
Page 1: Privacy, Drones, and IoT

Privacy, Drones, and IoT

Laura Vivet Lawyer, CIPP/E/US

June 2016

Page 2: Privacy, Drones, and IoT

What is Privacy?

Page 3: Privacy, Drones, and IoT

Different Meanings & Regulations Worldwide

• Has Omnibus Data Protection Law
• Omnibus Law in Process
• No Law or Sectorial Coverage Only

Page 4: Privacy, Drones, and IoT

Privacy in the United States

1. Sectorial approach

2. “Right to be left alone”

3. Multiple definitions of personal data or sensitive data:

• Common law

• Federal and state laws

• FTC consent decrees (unfair and deceptive practices)

Page 5: Privacy, Drones, and IoT

Common Law: Kyllo v. United States

Page 6: Privacy, Drones, and IoT

Federal & State Laws

FCRA
What is covered? Applies to CRAs; limits the use of consumer reports; protects consumer reports (any information pertaining to 7 factors)
Risk: Civil/criminal penalties; damages; private right of action

COPPA
What is covered? Operators of commercial websites/online services directed to children under 13; places parents in control; PII = name, SSN, video, audio, geolocation, cookies, etc.
Risk: Civil penalties (up to $16,000 per violation); damages; reputation

GLBA
What is covered? Applies to domestic financial institutions; addresses privacy & security; NPI
Risk: Civil penalties up to $1.1M; private right of action in some states

HIPAA
What is covered? Covers health-related entities; protects health information; PHI
Risk: Civil/criminal penalties; fines up to $250,000

Page 7: Privacy, Drones, and IoT

FTC consent decrees

• Unfair acts and deceptive practices

• PII/Sensitive information: name, etc.; consumer data linked to a specific consumer, computer or device; live feeds

• RISK: Up to $100 M. Other requirements: security measures, training programs, disclosures, etc.

Page 8: Privacy, Drones, and IoT
Page 9: Privacy, Drones, and IoT

Privacy in Europe

• Comprehensive approach

• Fundamental right (Art. 8 CFR)

• Directive 95/46/EC → GDPR

• Enforcement: Independent DPA in each MS

• Other Privacy provisions: E-commerce, telecommunications, health information

• “Personal data”: Broad definition

• Applies to any entity, public or private

• Processing of PD → Anything!

• Extraterritorial scope → Applicable outside EU!

• Exceptions

• RISK: Up to €20 M or 4% total worldwide annual turnover

Page 10: Privacy, Drones, and IoT

United States ≠ Europe

In Europe everything is forbidden unless allowed.

In the United States everything is allowed unless forbidden.

Page 11: Privacy, Drones, and IoT

Privacy in Canada

• Between US and EU

• Co-regulatory framework

• “Personal data”: Broad definition

• Public Sector → Privacy Act

• Private Sector → PIPEDA (+ AL, BC, QB)

• Enforcement: Independent DPAs

• Statutory torts, anti-spam, criminal code, etc.

RISK

• 2015: Penalties $17,800

• Data breach: < $100,000

• Anti-spam: Civil/criminal < $10M

Page 12: Privacy, Drones, and IoT

Drones

Page 13: Privacy, Drones, and IoT

Drones & Privacy in the United States

Key concepts: “Reasonable expectation of privacy” and the limits of “private property”

No federal law addresses privacy

Tools:

• Common Law

• State & local regulations

• Voluntary Best Practices UAS

Page 14: Privacy, Drones, and IoT

Common Law: Causby v. United States

Page 15: Privacy, Drones, and IoT

State & Local Regulations (some examples)

California: Responds to the use of UAS by the paparazzi

Florida: Protects against surveillance activities

Arkansas: Prohibits the use of UAS to commit voyeurism

New Hampshire: Prohibits the use of UAS to conduct video surveillance of citizens who are lawfully hunting, fishing or trapping

Page 16: Privacy, Drones, and IoT

Voluntary Best Practices UAS

• NTIA Multistakeholder Process (May 18, 2016)

  • Commercial and private

  • Private industry and privacy advocates

  • Privacy and security

• US DHS Best Practices in UAS Programs (December 18, 2015)

  • DHS and local, state and federal government

  • Privacy and security

Page 17: Privacy, Drones, and IoT

Drones & Privacy by Design

Page 18: Privacy, Drones, and IoT

Drones and Privacy in the EU

GDPR
What is covered? Commercial operations; government operations (except outside scope of Union law)
Risk: Up to €20 M or 4% total worldwide annual turnover

Member States Laws
What is covered? Household activity (hobbyists); freedom of expression and information; outside scope of Union Law: public security, defense
Risk: Civil/criminal penalties; damages

Page 19: Privacy, Drones, and IoT

The Internet of Things (IoT)

Page 20: Privacy, Drones, and IoT

Internet of Things Risk

IoT creates 3 kinds of risk:

• Malfunction

• Hacking

• Privacy and security can create economic harm

Factors that shape the risk equation:

• Vulnerability

• Intent

• Consequences

Metrics to assess IoT risk:

• Value and sensitivity of the data

• Criticality of a function

• Scalability of failure

Page 21: Privacy, Drones, and IoT

Minimize Risks for the IoT

Measures

• Autonomy

• Authentication and encryption

• Differentiate important vs unimportant and define criticality

• Consider failure

• Critical systems not linked to the internet

Problems

• Limited ability to patch & update software

• Management difficulties

• Computing resources limited on IoT devices

• Cost and complexity

• Wireless

Page 22: Privacy, Drones, and IoT

Risk is dynamic: it will be greatest for the 1st generation of IoT devices

Page 23: Privacy, Drones, and IoT

Identify and minimize privacy risks

Privacy Impact Assessment

General Steps

1. Describe the project

2. Describe the information lifecycle

3. Identify privacy and related risks

4. Identify and evaluate privacy solutions

5. Integrate PIA solutions into the project plan

Page 24: Privacy, Drones, and IoT

References

Daniel Solove, “Privacy Law Fundamentals”, IAPP, 2013. https://iapp.org/news/a/iapp-books/

DLA Piper, “Data Protection Laws of the World”, June 28, 2016. https://www.dlapiperdataprotection.com/#handbook/world-map-section

Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change”, FTC Report, March 2012. https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf

European Charter of Fundamental Rights. http://www.europarl.europa.eu/charter/pdf/text_en.pdf

General Data Protection Regulation (GDPR). http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

NCSL, “Current Unmanned Aircraft State Law Landscape”. http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx

Department of Homeland Security, “Best Practices for Protecting Privacy, Civil Rights & Civil Liberties in Unmanned Aircraft Systems Programs”, online. https://www.dhs.gov/sites/default/files/publications/UAS%20Best%20Practices.pdf

NTIA, Multistakeholder Process on commercial and private UAS. https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-unmanned-aircraft-systems

James Andrew Lewis, “Managing Risk for the Internet of Things”, CSIS, February 2016. https://www.csis.org/analysis/managing-risk-internet-things

Michael Garcia, Naomi Lefkovitz, Suzanne Lightman, “Privacy Risk Management for Federal Information Systems”, NIST, May 2015. http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf

OMB Memorandum M-03-22, “Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002”. https://www.whitehouse.gov/omb/memoranda_m03-22

Government of Canada, Privacy Impact Assessment. http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18308

Art. 29 WP, Opinion 7/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp209_en.pdf

ICO, Privacy Impact Assessment Code of Practice, UK, online. https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

Page 25: Privacy, Drones, and IoT

References

Map of Israelite Camp: http://emp.byui.edu/satterfieldb/Tabernacle/TabernacleCampIsrael.html

Different meanings and regulations worldwide: https://iapp.org

FTC and TrendNet settle claim over hacked security cameras, CNET: http://www.cnet.com/news/ftc-and-trendnet-settle-claim-over-hacked-security-cameras/

Drones: http://www.suasnews.com/2014/10/drones-fly-into-south-park-episode/

Common Law, Causby v. United States: http://www.thehappychickencoop.com/a-history-of-chickens/

Drones and PbD: http://www.dezeen.com/2014/10/30/ambulance-drone-alec-momont-emergency-uav-tu-delft/

Internet of Things: http://www.computerweekly.com/news/4500260406/Top-10-internet-of-things-stories-of-2015

Risk is dynamic, it will be greatest for the first generation of IoT devices: http://blog.orbitahealth.com/bebaio/8-iot-cartoons-that-will-add-some-humor-to-your-day

Page 26: Privacy, Drones, and IoT

Thank you!

Laura Vivet | www.lauravivet.com | [email protected]