Level 1 Services providers (300,000 transactions or VisaNet processors) are also required to have a Qualified Security Assessor attest to their compliance with the PCI DSS annually. They should be well within the Safe Harbor provisions. Level 2 service providers are allowed to validate their compliance with the PCI-DSS via a Self-Assessment Questionnaire (SAQ).

Vendors who develop payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.  Such application vendors would have their development procedures and their products reviewed under the PA-DSS.  Vendors that comply with the PA-DSS, should also be “compliant” and protected by the Safe Harbor provisions (again, HB1149’s Safe Harbor will be discussed in detail later).

So, a summary of these “definitions” would seem to make it about as clear as mud who is actually liable for damages under HB1149.  It would appear that likely candidates are:
·         Level 2 Service Providers who failed to submit a valid SAQ
·         Application Vendors that were somehow able to sell, distribute or license a payment application without somehow obtaining PA-DSS compliance.
·         Level 1 Merchants and Level 1 Service providers that have made the decision to not comply with the PCI-DSS, and/or who have somehow been unable to comply with it.

The liability provisions would seem to be another very good reason for all merchants and service provides to comply with the PCI DSS and to properly validate such compliance as required by the brands.

UPDATE: 8/25: Our conclusion after talking to colleagues regarding this law is that a logical next step is to engage with the legislators who drafted the law, and who are in a position to collate and present changes so that a future version may appear with these issues resolved.  This may be a lengthy process, but if we make progress, it will be posted here.

]]>Thu, 08 Jul 2010 21:57:13 -0800http://www.chiefprivacyofficers.com/1/post/2010/07/what-does-the-bavarian-lager-case-signify-for-privacy.htmlBy Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.

The Bavarian Lager case could possibly represent the biggest hurdle in achieving transparency for European Union institutions. 
If transparency is to be achieved, the Access to Documents Regulation[1] must be amended.  The amended regulation should take into consideration the Opinion issued by the European Data Privacy Supervisor (EDPS) on June of 2008. [2]

TRANSPARENCY
Article 255 of the Treaty establishing the European Community, as amended by the treaty of Amsterdam gave any resident or citizen of the Member States the right to access all documents from the parliament, the Commission and the Council.  This right was set to be regulated by Regulation (EC) No 1049/2001.[3] 

There were two additional important features included in Regulation1049/2001:
1)     The EU institutions are assigned the same rights and obligations as the member state’s Institutions have in the context of access to all documents;
2)     The EDPS, an independent Officer, is created.  His duties include the monitoring and the implementation of access to European Union documents.
It is fit to recognize that before 2001, the EU institutions were not required to have an open records regulation.

THE AMENDMENT
By 2007, a body of law had been formed.  The agencies also gained the necessary experience in handling document requests. 

The Commission then proposed the rewording of the regulation.  The aim was to require more transparency.  The intention was an effort to have a better informed society with better processes. 

The EDPS issued an opinion regarding the changes.  The EDPS disagreed with the wording of several parts of the regulation.  The opinion was partially based on the body of law that had been developed so far.

POWER TO INTERVENE
One of the rights the EDPS has is the power to intervene in any privacy related lawsuit.  The EDPS has intervened in Bavarian Lager and in at least 13 other cases.

Thus, the EDPS has been highly influential in the interpretation of the law.  It is the position of the EDPS that the standard used, when evaluating the release on information against the Data Protection Directives, should be one of harm of privacy rather than the requirement of necessity for the release of the data.  The standard set by the court creates a big hurdle for applicants.

IMPORTANCE OF TRANSPARENCY
Transparency was provided by the Amsterdam Treaty amendments.  Before the inception of the treaty, the European Union Institutions were exempted from the release of information requirements. 

Transparency is a right that must be protected.  It is a corner stone of a good government.

HOW TRANSPARENCY HAS BEEN SUCCESSFUL IN SWEDEN
In Sweden, Governmental Agencies are required to release any document in their possession, free of charge, when requested.  These documents include electronic data bases or documents’ meta-data.

If agencies are of the opinion that the data should not be released, there is a court mandated review.  The request and objection to the release are reviewed by a special court which applies the right to access in a broad and liberal manner.  If the court finds for the applicant, the decision is final and it may not be appealed.

The system has allowed for a better Government.  Agencies can be scrutinized and held accountable for their actions.  Sweden’s system has allowed the citizenry to discover wrongful actions and cover ups.  Transparency allows citizens to feel more confident in trusting their government.

The European Union should follow Sweden’s lead.  The review of the regulations has to be revisited.  The Commission is currently assessing the language and possibly the rewording the regulation.[4]  Balance between privacy and transparency has to be achieved, and there must be consistency.

If you would like to contact Raul please use either 206-264-0849 or raulmendez1@earthlink.net.

[1] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ 2001 L 145, p. 43).
[2] Opinion of 30 June 2008 on the Proposal for a Regulation regarding public access to European Parliament, Council and Commission documents, OJ C 2, 7.01.2009, p. 7
[3]Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission documents, which became applicable on 3 December 2001.
[4]http://www.edps.europa.eu/EDPSWEB/edps/EDPS?lang=en (last visited on July 6th, 2010) 

]]>Thu, 01 Jul 2010 15:13:24 -0800http://www.chiefprivacyofficers.com/1/post/2010/07/analysis-of-the-ec-cookie-directive.htmlBy Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.
e-Privacy Directive 2009/136/EC (cookie directive)[1]
The Cookie Directive is the most recent amendment of  Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation.  This particular directive has to be included into the member States' laws by May of 2011.
Even though the cookie directive is yet to be enforced and adopted by all of the Member States, it is necessary for all Data Controllers and Data Processors to be prepared.  It is imperative and urgent that ad networks, publishers and browser makers coordinate their efforts at reaching a solution which complies with the cookie directive.

 THE COOKIE DIRECTIVE'S ORIGINS
In this author's opinion, the cookie directive may be traced from two events:
1) the enactment of the Lisbon Treaty.[2]
2) the Working Party's contentions.

THE LISBON TREATY.
The Lisbon Treaty became fully enacted on 1 December 2009, and the Charter of Fundamental Rights is now binding upon all European Union Members. Article 8 of the Charter provides a right of protection of personal data.   Thus, it is the duty of European Parliament and the Council to enact rules relating to the protection of individuals when their personal data is processed by Union institutions, bodies, offices, agencies, and Member States.
The European Union has a strong tradition for the protection of Human Rights.  This tradition has been embedded in the directives.  Before the enactment of the Lisbon Treaty, the Working party had expressed that the Privacy Directive had a broader protection than the Charter of Human Rights in the fields of private and family life.[3]  The Working Party has also expressed that the " Charter of Fundamental Rights of the European Union enshrines the protection of personal data in Article 8 as an autonomous right, separate and different from the right to private life."[4]

WORKING PARTY'S CONTENTIONS
One may say that the cookie directive is the latest attempt, by the European Union, to make Data Controllers and Data Processors comply with the privacy directives.[5]  Since its inception, the Working Party has insisted that the use of cookies is regulated by the Privacy Directives.  The Working Party has also tried to rally cooperation between the hardware and software makers in order to adapt their products to the European Union Privacy Directives.

On February 23rd, 1999 the Working Party adopted Recommendation 1/99 "on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware."[6]  The recommendation  was a polite call for the software and hardware industry to adapt their products to do the following :

" 1. The Working Party encourages the software and hardware industry to work on Internet privacy-compliant products that provide the necessary tools to follow the European data protection rules;"[7]

 "2. Internet software and hardware products should provide the Internet users information about the data that they intend to collect, store or transmit and the purpose for which they are necessary."[8]

 "3. The configuration of hard- and software products should not, by default, allow for collecting, storing or sending of client persistent information;"[9]

"4. Internet hard- and software products should allow the data subject to freely decide about the processing of his/her personal data by offering user-friendly tools to filter (i.e. to reject or to modify) the reception, storage or sending of client persistent information following certain criteria (including profiles, the domain or the identity of the Internet server, the kind and the duration of the information being collected, stored or sent and so on)."[10]

 "5. Internet software and hardware products should allow the users to remove client persistent information in a simple way and without involving the sender."[11]

Recommendation 1/99 is almost a mirror image of the new cookie directive, and it was solely directed to the hardware and software industry.  The new cookie directive, on the other hand, is a direct demand for compliance made to Data Controllers and Data Processors.  The cookie Directive creates a series of rights obligations and specific duties applied to the Data controllers and Data Processors.  Before analyzing the specific requirements of the cookie directive one must evaluate what are the current duties and obligations are for Data Controllers and Data Processors.

DUTIES REQUIRED BEFORE THE COOKIE DIRECTIVE
Generally, before the cookie directive, the owner of a webpage had to inform the user of the following:
 1)  without any jargon, explain to the user that cookies were about to be installed and fully explain  how the cookies are used and for what purposes the cookies were about to be installed.  This information was supposed to be included in the Privacy Policy;
2) request permission to install the cookies in the of user's computer;
3) inform the user about her right to refuse the cookies, and explain how to refuse them using the browser.
 Of course, all the requirements only applied when there was an exchange of data which was protected by the Privacy Directives.

 DUTIES REQUIRED BY THE NEW COOKIE DIRECTIVE
The new Cookie Directive applies in a addition to the privacy directives.  It does not matter if protected data is exchanged or not.  Thus the new directive applies at all times.
The most problematic aspect of the new directive is that there has to be consent before any Cookie is sent.  Today, the cookie is sent, and then the permission is requested.  Under the new directive, the consent has to be provided before any cookie is sent.  Article 5(3) states that:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.  This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”[12]

Thus, the visitors of a webpage must now be advised of their privacy rights in a two tier framework designed to protect the privacy rights of the users.  The first one requires the clear and comprehensive waiver of the cookie refusal rights.

The elements of valid cookie consent are :
 i) it has provided the user with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing and;
ii ) it has obtained the user's consent to the storage of or access to information on his or her terminal equipment, after having provided the information requested under i).[13]

Assuming that the user waived her rights in the first step, the user must still be informed of her privacy rights if any protected data is to be exchanged.

RECITAL 66 (browser privacy settings)
 It is necessary to point out that there is a way a user may express an implied waiver of the first tier requirement.   Recital 66, of the new cookie directive says that the browser filter settings may be sufficient indication of consent.  The caveat is that this may only apply when technically possible.[14]
 According to the Working Party, in WP171, browser settings is not an exception.  It is just a presumption that could not be solely replied upon.  The WP indicates that, from all the four major browsers, only one may qualify under the provisions of recital 66.[15] 
Assuming that the browser settings are technologically available, and set by the user to allow all cookies, consent under the Privacy Directives still has to be requested.
 The browser settings' possible assumption of acceptance is only good for the first phase.  The Working Party still holds the position that further waivers have to be requested for the exchange of protected data.  On page 14, of WP171, the Working Party expressed, "[t]he responsibility for [cookie] processing cannot be reduced to the responsibility of the user for taking or not taking certain precautions in his browser settings."[16]  Additionally, the Working Party requests that browser makers and advertising agencies take urgent action before May 2011. [17]

CHILDREN ARE NOT CAPABLE OF GIVING INFORMED CONSENT
THEREFORE: NO MORE BEHAVIORAL ADVERTISING FOR CHILDREN

One disturbing factor expressed by the working Party is the one found in 4.1.4.  In this section, the working party indicates that " In the light of the above and also taking into account the vulnerability of children, the Article 29 Working Party is of the view that ad network providers should not offer interest categories intended to serve behavioural advertising or influence children."[18]

Today, ad networks request parents' consent when the child will engage in some Social Network or the like.  This comment seems to say that behavioural  advertising can only be used when interest category are those which are not intended for children.  In addition, no more influencing of children.  Potentially one may no longer be able to create campaigns which influence children to say no to drugs, no to smoking and no to drinking and driving.

PARTIES

According to the Working Party, there are several possible actors, Ad Networks, publishers and advertisers.  WP 171 is solely directed at Ad networks, and Publishers.
The Working Party states the following:

"• Ad network providers are bound by the obligations of Article 5(3) of the ePrivacy Directive insofar as they place cookies and/or retrieve information from cookies already stored in the data subjects' terminal equipment. They are also data controllers insofar as they determine the purposes and the essential means of the processing of data.

• Publishershave certain data controller related responsibilities regarding the processing that takes place in the first phase of the processing, i.e., when by virtue of the way they set up their web sites they trigger the transfer of the IP address to ad network providers (which enable the further processing). Such responsibility entails"[19]

TORTS AND CONSUMER PROTECTION ADDITIONAL OBLIGATIONS
The Working Party has also expressed that the failure to provide adequate notice and permission may create liabilities.  These liabilities are in the tort, contract and consumer protection areas.  The Working Party specifically mentions "Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive)."[20]

WHAT THE FUTURE HOLDS
The Working Party has advised that that "[a]t the end of a certain "discussion" period, the Article 29 Working Party will evaluate the situation and take the necessary and appropriate measures."[21]
The appropriate measures are difficult to imagine since the Working Party does not have any Judicial, Prosecutorial, or legislative powers.
For the time being, the Working Party proposes the following courses of action
I      to limit the scope of the consent in terms of time;
II    mitigation by providing additional information;
III  freely given consent can always be revoked.

Let us hope that all the issues may be resolved.

[1]Directive 2009/136/EC of the European Parliament and of the Council (of 25 November 2009) amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
[2] Supra, Footnote 90.
[3]  Opinion 4/2007 on the concept of personal data, Page 7 "On the other hand, the rules on protection of personal data go beyond the protection of the broad concept of the right to respect for private and family life."
[4] Id..
[5] Opinion 2/2010 on online behavioural advertising, Adopted on 22 June 2010, WP171
[6] Recommendation 1/99 "on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware"
[7] Id..
[8] Id..
[9] Id..
[10] Id..
[11] Id..
[12] Supra, Footnote 5, at 48.
[13] Supra, Footnote 5, at 14.
[14] Supra, Footnote 5, 48
[15] Supra, Footnote 5
[16] Supra, Footnote 5
[17] Supra, Footnote 5, at page 15.
[18] Supra, Footnote 5, at page 17
[19] Supra, Footnote 5, at 22
[20] Supra, Footnote 5, at Footnote 29.
[21] Supra, Footnote 5, at 22

If you would like to contact Raul please use either 206-264-0849 or raulmendez1@earthlink.net.

]]>Wed, 30 Jun 2010 13:58:45 -0800http://www.chiefprivacyofficers.com/1/post/2010/06/privacy-implications-of-bavarian-lager.htmlBy Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.

Background
On the 29th of this month, the European Court of Justice declared a judgment in Case C-28/08 P Commission v Bavarian Lager.  The Court upheld the Commission's decision to blank out the names of 5 members of a meeting that settled matters regarding the importation regulation set by the Guest Beer Provision (GBP).

When I first read the case, I failed to see the relevance regarding the protection of personal data.  I actually doubted whether any significant decision had taken place.  Upon reading it again, I realized that the judgement allows for identities of public employees' to be blanked out from any public document if the employee declines to give consent.  The requirement of consent may not be ignored,  "Unless the recipient establishes that the data are necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority."

Particulars of Case

In Commission v Bavarian Lager, Bavarian Lager was created for the sole purpose of selling German bottled beers to public houses in the United Kingdom.  The sales were difficult because public houses were subject to the exclusive purchasing of bottled beers from United Kingdom breweries.  The sale of imported beers could take place, but the beers were subject to a cask-condition limitation.   This was known as the Guest Bottle Provision (GBP). 

Bavarian Lager filed a complaint with the Commission, and the Commission started an action against the United Kingdom.  Representatives of the Community and British administrations, and of the Confederation des Brasseurs du Marche Commun (‘CBMC’) took part in a meeting held on 11 October 1996.  Bavarian Lager sought to participate, but the Commission denied the request.

At the October 1996 Meeting the British authorities represented to the commission that they were going to amend the GBP to allow the sales of bottled beers.  The Commission then dismissed proceedings against the United Kingdom.

Bavarian Lager then requested the minutes of such meeting.  The minutes were provided, but 5 names were deleted since three of the members refused to give consent and two others were not found.  Bavarian Lager sought a judgment, but the Court found in favor of the Commission.

The decision does not make sense to me, but the Commission was held to be right.  According to the Court, the identity is protected by the Privacy Directives.  It sounds wrong, but this decision is actually consistent with the Working Party's interpretation of what Personal data should be considered. WP 136 Opinion 4/2007 on the concept of personal data, June 20th, 2007.

On page 12 of WP 136, the Working Party included  "Example No. 9: information contained in the minutes of a meeting."  I recall, when I read this example for the first time, I thought this example could never be an issue.  Well, it turns out that it was.  As a practicing attorney in the USA, I feel extremely dissatisfied with this outcome, but now the precedent has been set.  The legal systems in the USA and the EU are, at times, so opposite to each other that from a perspective in the US, it is hard to predict what kinds of decision will be next.  Perhaps the Cookie Directive will be an inevitable action by the Commission?

If you would like to contact Raul please use either 206-264-0849 or raulmendez1@earthlink.net.

]]>Tue, 29 Jun 2010 22:17:58 -0800http://www.chiefprivacyofficers.com/1/post/2010/06/hb-1149-did-anyone-involved-in-drafting-this-legislation-actually-read-the-pci-dss.htmlMarcus Morissette, Managing Director, Concise Consulting

HB 1149, oddly titled “Protecting Consumers from Breaches of Security” is intended to encourage financial institutions to reissue credit and debit cards to consumers when appropriate, and to permit financial institutions to recoup data breach costs associated with the reissuance from large businesses and card processors who are negligent in maintaining or transmitting card data. It allows financial institutions to recoup data breach costs associated with the reissuance from large businesses and card processors who are negligent in maintaining or transmitting card data. 

HB 1149 amends Washington State’s current Data Breach Notification Law (19.255 RCW) [emphasis added]. According to some published commentaries, it purportedly incorporates the Payment Card Industry Data Security Standard (PCI DSS) into Washington State Law. Several aspects of the law and certain definitions contained in it, however, lead this author (an experience and trained PCI DSS security assessor) to question the drafting process and research that went into (or did not go into) HB 1149.

Instead of leveraging accepted definitions and concepts from the payment card industry, HB 1149 creates new definitions and creates new or additional liabilities for those merchants and service providers (PCI DSS definitions) already subject to the compliance requirements of the PCI DSS imposed by the card brands.

I have so many concerns with this new law that I will have to address them in a series of blog posts.  The first of these will be posted tomorrow.

UPDATE 6/30

As it turns out, I did not have nearly as much time today as I thought I would to complete the second part of this post. I am now aiming for the end of this week. I plan on following with future installments in the weeks to come.  The more I pull the string on this new law, the more potential issues I uncover with it.  So stand by…

]]>