International Privacy Law Enforcement: Regulators and business coming together

PPT 189 EAAC 501 Presentationwebcasts.acc.com/handouts/ACC_303_237B_802-Handling-International...The*plan* • The privacy regulators’ vision and normative framework for international



The plan

• The privacy regulators’ vision and normative framework for international cooperation on global issues: The why and how of international compliance action
• The regulators’ operational measures for cooperation (International investigations, coordinated internet sweeps…)
• International standards on cloud: The universality of ISO


THE STORY OF PRIVACY REGULATORS’ COOPERATION

Chantal Bernier
Former Interim Privacy Commissioner, Office of the Privacy Commissioner of Canada (OPC)
Counsel, Dentons LLP


How it all started – Issue definition

• Fragmentation of normative development and compliance through uncoordinated approaches
  – E.g. Sony Playstation 2009
• Duplication of efforts with separate interventions
  – E.g. Google Streetview
• Asymmetric strength of national authorities in the face of multinational issues
  – E.g. Security on the cloud


A Vision for Response

• The rise of a common view:
  – Resolution on Development of International Standards, 29th International Data Protection and Privacy Authorities Conference, Montreal 2007
    • Laying the grounds for normative harmonization – Cooperation with ISO
  – Resolution on Privacy Enforcement Co-ordination at the International Level, Mexico 2011
    • Developing an infrastructure for cooperation – Legislative amendments and MoUs
  – Global Cross Border Enforcement Cooperation Arrangement, 2014
    • Agreeing on modalities of cooperation – Model arrangement for multinational cooperation


The Challenges

• Varied authorities’ scope of mandate
  – Privacy specific or not
  – Including or excluding public safety matters
  – With or without enforcement powers
• Differences in approach
  – The fundamentalists vs the functionalists
• The impact of culture


The Strengths

• A sense of urgency from reality of global, ubiquitous privacy issues
  – Multinational impact of privacy practices
• The expansion of the digital economy
  – The privacy ticket to economic growth
• Parallel globalization efforts and allegiances
  – Cooperation with the International Standards Organization (ISO)
  – Creation of 5 Regional Data Protection Authorities
• The European engine
  – The adequacy requirements to trade with Europe
• The personal relationships and the shared commitment
  – Annual International Conference of Data Protection Authorities


Coming together

1. An enabling normative framework
   = Bilateral MoUs and model for Multilateral MOU
2. Active international working group of data protection authorities meeting twice a year
   = Coordinated or joint compliance action
3. Contribution to ISO privacy standards
   = ISO/IEC 27018 Code of practice for PII protection on public clouds acting as PII processors


INTERNATIONAL COLLABORATION IN ACTION

Brent Homan
Director General, PIPEDA Investigations
Office of the Privacy Commissioner of Canada
April 9, 2014


International Enforcement Cooperation Matrix

(Axes: Non-coordinated / Coordinated; Non-confidential and non-personal data / Confidential or personal data. Diagram label: Cooperation.)

• Confidential or personal data, non-coordinated: Sharing Confidential Info (via MOU, Regional etc.)
• Confidential or personal data, coordinated: Coordinated Enforcement (linking specific enforcement activities, including the sharing of confidential information)
• Non-confidential and non-personal data, non-coordinated: Sharing Non-confidential Info (e.g., research, policy/guidance, enforcement practices - GPEN website or teleconferences)
• Non-confidential and non-personal data, coordinated: Coordinated compliance Action (e.g., GPEN Sweep or Webcam Letter)


Sharing Non-Confidential Information

• Type of information
  • Research, guidance, practices, findings, etc.
• Global Privacy Enforcement Network (GPEN)
  • Over 50 Privacy Enforcement Authorities (up 100% since 2013)
  • Website, teleconferences and meetings
• What does this mean for stakeholders?
  • We are keeping on top of emerging privacy issues
  • Greater consistency in approaches across authorities


Coordinated Compliance Activities

• GPEN Sweep 2014 – Mobile Apps
  • 151 apps “swept” by OPC; over 1200 globally
  • 85% of apps left sweepers with questions about how their data would be used (key concerns included a lack of pre-installation privacy explanations and a failure to tailor communications to the small screen)
  • But – many popular apps are embracing the potential to build trust through clear, easy-to-read, timely privacy information
  • Where concerns were identified, compliance letters issued, resulting in pro-privacy changes in over 100 apps


Coordinated Compliance, cont’d

• Webcam Website
  • Eastern-European website posting links to unsecured, remote-accessible webcams (including some in Canada)
  • Within 24 hours of becoming aware, a joint letter was drafted by Canada, United Kingdom, Australia, Macao, Quebec, Alberta, B.C., urging takedown of the site
  • Shortly after, website stopped broadcasting this footage, and the site is now operating with limited video feeds, mainly of public areas


Coordination Examples

• Breaches offer an ideal opportunity to coordinate information gathering and assessment relating to technological safeguards
• Example 1: LinkedIn Breach
  • Multiple authorities (including the OPC) coordinated queries through Irish DPA
  • Through dialogue in collaboration with domestic counterpart agencies (BC, Alberta, Québec) ultimately, obtained comfort regarding breach-related risk and proposed remedial action without a formal investigation
• Example 2: Living Social Breach
  • OPC, along with provincial authorities and the UK-ICO coordinated questioning and teleconferences
  • Authorities were able to assess breach-related risk and obtain comfort regarding remedial measures without a formal investigation


Joint Investigations

• WhatsApp Investigation with the Dutch DPA
• Each authority’s findings based on analysis pursuant to its own legislation
• Coordinated most aspects of investigation - information gathering, analysis, reporting and follow-up
• Allocated resources and tasks to share workload, take advantage of specific competencies and expedite process
• Further coordinated matters ongoing with Irish DPA


Privacy Considerations in “the Cloud”

• Key Considerations
  • Consider the risks and benefits of moving to the Cloud
  • Think about Accountability – what does the contract say?
  • Assess the security of the cloud
  • Ensure consent and establish limits with the Cloud provider
  • Understand how the law applies when the Cloud crosses borders
  • Maintain control!


ACCOUNTABILITY IN A CLOUD WORLD

Mike Yeh
Assistant General Counsel
Microsoft Worldwide Public Sector Business


“Our customers and society expect us to maximize the value of technology while also preserving the values that are timeless.”

- Satya Nadella


Accountability in the Cloud

• Comply: Ensuring you meet your compliance needs when using our cloud service
• Protect: Ensuring we remain committed to the protection of your data in our cloud services
• Control: Ensuring you maintain control of your data in our cloud services


Signs of Compliance

Clauses as drafted by the EU Commission and have they been approved or viewed by the local Data Protection Authority?


[Figure: map of office locations by city. Key: Offices, associate offices and facilities; Associate firms and special alliances]

Questions? Thank you