U.S. Ediscovery and Cross-Border Ediscovery 101 for Civil Law Practitioners

In a speech given at the 3rd Annual European Data Protection and Privacy Conference, in Brussels on 12/4/12, Viviane Reding addressed the reasons for the global interest in the European Commission’s proposed reforms to the EU Data Protection Regime:

“Why is there so much interest in our data protection reform?

…, because data protection is a global challenge. In a world where borders are increasingly blurred, and where data moves at the speed of light, the Union’s rules matter beyond its borders. Our debate is a precursor of future debates in other parts of the world. Many countries have a new generation of data protection laws in the making, in Asia, in Latin America, in Africa. In the U.S., the voices of reform are growing louder. All across the world, people are realising that good data protection rules are good for growth. This is at the heart of our own proposals here in Europe.”

But, while the EU may be leading the global data protection reform movement, there is no doubt in my mind that the US remains the leader in global data collection technologies.

The U.S. Ediscovery industry originated from the very broad Common Law requirement of “Disclosure” or “Discovery” in civil litigation. As digital data became the overwhelming source of data in most companies and organisations, “discovery” became “e-discovery”, the “e” standing for “electronic”. This obligation to disclose is practically non-existant in Civil Law systems.

According to a recent report published by Transparency Market Research, the global e-discovery market was worth USD 3.6 billion in 2010 and is expected to reach USD 9.9 billion in 2017, growing at a CAGR of 15.4% from 2010 to 2017. In the overall global market, the U.S. is expected to maintain its lead position in terms of revenue with 73% of global e-discovery market share in 2017. Another report, published by Research and Markets,  forecasts the Global eDiscovery market to grow at a CAGR of 15.56 % over the period 2011-2015.

The globalization of trade and data flows have lead to an increase in international litigation, with, in Common Law based jurisdictions, the accompanying need for global data collections to satisfy the Common Law “Duty to Disclose” in civil litigation.

Just as the EU Data Protection reform has caused undeniable ripple effects worldwide, the U.S. Edsicovery boom has had an impact on the global practice of law.

For example, at the recent LawTech Europe Congress 2012  held in Prague, CZ, on 11/12/12, I was impressed by the overwhelming interest expressed in U.S. based Ediscovery technologies for application in local internal and Government investigations in bribery, corruption and fraud allegations within EU companies, and, to a lesser extent, for application in cross-border ediscovery procedures.

It is in the particular case of cross-border ediscovery, conducted in the context of U.S. civil litigation, that the clashes between local, EU-style data protection regimes and the need for transfer of data to the U.S., are the most acute and problematic.

In order to solve this very complex problem, I believe, in line with the Sedona Conference‘s philosophy, that dialogue is of the utmost importance. In the case of U.S. cross-border ediscovery in the EU, this dialogue takes on the additional dimension of a dialogue between two vasltly different legal systems: the Common Law system of the U.S. and the Civil Law system of the majority of EU member states. These different legal systems are cause for many misunderstandings between EU and US legal practitioners. On the one hand, U.S. attorneys and judges need to become more familiar with the EU Data Protection regime, and on the other hand, the EU member states’ attorneys, in-house counsel and Data Protection Authorities (DPAs) need to become more familiar with U.S. ediscovery obligations.

In the past, I have explained basic EU Data Protection concepts to U.S. legal practitioners.

At the  LawTech Europe Congress 2012, I attempted to explain U.S. Ediscovery principles to an audience, consisting mainly of Civil Law practitoners.

The presentation can be heard here:

 The Sedona Conference Working Group 6, of which I am an active member, has worked relentlessly to achieve a dialogue between the EU Data Protection Authorities and US attorneys, in-house counsel and Federal Judges. It has published The Sedona Conference International Principles on Discovery, Disclosure and Data Protection in December 2011, which is now open for public comment. The Principles were very well received by the Article 29 Working Party, the EU Data Protection Authorities’ Advisory Body, presided over by Jacob Kohnstamm.

It is the hope of The Sedona Conference that its International Principles will become accepted as best practices, as a code of conduct by U.S. litigants and Judges, as well as by EU member states’ DPAs.

To paraphrase Viviane Reding: ..because litigation is a global challenge. In a world where borders are increasingly blurred, and where data moves at the speed of light, U.S. ediscovery rules matter beyond their borders.

E-Discovery Legal Issues for IT

Lawyers are often labeled as “luddites” and their lack of understanding of technology is legendary.

In an era, where almost all business records are in the form of electronically stored information, it has become essential for lawyers to become more technologically savvy.

On the other hand, it is just as important for IT to understand legal and its requests.

Ediscovery is one area, where this has become an absolute necessity.

But how well do IT professionals understand the legal aspects of their work? Most probably, not very well.

Are you an IT professional?

Do you believe that all your company’s data should be deleted as quick as possible? Do you believe that none of your company’s data should ever be deleted?

Have you ever received an instruction from the legal department that sounded like: “Save all responsive documents” and scratched your head as to what documents legal was referring to?

Is your company moving its database to the cloud? Are you involved in acquiring new hardware or software for your company?

If you answered yes to any of the above questions, the newly published e-book “E-Discovery Legal Issues Guidebook” is for you. It was published on September 7, 2012, by PenTest Magazine, the “only magazine devoted exclusively to penetration testing”.

This seventy page e-book is specifically aimed at IT professionals who deal with ediscovery. With its collection of eleven articles, written by thought leaders in the  field of ediscovery, it aims to inform IT professionals of the basic legal issues surrounding ediscovery.

In it, you will find analyses of the major ediscovery cases, from the seminal Zubulake case to the more recent Apple v. Samsung case. Basic legal ediscovery principles, such as the duty to preserve and spoliation are explained without the usual legal jargon. More advanced topics, such as ediscovery of data stored in the cloud and ediscovery of personal data in the EU are covered as well.

This publication recognizes the essential part IT professionals play in the process of ediscovery, and aims to foster co-operation between the legal and IT departments.

Disclosure: This blogger has contributed to the publication with a chapter on international ediscovery and EU data protection.

U.S. Cross Border Ediscovery vs. EU Data Protection: Clash of the Titans

Thanks to my dual qualification as an attorney in the U.S., as well as in the EU, I am in a unique position to act as a bridge between the exclusively common law tradition of pre-trial ediscovery in civil litigation in the U.S.  and the EU tradition of data protection of personal data.

The Privacy Law Salon: Dialogue with Policymakers

Yesterday, the first Privacy Law Salon in Washington DC, took place at the National Press Club. The Privacy Law Salon: Dialogue with Policymakers, was “a unique meeting of the most experienced practitioners and corporate executives dealing with privacy law matters, and a unique opportunity to interact with the policymakers affecting the future of privacy.”

The purpose of the Salon was “to facilitate a high-level exchange of ideas and in-depth dialogue on cutting-edge and emerging issues that are vital to clients, corporations, government and the public interest.”

The Salon was held under the Chatham House Rule.

Some of the main points discussed included:

1. Do Not Track: The DNT system will be in place within a year from now.

2. EU and Global Privacy Interoperability:

• The global debate of the EU prescriptive system v. the US enforcement system will take center stage in the coming year.
• The global flow of information has been rephrased as a trade policy issue: the use of mutual recognition and enforcement arrangements, so information can flow freely.
• Many are uncomfortable with the notion of the US seeking “adequacy” status from the EU. The terms “interoperability” and “mutual recognition” are much preferred.
• The single most important action from the US towards “interoperability” with the EU would be the passing of the “Privacy Bill of Rights” proposed by The White House last February, but it is very questionable whether this bill will be passed within the next year.
• Instead, the Safe Harbor and BCR Frameworks will probably be expanded.

3. Context:

• The new “context of interaction “ standard, recommended in the FTC  report of last March, for establishing whether the consumer needs to be provided with privacy choice when personal data are collected, prompted a lot of participants to demand clarification as to exactly what that new standard meant: Is the new standard to be measured by the “Expectation of Privacy” from the consumer, or should the absence v. possibility of harm to the consumer be preferred as a measuring rod in order to determine whether the collection of personal data happened within the “context of interaction”? The latter seemed to be the more popular view.
• This lead to a request from participants for more clarity and guidance as to what exactly constitutes “privacy harm”.

4. Hot Topics: As current “hot topics” in Privacy were mentioned:

• Social Media Policies and their need for compliance with the NLRB rules.
• The need for coherence in policymaking and applications of the rules.
• The need for more technical knowledge from the regulators.
• The gaps in health data coverage by HIPAA. The example was cited of the physician who does not accept health insurance, and therefore is not covered by HIPAA.
• The “Cloud” and access to personal data by Governments.

5. FTC Enforcement Issues: Participants expressed a desire for more transparency and for more disclosure of standards used in FTC settlements. It was pointed out that, even though the right to appeal the FTC settlement decisions exists, it has never been exercised.

The lack of jurisprudence in this area was unanimously deplored.

U.S. – EU Safe Harbor Framework News and Views

In 2000, the EU and the U.S. agreed on the Safe Harbor Framework as a means to ensure adequate protection for personal data, transferred from the EU to be processed by U.S. companies.

At the recent EU Conference on Privacy and Protection of Personal Data, held in Washington DC,  the last panel took the opportunity for taking stock and discussing the way forward for this agreement. In this session, businesses and regulators presented their views and experiences with the U.S.-EU Safe Harbor Framework.

Francoise Le Bail, Director-General for Justice, European Commission, started by reassuring all stakeholders that the current reform in EU Data Protection Law would not put the Safe Harbor Framework at risk as one of accepted ways for adequate transfer of personal data between the EU and the US, as was mentioned in the Joint Statement issued by EC Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson.
“In line with the objectives of increasing trade and regulatory cooperation outlined by our leaders at the U.S.-EU Summit, the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework”.

The panelists considered the framework to be mostly a success story, with 3,000 US companies currently enrolled in the program, 50% of which are small and medium enterprises, but most agreed that the system could use some improvement.

David Smith of the British Data Protection Authority, the ICO, recounted the “absolutely awful” birth of the framework, the difficult young years and the current maturing into a working instrument for data protection interoperability between the US and the EU. “The mistrust is gone, as we believe the US is acting in good faith.” He did concede though, that a larger amount of audits would ensure better effective compliance by all companies.

Michelle O’Neill, of the Department of Commerce, added that in order to ensure better compliance, the supervising  departments needed more resources.

She announced that her department is currently discussing the expansion of the Safe Harbor Framework to non-profit organizations.

Hugh Stevenson, of the Federal Trade Commission, stressed the importance of enforcement and awareness raising in order to make compliance the norm, but deplored the lack of resources to achieve that goal. He appealed for more international enforcement cooperation as well.

Jan Philipp Albrecht, Member of the European Parliament, concurred that Safe Harbor was performing well but was in need of improvement on the compliance front. He suggested the granting of individual rights of action for consumers in order to ensure better compliance by the Safe Harbor certified companies. Currently, enforcement of Safe Harbor rests with the FTC, under section 5 of the FTC Act, which prohibits “unfair and deceptive trade practices”.

Nuala Kelly O’Connor, Senior Counsel – Information Governance & Privacy at General Electric, advocated for more global privacy interoperability, in addition to Safe Harbor, which is limited to the EU – US transfer of personal data.

For a complete overview of this panel, please watch this 4 Gigabyte HD video, which I taped and uploaded on my YouTube Channel EdiscoveryMap.

Moderator: Armgard von Reden, Lecturer at SRH and Quadriga University, Berlin
Participants, from left to right:
• Françoise Le Bail, Director-General for Justice, European Commission
• Michelle o’Neill, Deputy Under Secretary for International Trade,
US Department of Commerce
• Jan Philipp Albrecht, Member of the European Parliament
• David Smith, Deputy Information Commissioner, United Kingdom
• Hugh Stevenson, Deputy Director for International Consumer Protection, Federal Trade Commission
• Nuala O’Connor-Kelly, Senior Counsel – Information Governance & Privacy, General Electric

EU – US Privacy and Protection of Personal Data: Americans Are from Mars, Europeans Are from Venus

The High Level EU Conference on Privacy and Protection of Personal Data, held on March 19, was organized by the European Commission and hosted by the US Institute of Peace in Washinton D.C. The conference was held simultaneously in Brussels as well, via a video conference link.

This conference was meant to deepen transatlantic dialogue on commercial data privacy issues in order  to achieve further interoperability between the two systems at a time, when both the EU and the US have taken significant steps towards new data potection legislation.

On January 25, the European Commission had published a draft proposal for a new Data Protection Regulation , and on February 23, the White House had released its privacy blueprint, including the Consumer Privacy Bill of Rights.

On the occasion of this conference,  Commerce Secretary John Bryson and European Union Commissioner Viviane Reding announced in a joint statement a new commitment to collaborate on privacy issues and laws.

While most all panelists on the EU side insisted on the necessity of a binding set of laws, accompanied by individual rights of action in order to get significant privacy compliance from data controllers, most panelists on the U.S. side affirmed that voluntary codes of conduct, combined with enforcement by the FTC would achieve the same result, while allowing for more flexibility in adapting to the constantly changing technological landscape.

Even though the panelists went through great efforts to stress the common values and goals of the EU and U.S. policy makers, there is no denying that the European and American “privacy DNAs”remain vastly different. One major difference is the fact that, even in the commercial realm, privacy and data protection is a human and constitutional right in the EU, while in the U.S. it is at best considered a consumer right, if a right at all.

Did the conference achieve its goal of bringing the two sides a little bit closer together?

In order to enable those who could not attend the conference, either live or through video transmission, to judge for themselves, I wrote a “play” in three acts, based on the actual discussions that took place during three panels.

Americans Are from Mars, Europeans Are from Venus

Act 1: A Law or not a Law?

 Francoise Le Bail (EC): I realize I am in the Lion’s Den (giggle), but I shall be brave. It is critical to have a privacy LAW, so that people will TRUST the internet!

 Daniel Weitzner (White House): We will call on Congress to legislate in order to provide people with the necessary TRUST in the new information economy. But, meanwhile, we hope that the stakeholders will create their own little codes of conduct.

 David Vladeck (FTC): We all agree! Yay! By the way, did you know that in the U.S. Voluntary Codes of Conduct are just like Laws? We are so good, we even obey the law, when there is no law! And they are so flexible, to boot!

 Douwe Korff(EDRi): Waddya all talking about?? Did you know that in the EU, privacy is a human right? You need a CONSTITUTION to guarantee a human right! Voluntary codes of conduct, humph.

Mark Rothenberg (EPIC): I see a window of opportunity. I see legislation on the horizon.

Vivian Reding (EC): One-Stop-Shop!

John Bryson (White House): This will be a landmark year for data protection!

Ed Markey (D-MA): The Europeans are coming! I love them. We must legislate, especially my own very excellent proposal. Do it for the children, folks! It’s immoral not to.

APPLAUSE FROM THE EUROPEANS. END OF ACT 1.

Act 2: The Interoperability Dream

Lawrence Strickling (DoC): Yes, we can!

Jennifer Stoddart (Privacy Commissioner Canada): If the Europeans can do it with the Canadians, they can do it wit the Americans too!

Peter Hustinx (EDPS): Now wait, little children: first eat your voluntary codes, and make them binding, and then we shall see. I might have a surprise for you!

Daniel Pradelles (HP): Self Regulation Rocks! Plus, we at HP are the only ones to have BCRs approved by all DPAs of all the EU Member States.

Claus-Dieter Ulmer: (Deutsche Telekom): Will you make up your minds already?  The faster and the easier the solution, the better for us. Either way, we need to know.

Marie-Helene Boulanger (EC): First, second, third and finally, fourth. And if you Americans will get off your a..es and legislate already, well then, we might just become interoperable with you guys.

Axel Voss ((MEP): What we really need is global data traffic regulation.

Joe Alhadeff (Oracle): HOW on earth are you going to do all this?

END OF ACT 2. LUNCH.

Act 3: Let Me Count the Ways I Enforce Thee

Julie Brill (FTC): We at the FTC protect the Global Community with our fierce enforcement actions!

Cameron Kerry (DoC): The FTC is the Global Leader in enforcing privacy protection!

Paul Nemitz (EC): Global Leader?? Global Leader in P.R., ha!

Maneesha Mithal (FTC): Paul Nemitz, we make sure to publicize our daring dawn raids, so the bad guys will tremble in their board rooms, ha!

Jacob Kohnstamm (Dutch DPA) (with an inexplicable tired look on his face): We need to enforce to get compliance. And FYI, opt-out in OBA is NOT adequate. You give me explicit consent, I give you adequate, capice?

Kostas Rossoglou (BEUC): I wish we had class actions for data protection law suits.

Jeff Chester (CDD): The FTC enforces, and Google and Facebook are expanding their data collection like never before. Please listen to me, the entire world is analyzing the entire world!

Law Student Max Schrems (Europe v. Facebook) (fresh faced): I took Facebook to task, so why can’t you, old geezers?

Maneesh Mithal and Jacob Kohnstamm (in unison): if I were a rich man, lala lala lala la, all day long I’do nothing but enforce, la la la la la!

THE END

PANEL 3, moderated by Cedric Laurant, or where can be heard what really was said :

Safe Harbor, discussed during the fourth panel, will be the subject of a seperate post.

The EU Data Protection Reform: Viviane Reding’s 1/25/2012 Press Conference

I happened to be in Brussels as the European Commission (EC) announced the publication of its final draft for a new Regulation and a new Directive and decided on the spur of the moment to attend Viviane Reding’s Press Conference at the EC where I livestreamed her announcement

Click here for a complete coverage of the data protection reform. (legislative texts, fact sheets and more).

Attention EU Readers of EDiscoveryMap: We are bringing EDiscovery to Brussels on January 26

EDiscoveryMap is pleased to announce that Monique Altheim will moderate E-Discovery Sessions at the Computers, Privacy & Data Protection Conference (CPDP) in Brussels on January 26, 2012.

The panels will feature an international roster of thought leaders and practitioners in the field of Cross-Border E-Discovery and EU Data Protection:

Willem DEBEUCKELAERE, Privacy Commission (BE), Master Steven WHITAKER, Royal Court of Justice (UK), Chris DALE, e-Disclosure Information Project (UK), Amor ESTEBAN, Shook, Hardy & Bacon, LLP (USA), James DALEY, Daley & Fey LLP (USA), Nigel MURRAY, Huron Legal (UK), George RUDOY, Integrated Legal Technology LLC (USA), Monika KUSCHEWSKY, Van Bael & Bellis (BE), Natascha GERLACH, Cleary Gottlieb Steen & Hamilton (BE), Dr. David EVANS, Evans LLC (USA), Dominic JAAR, KPMG (CA), and Erik LUYSTERBORG, Deloitte (BE)

With the increased globalization of the economy, companies in the EU are often subject to litigation holds and requests for production of relevant data by US litigants. If those data contain personal information, there is a serious conflict with the EU Data Protection Laws, which deem preservation and production of such data in principle illegal.

Since the concept of pre-trial discovery is practically non-existent in the European Union member states with a Civil Code tradition, the session will start with a discussion of the general principles of the U.S procedure of discovery of electronically stored information (ESI) in civil litigation, for the benefit of EU attendees.

What triggers the duty to preserve data relevant to litigation? What are litigation holds? What is spoliation? What are the sanctions for non-compliant parties? These are some of the topics that will be addressed.

What happens when the data, relevant to U.S. litigation, contain personal information and are located in an EEA member state?

The second panel will explore these complicated conflicts between U.S. Ediscovery obligations and EEA Data Protection obligations and propose some practical solutions.

The just published Sedona Conference International Principles on Disclosure and Data Protection, as well as the draft EC Proposal for a Data Protection Regulation, and their impact on the future of Cross-Border Ediscovery will be discussed.

What technological innovations can be applied to minimize the personal data preserved and collected in EAA member states?

What happens when relevant data are located in the cloud, on social media sites or on mobile devices? Which national law applies to determine the applicable data protection regime?

These and other emerging topics in cross-border Ediscovery will be tackled by the last panel.

The CPDP Conference, titled “European Data Protection: Coming of Age” will run from Wednesday, January 25 until Friday, January 27. It will coincide with the official publication of the EC’s Proposal for EU Data Protection Regulation and with the European Privacy Day on January 28.

To take advantage of the early bird registration fee , register here before December 30.

How To Build Your Own Mobile App in Three Easy Steps: A Thanksgiving Primer

Which professional has not entertained the wish to stay informed and in the loop, without having to spend hours of valuable time scouring the Internet for relevant information on a daily basis?

The daily load of professional newsletters, email subscriptions, RSS feeds, real time Twitter feeds, Facebook news streams, and now Google plus feeds, has become so heavy, that many have expressed the desire to go on an information diet.

I too have suffered from information overload, and in searching for a solution, I stumbled upon a very simple answer: I developed my personal mobile, information management tool in the form of an iPhone/iPad mobile app, which I use on my iPhone.

The “AltheimLaw” app is custom made for my needs and delivers real-time news from a variety of hand-picked sources, including social media sites, video and slide presentation sites, as well as more traditional RSS feeds of news aggregator blogs.

This particular app can, of course, also be installed by anyone who shares my interest in the very specific topics of e-discovery, data protection, privacy, social media, tech and information governance. I also created an Android version for those who use that platform under the name “Monique Altheim Esq.”.

But if you wish to create your own, custom made app to suit your own specific needs, and if you would like to publish it to any of  the IPhone/iPad, or Android platforms, you can do so, without knowing a word of code.

The entire process takes just three steps:

1. Register as a “developer”
2. Build your app
3. Publish your app

Here’s a breakdown of the three steps for two popular mobile platforms: The iPhone/iPad, and the Android .

1. Register as a developer:

The first step is to register as a “developer”. This will grant you permission to submit your app to the relevant store.

Requirements for iPhone/iPad:

• Enroll at http://developer.apple.com/programs/start/standard/ as an individual developer.
• Pay a $99 fee for developing an unlimited amount of apps
• Get a developers’ certificate and create a development provisioning profile at http://developer.apple.com
• Since following all the required steps can be daunting, I recommend following Appmakr’s step by step instructional YouTube videos at http://www.youtube.com/user/AppMakr#p/u

Requirements for Android:

• Register at https://market.android.com/publish/signup
• Pay a $25 fee for developing an unlimited number of apps.

  2. Build your app:

Building an app is very easy, even if one doesn’t know a word of code, thanks to websites like www.appmakr.com

Just click on the “get started building your … version” on appmkr’s home page. You will see three icons, respectively for Apple, Android and Windows. Just click on the one you need.

You  may enter a keyword to start, so that Appmakr can find related icons and RSS feeds for your app, but you can disregard its suggestions and skip this step. It is better to use your own icons and RSS feeds.

The website basically gives you a template to work with, which it then translates into code.

Appmakr has a YouTube site where you can watch 13 instructional videos on how to buid an iPhone /iPad app, guiding you step by step through the creation of your app: http://www.youtube.com/user/AppMakr#p/u

You can test-publish your app to your iPhone to check out whether you like the end product, before you publish it to the App Store.

Once you have finished building your app, you will be able to download the file on your computer.

TIP 1: You will need some basic knowledge of Photoshop or other similar software to adapt your screenshots to the different size requirements for the iPhone and iPad.

The iPhone/iPad and Android have each different image size and file type requirements for the icons and screen shots. For example, the iPhone icon must be 512×512 pixels in .png format.

TIP 2:  Safari cannot download the appmakr files. I used Firefox instead.

If you wish to make the app available for devices using Android, you can transfer the app into the Android (as well as Windows) format by clicking on the appropriate icon underneath your finished iPhone app link.

  3. Publish your app

iPhone/iPad

To publish your app, go to https://itunesconnect.apple.com and click on “Manage Your Applications”. Then click on “Add New App” in the upper left hand corner and follow the instructions.

You should download the “application downloader” software (the link should be on the iTunesConnect site), install it, and then download your app in that program.

When you go back to your iTunesConnect account, you will see that the status of your app is “Waiting for Review”. In the next stage your app will be ”In Review”, until, hopefully, the status will read “Ready for Sale”, at which point your app should be searchable and ready for installation in the App Store.

The entire process takes between one or two weeks.

Android

To publish your Android version, go to https://market.android.com/publish/Home

Follow the instructions to upload your app file. It is as easy as uploading a YouTube file. Within an hour your app will be for sale and downloadable on the Android market.

As between the iPhone/oPad and the Android platforms, the clear winner is Android: It has a much lower registration fee and the publishing of the app is a breeze.

Either way, when you think of the many hours you will save by cutting out most of the noise online through the use your app, it is worth the registration fee and the afternoon you might spend creating it.

While there are other sites that will help you build your own app, Appmakr is the only one that offers it at no fee.

It is also important to update your app regularly, to keep it compatible with changes on the platform. When Apple updated its IOS to IOS5, I had to rebuild my iPhone/iPad App from scratch.

Since my law firm focuses on ediscovery, privacy and data protection, social media and information governance, these are the topics that are covered in my app.

If you want to keep informed on these topics, you can download the “AltheimLaw” app for iPhone/iPad here: http://itunes.apple.com/us/app/monique-altheim-esq/id454018900?ls=1&mt=8 and the “Monique Altheim Esq” app for Android here: https://market.android.com/details?id=com.appmakr.app296991

Once you install such an app on your mobile device, the latest real-time news that is relevant to you is always available at the click of a finger, during your commute or while waiting online at the post office or the supermarket, during a quick lunch break, before falling asleep or upon waking up in the morning.

Privacy and Data Protection Week in Mexico City

This past week was “Privacy Week” in Mexico City, where three seperate conferences were held back-to-back.

The Public Voice  conference, chaired by Lillie Coney of EPIC, had as its theme: “Privacy is Freedom”

One of the highlights was a discussion between David Benasar, Senior Legal Counsel Aticle 19 and Marc Rotenberg, President of EPIC, titled: Frame the Issues Related to Freedom of Expression. Here are some of the ideas that were expressed:

About the Right to Freedom of Expression claimed by business and Right to Privacy:

Right to Privacy is essentially a pre-requisite for Freedom of Expression: the right of anonymity, for example, is the right to withhold our identity so we can express our views. Think for example the Arab spring or the protests in London and Vancouver. On the other hand, to call the actions of businesses to do away with our privacy for the purpose of conducting business “a right to freedom of expression” is like putting a Halloween costume on something and calling it “the Right to Freedom of Expression.” (In other words, it is a travesty.)

About the Right to Freedom of Expression claimed by journalists and Right of Privacy:

There is in media law a tension between freedom of expression and privacy rights of public officials and private individuals. It is important to be able to talk publicly and critically, particularly about public officials. But on the other hand, newspapers which publish gossip in order to sell (like in the recent UK phone hacking scandals) have a less defensible case for breaching people’s privacy. Yes, the news may be “news”, but it is meaningless news. This should not be defendable as a “freedom of expression” excuse to breach privacy.

Another very interesting panel was “Cultures and Privacy around the World“, moderated by Alberto Cerda, ONG Derechos Digitales.

This panel considered whether privacy and data protection are culture dependent. From left to right: Jacob Kohnstamm, Chair Article 29 Working Party (EU), Moez Chakchouk, CEO, Tunisian Internet Agency (TUN), David Vladeck, FTC (USA), Alberto Cerda, moderator, Lara Ballard, Department of State (USA), Zhou Hanhua (CHN).
(Note: this video is edited; the moderator’s recap comments have been edited for lack of space.)

Interesting note: At around 11:00, David Vladeck declares that clicking through an opt-in consent without even reading the dozen or so pages of “gobbledygook” or “word barf”, (as most of us do), is not a meaningful “consent”.

The OECD Conference, held on November 1, had as its theme: “Current Developments in Privacy Frameworks: Towards Global Interoperability”

The international character of personal data flows have accentuated the cross-border dimension of privacy issues and the corresponding need for a truly global dialogue.

As the OECD Secretary-General Angel Gurriá noted in a videotaped message:

“We describe our activities on social networks. We disclose our interests through our Internet browsing habits and online purchases with credit cards. We are located in time and space through the mobile devices we use. Detailed digital profiles of each of us can be assembled, and they can affect our opportunities positively or negatively.

Secondly, today’s data flows are continuous and global. The hype around terms like “cloud computing” and “big data” remind us that we are facing dramatic transformations in the delivery of online services. These shifts challenge the governance mechanisms we created in the pre-Internet era.”

Three of the primary frameworks with an international dimension (OECD, European Union, and Council of Europe) are as a consequence currently under review, and a fourth (APEC) is developing new cross-border implementation arrangements.

The Terms of Reference of the review of the OECD Privacy Guidelines were released on November 1.

One of its primary objectives is to ensure the global interoperability of privacy frameworks. Although each national culture has its own vision and approach to privacy,  a level global playing-field is needed. Widespread agreement on core privacy principles is not sufficient. We also need to strengthen mutual recognition and co-operation in their implementation.

Finally, The 33rd International Conference of Data Protection and Privacy Commissioners (ICDPPC 2011), was held on November 1 and 2 and was titled “PRIVACY: The Global Age.”

Diego Rivera Mural; picture by Monique Altheim

Peter Schaar, Federal Commissioner for Data Protection in Germany, explained the need for global standards well:

He said that the EU Data Protection framework was based on a model, in which data are collected by a data controller in a data base in the EU and then sent cross-border. Today, however, most data are collected directly from the end-user by data collectors outside of the EU, which creates enforcement issues for the EU authorities.

The buzz words at the conference were: accountability, privacy by design, privacy by re-design, education, information governance, the obsolescence of “consent” in the age of “big data”. The term “global interoperability by design” was coined.

One of the livelier discussions occurred during the panel titled “How does the growth of data, its mining and application challenge the way privacy enforcement agencies protect individuals”.

Peter Schaar, Federal Commissioner for Data Protection in Germany, pointed to the need to protect consumers from automatic and algorithmic decision making from big data. For example, should credit institutions be allowed to predict the likelihood of someone paying back a loan, based on who his/her Facebook friends are?

There were a few points of agreement during the conference: There was unanimous consensus that the user/consumer/ customer/citizen should have control over the use of his/her data. The discussions turned more on how to achieve that goal. Most data protection authorities seemed to agree that, in the age of big data, and re-purposed uses of big data, the consent-model of control has become obsolete, because it has become impossible to give a truly informed consent concerning the uses of one’s data: it is today impossible to predict what use our data will be put to. For example, when one uses Google’s search engine, does one consent that, if one searches for a certain chronic disease, one’s insurance premium might go up because of those search terms? Or that no employer will hire someone, based on the presumption of chronic disease as created by the use of that search term? This has led some to push for more regulation of the use of data, as opposed to regulation of the collection of data.

Another point of agreement was the need for data protection authorities to avail themselves more of IT and forensic expertise as wel as the need to educate the ignorant masses.

A very interesting term was coined by Jose Clastornic from the DPA of Uruguay: Global interoperability by design; Global privacy interoperability by design means the incorporation of international privacy standards into a national privacy legislation. This will guarantee that nation a boomig service industry, since it will become the go-to place because of its interoperable, international standards of privacy protection. This seems to be a trend in most Latin American countries, as well as China and other Asian countries.