Archive for the ‘Binding Safe Processor Rules’ Category

A New ISO Standard for Cloud Computing

Posted on November 5th, 2014 by



The summer of 2014 saw another ISO Standard published by the International Standards Organisation (ISO). ISO27018:2014 is a voluntary standard governing the processing of personal data in the public cloud.

With the catchy title of “Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO27018”), it is perhaps not surprising that this long awaited standard is yet to slip off the tongue of every cloud enthusiast. European readers may have assumed references to PII meant this standard was framed firmly on the US – wrong!

What is ISO27018?

ISO27018 sets out a framework of “commonly accepted control objectives, controls and guidelines” which can be followed by any data processors processing personal data on behalf of another party in the public cloud.

ISO27018 has been crafted by ISO to have broad application, from large to small organisations and from public entity to government or non-profit.

What is it trying to achieve?

Negotiations in cloud deals which involve the processing of personal data tend to be heavily influenced by the customer’s perceptions of heightened data risk and sometimes by very real challenges to data privacy compliance. This is a hurdle for many cloud adopters as they relinquish control over data and rely on the actions of another (and sometimes those under its control) to maintain adequate safeguards. In Europe, until we see the new Regulation perhaps, a data processor has no statutory obligations when processing personal data on behalf of another. ISO27018 goes some way to impose on the processor a level of responsibility for the personal information it processes.

ISO27018’s introductory pages call out its objectives:

  • It’s a tool to help the public cloud provider to comply with applicable obligations: for example there are requirements that the public cloud provider only processes personal information in accordance with the customer’s instructions and that they should assist the customer in cases of data subject access requests;
  • It’s an enabler of transparency allowing the provider to demonstrate why their cloud services are well governed: imposing good governance obligations on the public cloud provider around its information security organisation (eg the segregation of duties) and objectives around human resource security prior to (and during employment) and encouraging programmatic awareness and training. Plus it echoes the asset management and access controls elements of other ISO standards (see below);
  • It will assist the customer and vendor in documenting contractual obligations: by addressing typical contractually imposed accountability requirements, such as data breach notification, imposing adequate confidentiality obligations on individuals who touch the data, flowing down technical and organisational measures to sub-processors and requiring the documentation of data location. This said, a well advised customer may wish to delve deeper, as this is not a full replacement for potential data controller to processor controls; and
  • It offers the public cloud customer a mechanism to exercise audit and compliance rights: with ISO27018’s potential application across disparate cloud environments, it remains to be seen whether a third party could certify compliance against some of the broader data control objectives contained in ISO27018. However, regular review and reporting and/or conformity reviews may provide a means for vendor or third party verification (potentially of more use where shared and/or virtualised server environments practically frustrate direct audit of data, systems and data governance practice by the customer).

ISO27018 goes some way towards delivering these safeguards. It is also a useful tool for a customer to evaluate the cloud services and data handling practices of a potential supplier. But it’s not simple and it’s not a substitute for imposing compliance and control via contract.

A responsible framework for public cloud processors

Privacy laws around the world prescribe nuanced, and sometimes no, obligations upon those who determine the manner in which personal information is used. Though ISO27018 is not specifically aimed at the challenges posed by European data protection laws, or any other jurisdiction for that matter, it is flexible enough to accommodate many of the inevitable variances. It cannot fit all current rules and may not fit future ones. However, in building in this flexibility, it loses some of its potential bite to generality.

Typically entities adopting ISO27001 (Information security management) are seeking to protect their own data assets, but it is increasingly a benchmark standard for data management and handling among cloud vendors. ISO27018 builds upon ISO27002 (Information technology – Security techniques – Code of practice for information security controls), reflecting its controls but adapting these for public cloud by mapping back to ISO27002 obligations where they remain relevant and supplementing these controls where necessary by prescribing additional controls for public cloud service provision (as set out separately in Annex A to ISO27018). As you may therefore expect, ISO27018 explicitly anticipates that a personal information controller would be subject to wider obligations than those specified and aimed at processors.

Adopting ISO27018

Acknowledging that the standard cannot be all-encompassing, and that the flavours of cloud are wide and varied, ISO27018 calls for an assessment to be made across applicable personal information “protection requirements”. ISO27018 calls for the organisation to:

  • Assess the legal, statutory, regulatory and contractual obligations of itself and its partners (noting particularly that some of these may mandate particular controls (for example preserving the need for written contractual obligations in relation to data security under the 7th Principle of Directive 95/46/EC));
  • Complete a risk assessment across its business strategy and information risk profile; and
  • Factor in corporate policies (which may, at times, go further than the law for reasons of principle, global conformity or because of third party influences).

What ISO27018 should help with

ISO27018 offers a reference point for controllers who wish to adopt cloud solutions run by third party providers. It is a cloud computing information security control framework which may form part of a wider contractual commitment to protect and secure personal information.

As we briefly explained in an earlier post in our tech blog, the European Union has also spelled out its desire to promote uniform standard setting in cloud computing. ISO27018 could satisfy the need for a broadly applicable, auditable data management framework for public cloud provision. But it’s not EU specific and lacks some of the rigour an EU based customer may seek.

What ISO27018 won’t help with

ISO27018 is not an exhaustive framework. There are a few obvious flaws:

  • It’s been designed for use in conjunction with the information security controls and objectives set out in ISO27002 and ISO27001 which provide general information security frameworks. This is a high threshold for small or emerging providers (many of which do not meet all these controls or certify to these standards today). So more accessible for large enterprise providers but something to weigh up – the more controls there are the more ways there are to slip up;
  • While it may be used as a benchmark for security, coupled with contractual commitments to meet and maintain selected elements of ISO27018, it won’t be relevant to all cloud solutions and compliance situations (though some will use it as if it were);
  • It perpetuates the use of the PII moniker which, already holding a specific US legal connotation (i.e. narrower application), is now used in a more widely defined context under ISO27018 (in fact PII under ISO27018 is closer to the definition of personal data under EU Directive 95/46/EC). This could confuse the stakeholders in multi-national deals, and the corresponding use of PII in the full title of ISO27018 potentially misleads around the standard’s potential applicability and use cases;
  • ISO27018 is of no use in situations where the cloud provider is (or assumes the role of) data controller, and it assumes all data in the cloud is personal data (so watch this space for ISO27017 (coming soon) which will apply to any data (personal or otherwise)); and
  • For EU based data controllers, other than constructing certain security controls, ISO27018 is not a mechanism or alternative route to legitimise international data transfers outside of the European Economic Area. Additional controls will have to be implemented to ensure such data enjoys adequate protection.

What now?

ISO27018 is a voluntary standard and not law, and it won’t entirely replace the need for specific contractual obligations around processing, accessing and transferring personal data. In a way its ultimate success can be gauged by the extent of eventual adoption. It will be used to differentiate, but it will not always answer all the questions a well-informed cloud adopter should be asking.

It may be used in whole or in part and may be asserted and used alongside or as a part of contractual obligations, information handling best practice or simply a benchmark which a business will work towards. Inevitably there will be those who treat the Standard as if it is the law without thought about what they are seeking to protect against and what potential wrongs they are seeking to right. If so, they will not reap the value of this kind of framework.


Challenges in global data residency laws – and how to solve them

Posted on September 13th, 2014 by



Whoever would have thought that, in a world where it seems nearly everything is connected, we would still have laws requiring that data be held within specific territories or regions?  Yet it seems that as more and more data moves online, is stored in the cloud, and gets transmitted all around the world and back in the blink of an eye, governments become ever more determined to introduce territorial restrictions limiting the movement of data.

The best known example of this is the EU’s Data Protection Directive which forbids movement of personal data outside of Europe to territories that do not provide “adequate” data protection – or, in layman’s speak, territories that the EU doesn’t consider to be safe.  This rule can be dated back to a technological world where data sat in a single database on a single server, and legislators sought to guard against businesses moving data outside of the EU in an attempt to circumvent European data protection laws.  Against that backdrop, it was a very sensible rule to introduce.  20 years on from its adoption, it now starts to look a little long in the tooth.

The problem is that legislative and regulatory thinking hasn’t advanced a great deal in that time.  Within those communities, there’s still a perception that data can, somehow, be kept within a single territory or region and not accessed or transmitted beyond those boundaries – or that, if it must, then implementing a standard form data protection agreement (so-called “model clauses”) between the ‘data exporter’ and the ‘data importer’ somehow solves the problem.

But here’s the thing: it doesn’t.  Denying that international data movements are an integral and necessary part of the global data economy is like denying that the earth moves round the sun.  Spend any time dealing with cloud vendors, or social media platforms, or interest based advertising providers, and you’ll quickly learn that data gets stored in multiple geographic locations, often through chains of different subcontractors, and tens, hundreds and perhaps even thousands of different databases.  With that knowledge, legislating that data should be kept in-territory or in-region is at best pointless.  At worst, it’s economically disastrous.

More than that, thinking that a ‘one size fits all’ set of model clause terms will somehow prove relevant across the multiplicity of different online business models that exist out there – or (and let’s be honest) that businesses executing those terms can and will actually comply with them – is nothing but a bad case of denial.

But despite this, these so-called ‘data residency’ laws only seem to be growing in favour – inevitably spurred in part through post-Snowden mistrust of other countries’ data protection regimes and in part through misguided economic self-interest. Besides the 31 countries in the European Economic Area that have adopted data residency requirements, other countries including Israel, Russia, Switzerland and South Africa (in EMEA), Argentina, Canada, Mexico and Uruguay (in the Americas), and Australia, India, Malaysia, Singapore and South Korea (in APAC) all have their own data residency rules.

The great irony here is that these rules will not prevent international movements of data.  They won’t even hamper them to the slightest degree.  Data will move beyond boundaries just as it always has, only at an ever quicker and more voluminous rate.  All of which begs the question: if data residency rules are to have this head on collision with increasingly globalised use of data, what can businesses do to comply?

For any large multinational organisation, there really is only one solution: Binding Corporate Rules. Model clauses contain too many stiff and unworkable provisions that any commercial organisation would be very hesitant to sign – and, once the business reaches any sort of global scale, the prospect of regularly signing exponential numbers of model clauses quickly becomes very unattractive indeed. Safe harbor is a fine solution, but only for transfers of data from Europe and Switzerland to the US and, with the future of safe harbor currently in doubt, it doesn’t offer the longevity on which to build a robust compliance platform.

So that leaves Binding Corporate Rules, which are specifically designed for large multinationals moving large volumes of data and for whom safe harbor and model clauses are not options. More than that, Binding Corporate Rules have a regulatory recognition that extends beyond Europe – being expressly recognised in many non-EU countries as a valid solution for overcoming strict national data residency rules (Canada, Israel, South Africa, Singapore and Switzerland all being good examples). And even in territories where Binding Corporate Rules don’t have express regulatory recognition, they’re at least generally tolerated as compliant with local data export regimes.

In the current political climate, it’s highly unlikely that data residency rules will relax in the short- to mid-term.  At the same time, data protection rules are only set to get stricter and carry greater risk (interesting fact: in 2011 there were 76 countries with data protection laws; by 2013 there were 101; and there are currently another 24 countries with new incoming privacy laws). Businesses with any kind of global footprint need to prepare for this and build out their data governance programs accordingly, with Binding Corporate Rules offering the most widely recognised and future-proofed solution.

Processor BCR have a bright future

Posted on July 8th, 2014 by



Last month, the Article 29 Working Party sent a letter to the President of the European Parliament about the future of Binding Corporate Rules for processors (BCR-P) in the context of the EU’s ongoing data privacy legislative reform.

The letter illustrates the clear support that BCR-P have – and will continue to have – from the Working Party.  Whilst perhaps not surprising, given that the Working Party originally “invented” BCR-P in 2012 (having initially invented controller BCR way back in 2003), the letter affirms the importance of BCR-P in today’s global data economy.

“Currently, BCR-P offer a high level of protection for the international transfers of personal data to processors” writes Isabelle Falque-Pierrotin, Chair of the Working Party, before adding that they are “an optimal solution to promote the European principles of personal data abroad.” (emphasis added)

As if that weren’t enough, the letter also issues a thinly-veiled warning to the European Parliament, which has previously expressed skepticism about BCR-P: “denying the possibility for BCR-P will limit the choice of organisations to use model clauses or to apply the Safe Harbor if possible, which do not contain such accountability mechanisms to ensure compliance as it is provided for in BCR-P.”

The Working Party’s letter notes that 3 companies have so far achieved BCR-P (and we successfully acted on one of those – see here) with a further 10 applications on the go (and, yes, we’re acting on a few of those too).

Taking the helicopter view, the Working Party’s letter is representative of a growing trend for global organizations to seek BCR approval in preference over other data export solutions: back in 2012, just 19 organizations had secured controller BCR approval; two years later, and today that figure stands at 53 (both controller and processor BCR).

There are several reasons why this is the case:

1.  BCR are getting express legislative recognition:  The Commission’s draft General Data Protection Regulation expressly acknowledges the validity of BCR, including BCR-P, as a valid legal solution to EU’s strict data export rules.  To date, BCR have had only regulatory recognition, and then not consistently across all Member States, casting a slight shadow over their longer term future.  Express legislative recognition ensures the future of BCR – they’re here to stay.

2.  Safe harbor is under increasing strain:  The ongoing US/EU safe harbor reform discussions, while inching towards a slow conclusion, have arguably stained its reputation irreparably.  US service providers that rely on safe harbor to export customer data to the US (and sometimes beyond) find themselves stuck in deal negotiations with customers who refuse to contract with them unless they implement a different data export solution.  Faced with the prospect of endless model clauses or a one-off BCR-P approval, many opt for BCR-P.

3.  BCRs have entered the customer lexicon:  If you’d said the letters “B C R” even a couple of years ago, then outside of the privacy community only a handful of well-educated organizations would have known what you were talking about.  Today, customers are much better informed about BCR and increasingly view BCR as a form of trust mark (which, of course, they are), encouraging the service sector to adopt BCR-P as a competitive measure.

4.  BCRs are simpler than ever before:  Gone are the days when a BCR application took 4 years and involved traveling all over Europe to visit data protection authorities.  Today, a well-planned and executed BCR application can be achieved in a period of 12 – 18 months, all managed through a single lead data protection authority.  The simplification of the BCR approval process has been instrumental in increasing BCR adoption.

So if you’re weighing up the pros and cons of BCR against other data export solutions, then deliberate no longer: BCR, and especially BCR-P, will only grow in importance as the EU’s data export regime gets ever tougher.


Legislative realism needed

Posted on November 25th, 2013 by



One thing that is clear in the context of the ongoing EU data protection reform is that speculation is rife. Everyone seems to have a view on what will happen. Most people seem to think that the chances of agreeing a new framework before the end of the current Parliament in April 2014 are pretty much nil. A few others are more hopeful and believe that the political will of those involved and the relentless enthusiasm of the European Commission may just be powerful enough to achieve a little miracle. At a more granular level, speculation about the future of Safe Harbor or BCR for processors, and about the outcome of the interlinked debates on the concept of personal data, consent, legitimate interests, profiling, one-stop-shop and a hundred other micro-issues is only creating more questions than answers.

So whilst we wait for the Council of the EU to make its move and give us a clearer idea of how big the gap may be between its own position and those of the Commission and the Parliament, it is perhaps time to take stock of where we are at the moment. The legislative process has progressed at a steady pace since the European Commission revealed its blueprint for a new framework in November 2010 – it seems like a decade ago in ‘Internet time’! But the reality is that the drafts we have on the table today still follow relatively closely the Commission’s vision of three years ago: an ambitious, harmonised regime with strong rights and tight data protection standards. Whether we like it or not, and in the absence of some really catchy radical thinking, the resulting legal framework – whenever it happens, in 5 months or 15 months – will most likely follow this pattern.

Since a radical new approach is unlikely to steal the show at this stage, here are some suggestions for some modest tweaks to the current drafts that might contribute to make the forthcoming regime a bit more realistic and workable:

Personal data – It is quite outrageous that we are still trying to figure out whether someone’s name is personal data, as the UK courts are currently doing. If we cannot nail that one down, how are we ever going to decide whether the knowledge derived from the fact that one can turn on a toaster with an iPhone is personal data? Let’s therefore define personal data by reference to the impact that information about someone may have on that individual.

Consent – There is no point in playing around with the definition. Irrespective of whether we leave the word ‘explicit’ in it or not, everybody is going to interpret it in whichever way they want. Let’s focus instead on accepting that the role of consent as the essence of privacy is massively overrated. We as individuals simply cannot control every possible use of our information. Therefore, consent should have a limited role as a ground for processing, and be reserved for uses of data where the level of intrusion is potentially high and we may actually have a meaningful degree of control. Very few cases indeed.

International data transfers – Until now, UK controllers have been privileged enough to operate under a regime which effectively allows them to carry out a risk-based assessment of the appropriate measures to protect data internationally. Whilst this may have been possible under the Directive, no matter how hard the UK Government may try to preserve this approach, it is unlikely to continue to be an option under the Regulation – particularly in the current post-Snowden climate. A more palatable alternative across Member States would be to allow data flows on the basis of agreements between parties within and outside the EU but without the need for specific authorisation by national regulators. Hardly an earth shattering move, but one that would help minimise useless paperwork.

One-stop-shop – This is one of the most promising features of the forthcoming law and possibly the flagship of the Commission’s proposals for a harmonised regime. Unfortunately and due to unhelpful political rivalries, we seem to have got ourselves into a mess of shared competences between national regulators – both individually and collectively. Isn’t it time to be brave and accept the leadership of an exclusively competent regulator who will at the same time endeavour to cooperate with their European counterparts? If so, let’s make it happen and also apply this concept to cases where the data controllership is outside Europe.

Some will see these suggestions as idealistic and some will see them as biased. In fact, they are simply meant to be effective.

This article was first published in Data Protection Law & Policy in November 2013.

The conflicting realities of data globalisation

Posted on June 17th, 2013 by



The current data globalisation phenomenon is largely due to the close integration of borderless communications with our everyday comings and goings. Global communications are so embedded in the way we go about our lives that we are hardly aware of how far our data is travelling every second that goes by. But data is always on the move and we don’t even need to leave home to be contributing to this. Ordinary technology right at our fingertips is doing the job for us, leaving behind an international trail of data – some more public than others.

The Internet is global by definition. Or more accurately, by design. The original idea behind the Internet was to rely on geographically dispersed computers to transmit packets of information that would be correctly assembled at destination. That concept developed very quickly into a borderless network and today we take it for granted that the Internet is unequivocally global. This effect has been maximised by our ability to communicate whilst on the move. Mobile communications have penetrated our lives at an even greater speed and in a more significant way than the Internet itself.

This trend has led visionaries like Google’s Eric Schmidt to affirm that, thanks to mobile technology, the number of digitally connected people will more than triple – going from the current 2 billion to 7 billion people – very soon. That is more than three times the amount of data generated today. Similarly, the global leader in professional networking, LinkedIn, which has just celebrated its 10th anniversary, is banking on mobile communications as one of the pillars for achieving its mission of connecting the world’s professionals.

As a result, everyone is global – every business, every consumer and every citizen. One of the realities of this situation has been exposed by the recent PRISM revelations, which highlight very clearly the global availability of digital communications data. Perversely, the news about the NSA programme is set to have a direct impact on the current and forthcoming legislative restrictions on international data flows, which is precisely one of the factors disrupting the globalisation of data. In fact, PRISM is already being referred to as a key justification for a tight EU data protection framework and strong jurisdictional limitations on data exports, no matter how nonsensical those limitations may otherwise be.

The public policy and regulatory consequences of the PRISM affair for international data flows are pretty predictable. Future ‘adequacy findings’ by the European Commission as well as Safe Harbor will be negatively affected. We can assume that if the European Commission decides to have a go at seeking a re-negotiation of Safe Harbor, this will be cited as a justification. Things will not end there. Both contractual safeguards and binding corporate rules will be expected to address possible conflicts of law involving data requests for law enforcement or national security reasons in a way that no blanket disclosures are allowed. And of course, the derogations from the prohibition on international data transfers will be narrowly interpreted, particularly when they refer to transfers that are necessary on grounds of public interest.

The conflicting realities of data globalisation could not be more striking. On the one hand, every day practice shows that data is geographically neutral and simply flows across global networks to make itself available to those with access to it. On the other, it is going to take a fair amount of convincing to show that any restrictions on international data flows should be both measured and realistic. To address these conflicting realities we must therefore acknowledge the global nature of the web and Internet communications, the borderless fluidity of the mobile ecosystem and our human ability to embrace the most ambitious innovations and make them ordinary. So since we cannot stop the technological evolution of our time and the increasing value of data, perhaps it is time to accept that regulating data flows should not be about putting up barriers but about applying globally recognised safeguards.

This article was first published in Data Protection Law & Policy in June 2013.

BCR for processors get EU regulators’ vital endorsement

Posted on May 1st, 2013 by



The fact that with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19 page explanatory document to clarifying and endorsing the role of BCR for Processors or “Binding Safe Processor Rules” is very telling. It is nearly 10 years since BCR was conceived and whilst the approval process is not precisely a walk in the park, much has been achieved in terms of its status, simplification and even international recognition. However, the idea of applying the same approach to an international group of vendors or to cloud service providers is still quite novel.

The prospect of the forthcoming EU data protection framework specifically recognising both flavours of BCR is obviously encouraging but right now, the support provided by the Working Party is invaluable. The benefits of BSPR are well documented – easier contractual arrangements for customers and suppliers, one stop shop in terms of data transfers compliance for cloud customers, no need for cumbersome model clauses… It sounds like a much needed panacea to overcome the tough EU restrictions on international data transfers affecting global outsourcing and data processing operations. But as in the early days of the traditional BCR, potential suitors need to know that the idea is workable and regulators will value the efforts made to achieve safe processor status.

Those who were already familiar with the previous opinions by the Working Party on BSPR – in particular WP195 – will not find the content of the new opinion particularly surprising. However, there are very useful and reassuring pointers in there, as highlighted by the following key statements and clarifications:

*    The outsourcing industry has been constant in its request for a new legal instrument that would allow for a global approach to data protection in the outsourcing business and officially recognise internal rules organisations may have implemented.

*    That kind of legal instrument would provide an efficient way to frame massive transfers made by a processor to subprocessors which are part of the same organisation, acting on behalf and under the instructions of a controller.

*    BCR for processors should be understood as adequate safeguards provided by the processor to the controller allowing the latter to comply with applicable EU data protection law.

*    However, BCR for processors do not aim to shift controllers’ duties to processors.

*    A processor’s organisation that has implemented BCR for processors will not need to sign contracts to frame transfers with each of the sub-processors that are part of its organisation, as BCR for processors adduce safeguards to data transferred and processed on behalf and under the instructions of a controller.

*    BCR for processors already “approved” at EU level will be referred to by the controller as the appropriate safeguards proposed for the international transfers.

*    Updates to the BCR for processors or to the list of the members of the BCR are possible without having to re-apply before the data protection authorities.

So in summary, and despite the detailed requirements that must be met, the overall approach of the Working Party is very “can do” and pragmatic. To finish things off in a collaborative manner, the Working Party points out at the end of the document that further input from interested circles and experts on the basis of the experience obtained will be welcomed. Keep it up!


How to solve BCR conflicts with local law

Posted on March 13th, 2013 by



A frequently asked question by many clients considering BCR is “How can we apply BCR on a global basis?  What if non-EU laws conflict with our BCR requirements?”  Normally, this question is raised during an early-stage stakeholder review – typically, by local in-house counsel or a country manager who points out, quite reasonably, that BCR are designed to meet EU data protection standards, not their own local laws.

It’s a very good, and perfectly valid, question to ask – but one that can very quickly be laid to rest.  BCR are a voluntary set of self-regulatory standards that can readily be designed to flex to non-EU local law requirements.  Global businesses necessarily have to comply with the myriad of different laws applicable to them, and the BCR policy can address this need in the following way:

(*)  where local law standards are lower than those in the BCR, then the BCR policy should specify that its standards will apply.  In this way, the local controller not only achieves, but exceeds, local law requirements and continues to meet its commitments under its BCR; and

(*)  where local law standards are higher than those in the BCR, then the BCR policy should specify that the local law standards will apply.  In this way, the local controller achieves local law compliance and exceeds its commitments under the BCR.

In both cases, the controller manages to fulfil its responsibilities under both applicable local law and the BCR, so a head-on collision between the two almost never arises.  But for those very exceptional circumstances where mandatory local laws do prohibit the controller from complying with the BCR, the group’s EU headquarters or privacy function is simply required to take a “responsible decision” on what action to take, and to consult the EU data protection authorities if in doubt.

The net result?  Carefully designed BCR provide a globally consistent data management framework that sets an expected baseline level of compliance throughout the organisation – exceeded only if and when required by local law.

Technology issues that will shape privacy in 2013

Posted on December 13th, 2012 by



Making predictions as we approach a new year has become a bit of a tradition.  The degree of error is typically proportional to the level of boldness of those predictions, but as in the early days of weather forecasting, the accuracy expectations attached to big statements about what may or may not happen in today’s uncertain world are pretty low.  Having said that, it wouldn’t be particularly risky to assume that during 2013, the EU legislative bodies will be thinking hard about things like whether the current definition of personal data is wide enough, what kind of security breach should trigger a public disclosure, the right amount for monetary fines or the scope of the European Commission’s power to adopt ‘delegated acts’.  But whilst it is easy to get distracted by the fascinating data protection legislative developments currently taking place in the EU, next year’s key privacy developments will be significantly shaped by the equally fascinating technological revolution of our time.

A so far low profile issue from a regulatory perspective has been the ever growing mobile app phenomenon.  Like having a website in the late 90s, launching a mobile app has become a ‘must do’ for any self-respecting consumer-facing business.  However, even the simplest app is likely to be many times more sophisticated than the early websites and will collect much more useful and clever data about its users and their lifestyles.  That is a fact and, on the whole, apps are a very beneficial technological development for the 21st century homo-mobile.  The key issue is how this development can be reconciled with the current data protection rules dealing with information provision, grounds for processing and data proportionality.  Until now, technology has as usual led the way and the law is clumsily trying to follow, but in the next few months we are likely to witness much more legal activity on this front than what we have seen to date.

Mobile data collection via apps has been a focus of attention in the USA for a while but recent developments are a clue to what is about to happen.  The spark may well have been ignited by the California Attorney General who, in the first ever legal action under the state’s online privacy law, is suing Delta Air Lines for distributing a mobile application without a privacy policy.  Delta had reportedly been operating its mobile app without a privacy policy since at least 2010 and did not manage to post one after being ordered by the authorities to do so.  On a similar although slightly more alarming note, children’s mobile game company Mobbles is being accused by the Center for Digital Democracy of violating COPPA, which establishes strict parental consent rules affecting the collection of children’s data.  These are unlikely to be isolated incidents given that app operators tend to collect more data than what is necessary to run the app.  In fact, these cases are almost certainly the start of a trend that will extend to Europe in 2013 and lead EU data protection authorities and mobile app developers to lock horns on how to achieve a decent degree of compliance in this environment.

Speaking of locking horns, next year (possibly quite early on) we will see the first instances of enforcement of the cookie consent requirement.  What is likely to be big about this is not so much the amount of the fines or the volume of enforcement actions, but the fact that we will see for real what the regulators’ compliance expectations actually are.  Will ‘implied consent’ become the norm or will websites suddenly rush to present their users with hard opt-in mechanisms before placing cookies on their devices?  Much would need to change for the latter to prevail but at the same time, the ‘wait and see’ attitude that has ruled to date will be over soon, as the bar will be set and the decision to comply or not will be based purely on risk – an unfortunate position to be in, caused by an ill-drafted law.  Let that be a lesson for the future.

The other big technological phenomenon that will impact on privacy and security practices – probably in a positive way – will be the cloud.  Much has been written on the data protection implications of cloud computing in the past months.  Regulators have given detailed advice.  Policy makers have made grand statements.  But the real action will be seen in 2013, when a number of leaders in the field start rolling out Binding Safe Processor Rules programmes and regulators are faced with the prospect of scrutinising global cloud vendors’ data protection offerings.  Let us hope that we can use this opportunity to listen to each other’s concerns, agree a commercially realistic set of standards and get the balance right.  That would be a massive achievement.


This article was first published in Data Protection Law & Policy in December 2012.

Article 29 Working Party pushes for Binding Safe Processor Rules

Posted on December 9th, 2012 by




The Article 29 Working Party has taken another crucial step towards the full recognition of BCR for processors or ‘Binding Safe Processor Rules’. Following the unqualified backing by the European Commission in the proposal for a Data Protection Regulation early in 2012 and the publication of the criteria for approval by the Working Party itself last summer, an agreement has now been reached by the European data protection authorities on the application and approval process.

The official announcement of a mutual recognition and cooperation procedure-type approach will take place in January 2013 and shortly after, the Working Party will issue the appropriate application form. This is the strongest indication to date that applications for BCR for processors will be dealt with in the same way as the traditional BCR, opening the door for hybrid BCRs for those organisations with global data protection programmes that apply to their dual role as controllers (in respect of their own data) and processors (in respect of their clients’ data, as in the case of cloud service providers).


Privacy in the global village

Posted on September 4th, 2012 by



There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15-year-old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years’ imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, this is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best to protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

This article was first published in Data Protection Law & Policy in August 2012.