Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
v AgendaØIntroduce speakersØFrame the problemØDiscuss Galway Accountability Project
outcomesØLayout changes in both data flows and
data managementØConclusionsØQ & A
Martin Abrams The Centre for Information Policy Leadership
Paula BrueningThe Centre for Information Policy Leadership
Richard PurcellThe Privacy Projects.org
Paul SchwartzUC Berkeley School of Law
ATM network
fraudpreventionservices
personal bank
ATM Cash Withdrawalvv I go to the Dallas I go to the Dallas
Airport to start Airport to start my vacation in my vacation in Thailand. Thailand.
vv I stop for dollars I stop for dollars at an ATM.at an ATM.
merchant
network
fraud service
merchant’s bank
personal bank
Credit Card Purchase
vv I buy magazines I buy magazines at the airport with at the airport with my credit card.my credit card.
vv The merchant, The merchant, his bank, the his bank, the network, a fraud network, a fraud service, and my service, and my bank each touchbank each touchthe transaction.the transaction.
vv The airline shares The airline shares data about my flight data about my flight with the with the Transportation Transportation Security Security Administration Administration (TSA).(TSA).
vv I use my credit card I use my credit card to purchase from to purchase from duty free on the duty free on the flight. flight.
vv My data cuts new My data cuts new paths involving paths involving many new players many new players as the charge is as the charge is processed in flight.processed in flight.
vv I change planes in Tokyo. I change planes in Tokyo.
vv I use my credit card again I use my credit card again cutting new, cutting new, unpredictable paths.unpredictable paths.
vv I land in Thailand and I land in Thailand and immediately use my immediately use my ATM card. ATM card.
vv New players and New players and processes jump in. processes jump in.
vv My data takes a detour My data takes a detour to determine whether to determine whether the person in Thailand the person in Thailand could logically be me.could logically be me.
Dallas Tokyo
Thailand
vv I get into the taxi and go to the hotel. I get into the taxi and go to the hotel.
vv My credit card is used for the 4My credit card is used for the 4thth time in a time in a completely new geography. completely new geography.
vv New processors see my data and fraud checks New processors see my data and fraud checks calculate whether the card could logically be calculate whether the card could logically be used in all these different locations in less used in all these different locations in less than 24 hours.than 24 hours.
vv The fact is that my travel is generating The fact is that my travel is generating continuing data transfers with continuing data transfers with unpredictable locations. unpredictable locations.
vv All require speed, high levels of security All require speed, high levels of security and rules that cover who can do what and rules that cover who can do what with the data.with the data.
vv Each data transmission is a data breach waiting to Each data transmission is a data breach waiting to happen.happen.
vv Each new processor adds risk for the consumer Each new processor adds risk for the consumer that he will be harmed.that he will be harmed.
vv Each new location creates jurisdictional Each new location creates jurisdictional complexity for the consumer.complexity for the consumer.
vv The fact is that travel is The fact is that travel is just an example of a just an example of a process that generates process that generates almost continuous data almost continuous data transfers with many transfers with many players.players.
vv It is not possible for the It is not possible for the consumer to read the consumer to read the policies of every player. policies of every player.
vv It is not possible for the players to define It is not possible for the players to define with certainty what path will be on any given with certainty what path will be on any given day at any given moment.day at any given moment.
vv Instead we expect a chain of accountability Instead we expect a chain of accountability that begins with the players we know.that begins with the players we know.
vv The players we know create accountability The players we know create accountability with those we donwith those we don’’t.t.
vv Yet the legal structures that facilitate Yet the legal structures that facilitate accountability are unfinished.accountability are unfinished.
vv Only in the last year have we begun to Only in the last year have we begun to define how accountability: define how accountability: ØØ Protect consumersProtect consumersØØ Create legal certainty for businessCreate legal certainty for businessØØ Be trusted by regulatorsBe trusted by regulators
ProtectProtect
TrustTrustCreateCreate
AccountabilityAccountability
What Is Accountability?v An accountable organization takes
responsibility for the risks raised by the collection and use of information --- and is answerable for protecting and securing that information.
v An accountable company manages to the risks not just compliance.
v First mentioned in International guidance in 1980.
v Never fully defined until the Galway process.
The Essential Elements of Accountability
v Organizational Commitmentv Policies and Processes v Internal Oversightv Consumer Participationv Recourse and Redress
Accountability Project ParticipantsJoseph AlhadeffRosa BarceloJennifer BarrettMarcus BelkeBojana BellamyDaniel BurtonEmma ButlerFred H. CateMaureen CooneyPeter CullenGary DavisElizabeth DenhamMichael DonohueLindsey Finch
Giusella FinocchiaroRafael Garcia GozaloConnie GrahamBilly HawkesDavid HoffmanJane HorvathGus HoseinPeter HustinxTakayuki KatoChristopher KunerBarbara LawlerArtemi Rallo LombarteRocco PanettaDaniel Pradelles
18
Florence RaynalStéphanie RegnieManuela SianoDavid Smith Hugh StevensonScott TaylorBridget TreacyK. Krasnow WatermanArmgard von RedenJonathan WeeksMartin AbramsPaula J. Bruening
Managing Global Data Privacy
A Report From The Privacy Projects
The Privacy Projects• Dedicated to developing and contributing
‘evidence-based’ information to the ongoing dialogue for enhancing and improving personal information privacy and data protection– Independent non-profit
– Board of noted experts in privacy and data protection
• www.theprivacyprojects.org
The Project – Cross-border Data Flows• Examine the processes and controls implemented for
cross border data flows– Six case studies from North American companies
– Practices of companies actively seeking responsible data protection practices
• Case Studies - Confidential– Pharma, Marketing, Technology, Financial Srvcs
• Paul M. Schwartz– Professor of Law, University of California, Berkeley
– Noted author re: data protection law in US and EU
A Flat World is Not a Simple World
Major Changes• The scale of data flows, individually and in the
aggregate, has increased massively
• Processing involved in data flows has expanded to include highly complex and process-oriented steps implemented within systems of networks
• Oversight over data flows has evolved into a model of collaboration, professionalization, and resource commitments
Prior Basis for Regulation• Centralized Databases
– Segmented customer files
• IT Controls– Technical drivers, not policy
• Point-to-Point Transfers– Discrete, scheduled, occasional
• Proprietary transfer protocols– Tapes in boxes– Specialized communications lines
• Non-networked
A Change in Scale
• Discrete Events
• Localized Content
• Point 2 Point
• Temporal
• Continuous Process
• Dynamic Needs
• Routing by Algorithm
• Ongoing
A Change in Processing
• Centralized Db’s
• Controller Sourced
• Discrete Actions
• Geographical Basis
• Networked Processes
• Sourcing Flexibility
• Distributed Computing
• Needs Basis
A Change in Management
• Primary Driver: IT
• Low Investment
• Vague Ownership
• Ad Hoc Knowledge
• Primary Driver: Policy
• High Investment
• Privacy/Security Officers
• Professional Certification
New Challenges – New Controls• Data transfers are complex, involving numerous processes and
parties
– Consumer informed consent unsustainable
• Algorithms determine the path and destination for specific data types
– ‘Controller’ and ‘processor’ definitions outdated
• Processing occurs in data centers AND on the network itself
– ‘Personal information processing’ definition outdated
• Global networks interoperate with regional data sets
– Database registrations cannot control or manage networked series of
processes
Regulatory Control Changes?• The transformation of global data transfers
– Simple to complex– Ad hoc to managed– Occasional to ubiquitous– Single process to a series of networked processes– Point to point to globally-networked
• The need for transformation of regulatory controls– Basis on informed consent needs to yield to corporate
accountability that avoids risks to individuals– Meaningful standards and expectations applicable to
globally-operating companies– Personal information as a key corporate asset requiring
respect and protection
A State of Constant Change “Data protection regulations, whether in
national or in supranational sectors, are never
static or even completed regulations. They
react to information and communications
technologies that are developing ever more
quickly.”Spiros Simitis, Einleitung, in Bundesdatenschutzgesetz 147
(Spiros Simitis, ed., 6th ed 2006)
Progressing Forward“The key to the merits of an accountability regime will
be in the details of any regulation. Nonetheless, it is
possible to say that leading corporations have
developed the kind of preconditions for a data
protection regime whose safeguards and
requirements concentrate on institutional privacy
outputs rather than managerial inputs.”
Paul M. Schwartz, “Managing Global Data Privacy”, a report from The Privacy Projects
Contact Us
© 2009 The Centre for Information Policy Leadership at Hunton & Williams LLP. The content of this presentation contains the views of the Centre for Information Policy Leadership and does not represent the opinion of either its individual members or Hunton & Williams LLP. The views expressed in any attached represent the views of the individual correspondents reporting on behalf of the Centre for Information Policy Leadership and should not be construed as the views of Hunton & Williams LLP or any of its clients. These materials have been prepared for informational purposes only. Visit us at www.informationpolicycentre.com
Martin Abrams Executive [email protected]
Paula BrueningDeputy Executive [email protected]
Richard PurcellExecutive [email protected]
Paul SchwartzProfessor of [email protected]
www.informationpolicycentre.com
www.theprivacyprojects.org