“Privacy is Freedom”: Public Voice Event in Mexico City (31 Oct. 2011)

"Dia de los Muertos" (photo by Natalie Curtiss, shot on February 26, 2011).

Two days before the 33^rd International Conference of Data Protection and Privacy Commissioners takes place in Mexico City, The Public Voice, an international coalition of NGO’s, and nonprofit organizations, is organizing this Monday a full-day event to discuss the views of Civil Society representatives from Latin America, Europe and North America, but also with several government officials and industry speakers.  The issues featured are the same as the ones that will be discussed for the following three days in the Mexican capital: privacy and data protection, and how they relate to broader issues such as freedom of expression and consumer protection.

The stated goals of the conference are to:

• review the status of the two Madrid Declarations (Civil Society’s Madrid Privacy Declaration (“Global Privacy Standards for a Global World”) and the Data Protection Commissioners’s International Standards on Privacy and Personal Data Protection.
• assess cultures and privacy perspectives from around the world;
• raise public awareness on surveillance technologies and its consequences to consumers, freedom of expression and human rights;
• explore the ongoing policy and legal issues at stake in Latin America about privacy and freedom of expression.
• establish networking opportunities between Mexican civil society and consumer rights advocates and members of the Public Voice.

The event hosts are the Electronic Privacy Information Center and the Federal Institute for Access to Information and Data Protection (IFAI), the Mexican Data Protection Authority.  Some of the government speakers they invited include:

• Marie-Hélène Boulanger, Head of the Data Protection Unit of the Directorate General “Justice” at the European Commission,
• Jacob Kohnstamm, Chair of the European Article 29 Data Protection Working Party,
• Jacqueline Peschard, IFAI’s President,
• Peter Schaar, the Federal Commissioner for Data Protection and Freedom of Information of Germany, and
• David Vladeck, Director of the Bureau of Consumer Protection of the United States Federal Trade Commission.

The full list of speakers is available here.

If you wanted to attend the meeting physically, unfortunately at this time it is not possible anymore to register to attend the meeting in person.  If you plan on following the event online, just go to the webcast page at the start of the event: today at 08:00am GMT-6.

Several people have already offered to tweet about the event in several languages (currently English, French, Portuguese and Spanish).  If you want to make comments about the panels or even ask questions directly to speakers, you will be able to do so by using the #tpv11 hashtag in your tweets and the speaker’s Twitter username (speakers list on Twitter).  I will be tweeting in English and French from my Twitter account (@cedric_laurant).

Public Voice event in Mexico City (Oct. 31, 2011)

Emerging Data Protection Laws in Latin America and Doing Business in the EU

Late August I wrote an interview for Nymity for their “Privacy Interviews with Experts” series that covers the recent and emerging developments in data protection in Latin America.  The whole interview is also available here and here (pdf).

Latin America

As Latin America increases its attention to data protection legislation and regulation, a number of questions arise. Why now? What is the impetus behind their actions? What will implementation entail? Where do these countries start from in their implementation journeys?  What challenges will they face, especially keeping pace with the EU and at the same time satisfying the demands of other economies, including the US, Russia, China and others with no data protection regulation?

Cedric Laurant, attorney and consultant and founding partner of Cedric Laurant Consulting, provides us with a summary of the privacy challenges coming ahead in Latin America.

Cedric received his legal training in Belgium and the United States, taught courses and seminars in international privacy, data protection law and comparative law as a Visiting Law Professor at the Universidad de los Andes in Colombia between 2007 and 2008, and has talked at various conferences and seminars in Latin America about privacy and related issues.  He directed the publication of the Privacy & Human Rights survey between 2002 and 2006, increasing its scope to cover most Latin American countries.

Cedric speaks about about the current challenges for data protection in Latin America during his presentation at the next IAPP Privacy Academy conference on September 15 in Dallas, TX and at the Public Voice conference preceding the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City next October 31st.

Nymity: Why data protection law and regulation in Latin America today? Is it the same in all economies, or does it differ country by country?

Laurant: Latin America is the next big region after Asia that will see major changes occur in its data protection regulatory landscape.  Several countries have recently gotten their act together by enacting or drafting new data protection laws. Is it a coincidence or the intent to follow the “mode du jour”? None of the above: data protection has been on the agenda of many Latin American countries at least for the past 10-15 years. What we are seeing now is an increasing political will among all states in the region to catch up with their neighbours, and a growing realization that adopting strong data protection laws will help their economies by increasing their commercial transactions outside and within their borders.

Although all countries in Latin America that currently have a data protection law or are drafting one largely follow the European data protection model, with a few differences here and there, the lack of a harmonized and integrated regional legal system like in the European Union has led countries to adopt laws or draft bills that feature many differences among each other, which creates a diverse patchwork of legal frameworks or regulatory initiatives.

In turn, a common characteristic that appears in many Latin American privacy regimes is the constitutional right of “habeas data”, which despite variations from country to country, enables individuals to complain before a constitutional court to protect their image, privacy, honor, informational self-determination or freedom of information by providing them with the right to access the registries that hold their personal data, the way to amend or correct obsolete data, to insure their personal information remain confidential, and to provide means to remove sensitive personal information.  Lacking from that seemingly rosy perspective is the fact that habeas data only provides an after-the-fact remedy for individuals and through the courts: when it requires a lawyer, it stays out of reach for most plaintiffs, to show damage may be arduous, and it relies on case law and offers poor legal certainty.

Nymity: What are the emerging regulatory highlights, by economy and what is the timeline for their regulatory implementation?

Laurant: Several Latin American countries have recently enacted, or are drafting, a comprehensive legislative framework to protect individuals’ personal information. Starting with Mexico that, since last summer 2010, regulates at the federal level the processing of personal data by businesses, and is working on implementing decrees that should become enforceable early 2012.

Follows Peru with a new data protection law that was enacted last July and now must be detailed in an implementing decree. The Peruvian law establishes a data protection authority, the “National Register of Personal Data Protection” that will keep a record of private and public databases and have the power to levy fines for violations of the law.

Colombia is still waiting for the approval of its recently enacted and first comprehensive data protection law by the Constitutional Court, which according to local counsels, should come during the last trimester of this year.

The Brazilian Ministry of Justice is working on enacting a comprehensive data protection law modeled after the European Data Protection Directive and the Canadian Data Protection Law (PIPEDA). The draft bill, which has been subject to public discussion for several months, guarantees a list of citizens’ basic rights regarding their personal data: the right to access one’s data, correct inaccurate or wrong data, delete them, object to their processing, be compensated for their misuse, and not be subject to purely automated decisions.

Costa Rica is on the verge of adopting a law that is also modeled after the EU Data Protection Directive: it regulates almost all types of personal data processing activities and requires express written consent for many of them. It would also create a new data protection authority that would be competent to issue sanctions for violations of the law. After the Supreme Court of Justice found the law to be free of constitutional defects in April of this year, the bill has made its way back to the Legislative Assembly.

Uruguay is waiting this year for the approval of its data protection law as offering adequate protection pursuant to the European data protection legal framework, after the European body of the Article 29 Data Protection Working Party issued an affirmative opinion late October 2010. Mexico and Peru might wish to obtain that European “seal of approval”, but should they follow that route, they will probably have to wait for 3 or 4 years, especially as the European Union is currently focussing its efforts on reviewing its own data protection framework.

A development worth to notice is the growing number of countries in Latin America (Brazil, Uruguay and Mexico) that have added data breach notification clauses in their data protection law, similar to the ones that exist in almost all US State statutes and are burgeoning in some EU Member States.

Nymity: What challenges will those economies face?

Laurant: A major hurdle for these countries is the questionable level of independence of their data protection authorities and the effectiveness of their enforcement means: will they obtain enough means – financial, human and material – entrusted to them by their governments to fine the companies that do not comply with the rules, and will they get the true authority necessary to enforce the new rules?

Another obstacle is the pervasive lack of awareness about data protection by the vast majority of the population: it may take quite some time before companies learn about their new obligations and implement them into their data processing activities.  It will also take efforts for individuals to understand their new rights and for the authority to educate stakeholders about the new law.

At a broader level, where cross-border data transfers among all countries in the region will be at stake, the lack of an integrated regional data protection framework will give headaches to companies willing to transfer data to each other while following the legal mandates.

Nymity: How long might their journey take?

Laurant: As it is the case of all the economies that have already adopted data protection or information privacy rules around the world, it will take several years for Latin American states to fully implement them in the ground and get a high enough rate of compliance.  One example might illustrate the challenges ahead: it took 20 years for Colombia, after it recognized the right to privacy in its Constitution of 1991, to come up with its first comprehensive data protection bill. It will probably take as much time for its data protection framework to reach maturity and satisfy awareness, compliance and implementation levels similar to the ones in Europe and the United States.  However, to use again the example of Colombia, changes are gradual and cannot only be assessed based on changes in the law, but also through case law. In this regard, the Colombian Constitutional Court’s decisions have shown exceptional clarity by building since 1992 a comprehensive case law about habeas data that already embodies most of the data protection principles of international data protection instruments – something some of the biggest developed economies have not achieved yet.

Among the foreseeable factors that are likely to impede the path to successful implementation of data protection rules are: a higher level of corruption than in developed economies, a much weaker public sector with limited budgets for administrative and judicial bodies, a deficit in technical expertise, a poor level of trust in the justice system and consumer protection, and a lesser degree of reliability in commercial transactions.

Nymity: What are the key challenges each economy will face from Europe? What do you recommend these economies do about these challenges?

Laurant: If these economies intend at some point in time to get the adequate protection ‘seal of approval’ from the EU, they will have to demonstrate that the law that exists in their books is enforced in practice and effectively protects individuals. It will probably prove harder to obtain than in the case of Argentina that was the first Latin American country to get the approval but has not delivered yet on all its promises. One of the difficulties comes from how they will protect their transborder data flows after receiving personal data from EU countries. However, the EU recognition will definitely help them with increased prospects of European investments, in particular in the business process outsourcing sector and in data and call centers.

In this context, a growing conflict has already reared its head between the United States and the European Union, each of them trying to influence Latin America in adopting its own data protection model, and multiplying commercial initiatives or courting them individually with unilateral trade agreements. Most of the progress to be done in data protection in those countries will come indeed from the economic incentives to develop commercial transactions with the rest of the world and attract investment from foreign companies, especially with the regions that already impose strict rules on international data transfers to protect their consumers. But it may not come by making each of them sign unilateral trade agreements. The European Union got started thanks to the brilliant idea of European states forming a group around a purely economic objective – build a common market and a community of countries around the production of coal and steel – then promoting within their united territory the circulation of goods, services and capital.  Likewise, the same idea could be a leading factor in fostering Latin American economies to make progress on increasing international data transfers and commercial transactions: through the building of economic alliances among themselves. The best for the region is most likely to build up its own data protection model, based in part on its strong habeas data heritage and its civil law system, then to agree over multilateral trade treaties that would highlight the protection of international data flows as a key requirement.

Nymity: What recommendations do you have for companies that do business in Latin America? What might they begin to do to anticipate the upcoming data protection changes?

Laurant: I would advise international companies doing business throughout Latin America to embrace the upcoming data protection standards coming along in the region. Even though it will turn out to be a more costly business proposition for them, it will only be in the short term. The advice is: get an edge over your domestic and international competitors by adopting the highest data protection standards available throughout the region, and right from the start. Translating these standards to fit into the Latin American regional context means:

1. be as transparent as possible towards your prospective customers in how you will use their personal information;
2. do not be seen as following the herd of domestic companies that will probably have a harder time to comply with the new rules than you will;
3. being seen as an early adopter will be good for business and the building of your reputation;
4. in some of the countries where trust between businesses and consumers is particularly low, trust your consumers even more: it will breed reciprocal trust in your products, services, brand and reputation;
5. follow all consumer protection and data protection regulations, and go even beyond strict compliance by doing better than domestic companies;
6. develop a reputation for being fully reliable for your customers.

Nymity: What recommendations do you have for companies in Latin America that want to do business outside of Latin America? What data protection measures might they consider, perhaps in addition to their emerging laws and regulations?

Laurant: If your country does not have a clear and binding data protection legal framework, lobby your Parliament members to work on one; if business is mainly with European countries, encourage your government to start the process of the “adequate protection” recognition with the European Commission. In the meantime, you will have to demonstrate that you protect well enough the personal data transferred from the EU and comply with administrative procedures and contractual steps such as signing standard contractual clauses, adopting rules that apply throughout the company everywhere it does business (“ binding corporate rules”) or obtaining approval for individual transactions by national data protection authorities.

Hey Browser, Don’t Expect Your Users to Know All About “OBA” and Cookies

A recent Wall Street Journal blog article (“Hey EU, Don’t Expect the Browser to Solve All Your Privacy Issues” by Ben Rooney of 26 May 2011) highlights the point of view of some in the browser industry (in the article, Mozilla’s Global Privacy & Policy Leader, Alex Fowler) by arguing that it should not be for browser companies to solve EU “privacy issues” with online cookies, and it would not be fair for the EU legislator to put all the burden on the browsing technology to comply with the new EU legal requirements that affect how browsers manage cookies.  According to that industry representative’s opinion, privacy is not only a browser problem, and it cannot solve the cookie issue only through technology.  The problem would not be so much the cookie but what companies do with the data they collect.  “By focusing just on the cookie and then trying to push the problem on the browser makers, it would miss the bigger picture.”

“According to Mr. Fowler, the problem is not so much the cookie, it is about what people do with the data that they collect. By focusing just on the cookie and then trying to push the problem on the browser makers, it would miss the bigger picture, he said.

And as a browser manufacturer, and especially one that was built by an open-source community, their first duty was to the user, not to helping out websites comply with legislation.”

"Accept cookie?" (Photo by "ansik")

If browsers make online profiling possible by design…

Although I do agree that it is too simplistic to put all the compliance burden (in particular Directive 2009/136/EC, which came into force last 25 May) on a single actor, the article evades some essential facts.

First, it’s the browser that is making it easier for online advertisers, publishers and other online tracking companies to collect users’ personal data.  If the browser makes that tracking possible in the first place, it is logical that they should help find a solution to prevent it, or at least bring back more effective control for its users.

… they should share its compliance burden

Second, compliance is not only on the browser manufacturers’ shoulders, but also on all the companies that receive users’ information thanks to browsers.  It is not a “tech mandate” but it is confronting all stakeholders to their obligations to comply with laws (like the already cited European Directive) that aim at protecting browser users and consumers from online tracking without their awareness and consent.

A reader (Kimon Zorbas, VP IAB Europe)’s comment under the post states:

“We share the concerns of Alex Fowler on the risk of technology mandates. A focus on browsers is also problematic as it pushes potential (compliance and not only) liabilities to the browser manufacturers. That can’t be right. The internet industry will strongly oppose tech mandates. What users want is knowledge – once they know and have a choice they are comfortable. We recognise this and accept it and those are the guiding principles for good self-regulation. On OBA or other areas.”

“OBA” you said?

I would have to complete this statement (“What users want is knowledge – once they know and have a choice they are comfortable”) since it lacks a crucial piece of information.  Assuming users know about “OBA” (which, it should be explained, means online behavioural advertising (more explanations here) and what OBA does (track users on an individual basis, mine their data – even very sensitive personal data such as financial and health information – and make decisions about that profiling without their being aware of it); assuming then that users are equipped with adequate tools to understand what the Internet tracking industry truly learns about them; assuming also that they can prevent the tracking from effectively taking place,… – that’s a whole lot of assumptions, don’t you think? – then you could say that users would have made a “choice” because they would have made it based on truly transparent information.  Until that actually happens, it is difficult to pretend that there is any “choice” at all for the regular browser user.

But what kind of “cookie” are you talking about?

Mr. Fowler is right: “the problem is not so much the cookie, it is about what people do with the data that they collect.” However, one can’t put all the cookies in the same basket: there is a big distinction to make among them.  Knowledgeable people talking about them should not entertain the confusion.  There are the ones – let’s call them, for simplicity’s sake – the “good cookies” – that make the browsing experience swift and fluid, remember your username or the content of your online shopping cart.  And the legislator has never opposed their use, neither in the European Union nor in the United States.  Then, there are the cookies – let’s name these the “bad” ones – whose purpose is completely different from what the “good” cookies were originally meant for: marketing companies, publishers and other OBA actors use them to surreptitiously track users and profile them at a level most of them probably would not imagine nor expect.  These are the cookies browsers should block to offer their users a first line of defense against online tracking that a vast majority of people browsing the Internet, were they aware of it, would never accept.  And surveys have showed this time and time again.

If the industry is confused about cookies…

The new “Do Not Track” HTTP header-based browser feature is a step in the right direction.  However, browser manufacturers should implement it in a way that does not rely on users’ previous knowledge of “OBA”, “bad cookies” and other forms of online tracking, especially if they know that most of them are not even aware of the extent of the profiling information their browser helps third party advertisers to compile about them.  Now, is the browsing industry ready to effectively put their money where their mouth is when they proclaim that “their first duty [is] to the user”?

… why should they expect the regular online user not to be?

For the browser-savvy Internet users, those who do know fully well about what OBA and cookies do, it would be up to them to change their browser settings to accept them. If the companies using online tracking tools are so keen about the benefits of online behavioural advertising for consumers, it should not be difficult to convince them to accept being tracked.  For the rest of us, cookie diet is recommended, but of the online kind.

A panel will explore the topic of “Do Not Track” in the context of online behavioral advertising at the upcoming Computers, Freedom & Privacy Conference on 14 June in Washington, DC.  I invite you to check it out.

 

“Educating” about Facebook’s recent privacy policy changes

In response to the Washington-based Electronic Privacy Information Center (EPIC)’s recently filed complaint against Facebook for its new privacy policy changes, Jules Polonetsky, Co-chair and Director of the Future of Privacy Forum, wrote the following comment:

“How Facebook handles user reaction is more important than even an FTC complaint. Certainly the new privacy setting changes will lead to some Facebook users sharing information more widely, and that warrants privacy scrutiny and debate. Other users may use the new controls to make case by case decisions about what they share. The key question is whether users are aware of the settings and whether they are using them. So far, many users seem to be aware of the changes and are adjusting the privacy controls as they see fit. As people react to the new options, Facebook should continue to respond as they have done by continuing to add educational information and to adjust to ensure they meet user expectations.”

(“Statement in Response to FTC Complaint Filed Regarding Facebook Privacy Settings“)

One cannot object that a company intend to make profits when, like in Facebook’s case, the company aims at monetizing its users’ profile information by making some of it fully public, and selling it to advertisers, search engines and other businesses. However, it’s a big no no for a company to mislead its users. Firstly by leading them to think that the latest change to its privacy policy is an “upgrade” when it should instead be called a “downgrade” — much more information is now considered “publicly available” like contacts and friends’ list, geographic region and profile picture). Secondly, by disregarding its users’ previous privacy settings by, e.g., making their profiles available for indexing by search engines.

If, as Jules Polonetsky writes, “how Facebook handles user reaction is more important than even an FTC complaint”, then the company should, first of all, have been straighforward by telling its users the truth: that its business model is based on extensive data mining and targeting of users; that users should carefully review all of their privacy settings; that its formerly acclaimed granular privacy settings are now a thing of the past; and that the main aim of the changes are to make even more personal information available publicly or to the company’s API (application programming interface) developers and advertisers. This would then have been properly called “educational information”. Instead it cannot be called otherwise than misinformation and deception (a “representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer’s detriment”, as the U.S. Federal Trade Commission’s definition goes), especially when considering that many of Facebook’s users are still in high school, or even younger than that.

Consumer privacy and the protection of personal information are an essential value of the online social networking experience. It cannot be a hostage to a constantly changing privacy policy that does not have any other (business, not educational) purpose than monetizing its user base. Like in the offline world, in the online one, you are ready to share certain types of information depending on whom you address the information to, be they friends, colleagues or strangers. Facebook by changing, from one day to the other, the basic assumption on which many people relied upon when they signed up for the service — that your list of contacts and friends is not public information — is deceiving its users.

For all these reasons, the complaint to the Federal Trade Commission is well-founded and will be very educational for the general public and Facebook’s 350 million users.

Here are a few links truly educative for Facebook’s users, detractors and apologists alike about the nature and implications of its recent privacy policy changes:

– Kevin Bankston (Electronic Frontier Foundation), Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly (9 Dec. 2009)

– Jason Kincaid (TechCrunch), The Looming Facebook Privacy Fiasco (1 July 2009)

– EPIC’s complaint with the U.S. Federal Trade Commission (17 Dec. 2009)

Here is a detailed legal analysis of the Facebook website under Canadian data protection rules:

– Elizabeth Denham (Office of the Privacy Commissioner of Canada), Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act (16 July 2009)

and a legal analysis of social networking websites under European Union data protection rules:

– Article 29 Data Protection Working Party, Opinion 5/2009 on online social networking (12 June 2009)