Regulating Data: The Implications of Informatics on International Law

International Law Congress 2010, Ankara Bar Association, Ankara, Turkey, 11-15 January 2010

Jon M. Garon, Professor of Law



Description: Because of the increasing ease of digitization, all information has the potential to be digitized and as such, all information is becoming part of a single, incomprehensibly large, multinational, multicultural data system. The resulting data ecosystem is subject to local regulation by state and national laws which have often been drafted to address a conflicting set of jurisdictional rules and normative expectations regarding the creation, ownership, collection, storage and dissemination of information. The laws vary from country to country, resisting efforts at bringing international harmony because of deeply rooted historical differences. The presentation is an overview of the steps necessary for developing a comprehensive informatics regulatory system that protects privacy, telecom policy and copyright.


Page 1: Regulating Data: The Implications of Informatics on International Law

International Law Congress 2010 Ankara Bar Association

Ankara, Turkey, 11-15 January 2010

Jon M. Garon, Professor of Law

Regulating Data: The Implications of Informatics on International Law

Page 2: Regulating Data: The Implications of Informatics on International Law

What is Informatics - How to conceptualize the field

Informatics has been described as “the art and science of information,” or “the science of information, the practice of information processing, and the engineering of information systems. Informatics studies the structure, algorithms, behavior, and interactions of natural and artificial systems that store, process, access and communicate information.”

The field of informatics looks beyond the science of information systems to embrace the ecology of information within its environmental context. Most importantly, because a second level of data, or metadata, is created by the very study of data, informatics must provide methodologies to embrace a highly dynamic environment.

Introduction

Page 3: Regulating Data: The Implications of Informatics on International Law

Intersection of key rights

IP Rights – Patent, Trademark, Copyright, Trade Secret

Anti-piracy efforts

Control of offensive content (immoral, scandalous, pornographic, etc.)

Rights of Persons – Privacy, Protection from Commercialization

Anti-defamatory efforts

Databases and Software – Rights related to Copyright

Computer Security – anti-intrusion, digital protection measures

Data Integrity efforts, laws and practices

Telecommunications – integrity of telephony, Internet telephony

Integration of broadband, cable, satellite and terrestrial regulation

Harmonization – National laws, EU Directives, GATT, TRIPS, WIPO

The very first steps to see these disparate systems as an information ecosystem

Small steps toward integration of informatics

Jon M. Garon3

Page 4: Regulating Data: The Implications of Informatics on International Law

Internet Management - ICANN

ICANN a semi-autonomous NGO

Developing policies to protect trademarks and IP

UDRP - The Uniform Domain Name Dispute Resolution Policy: a relatively fast, inexpensive procedure to resolve domain name disputes

Dispute proceedings arising from alleged abusive registrations of domain names (for example, cybersquatting) may be initiated by a holder of trademark rights.

The UDRP is a policy between a registrar and its customer and is included in registration agreements for all ICANN-accredited registrars

Expansion of character set

Addition of Chinese characters, Arabic characters for domain names will have much greater international impact on commerce than most other changes

IDNs are domain names that include characters other than the currently available set of the English alphabet

Internet extensions are expected to come online in many countries in 2010

With expansion of gTLDs and character names greater streamlining and expansion is needed and being developed

Page 5: Regulating Data: The Implications of Informatics on International Law

Coverage of Copyright Laws

Summary of the Berne Convention for the Protection of Literary and Artistic Works (1886)

The three basic principles

National Treatment: Works originating in any of the contracting States must be given the same protection as provided to nationals in that state

Automatic Protection: No conditions or formalities

Independence or Minimum Standards: A State can provide for a longer term than the minimum prescribed by the Convention (but a work may lose protection once protection in the country of origin ceases).

Page 6: Regulating Data: The Implications of Informatics on International Law

Copyright & Digital Expression

WIPO Implementation – December 1996

Beginning of the Internet revolution

Need to thwart emergence of IP rogue states

Need to create “effective legal remedies” for developing countries

Need to create legislation to encourage enforcement in high-piracy states (rules on the books not enough)

US Implementation – October 1998

Need to comply with International Law, under TRIPS

Need to simplify evidentiary issues related to copyright

Need to shore up the “digital deadbolts” so companies will put their content onto disks

EU Implementation – May 2001

The European Union passed the EU Copyright Directive bringing it into compliance

Page 7: Regulating Data: The Implications of Informatics on International Law

Copyrights and Digital Information

Turkish accession bills to the WCT and the WPPT submitted to parliament in May 2005

Both of the bills were put on the parliamentary agenda after affirmative reports were submitted by the relevant commissions

Turkish Copyright Law - The Act of Intellectual and Artistic Works 5846

Turkey is a party to the Berne Convention, the Rome Convention and the TRIPs Agreement

The Turkish Copyright Law became compliant with these treaties after its 1995 and 2001 amendments

WIPO Copyright Treaty came into force on November 28, 2008

Page 8: Regulating Data: The Implications of Informatics on International Law

Copyrights and Digital Information

Within the scope of the legal regulations adopted in relation to EU law, the accession bills to the WCT and the WPPT were submitted to parliament in May 2005. Both of the bills were put on the parliamentary agenda after affirmative reports were submitted by the relevant commissions

Turkish Copyright Law - The Act of Intellectual and Artistic Works 5846

Turkey is a party to the Berne Convention, the Rome Convention and the TRIPs Agreement. The Turkish Copyright Law became compliant with these treaties after its 1995 and 2001 amendments

WIPO Copyright Treaty came into force on November 28, 2008

Source: Ugur Aktekin, Mehmet Gün & Partners

Page 9: Regulating Data: The Implications of Informatics on International Law

Copyrights and Digital Information

Computer programs and databases

Council Directive 91/250/EEC of May 14 1991 on the Legal Protection of Computer Programs within meaning of Art. 2 of Berne

Protection of databases and computer software was introduced into the Turkish Copyright Law in 1995

Rights of reproduction include digital rights

Rights of digital distribution – Communication by wire or wireless means

Adopted in Turkey to include all copyrighted works

Makes great sense given growth of e-books and digitization of other media

Technological measures and rights management

WCT Art. 11 requires adequate legal protection and effective legal remedies against the circumvention of technological measures

WCT Art. 12 prohibits removing or altering any electronic rights management information, or distributing, importing for distribution, broadcasting or communicating to the public works or copies of works knowing that electronic rights management information has been removed or altered

Source: Ugur Aktekin, Mehmet Gün & Partners

Page 10: Regulating Data: The Implications of Informatics on International Law

U.S. DMCA Comparison: Section 1201 – protecting from circumvention of copy protection provisions

“No person shall circumvent a technological measure that effectively controls access to a [copyrighted] work….” Protects from unauthorized decryption of a work’s security or picking of any virtual lock. Section 1201(a)(1)(A)

Prohibits trafficking in black box technology “produced for the purpose of circumventing a technological measure that effectively controls access to a work….” §1201(a)(2)

Prohibits trafficking in anticircumvention technology “that allow some forms of ‘access’ but restrict other uses of the copyrighted work.” Internet streaming audio player was tweaked or circumvented to permit the downloading of that content §1201(b)(1)

Page 11: Regulating Data: The Implications of Informatics on International Law

U.S. Telecom Strategic Goals

BROADBAND - All Americans should have affordable access to robust and reliable broadband products and services. Regulatory policies must promote technological neutrality, competition, investment, and innovation to ensure that broadband service providers have sufficient incentive to develop and offer such products and services.

COMPETITION - Competition in the provision of communications services, both domestically and overseas, supports the Nation’s economy. The competitive framework for communications services should foster innovation and offer consumers reliable, meaningful choice in affordable services.

SPECTRUM - Efficient and effective use of non-federal spectrum domestically and internationally promotes the growth and rapid deployment of innovative and efficient communications technologies and services.

MEDIA - The Nation’s media regulations must promote competition, diversity and localism, and facilitate the transition to digital modes of delivery.

Page 12: Regulating Data: The Implications of Informatics on International Law

Heavy focus on impact of privacy in broadband

In order to inform the Commission’s development of a National Broadband Plan, the Commission has inquired about the relevance of online privacy protections to broadband adoption and deployment. For example, in the Notice of Inquiry initiating the National Broadband Plan proceeding, the Commission asked “[w]hat are consumer expectations of privacy when using broadband services or technology and what impact do privacy concerns have on broadband adoption and use?”

The Commission has also solicited responses to questions about online privacy as it relates to cloud computing.

The inquiry highlights the importance of privacy and the public/private balance as telecom policies integrate traditional over-the-air, cable, satellite and broadband into a single format.

Page 13: Regulating Data: The Implications of Informatics on International Law

The U.S. and European expectations of privacy have different doctrinal roots which significantly influence informatic data protection

It follows that since the U.S. and Europe have substantially different frameworks for understanding the notions of personal privacy, they have different understandings of the relation of privacy to their respective data policies

Privacy has very long, distinguished protection in Europe “whose history dates well back into the early nineteenth century. It bears a close and evident connection to concepts of personal honour,” focused on the autonomy of the individual “to keep one’s name and photograph out of the newspapers.”

These values center on image, name, and reputation

Identity – Protection of Autonomy and Personal Dignity


Page 14: Regulating Data: The Implications of Informatics on International Law

The Council of Europe has identified privacy as co-equal with that of expression and news dissemination.

11. The Assembly reaffirms the importance of every person’s right to privacy, and of the right to freedom of expression, as fundamental to a democratic society. These rights are neither absolute nor in any hierarchical order, since they are of equal value.

12. However, the Assembly points out that the right to privacy afforded by article 8 of the European Convention on Human Rights should not only protect an individual against interference by public authorities, but also against interference by private persons or institutions, including the mass media.

Council of Europe Resolution 1165 of 1998 at 11-12

Very different than approach afforded to expression in U.S.

Continental value of privacy


Page 15: Regulating Data: The Implications of Informatics on International Law

“To the Europeans, indeed, it often seems obvious that Americans do not understand the imperative demands of privacy at all.”

U.S. privacy law rests on a stool of three imperfectly balanced and unequal legs: implied constitutional protections, common law traditions (along with their state statutory adornments) and federal legislation

Provisions of Constitution implying privacy rights: First Amendment, guaranteeing the right to free speech, freedom of religion, and the right to association; Fourth Amendment, protecting against unlawful search and seizure; Fifth Amendment, guaranteeing freedom from self-incrimination; Ninth Amendment, addressing general liberties.

U.S. value of privacy


Page 16: Regulating Data: The Implications of Informatics on International Law

The Fourth Amendment jurisprudence provides that a “search occurs when the government violates a subjective expectation of privacy that society recognizes as reasonable” while a “search does not occur … unless the individual manifested a subjective expectation of privacy in the object of the challenged search, and society is willing to recognize that expectation as reasonable.” This leads to a two-part inquiry of whether there is an actual, subjective expectation of privacy and “whether the individual’s subjective expectation of privacy is ‘one that society is prepared to recognize as “reasonable.”’” Kyllo v. United States, 533 U.S. 27, 33 (2001)

Fourth Amendment Criminal Jurisprudence


Page 17: Regulating Data: The Implications of Informatics on International Law

Technology cases have held

Phone booths - placing a listening device in a closed telephone booth violated the reasonable expectation of privacy, while information about the telephone numbers called from a personal phone did not

E-mails and user generated content are similarly posted to third party recipients and do not receive constitutional protection

Telecom records and activities require warrants to view

Pen registers - no reasonable expectation of privacy in information – the logs of phone numbers called – because that information was provided freely to the telephone company

Social media and other websites - no reasonable expectation of privacy in information – the logs of phone numbers called – because that information was provided freely to the telephone company

U.S. constitutional privacy from technology


Page 18: Regulating Data: The Implications of Informatics on International Law

Stored Communications Act

Requires a subpoena for an ISP to give subscriber information, a statutorily defined order (the 2703(d) order) for non-content records (a combination of subpoena and notice) for stored records and other documents, while a search warrant will give the government access to everything.

This only affects the ability of the government to compel disclosure of ISP’s customer e-mails and stored content. It does not affect the rights of the ISP or the customer.

Driver’s Privacy Protection Act of 1994 requires assent for resale of motor vehicle driver information by states

Family Educational Rights and Privacy Act protects some student information from disclosure

Viewing, subscribing and reading records protected

Financial services data, credit reporting records, and health care records each protected by separate laws

U.S. Federal statutory privacy laws


Page 19: Regulating Data: The Implications of Informatics on International Law

Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980

EC directive 95/46 (the EC Privacy Directive)

The key aspects of the EC Privacy Directive protect personal data, very broadly defined.

Establishes quality controls over the data, requiring that reasonable steps are taken to keep the information accurate and current

The retention of the data is for only as long as is necessary and the person identified must give unambiguous consent to the collection and use of the data

Identified individual has the right to know what information is mandatory and what information is voluntary, how to object to the collection and use of the data, and how to correct the data

From Privacy to Personal Data


Page 20: Regulating Data: The Implications of Informatics on International Law

As part of the balancing between the public’s right to public information and the control of private data, the Directive provides for member states to accommodate journalism and free expression “solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.”

The Directive does not apply to public security and defense.

EC Privacy Directive at Art. 1, § 2 (a): “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

Balance with other fundamental rights


Page 21: Regulating Data: The Implications of Informatics on International Law

Directive 2002/58/EC of the European Parliament and of the Council, cleared for adoption

In the years since the initial EC Privacy Directive has been in operation, concerns have grown regarding the theft of private data and the intrusions suffered as a result of unwanted e-mail or spam.

For the first time in the EU, a framework for mandatory notification of personal data breaches. Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them.

Notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches.

Update of the Privacy Directive


Page 22: Regulating Data: The Implications of Informatics on International Law

The Federal Trade Commission is the primary enforcement agency in the area of consumer privacy protection in the U.S.

The FTC bases its jurisdiction on the obligation of companies to refrain from operating in an unfair or deceptive manner. “Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies’ privacy promises about how they collect, use and secure consumers’ personal information.”

Under the statute, a practice is unfair and deceptive if “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The FTC has been quite aggressive in finding that the failure to meet a company’s self-imposed privacy and data security policies is just such an unfair and deceptive practice.

U.S. Federal Trade Commission (FTC)


Page 23: Regulating Data: The Implications of Informatics on International Law

EC Data Privacy Guidelines prohibit transborder data transfers unless the party receiving the data provides contractual protections in place to achieve similar levels of privacy protection

Countries may be barred from receiving EC data

Participating U.S. organizations must certify that they meet guidelines

Organizations must comply with the seven safe harbor principles.

Notice - Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.

EU/U.S. Safe Harbor


Page 24: Regulating Data: The Implications of Informatics on International Law

Choice - Organizations must give individuals the opportunity to choose (opt in or opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

Security - Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data integrity - Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

EU/U.S. Safe Harbor Principles


Page 25: Regulating Data: The Implications of Informatics on International Law

Onward Transfer (Transfers to Third Parties) - To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding.

As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.

Access - Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

EU/U.S. Safe Harbor Principles


Page 26: Regulating Data: The Implications of Informatics on International Law

Enforcement - In order to ensure compliance with the safe harbor principles, there must be:

(a) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide;

(b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and

(c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization.

Organizations that fail to provide annual self certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.

EU/U.S. Safe Harbor Principles


Page 27: Regulating Data: The Implications of Informatics on International Law

Informatics implications for the infosystem

Resource Description Framework (RDF)

Metadata data model: subject-predicate-object descriptions to make the data independent of its database

RDF Linked Data - Connect Distributed Data across the Web

This model requires that data be coded in some standardized way

Automated coding

All data has potential to be cross-linked in this way

Even better if the software understands the content

Page 28: Regulating Data: The Implications of Informatics on International Law

Deep searching and the semantic web

James Geller, et al., IEEE Computer Society: “Many organizations generate backend data that is … not indexed by conventional search engines.” “This hidden, invisible, and nonindexable content is called the Deep Web, and its size is estimated to be tens of thousands of times larger than the surface Web.”

“Software agents (softbots) with rich semantic knowledge and reasoning capabilities automatically roam the Web, find data and services, and combine them to achieve business goals.”

Goals to improve deep searching are “gaining acceptance of an ‘open source attitude’ in the e-commerce realm to make building Deep Web ontologies easier by accessing currently securely locked data sources; [and] creating libraries of semantic crawlers for the purpose of extracting back-end database information…”

Deep searching can be used to increase cross-referencing of personally identified information and expand behavior tracking for behavioral advertising or other identity searches
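Slide 27 describes the RDF subject-predicate-object model and slide 28 observes that deep searching cross-references personally identified information. The Python below is an added example written for this page, not code from the presentation or from any project it cites: it pools triples from two constructed sources (a court-records feed and a social-profile export, each with its own local identifiers), asserts an identity link wherever two subjects share a phone number, assembles the merged profile reachable from one identifier, and then shows that dropping the join key at the source, the data minimisation the EC Privacy Directive's retention and quality rules push toward, breaks the join. Every source, identifier, `ex:` predicate and value is constructed; `owl:sameAs` is the standard OWL identity predicate.

```python
"""Added example (not from the slides): RDF-style triples, cross-linking and redaction.

Every fact is a (subject, predicate, object) triple that carries its own context,
so triples exported from unrelated databases can be pooled and joined on a shared
value without knowing either schema. Sources, identifiers, `ex:` predicates and
values below are constructed for illustration; owl:sameAs is the standard OWL
identity predicate.
"""
from __future__ import annotations

from collections import defaultdict
from itertools import combinations

Triple = tuple[str, str, str]

# Constructed source A: a public court-records feed with its own record ids.
COURT_RECORDS: list[Triple] = [
    ("court:rec-1", "ex:name", "A. Example"),
    ("court:rec-1", "ex:charge", "example charge"),
    ("court:rec-1", "ex:disposition", "dismissed"),
    ("court:rec-1", "ex:phone", "+90-000-0000001"),
]

# Constructed source B: a social-media profile export with its own user ids.
SOCIAL_PROFILE: list[Triple] = [
    ("social:user-42", "ex:displayName", "A. Example"),
    ("social:user-42", "ex:phone", "+90-000-0000001"),
    ("social:user-42", "ex:checkIn", "Ankara"),
    ("social:user-42", "ex:interest", "travel"),
]


def link_by_shared_value(triples: list[Triple], key_predicate: str) -> list[Triple]:
    """Assert owl:sameAs (both directions) between subjects whose `key_predicate`
    has the same object value, e.g. two records carrying the same phone number."""
    subjects_by_value: dict[str, set[str]] = defaultdict(set)
    for s, p, o in triples:
        if p == key_predicate:
            subjects_by_value[o].add(s)
    links: list[Triple] = []
    for subjects in subjects_by_value.values():
        for a, b in combinations(sorted(subjects), 2):
            links.append((a, "owl:sameAs", b))
            links.append((b, "owl:sameAs", a))
    return links


def build_graph(*sources: list[Triple], key_predicate: str = "ex:phone") -> list[Triple]:
    """Pool the sources and add the identity links the shared key implies."""
    merged = [t for source in sources for t in source]
    return merged + link_by_shared_value(merged, key_predicate)


def linked_subjects(graph: list[Triple], start: str) -> set[str]:
    """Transitive closure over owl:sameAs starting from `start`."""
    seen, frontier = {start}, [start]
    while frontier:
        current = frontier.pop()
        for s, p, o in graph:
            if s == current and p == "owl:sameAs" and o not in seen:
                seen.add(o)
                frontier.append(o)
    return seen


def profile(graph: list[Triple], start: str) -> list[tuple[str, str]]:
    """Every (predicate, object) fact about `start` or any subject linked to it,
    regardless of which source originally held it."""
    subjects = linked_subjects(graph, start)
    facts = {(p, o) for s, p, o in graph if s in subjects and p != "owl:sameAs"}
    return sorted(facts)


def redact(triples: list[Triple], predicates: set[str]) -> list[Triple]:
    """Data minimisation at the source: drop the predicates that serve as join keys."""
    return [t for t in triples if t[1] not in predicates]


if __name__ == "__main__":
    full = build_graph(COURT_RECORDS, SOCIAL_PROFILE)
    print("Merged profile reachable from the social id alone:")
    for fact in profile(full, "social:user-42"):
        print("  ", fact)

    minimised = build_graph(redact(COURT_RECORDS, {"ex:phone"}), SOCIAL_PROFILE)
    print("After the court feed drops the phone number:")
    for fact in profile(minimised, "social:user-42"):
        print("  ", fact)
```

Neither source knows about the other, and no schema mapping is written anywhere; the merged profile falls out of the triple format plus one shared attribute, which is the mechanism behind the slide's point that "all data has potential to be cross-linked in this way." The same code shows where a regulator who focuses on usage and management rather than source (slide 35) would intervene: once the linking attribute is withheld, the court record stays isolated even though it is still published.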

Page 29: Regulating Data: The Implications of Informatics on International Law

What else will the deep web find

Public records include arrests, initial charges, convictions, divorces, civil commitments, administrative files, etc.

Add disparate impact (e.g. in MN, African American men arrested at approximately 10X general population)

Many employers (and lenders, landlords, schools, etc.) will not hire those with criminal record, and these historic disparities become integrated into the information economy infrastructure

Deep web search will find blogs, posts, comments, cyber-bullying, etc. that are too difficult to get taken down or sue

Page 30: Regulating Data: The Implications of Informatics on International Law

Tracking user information can move past the net

RFID: These online suggestions do not even get to the next step - adding RFID and other physical world tracking data (yet)

GPS data

Used to manage traffic; develop toll systems

Available for sighting roadside restaurants and stores? Testing billboard efficacy?

Tracking: To demand advertising fees, companies are looking to make the advertising increasingly relevant to the consumer

This can only be done by tracking the behavior (or “advertising channels, like Travel, Finance, or Luxury cars.” - Webwise.Phorm.com)

Behavioral ads will track, predict, and offer ‘just-in-time’

The ads will relate to everything we do, everywhere we’ve been

Page 31: Regulating Data: The Implications of Informatics on International Law

The device has a reader enabled

The RFID chip provides information on the clip to load

By proximity, the device will respond and play the media

Toys will respond to owners

Ads & coupons will appear on device

Police can issue warnings or even citations if they can trigger the device to read the phone number

RFID Enabled iPhone


Page 32: Regulating Data: The Implications of Informatics on International Law

Consumer advertising – tracking clicks

Contextual Advertising – ads that relate to the content on a particular site (e.g. a coupon for luggage on a travel site) draws its relevance to the content available to every viewer

Relevance of advertising is preferable

No consumer information is sought or used

FTC sees no need to regulate

Online Behavioral Advertising – “Online behavioral advertising involves the tracking of consumers’ online activities in order to deliver tailored advertising.” (FTC) “The practice, which is typically invisible to consumers, allows businesses to align their ads more closely to the inferred interests of their audience.”

Behavioral media brings the content sought by the audience to the audience – even before they know they want it

New York Times Online

Page 33: Regulating Data: The Implications of Informatics on International Law

Facebook users care – about ownership

Facebook is a premiere social site for content and personal information sharing (360 million)

The recent flash over Facebook came from copyright modifications to the user agreement (not privacy concerns)

Modifications allowing Facebook to retain rights to use content even after accounts were closed shocked the community

EPIC brings complaint to FTC over policy changes

Page 34: Regulating Data: The Implications of Informatics on International Law

EU studies anticipating issues with RFID and the Internet of Things that can combine the online activities with the behavioral information

In U.S. and many countries, the access of data available to the governments also raises some concerns

Need to balance the privacy interests with the economic opportunities created by those companies who harness this knowledge and media

Are U.S. companies at an advantage because of lower privacy concerns?

When the gTLDs recognize Chinese, Hindi, Arabic and other characters, will the most populous countries have Internets of their own?

Where we go next


Page 35: Regulating Data: The Implications of Informatics on International Law

Regulating the Data rather than its Origin

Data Should Not Be Regulated by Source

Sources of data not a particularly useful tool to understand its potential for individual interference with copyright, IP or privacy

The source of the data may not actually have the appropriate rights anyway

Data Should be Regulated by Usage & Management

Very important to apply increasingly strict rules on how data is used

The greater the focus on safety, security and use, the less relevant source becomes

Sensitive Data may be Afforded Heightened Protection

Collection of highly personal information may offend, implicating rights of autonomy and dignity

Economically sensitive information like account numbers and passwords is more likely to be stolen, so needs greater protections

Suggest Principles for future regulation


Page 36: Regulating Data: The Implications of Informatics on International Law

Covered information includes Personally Identifiable Information and Copyrighted materials

By combining the two types of information into a single standard, there will be more consistent protection and better public understanding of the relationship

Duties of the bailee

Reasonable Diligence

Enforcement through norms, much higher standard required to win court cases

Establish data quality standards

Balancing data quality with the rights of content creators

Establish a digital fiduciary standard


Page 37: Regulating Data: The Implications of Informatics on International Law

Greatest threats to infosystem

Identity Theft – actionable standard for failure to take steps to stop unauthorized access to information

Copyright and digital rights management protections – commercial attacks on content owners have tremendous economic implications

But individuals downloading for their own interests should be treated separately from commercial thieves

Industrial Espionage, Trade Secrets and other Business Torts

Laws already provide protection against these actions

Laws must be integrated into informatics framework for greater consistency and efficacy

Preventing Misuse from Unauthorized Data Users – Pirates and Thieves


Page 38: Regulating Data: The Implications of Informatics on International Law

Balancing Interests of the Individual

- Information and copyright abuse
  - Any individual may both have data, privacy and copyrighted works exploited without permission and exploit the rights of others without permission
  - Despite the cumulative effect, non-commercial and personal violations must not be criminalized and should instead be treated separately from commercial piracy
- Three strikes laws
  - Bar repeat offenders from the Internet
  - French law revised after the initial law was deemed unconstitutional
  - U.S. universities provide notice, which may prove almost as effective at changing behavior
- Beyond illusory informed consent
  - As provided in the EC Privacy Directive, individuals must be given useful information about the purpose for which information is gathered and meaningful opportunities to accept or reject use, and public policy should limit some areas for consent


Page 39: Regulating Data: The Implications of Informatics on International Law

Balancing the Interests of the State

- Although it is beyond the scope of this presentation, a comprehensive informatics policy must also reach into the governmental police power
  - What protections will be afforded to privacy
  - What access will be permitted to law enforcement for national security, general police powers, and regulatory authority
- The balance between the rights of the individual and the state is quintessentially set by normative expectations
  - The U.S.A. Patriot Act provides stark evidence of the willingness of society to reduce its civil liberties in the wake of real or perceived terror
  - London's cameras make it the most heavily observed city in Europe
- Governments are working to integrate their existing databases
  - Governments have the potential to integrate surveillance information taken in public places, voluntary disclosures, licensure data, and other records to create highly comprehensive profiles of an individual's interests, associates and activities


Page 40: Regulating Data: The Implications of Informatics on International Law

Balancing the Interests of the Bailee

- End User License Agreements (the law of the ISP)
  - Often no meaningful choice of ISPs
  - Often adhesion contracts
  - Regulation may be needed to assure the public interest in agreements that are increasingly like those with common carriers
- Protecting data in the clouds
  - Cloud computing puts information in massive server farms rented to companies by Google, Amazon, etc.
  - Risk of data security issues if one customer exceeds its authority to attack or attempt to obtain other customers' data
  - Presently unclear what standards of care are legally enforceable against the hosts


Page 41: Regulating Data: The Implications of Informatics on International Law

Balancing the Interests of the Bailee (continued)

- Issues of data de-identification and behavioral advertising that targets individuals
  - FTC Guidelines must become federal law, not merely best practices
  - New laws must reach any storage of content derived from targeting individuals
- New law may be needed to protect PII from deep web searching
  - Control: allowing deep web searching should require the same notice and opt-in consent as disclosure by the site operator
  - Fiduciary duties: content repositories should have fiduciary obligations to assure that private data is protected from third party use in a manner consistent with the site's own obligations and rules for third party usage


Page 42: Regulating Data: The Implications of Informatics on International Law

FTC Behavioral Advertising Principles (Voluntary Guidelines, February 12, 2009)

1. Transparency and Consumer Control
Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers' activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers' interests, and (2) consumers can choose whether or not to have their information collected for such purpose.

2. Reasonable Security, and Limited Data Retention, for Consumer Data
Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

Page 43: Regulating Data: The Implications of Informatics on International Law

FTC Behavioral Advertising Principles (Voluntary Guidelines, February 12, 2009)

3. Affirmative Express Consent for Material Changes to Existing Privacy Promises
As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes, [so] before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers.

4. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising
Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.

Page 44: Regulating Data: The Implications of Informatics on International Law

New Laws Need Not Break New Ground

- New laws may be modeled after COPPA requirements that website operators obtain verifiable consent regarding information sharing and allow distribution only with express consent. See 16 C.F.R. §312.4
- A European model would be preferable to voluntary guidelines, but it is unlikely to create affirmative fiduciary duties covering deep web searching or cross-referencing RFID data – new laws are needed in all jurisdictions
- Recognize that DRM need not be proprietary, and lack of interoperability should be presumptively anti-competitive
- All governmental use of PII must meet the same opt-in requirements or be accessed only after meeting applicable standards
  - Phishing for criminals and profiling should be restricted
  - Honey traps must be narrowly built to avoid entrapment

Page 45: Regulating Data: The Implications of Informatics on International Law

Harnessing the Research for Good

- Data trends will be increasingly important in product design and politics
  - Essential for affinity relationships and subjectively relevant products
- Outline of data tracking policy
  - Release data to researchers in truly de-identified form
    - Review data size to assure no re-identification is practical
    - Combinations of non-personal data may be sufficient to reveal identity
  - Establish Institutional Review Boards or the equivalent so that good practices are followed
    - All human subject research affects autonomy and dignity even if done using de-identified data. Most research is beneficial, but the step of review should always be done
  - Utilize researcher agreements, providing some contractual protections against misuse of the data
  - Limit the retention of data, particularly data in its identified form
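The two points above about re-identification (review data size; combinations of non-personal data may reveal identity) are easy to state and easy to get wrong in practice. The following is an added example, not part of the presentation, showing the check a reviewer would actually run before a "de-identified" release: compute the k-anonymity of the quasi-identifiers, attempt the classic linkage attack against a public list carrying the same attributes, then generalize and re-check. All records, names and the k threshold of 2 are constructed assumptions for illustration.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample of a "de-identified" release: names removed, but the
# remaining quasi-identifiers (ZIP, birth year, sex) can still single people out.
RELEASED: List[Record] = [
    {"zip": "06510", "birth_year": "1978", "sex": "F", "diagnosis": "flu"},
    {"zip": "06510", "birth_year": "1978", "sex": "F", "diagnosis": "asthma"},
    {"zip": "06511", "birth_year": "1965", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "06511", "birth_year": "1965", "sex": "M", "diagnosis": "flu"},
    {"zip": "06519", "birth_year": "1962", "sex": "M", "diagnosis": "cancer"},
    {"zip": "06520", "birth_year": "1990", "sex": "M", "diagnosis": "flu"},
    {"zip": "06520", "birth_year": "1991", "sex": "M", "diagnosis": "asthma"},
    {"zip": "06520", "birth_year": "1992", "sex": "M", "diagnosis": "flu"},
]

# Constructed public list (think voter roll): same attributes plus a name.
PUBLIC: List[Record] = [
    {"name": "A. Example", "zip": "06519", "birth_year": "1962", "sex": "M"},
    {"name": "B. Example", "zip": "06520", "birth_year": "1991", "sex": "M"},
    {"name": "C. Example", "zip": "06510", "birth_year": "1978", "sex": "F"},
]

QIS: Tuple[str, ...] = ("zip", "birth_year", "sex")


def qi_key(record: Record, qis: Sequence[str] = QIS) -> Tuple[str, ...]:
    """The quasi-identifier combination for one record."""
    return tuple(record[q] for q in qis)


def k_anonymity(records: List[Record], qis: Sequence[str] = QIS) -> int:
    """Size of the smallest group sharing one QI combination.
    k == 1 means at least one record is unique on the quasi-identifiers."""
    classes = Counter(qi_key(r, qis) for r in records)
    return min(classes.values()) if classes else 0


def link(released: List[Record], public: List[Record],
         qis: Sequence[str] = QIS) -> Dict[str, str]:
    """Linkage attack: a public record that matches exactly one released
    record pins that record's sensitive attribute to a named person."""
    by_key: Dict[Tuple[str, ...], List[Record]] = {}
    for r in released:
        by_key.setdefault(qi_key(r, qis), []).append(r)
    hits: Dict[str, str] = {}
    for p in public:
        matches = by_key.get(qi_key(p, qis), [])
        if len(matches) == 1:
            hits[p["name"]] = matches[0]["diagnosis"]
    return hits


def generalize(record: Record, zip_digits: int = 3, year_band: int = 10) -> Record:
    """Coarsen the quasi-identifiers: truncate the ZIP, band the birth year."""
    g = dict(record)
    g["zip"] = g["zip"][:zip_digits] + "*" * (len(g["zip"]) - zip_digits)
    year = int(g["birth_year"])
    low = year - year % year_band
    g["birth_year"] = f"{low}-{low + year_band - 1}"
    return g


def release_ready(records: List[Record], k_required: int = 2,
                  qis: Sequence[str] = QIS) -> Tuple[List[Record], bool]:
    """Generalize the release and report whether it meets the k threshold
    (k_required = 2 is an assumed policy value, not from the presentation)."""
    gen = [generalize(r) for r in records]
    return gen, k_anonymity(gen, qis) >= k_required


if __name__ == "__main__":
    print("raw k =", k_anonymity(RELEASED))
    print("re-identified:", link(RELEASED, PUBLIC))
    gen, ok = release_ready(RELEASED)
    print("generalized k =", k_anonymity(gen), "meets threshold =", ok)
    # The attacker must coarsen the public list the same way to match at all.
    print("re-identified after generalization:",
          link(gen, [generalize(p) for p in PUBLIC]))
```

On the raw release k is 1 and the linkage attack names two people; after truncating ZIP to three digits and banding birth years into decades, every QI combination covers at least two records and the attack returns nothing. A k-anonymity check is necessary but not sufficient: if every record in a group shares the same sensitive value, an attacker learns it without picking out an individual, so a reviewer should also look at the diversity of the sensitive column within each group.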

Page 46: Regulating Data: The Implications of Informatics on International Law

Digital Information Beyond the Box

- Owner of the database regarding sale of the product is protected
  - The data in the sales information
  - The information about who purchased
  - Payment information
- Protection of techniques to keep the database safe
  - No decrypting the data
  - No selling/trafficking a device that can eliminate the encryption or digital rights management
  - No selling/trafficking a device that changes how the data can be read (e.g. changing it from read-only to copyable)

Page 47: Regulating Data: The Implications of Informatics on International Law

International Law Congress 2010 Ankara Bar Association

Thank you

Jon M. Garon
Professor of Law

Regulating Data: The Implications of Informatics

on International Law