Privacy and Security TidBits

Computers, Privacy & Data Protection: European Data Protection: In Good Health? Part 2

According to its mission statement, the annual conference “Computers, Privacy and Data Protection” in Brussels aims to create a bridge between policy makers, academics, practitioners and activists, and aims to become Europe’s most important forum for the discussion of data protection and privacy issues.

This goal was certainly reached during the panel on Behavioural Targeting and Profiling, where technologists, privacy advocates and attorneys each presented their own take on, and solutions for, this very pertinent privacy issue.

All parties agreed that data collection is at the core of the online marketing business model and therefore had to be dealt with. One technologist suggested creating a “cloudbroker”, an intermediary between the consumer and the advertising agencies that would only pass on data of the consumer’s choosing.

Another IT professional repeated the old mantras of Do Not Track, more transparency, monitoring tools, privacy certifications and Privacy by Design.

A third one, Paul Francis, working for the Max Planck Institute in Germany, proposed a very sophisticated privacy-based advertising model, called the PRIVAD project, whereby a “dealer” would offer “software agents” for download onto users’ computers. The user would then create their own data and profile with that software and pass it on to the dealer, who, after anonymizing the data, would pass it on to a broker. The broker and the ad agencies would thus only come into possession of separate bits of anonymous data, and would not be able to build profiles of users. The targeted ads would then be sent back to the user via the same anonymized paths.

One attorney on the panel drew attention to price discrimination as a result of profiling. One way this is happening today is via Groupon coupon offers, and he predicted this will happen more pervasively in closed networks like Facebook. He questioned the legality of such practices.

Privacy activist Alexander Hanff of Privacy International proposed that, regardless of the claimed billions at stake for the ad industry, privacy is a human right and not for sale. He proposed straightforward opt-in for all.

One very good point was made from the audience: even when a consumer gives consent to the collection of a particular piece of information, he/she does not necessarily give consent to the combination of multiple data into aggregated data and profiles. Therefore it seems that the concepts of PII and private data are outdated and need to be replaced by “aggregated data” and “identity”.

Jeff Chester of The Center for Digital Democracy stated that in the US, leading brands have built a pervasive commercial surveillance society and that they are selling individuals to the highest bidder. He warned the audience that the next frontier would be “neuromarketing”, whereby advanced knowledge of how our brain functions would be put to use to influence consumers on a subconscious level.

Jeff conveyed how the ad industry is afraid of the EU data protection model, and instead is pushing towards a “make believe” regulation and self-regulation.

Another very interesting panel discussed Surveillance in the Netherlands.

The panelists portrayed a “surveillance” society, where people are watched by omnipresent CCTVs, where biometric passports are stored in central databases, where pat downs and house searches occur without probable cause or warrant, where everyone is deemed guilty until proven innocent and where the citizens are so trusting of their government that they don’t even protest against these privacy-invasive practices.

A very hot topic was the discussion of the EU Data Retention Directive, which is up for review. For more background on this matter, see this recent post on this blog.

Chris Soghoian spoke of the state of data retention in the US. He explained how, except for certain areas like finance, there is no mandatory retention requirement, but that a system of voluntary retention has developed. For example, AT&T and Verizon are paid $8 million a year by the FBI to provide real-time access to two years of stored records. Microsoft, Google, Sprint, MySpace and Facebook all have retention policies in place for voluntary help to law enforcement. The public is largely unaware of these practices, since they are never disclosed in the privacy policies of these companies. Apparently T-Mobile is the only telecom NOT logging its customers’ information.

I suppose that at the time of the conference, Chris had not heard of the most recent rumors in the House concerning a possible imminent retention bill.

The most popular and widely attended panel was the one discussing the Revision of the EU Data Protection Directive, consisting of (from left to right): Achim Klabunde of the European Commission, Giovanni Buttarelli of the European Data Protection Supervisor’s office, Marie-Helene Boulanger of the European Commission, Jim Halpert of DLA Piper LLP, Jacob Kohnstamm, Chairman of the Article 29 Working Party & Dutch Data Protection Authority and Daniel Guagnin of the Technische Universität Berlin (DE).

Marie-Helene Boulanger repeated the objectives of the revision: strengthening of individual rights, enhancing harmonization, reinforcement of the data controller’s responsibility, a better integration of the 3rd pillar (police and judiciary), and improvement of international data transfers.

The most interesting and provocative statement was made by Jacob Kohnstamm. He warned against putting a disproportionate burden on the consumer by requiring his/her consent in an increasingly complex online ecosystem that the consumer does not fully understand. He asked instead for more responsibility and accountability of the data controllers. He was very passionate about the fact that there is no other area in law where those selling products are not responsible for those products, and does not see why the sale of data should be an exception.

Jim Halpert drew attention to the fact that the EU model is slowing down business (four months to receive the authorities’ approval for model contracts) and suggested Privacy by Design solutions to prevent problems at the front end.

In the audience, Tanguy Van Overstraeten of Linklaters suggested that a regulation instead of a directive would provide businesses with the legal certainty they need for global operations. While a regulation would be directly and equally binding on all member states, a directive would have to be implemented by each state individually and would inevitably lead to lack of harmonization and applicable law problems.

Peter Hustinx, in his recent opinion reviewed in this post, indeed recommended a regulation and not a directive.

Cloud Computing and Privacy Impact Assessments were other topics that provoked lively discussions on the panels as well as in the audience.

During the conference, EPIC presented the 2011 International Privacy Champion Award to European Parliament Member Sophie in’t Veld and the 2011 Domestic Privacy Champion Award to Jeff Chester, founder and executive director of the Center for Digital Democracy. In’t Veld was recognized for her work as “leading defender of fundamental freedoms,” Chester as a “tireless champion of consumer rights.”

Privacy International, EPIC, and the Center for Media and Communications Studies (CMSC) released “European Privacy and Human Rights (EPHR) 2010” during the CPDP conference. The EPHR is a report investigating the scope of privacy and data protection laws in Europe. The study includes 33 individual reports covering issues from privacy enforcement to ID cards, biometrics, data-sharing and video surveillance. The study ranks privacy protection across the European Union (EU). A few months ago, this blog posted an interview with Cédric Laurant, one of the contributors to the massive report.

The conference ended with an inspiring address by Peter Hustinx, the European Data Protection Supervisor.