Upload
jon-garon
View
538
Download
1
Embed Size (px)
DESCRIPTION
Description: Because of the increasing ease of digitization, all information has the potential to be digitized and as such, all information is becoming part of a single, incomprehensibly large, multinational, multicultural data system. The resulting data ecosystem is subject to local regulation by state and national laws which have often been drafted to address a conflicting set of jurisdictional rules and normative expectations regarding the creation, ownership, collection, storage and dissemination of information. The laws vary from country to country, resisting efforts at bringing international harmony because of deeply rooted historical differences. The presentation is an overview of the steps necessary for developing a comprehensive informatics regulatory system that protects privacy, telecom policy and copyright.
Citation preview
International Law Congress 2010 Ankara Bar Association
Ankara,Turkey11-15 January 2010
Jon M. GaronProfessor of Law
Regulating Data: The Implications of Informatics
on International Law
What is Informatics - How to conceptualize the field
Informatics has been described as “the art and science of information,”or “the science of information, the practice of information processing, and the engineering of information systems.
Informatics studies the structure, algorithms, behavior, and interactions of natural and artificial systems that store, process, access and communicate information.”
The field of informatics looks beyond the science of informationsystems to embrace the ecology of information within its environmental context. Most importantly, because a second level of data, or metadata, is created by the very study of data, informatics mustprovide methodologies to embrace a highly dynamic environment.
Introduction
Intersection of key rights IP Rights – Patent, Trademark, Copyright, Trade Secret
Anti-piracy efforts Control of offensive content (immoral, scandalous,
pornographic, etc.)
Rights of Persons – Privacy, Protection from Commercialization Anti-defamatory efforts
Databases and Software – Rights related to Copyright Computer Security – anti-intrusion, digital protection measures Data Integrity efforts, laws and practices Telecommunications – integrity of telephony, Internet telephony
Integration of broadband, cable, satellite and terrestrial regulation
Harmonization – National laws, EU Directives, GATT, TRIPS, WIPO The very first steps to see these disparate systems as an
information ecosystem
Small steps toward integration of informatics
Jon M. Garon3
Internet Management - ICANN ICANN a semi-autonomous NGO
Developing policies to protect trademarks and IP
UDRP - The Uniform Domain Name Dispute Resolution Policy: a relativelyfast, inexpensive procedure to resolve domain name disputes Dispute proceedings arising from alleged abusive registrations of domain
names (for example, cybersquatting) may be initiated by a holder of trademark rights.
The UDRP is a policy between a registrar and its customer and is included in registration agreements for all ICANN-accredited registrars
Expansion of character set Addition of Chinese characters, Arabic characters for domain names will have
much greater international impact on commerce than most other changes IDNs are domain names that include characters other than the currently
available set of the English alphabet Internet extensions are expected to come online in many countries in 2010
With expansion of gTLDs and character names greater streamlining and expansion is needed and being developed
Coverage of Copyright Laws
Summary of the Berne Convention for the Protection of Literary and Artistic Works (1886)
The three basic principles National Treatment: Works originating in any of the contracting
States must be given the same protection as provided to nationals in that state
Automatic Protection: No conditions or formalities Independence or Minimum Standards: A State can provide for a
longer term than the minimum prescribed by the Convention (but awork may lose protection once protection in the country of origin ceases).
Copyright & Digital Expression
WIPO Implementation – December 1996 Beginning of the Internet revolution Need to thwart emergence of IP rogue states Need to create “effective legal remedies” for developing countries Need to create legislation to encourage enforcement in high-piracy
states (rules on the books not enough) US Implementation – October 1998
Need to comply with International Law, under TRIPS Need to simplify evidentiary issues related to copyright Need to shore up the “digital deadbolts” so companies will put their
content onto disks EU Implementation – May 2001
The European Union passed the EU Copyright Directive bringing itinto compliance
Copyrights and Digital Information Turkish accession bills to the WCT and the WPPT submitted to
parliament in May 2005 Both of the bills were put on the parliamentary agenda
after affirmative reports were submitted by the relevant commissions
Turkish Copyright Law - The Act of Intellectual and Artistic Works 5846 Turkey is a party to the Berne Convention, the Rome
Convention and the TRIPs Agreement The Turkish Copyright Law became compliant with these
treaties after its 1995 and 2001 amendments WIPO Copyright Treaty came into force on November 28,
2008
Copyrights and Digital Information
Within the scope of the legal regulations adopted in relation to EU law, the accession bills to the WCT and the WPPT were submitted to parliament in May 2005. Both of the bills were put on the parliamentary agenda after affirmative reports were submitted by the relevant commissions
Turkish Copyright Law - The Act of Intellectual and Artistic Works 5846 Turkey is a party to the Berne Convention, the Rome Convention and
the TRIPs Agreement. The Turkish Copyright Law became compliant with these treaties
after its 1995 and 2001 amendments WIPO Copyright Treaty came into force on November 28, 2008
Source: Ugur Aktekin, Mehmet Gün & Partners
Copyrights and Digital Information Computer programs and databases
Council Directive 91/250/EEC of May 14 1991 on the Legal Protection of Computer Programs within meaning of Art. 2 of Berne
Protection of databases and computer software was introduced into the Turkish Copyright Law in 1995
Rights of reproduction includes digital rights Rights of digital distribution –Communication by wire or wireless means
Adopted in Turkey to include all copyrighted works Makes great sense given growth of e-books and digitization of other media
Technological measures and rights management WCT Art. 11 requires adequate legal protection and effective legal remedies
against the circumvention of technological measures WCT Art. 12 prohibits removing or altering any electronic rights management
information, or distributing, importing for distribution, broadcasting or communicating to the public works or copies of works knowing that electronic rights management information has been removed or altered
Source: Ugur Aktekin, Mehmet Gün & Partners
U.S. DMCA Comparison: Section 1201 – protecting from circumvention of copy protection provisions
“No person shall circumvent a technological measure that effectively controls access to a [copyrighted] work….” Protects from unauthorized decryption of a work’s security or
picking of any virtual lock. Section 1201(a)(1)(A)
prohibits trafficking in black box technology “produced for the purpose of circumventing a technological measure that effectively controls access to a work….” §1201(a)(2)
prohibits trafficking in anticircumvention technology “that allow some forms of ‘access’ but restrict other uses of the copyrighted work.” Internet streaming audio player was tweaked or circumvented to
permit the downloading of that content §1201(b)(1)
U.S. Telecom Strategic Goals
BROADBAND - All Americans should have affordable access to robust and reliable broadband products and services. Regulatory policies must promote technological neutrality, competition, investment, and innovation to ensure that broadband service providers have sufficient incentive to develop and offer such products and services.
COMPETITION - Competition in the provision of communications services, both domestically and overseas, supports the Nation’s economy. The competitive framework for communications services should foster innovation and offer consumers reliable, meaningful choice in affordable services.
SPECTRUM - Efficient and effective use of non-federal spectrum domestically and internationally promotes the growth and rapid deployment of innovative and efficient communications technologies and services.
MEDIA - The Nation’s media regulations must promote competition, diversity and localism, and facilitate the transition to digital modes of delivery.
Heavy focus on impact of privacy in broadband
In order to inform the Commission’s development of a National Broadband Plan, the Commission has inquired about the relevance of online privacy protections to broadband adoption and deployment. For example, in the Notice of Inquiry initiating the National Broadband
Plan proceeding, the Commission asked “[w]hat are consumer expectations of privacy when using broadband services or technology and what impact do privacy concerns have on broadband adoption and use?”
The Commission has also solicited responses to questions about online privacy as it relates to cloud computing.
The inquiry highlights the importance of privacy and the public private balance as telecom policies integrate traditional over-the-air cable, satellite and broadband into a single format.
the U.S. and European expectations of privacy have different doctrinal roots which significantly influence informatic data protection It follows that since the U.S. and Europe have substantially different
frameworks for understanding the notions of personal privacy, they have different understanding of the relation of privacy to theirrespective data policies
Privacy has very long, distinguished protection in Europe “whose history dates well back into the early nineteenth century.
It bears a close and evident connection to concepts of personal honour,” focused on the autonomy of the individual “to keep one’s name and photograph out of the newspapers.”
These values center on image, name, and reputation
Identity – Protection of Autonomy and Personal Dignity
01/14/10 Jon M. Garon13
The Council of Europe has identified privacy as co-equal with that of expression and news dissemination. 11. The Assembly reaffirms the importance of every person’s right
to privacy, and of the right to freedom of expression, as fundamental to a democratic society. These rights are neither absolute nor in any hierarchical order, since they are of equal value.
12. However, the Assembly points out that the right to privacy afforded by article 8 of the European Convention on Human Rightsshould not only protect an individual against interference by public authorities, but also against interference by private persons orinstitutions, including the mass media.
Council of Europe Resolution 1165 of 1998 at 11-12 Very different than approach afforded to expression in U.S.
Continental value of privacy
01/14/10 Jon M. Garon14
“To the Europeans, indeed, it often seems obvious that Americans do not understand the imperative demands of privacy at all.”
U.S. privacy law of privacy rests on a stool of three imperfectly balanced and unequal legs: Implied constitutional protections common law traditions (along with their state statutory
adornments) and federal legislation
Provisions of Constitution implying privacy rights: First Amendment, guaranteeing the right to free speech, freedom of
religion, and the right to association; Fourth Amendment, protecting against unlawful search and seizure; Fifth Amendment, guaranteeing freedom from self-incrimination; Ninth Amendment, addressing general liberties.
U.S. value of privacy
01/14/10 Jon M. Garon15
The Fourth Amendment jurisprudence provides that a “search occurs when the government violates a subjective expectation of privacy that society recognizes as reasonable” while a “search does not occur … unless the individual manifested a subjective expectation of privacy in the object of the challenged search, and society is willing to recognize that expectation as reasonable.” This leads to a two-part inquiry of whether there is an actual,
subjective expectation of privacy and “whether the individual’s subjective expectation of privacy is “one
that society is prepared to recognize as ‘reasonable.’” Kyllo v. United States, 533 U.S. 27, 33 (2001)
Fourth Amendment Criminal Jurisprudence
16
Technology cases have held Phone booths - placing a listening device in a closed telephone
booth violated the reasonable expectation of privacy, while information about the telephone numbers called from a personal phone did not
E-mails and user generated content is similarly posted to third party recipients and does not receive constitutional protection
Telecom records and activities require warrants to view Pen registers - no reasonable expectation of privacy in information
– the logs of phone numbers called – because that information was provided freely to the telephone company
Social media and other websites - no reasonable expectation of privacy in information – the logs of phone numbers called –because that information was provided freely to the telephone company
U.S. constitutional privacy from technology
01/14/10 Jon M. Garon17
Stored Communications Act Requires a subpoena for an ISP to give subscriber information, a statutorily
defined order (the 2703(d) order) for non-content records (a combination of subpoena and notice) for stored records and other documents, while a search warrant will give the government access to everything.
The only affects the ability of the government to compel disclosure of ISP’s customer e-mails and stored content. It does not affect the rights of the ISP or the customer.
Driver’s Privacy Protection Act of 1994, requires assent for resale of motor vehicle driver information by states
Family Educational Rights and Privacy Act protects some student information from disclosure
Viewing, subscribing and reading records protected Financial services data, credit reporting records, and health care
records each protected by separate laws
U.S. Federal statutory privacy laws
01/14/10 Jon M. Garon18
Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows ofPersonal Data in 1980
EC directive 95/46, (the EC Privacy Directive) The key aspects of the EC Privacy Directive protect personal
data, very broadly defined. Establishes quality controls over the data, requiring that reasonable
steps are taken to keep the information accurate and current The retention of the data is for only as long as is necessary and the
person identified must give unambiguous consent to the collection and use of the data
Identified individual has the right to know what information is mandatory and what information is voluntary, how to object to the collection and use of the data, and how to correct the data
From Privacy to Personal Data
01/14/10 Jon M. Garon19
As part of the balancing between the public’s right to public information and the control of private data, the Directive provides for member states to accommodate journalism and free expression “solely for journalistic purposes or the purpose of artistic or literary
expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.”
The Directive does not apply to public security and defense.
EC Privacy Directive at Art. 1, § 2 (a) “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
Balance with other fundamental rights
01/14/10 Jon M. Garon20
Directive 2002/58/EC of the European Parliament and of the Council, cleared for adoption
In the years since the initial EC Privacy Directive has been in operation, concerns have grown regarding the theft of private data and the intrusions suffered as a result of unwanted e-mail or spam. For the first time in the EU, a framework for mandatory notification
of personal data breaches. Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them.
Notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches.
Update of the Privacy Directive
01/14/10 Jon M. Garon21
The Federal Trade Commission is the primary enforcement agency in the area of consumer privacy protection in the U.S.
The FTC bases its jurisdiction on the obligation of companies to refrain from operating in an unfair or deceptive manner. “Under the FTC Act, the Commission guards against unfairness and
deception by enforcing companies’ privacy promises about how they collect, use and secure consumers’ personal information.”
Under the statute, a practice is unfair and deceptive if “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
The FTC has been quite aggressive in finding that the failure tomeet a company’s self-imposed privacy and data security policies are just such an unfair and deceptive practice.
U.S. Federal Trade Commission (FTC)
01/14/10 Jon M. Garon22
EC Data Privacy Guidelines prohibit transborder data transfers unless the party receiving the data provides contractual protections in place to achieve similar levels of privacy protection
Countries may be barred from receiving EC data Participating U.S. organizations must certify that they meet guidelines Organizations must comply with the seven safe harbor principles. Notice - Organizations must notify individuals about the purposes for
which they collect and use information about them. They must provide information about how individuals can contact
the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.
EU/U.S. Safe Harbor
01/14/10 Jon M. Garon23
Choice - Organizations must give individuals the opportunity to choose (opt in or opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must
be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
Security - Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data integrity - Personal information must be relevant for the purposes for which it is to be used. An organization should takereasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
EU/U.S. Safe Harbor Principles
01/14/10 Jon M. Garon24
Onward Transfer (Transfers to Third Parties) - To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party
that is acting as an agent(1), it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding.
As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.
Access - Individuals must have access to personal information about themthat an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
EU/U.S. Safe Harbor Principles
01/14/10 Jon M. Garon25
Enforcement - In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse
mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide;
(b) procedures for verifying that the commitments companies maketo adhere to the safe harbor principles have been implemented; and
(c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization.
Organizations that fail to provide annual self certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.
EU/U.S. Safe Harbor Principles
01/14/10 Jon M. Garon26
Informatics implications for the infosystem
Resource Description Framework (RDF) Metadata data
model subject-predicate-
object descriptions to make the data independent of its database
RDF Linked Data -Connect Distributed Data across the Web
This model requires that data be coded in some standardized way
Automated coding All data has potential to
be cross-linked in this way
Even better if the software understands the content
Deep searching and the semantic web
James Geller, et. al., IEEE Computer Society: “Many organizations generate backend data that is … not indexed by conventional search engines.” “This hidden, invisible, and nonindexable content is called the Deep
Web, and its size is estimated to be tens of thousands of times larger than the surface Web.”
“Software agents (softbots) with rich semantic knowledge and reasoning capabilities automatically roam the Web, find data andservices, and combine them to achieve business goals.”
“Goals to improve deep searching are “gaining acceptance of an “open source attitude” in the e-commerce realm to make building Deep Web ontologies easier by accessing currently securely locked data sources; [and] creating libraries of semantic crawlers for the purpose of extracting back-end database information…”
Deep searching can be used to increase cross-referenced of personally identified information and expand behavior tracking for behavioral advertising or other identity searches
What else will the deep web find Public records include arrests, initial charges, convictions, divorces, civil
commitments, administrative files, etc. Add disparate impact (e.g. in MN, African American men arrested at
approximately 10X general population) Many employers (and lenders, landlords, schools, etc.) will not hire
those with criminal record, and these historic disparities become integrated into the information economy infrastructure
Deep web search will find blogs, posts, comments, cyber-bullying, etc. that are too difficult to get taken down or sue
Tracking user information can move past the net RFID: These online suggestions do not even get to the next
step - adding RFID and other physical world tracking data (yet)
GPS data Used to manage traffic; develop toll systems Available for sighting roadside restaurants and stores? Testing billboard efficacy?
Tracking: To demand advertising fees, companies are looking to make the advertising increasingly relevant to the consumer This can only be done by tracking the behavior (or
“advertising channels, like Travel, Finance, or Luxury cars.” -Webwise.Phorm.com)
Behavioral ads will track, predict, and offer ‘just-in-time’ The ads will relate to everything we do, everywhere we’ve
been
The device has a reader enabled
The RFID chip provides information on the clip to load
By proximity, the device will respond and play the media
Toys will respond to owners Ads & coupons will appear
on device Police can issue warnings or
even citations if they can trigger the device to read the phone number
RFID Enabled iPhone
01/14/10 Jon M. Garon31
Consumer advertising – tracking clicks Contextual Advertising – ads
that relate to the content on a particular site (e.g. a coupon for luggage on a travel site) draws its relevance to the content available to every viewer Relevance of advertising is
preferable No consumer information is
sought or used FTC sees no need to regulate
Online Behavioral Advertising – “Online behavioral advertising involves the tracking of consumers’ online activities in order to deliver tailored advertising.” (FTC) “The practice, which is typically invisible to consumers, allows
businesses to align their ads more closely to the inferred interests of their audience.”
Behavioral media brings the content sought by the audience to the audience – even before they know they want it
New York Times Online
Facebook users care – about ownership Facebook is a premiere social site for content and
personal information sharing (360 million) The recent flash over Facebook came from
copyright modifications to the user agreement (not privacy concerns)
Modifications allowed Facebook to retain rights to use content even after accounts were closed shocked the community
EPIC brings complaint to FTC over policy changes
EU studies anticipating issues with RFID and the Internet of Things that can combine the online activities with the behavioral information In U.S. and many countries, the access of data available
to the governments also raises some concerns Need to balance the privacy interests with the economic
opportunities created by those companies who harness this knowledge and media Are U.S. companies at an advantage because of lower privacy
concerns? When the gTLDs recognize Chinese, Hindi, Arabic and other
characters, will the most populace countries have Internets of their own?
Where we go next
01/14/10 Jon M. Garon34
Regulating the Data rather than its Origin Data Should Not Be Regulated by Source
Sources of data not a particularly useful tool to understand itspotential for individual interference with copyright, IP or privacy
The source of the data may not actually have the appropriate rights anyway
Data Should be Regulated by Usage & Management Very important to apply increasingly strict rules on how data is
used The greater the focus on safety, security and use, the less relevant
source becomes Sensitive Data may be Afforded Heighted Protection
Collection of highly personal information may offend, implicating rights of autonomy and dignity
Economically sensitive information like account numbers and passwords are more likely to be stolen, so need greater protections
Suggest Principles for future regulation
01/14/10 Jon M. Garon35
Covered information includes Personally Identifiable Information and Copyrighted materials By combining the two types of information into a single
standard, there will be more consistent protection and better public understanding of the relationship
Duties of the bailee Reasonable Diligence Enforcement through norms, much higher standard
required to win court cases Establish data quality standards Balancing data quality with the rights of content creators
Establish a digital fiduciary standard
01/14/10 Jon M. Garon36
Greatest threats to infosystem Identity Theft – actionable standard for failure to take
steps to stop unauthorized access to information Copyright and digital rights management protections –
commercial attacks on content owners has tremendous economic implications But individuals downloading for their own interests should be
treated separately from commercial thieves
Industrial Espionage, Trade Secrets and other Business Torts Laws already provide protection against these actions Laws must be integrated into informatics framework for greater
consistency and efficacy
Preventing Misuse from Unauthorized Data Users – Pirates and Thieves
01/14/10 Jon M. Garon37
Information and copyright abuse Any individual may both have data, privacy and copyrighted works
exploited without permission and exploit the rights of others without permission
Despite the cumulative effect, non-commercial and personal violations must not be criminalized and instead treated separately from thecommercial piracy
Three strikes law Bars from Internet for repeat offenders French law revised after initial law deemed unconstitutional U.S. universities provide notice, which may prove almost as effective to
change behavior Beyond illusory informed consent
As provided in EC Privacy Directive, individuals must be given useful information about the purpose for which information is gathered,meaningful opportunities to accept or reject use, and public policy should limit some areas for consent
Balancing Interests of the Individual
01/14/10 Jon M. Garon38
Although it is beyond the scope of this presentation, a comprehensive informatics policy must also reach into the governmental police power What the protections will be afforded to protect privacy What access will be permitted to law enforcement for national security,
general police powers, and regulatory authority The balance between the rights of the individual and the state are
quintessentially set by normative expectations. The U.S.A. Patriot Act provides stark evidence of the willingness of
society to reduce its civil liberties in the wake of real or perceived terror
London’s cameras makes it the most heavily observed city in Europe Governments are working to integrate their existing databases. Governments have the potential to integrate surveillance information taken
in public places, voluntary disclosures, licensure data, and other records to create highly comprehensive profiles of an individual’s interests, associates and activities
Balancing the Interests of the State
01/14/10 Jon M. Garon39
End User License Agreements (The Law of the ISP) Often no meaningful choice of ISPs Often adhesion contracts Regulation may be needed to assure public interest in
agreements that are increasingly like those with common carriers
Protecting Data in the Clouds Cloud computing puts information in massive server farms
rented to companies by Google, Amazon, etc. Risk of data security issues if one customer exceeds authority
to attack or attempt to obtain other customer data Presently unclear what standards of care are legally
enforceable against the hosts
Balancing the Interests of the Bailee
01/14/10 Jon M. Garon40
Issues of data de-identification and behavioral advertising that targets individuals
FTC Guidelines must become federal law, not merely best practices
New laws must reach any storage of content from the use of targeting individuals
New law may be needed to protect PII from deep web searching Control: Allowing deep web searching should require
same notice and opt-in consent as disclosure by site operator Fiduciary Duties: Content repositories should have fiduciary
obligations to assure that private data is protect from third party use in a manner consistent with the site’s own obligations and rules for third party usage
Balancing the Interests of the Bailee
01/14/10 Jon M. Garon41
FTC Behavioral Advertising Principles(Voluntary Guidelines February 12, 2009)
1. Transparency and Consumer ControlEvery website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the
site for use in providing advertising about products and services tailored to individual consumers’ interests, and
(2) consumers can choose whether or not to have their information collected for such purpose.
2. Reasonable Security, and Limited Data Retention, for Consumer Data Any company that collects and/or stores consumer data for
behavioral advertising should provide reasonable security for that data.
Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
FTC Behavioral Advertising Principles(Voluntary Guidelines February 12, 2009)
3. Affirmative Express Consent for Material Changes to Existing Privacy PromisesAs the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes [so] before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affectedconsumers.
4. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral AdvertisingCompanies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.
New laws need not break new ground New laws may be modeled after COPPA requirements that website
operators obtain verifiable consent regarding information sharing and allow distribution only with express consent. See 16 C.F.R. §312.4
A European model would be preferable to voluntary guidelines, but it is unlikely to create affirmative fiduciary duties from deep web searching or cross-referencing RFID data – new laws needed in all jurisdictions
Recognize that DRM need not be proprietary and lack of interoperability should be presumptively anti-competitive
All governmental use of PII must meet same opt-in requirements or be accessed only after meeting applicable standards Phishing for criminals and profiling should be restricted Honey traps must be narrowly built to avoid entrapment
Harnessing the research for good Data trends will be increasingly important in product design
and politics Essential for affinity relationships and subjectively relevant
products Outline of data tracking policy
Release data to researchers in truly de-identified form. Review data size to assure no re-identification practical Combinations of non-personal data may be sufficient to reveal
identity Establish Institutional Review Boards or the equivalent so that
good practices are followed All human subject research affects autonomy and dignity even if
done using de-identified data. Most research is beneficial, but the step of review should always be done
Utilize researcher agreements, providing some contractual protections against misuse of the data
Limit the retention of data, particularly data in its identified form
Digital information beyond the box
Owner of the database regarding sale of the product protected The data in the sales information The information about who purchased Payment information
Protection of techniques to keep the database safe No decrypting the data No selling/trafficking a device that can eliminate the
encryption or digital rights management No selling/trafficking a device that changes how the data
can be read (e.g. change it from read-only to copyable)
International Law Congress 2010 Ankara Bar Association
Thank you
Jon M. GaronProfessor of Law
Regulating Data: The Implications of Informatics
on International Law