Tuesday, February 16, 2016

New ACLU Guide: Tips for Tech Companies on Protecting User Privacy and Free Speech in 2016

This third edition addresses new challenges facing businesses today and shows how to avoid missteps while building privacy and free speech into products and company culture. The lessons include:

Respect your data. Avoid Magna Carta-level mistakes by collecting only the data you need for your product and making sure that your algorithms and data use protect users and avoid replicating real-world biases. 
Create a secure data ecosystem. Security isn’t just about outside threats – companies need to limit internal access to data to avoid Uber-embarrassment, incorporate encryption for data collection and storage to prevent disastrous breaches, and collaborate with security researchers to protect users.
Be transparent about practices. Clear descriptions of privacy practices are essential to avoiding PR disasters, whether the product is a music streaming service, a useful app, or a connected “Internet of Things” device.
Encourage speech by empowering users. Companies can create cohesive communities and avoid harmful, speech-chilling harassment by creating platforms with tools that empower users, account policies that respect user identities, and narrow rules focused on bad behavior rather than content censorship.
Fight for your users. Companies that support user privacy and speech protections routinely receive praise, while those that seek to limit how products are used or that fold to legal demands lose the trust of users and public alike. 

By Nicole A. Ozer
read full article at ACLU

EU’s ‘Right to Be Forgotten’ policy sets bad precedent for free expression

Last week’s announcement that Google will begin suppressing links to URLs not only for searches on EU country-level domains, but also for searches conducted from within EU countries, is bad news, write Jens-Henrik Jeppesen and Emma Llansó.

Jens-Henrik Jeppesen is director for European affairs and Emma Llansó is director for the Free Expression Project at the Center for Democracy and Technology.

The move is the latest development in the debate over the “right to be forgotten”. In 2014, the Court of Justice of the European Union found that under the data protection directive, people in the EU have a right to demand that search engines de-list URLs linking to information that is “inadequate, irrelevant or no longer relevant, or excessive.”

We are sympathetic to people distressed by information about them in the public domain, we understand the desire to suppress such information in certain contexts, and we support targeted and proportionate policies to protect individuals’ right to privacy.

But our overriding concern with the Google Spain v AEPD Mario Costeja Gonzales ruling that triggered the right to be forgotten is that it enables broad restriction of access to lawful, public information, inevitably curbing free expression. 

By Emma Llansó, Jens-Henrik Jeppesen
read full article at EurActiv

Article 29 Working Party lays out GDPR action plan

Last week, in a highly anticipated presser, the Article 29 Working Party shared its preliminary assessment of the proposed EU-U.S. Privacy Shield agreement. Lost amidst this anticipation, however, was an equally significant announcement from the regulatory collective’s head, Isabelle Falque-Pierrotin, regarding the group’s action plan for the implementation of the General Data Protection Regulation.

While the mandatory DPO doesn't come into force until 2019 at the earliest, and mechanisms like the European Data Protection Board and the one-stop shop won't be operational until 2018, look for guidance to be released on what those efforts will look like, along with guidance for controllers and processors on high-risk assessments and the operationalizing of data portability, before the end of the year. 

by Jedidiah Bracy, CIPP/E, CIPP/US
read full article at IAPP

‘I have nothing to hide’ is killing the privacy argument

The newfound interest in privacy is similar to previous debates on the same topic. What causes outrage today is quelled tomorrow and then ultimately forgotten until something else stirs the waters.

In the 2000s we had Echelon and Carnivore, two covert programs used by government agencies to monitor communications.

Later, we had Julian Assange and Wikileaks helping to further the fight by bringing attention to similar programs.

More recently, it was Edward Snowden detailing the newest incarnations of government spy tools known as XKeyscore and PRISM.

Today, we have GCHQ fanning the flames, the NSA continuing its spying programs (only this time, with transparency) and politicians waxing poetic about the dangers of this newfound tool that facilitates terrorism, encryption. 

by Bryan Clark
read full article at The Next Web

The Business Implications of the EU-U.S. “Privacy Shield”

Last week, the U.S. and EU announced a tentative agreement to allow U.S. companies to continue sending and receiving personal information about EU residents across EU borders — everything from an online employee directory for a multinational company to a Facebook profile stored in the cloud.

An earlier agreement, known as the Safe Harbor Privacy Principles, which went back 15 years and was relied on by some 4,000 companies, was declared illegal last year based on concerns, highlighted by the Edward Snowden disclosures, that compliance with surveillance requests from U.S. government agencies, notably the NSA, may have put U.S. companies into conflict with the EU’s broadly written privacy directives. 

by Larry Downes
read full article at Harvard Business Review

ISPs want “flexible” privacy rules that let them “innovate” with customer data

Broadband industry lobby groups urged the Federal Communications Commission on Thursday not to impose privacy rules that dictate "specific methods" of protecting customer data, since that would prevent "rapid innovation."

ISPs should have "flexibility" in how they protect customers' privacy and security, said the letter from the American Cable Association, Competitive Carriers Association, Consumer Technology Association, CTIA, the Internet Commerce Coalition, the National Cable & Telecommunications Association, and USTelecom. Together, these groups represent the biggest home Internet service providers and wireless carriers such as Comcast, AT&T, Verizon, Time Warner Cable, Charter, Sprint, T-Mobile, and many smaller ones. 

by Jon Brodkin
read full article at The Register

FCC poised to flex new privacy powers

Before the net neutrality ruling, the Federal Trade Commission policed privacy at both Internet service providers and online companies like Google and Facebook, using the same standards.

“Well, I think essentially, the key point is that consumers have certain expectations as to how their private information will be treated,” said Lynn Follansbee, a vice president for law and policy at USTelecom, which represents broadband providers.

“And we just take a position that no matter, across the whole Internet ecosystem, no matter what kind of technology is involved, consumers shouldn’t be surprised."

The privacy fight stems from the net neutrality rules approved in a party-line vote by the FCC a year ago.

The commission treated Internet service providers like traditional phone service to apply new rules requiring all Web traffic to be handled in the same way. That left the FCC in the difficult spot of applying privacy regulations for phone companies to broadband providers. Those rules protected information on whom a customer called and when, for example.

But applying those regulations directly to new technology would have been a tall order for the agency. The commission decided last year to instead create new regulations exclusively for broadband service.

By David McCabe
read full article at TheHill

Instagram’s multi-account feature has a privacy bug on Android

Users welcomed Instagram’s new multi-account feature earlier this month but it seems that there are some teething problems.

Some people using Android phones have reported that they are receiving private notifications and DMs intended for the other people who have mutual access to an account. 

by Amanda Connolly
read full article at TheNextWeb

8 Ways To Secure Data During US-EU Privacy Fight

The EU-US Safe Harbor that governed the flow of data between the US and European Commission countries is dead, and there's no formal framework text to replace it yet. The result is a lot of legal uncertainty for many organizations when it comes to transatlantic transfers of data. It may be weeks or months before the dust settles. What do enterprises need to know now?

First, some background. On October 6, 2015, the European Court of Justice invalidated the EU-US Safe Harbor framework in the Maximilian Schrems v Data Protection Commissioner case. A couple of weeks later, the Article 29 Working Party issued a statement about the practical effects of the ruling. The group urged businesses to proceed very carefully. Then on February 2, 2016, the European Commission (EU) announced it and the US had agreed on a new framework for transatlantic data flows called the EU-US Privacy Shield, but because no text is yet available, the framework cannot be interpreted. 

by Lisa Morgan
read full article at InformationWeek

How the new EU privacy regulations will help consumers

I’ve recently asked hundreds of people whether they knowingly allow their smartphones to be tracked and mined for data on their movements, and only two have so far said yes.

Even a recent meeting of 25 data scientists from the UK Geospatial Institute found only one person who knew about this. This small finding highlights how unaware most people are that their location privacy is being intruded upon by big tech companies every moment of every day. 

By Gary Flood
read full article at ITproportal

Justice Scalia: Underappreciated Fourth Amendment Defender

In addition to his many judicial bona fides, Justice Antonin Scalia was an underappreciated defender of the Fourth Amendment. With his typical thoroughness and deep textualism that reshaped American judging, the late conservative icon threw out convictions of individuals who were arrested as a result of unconstitutional violations. In Kyllo v. United States (2001), police illegally took thermal images of a man’s home to find a marijuana grow operation. In United States v. Jones (2012), a man had his Jeep tracked with GPS devices without a warrant, leading to a drug trafficking conviction. And in Florida v. Jardines (2013), police brought a drug dog onto a man’s porch to indicate drug activity inside, again, a marijuana grow operation. To Justice Scalia, the sanctity of a person’s home and property—beyond the “reasonable expectation of privacy” standard that dominates Fourth Amendment jurisprudence—was to be held above the governmental interests in fighting crime.

In Kyllo, Scalia wrote for a divided 5-4 majority that included Justices Clarence Thomas, Ruth Bader Ginsburg, David Souter, and Stephen Breyer: “The Fourth Amendment’s protection of the home has never been tied to the measurement of the quality or quantity of information obtained….In the home, our cases show, all details are intimate details, because the entire area is held safe from prying government eyes.” In Jardines, another non-traditional 5-4 split in which he was joined by Justices Thomas, Ginsburg, Sonia Sotomayor, and Elena Kagan, Scalia affirmed this dedication to the home, writing “[W]hen it comes to the Fourth Amendment, the home is first among equals.” 

By Jonathan Blanks
read full article at CatoInstitute

Solving disputes online: New platform for consumers and traders

The Online Dispute Resolution (ODR) platform offers a single point of entry that allows EU consumers and traders to settle their disputes for both domestic and cross-border online purchases. This is done by channelling the disputes to national Alternative Dispute Resolution (ADR) bodies that are connected to the platform and have been selected by the Member States according to quality criteria and notified to the Commission.

Key features of the platform:
The platform is user-friendly and accessible on all types of devices. Consumers can fill out the complaint form on the platform in three simple steps.
The platform offers users the possibility to conduct the entire resolution procedure online.
The platform is multilingual. A translation service is available on the platform to assist disputes involving parties based in different European countries. 

read full article at EuropeanCommission

Thursday, February 4, 2016

EU privacy rules may hit Internet giants hard

U.S. Secretary of Commerce Penny Pritzker assured attendees at the World Economic Forum in Davos, Switzerland, last week that the two sides were working hard on a comprehensive agreement, but she conceded that stumbling blocks remained over mass surveillance by U.S. security agencies and the right of European citizens to review their personal information.

Without a new deal, U.S. Internet companies could be forced to keep European customer data separate, adding complexity to their already far-flung operations and raising their costs. This week Facebook announced it was setting up its second data center in Europe, possibly positioning itself in case it needed to segregate European customer data. In addition, the French newspaper Le Monde reported Thursday that Google was also taking steps to allow European citizens to delete their information, meeting an EU demand that consumers be given a right to be "forgotten."

Talks have been under way for two years to revise the 15-year-old Safe Harbor Agreement, which gave U.S. companies blanket legal protection to transfer European customer information across the Atlantic. However, negotiations became more urgent last October when the European Court of Justice unexpectedly ruled that Irish authorities (where Facebook and other U.S. tech companies have European headquarters) had failed to adequately protect the privacy of European citizens. 

by Joel Dreyfuss 
read full article at CNBC 

EU Privacy Regulators Delay Possible Crackdown on Data Transfers to U.S.

European Union privacy regulators said Wednesday they will postpone a possible crackdown on trans-Atlantic transfers of personal details about Europeans until March or April, offering a temporary reprieve that still leaves thousands of companies on uncertain legal footing in Europe.

A body representing the EU’s 28 national data protection authorities said they would take time to evaluate a last-minute, data-sharing accord, agreed by the EU and the U.S. on Tuesday, to determine whether the U.S. has made binding commitments that protect the privacy of EU residents when their data is stored on servers located on U.S. soil. The regulators had previously said they would begin enforcing a landmark court ruling that invalidated a prior data-sharing framework if the EU and U.S. couldn’t arrive at a new deal.

The court had argued the prior framework exposed Europeans to mass surveillance by the U.S. government, but regulators decided Wednesday that the new agreement—dubbed Privacy Shield—meant they had to take a fresh look. 

By Sam Schechner and Natalia Drozdiak 
read full article at Wall Street Journal 

European Privacy Regulators Want Details on ‘Safe Harbor’ Data Deal

Europe’s national privacy agencies demanded more details on Wednesday about whether the European Union’s new data transfer agreement with the United States would adequately protect individuals’ personal information.

The move by the privacy regulators, which represent individual countries within the 28-nation European Union, indicates an unwillingness to accept the word of officials in Brussels that they can adequately safeguard citizens’ personal data.

The group asked the European Commission, the executive arm of the European Union, to provide a fuller explanation of how safeguards would work and to explain how Europeans could seek legal redress in the United States if they believed their data was misused. 

By Mark Scott 
read full article at NY Times 

EU-US Data Transfers Won’t Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29

A mote of certainty for US businesses that export EU data for processing and are wondering whether or not they are in compliance with EU law right now, given the legal quagmire of EU-US data protection relations. The Article 29 Working Party, the body made up of representatives of individual European Member States’ data protection authorities (DPAs), has said today that it will not be taking enforcement action against companies that are using alternative transfer mechanisms in the wake of last year’s Safe Harbor strikedown.

The European Court of Justice invalidated Safe Harbor last October, following a legal challenge brought by European privacy campaigner Max Schrems, but the European Commission pointed companies to alternative transfer mechanisms they could use in the interim, such as standard contractual clauses and model contracts.

The WP29 has been assessing these mechanisms for the past few months, and said today that it does have concerns about their legality, in light of US government agencies’ access to European citizens’ data for surveillance purposes. However it is suspending these concerns temporarily while it waits to see details of the new data transfer deal, the EU-US Privacy Shield, announced yesterday by the European Commission. 

by Natasha Lomas
read full article at Tech Crunch

The new transatlantic data “Privacy Shield”

THE EUROPEAN Union and America have reached a deal on data protection. The “EU-US Privacy Shield” allows companies to store Europeans’ personal data on American computers. This ends a three-month hiatus since the European Court of Justice struck down the previous agreement, “Safe Harbour”, on the grounds that it gave insufficient protection against snooping by American spy agencies. Failure to reach a deal could have sparked a damaging legal spat, in which some European national data protection agencies could have ruled illegal all transfers of data across the Atlantic.

A transatlantic gulf separates ideas about data privacy: EU law sees it as a cherished human right; in America, it is more about consumer protection. Moreover, America’s National Security Agency (NSA)—the biggest and most powerful electronic-intelligence agency in the world—sparks fears in Europe of untrammelled snooping. The EU has no intelligence agencies of its own—so the tradeoffs between security and privacy which exist at national levels (where spymasters cooperate gladly and gratefully with the NSA) are invisible. Caught in the middle are the internet and technology companies: big ones could set up Europe-only data centres; small ones might find that doing business across the Atlantic was just too much trouble. 

read full article at The Economist

New privacy notices code 'developed with compliance with the General Data Protection Regulation in mind', says ICO

The UK's data protection watchdog has proposed updates to its privacy notices code of practice which it said accounts for the near-finalised new EU General Data Protection Regulation (GDPR).

03 Feb 2016

In its draft new privacy notices code of practice, the Information Commissioner's Office (ICO) advocates that companies use a "blended approach" to informing consumers about how they intend to use their personal data.

The ICO said that to meet obligations set out under data protection laws on the fair processing of personal data businesses should only use data "in a way that people would reasonably expect" and after thinking about the impact such data use would have on those individuals. In addition, businesses must ensure "people know how their information will be used". 

read full article at Out Law

Goodbye Safe Harbour, hello Privacy Shield – but what does that really mean for your data?

Privacy Shield, rebranded to prevent any association with its predecessor, is designed to offer new safeguards around access to data by public authorities and give citizens the right to take legal action against companies using their data. It will also create an independent ombudsperson role and have an annual review procedure.

The commissioner said in a press conference today that this will take just three months to implement. She also made assurances that the rules would still be suitable when new data protection regulations come into force in 2018.

Although this appears to offer some guarantee for big tech companies like Facebook, Amazon and Google that they will still be able to move data freely and therefore not have to increase costs to the public, it still has political hurdles to clear first. 

by Kirsty Styles
read full article at The Next Web

Looks Like Data Will Keep Flowing From the EU to the U.S. After All

The European Union and United States have struck a last-minute deal on keeping transatlantic data flowing — and it should mean tough new obligations for both American companies and intelligence services.

This really went down to the wire: An end-of-January deadline for agreeing on the successor to the struck-down Safe Harbor agreement passed with no deal, and EU privacy regulators are meeting today and tomorrow to discuss their crackdown on companies that are sending EU citizens’ data to the U.S. without legal backup. 

by David Meyer
read full article at Fortune

EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield

Strasbourg, 2 February 2016

The College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement. This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses. 

The new arrangement will include the following elements: 
Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs. 
Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it. 
Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created. 

read full article at European Commission