How old is your Facebook picture? (No, don't tell me, I don't care.) How much of our privacy obsession is related to truth? For example, the weight on your driver's license was absolutely true, twenty-five years ago. Is misrepresenting ourselves part of privacy or an American obsession with creating an illusion of identity?
Data in the Cloud - Explicit consent, Right of portability, Right to be forgotten
In an honest society, what harm can really come of truth?
First, I'd like to plug JD Supra, a free resource to LinkedIn communities. I read their updates every day, and they do a fantastic job of bringing valuable legal content forward and ensuring that it comes from highly reputable sources. So Thanks!
In today's update, I learned about the European Commission's proposed changes for a General Data Protection Regulation. It got me thinking about our own Bill of Rights, and what it might be if it were written today. Perhaps we would add Explicit consent, Right of portability, Right to be forgotten.
At some point, we have to wonder when the laws will simply be superseded by actual conscientiousness. To be conscientious, according to Wikipedia, is the trait of being painstaking and careful, or the quality of acting according to the dictates of one's conscience. Sounds sort of Golden Rule.
As shared by Morgan, Lewis & Bockius LLP in "Overhaul of European Data Protection Law Announced: European Commission proposal for a new General Data Protection Regulation aims to strengthen and harmonize data protection law across Europe", the key proposals are as follows:
- Harmonization: A single set of rules will apply across Europe. It has been suggested that introducing a collective set of rules to replace the current assortment of European data protection legislation will save businesses around €2.3 billion a year.
- Scope of Regulation: The new rules will apply to businesses based in Europe as well as to businesses based outside the European Union that process European citizens’ personal data for the sale of goods or services, or the monitoring of their behavior. The new rules will, therefore, affect a large number of US and other international businesses.
- Fines: The penalties for noncompliance will be significant, with businesses facing proposed fines of up to €1 million or up to 2% of their annual worldwide turnover (depending on whether the organization is an ‘enterprise’).
- Explicit consent: The new definition of ‘consent’ under the proposed Regulation includes a requirement that consent must be explicitly obtained. Businesses will not, therefore, be able to assume an individual’s consent.
- Right of portability: Accessibility to data will be improved, and individuals will have the right to freely transfer data from one electronic processing system to another.
- Notification requirements: Organizations will be required to notify their supervisory authority of a security breach without undue delay, which means within 24 hours if that is feasible. If the notification is not made within 24 hours, it will need to be accompanied by a reasoned justification.
- Right to be forgotten: Individuals will have the right, at their request, to be forgotten by a specific organization and their data deleted from its files unless there is a legitimate ground for keeping it.
- Data protection officers: Organizations that employ more than 250 people will be required to have a designated data protection officer. The data protection officer will have specific duties in relation to advising and monitoring the organization and ensuring compliance.
EU requirements for processing personal information include:
- Collection and Use Limitations: Personal data must be “processed fairly and lawfully,” collected for “specified, explicit and legitimate purposes,” and not processed incompatibly with these purposes.
- Accuracy: Personal data must be accurate and, where necessary, up to date.
- Retention: Personal data shall not be kept in an identifiable form for longer than is necessary.
- Consent: Processing of personal data requires the unambiguous consent of the data subject or it must qualify for certain exceptions.
- Duty to Inform: The data subject must know who is collecting the data, why they are collecting it, and to whom it is going.
- Right of Access: The data subject has the right to access the data undergoing processing and, where appropriate, to rectify, erase, or block its processing.
- There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
- Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
- The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
- Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:
  - with the consent of the data subject; or
  - by the authority of law.
- Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
- There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
- An individual should have the right:
  - (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
  - (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
  - (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
  - (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
- A data controller should be accountable for complying with measures which give effect to the principles stated above.
So how does this change the way we conduct business today? How do we define privacy in our own backyard?
If your company is using third-party data, or if you gather customer information, do you have an accurate inventory of everything you collect and, more importantly, what your company is doing with it? Even if you are certain that your information has no association with a specific identity, have you considered what long-term impact compiling that information might have on groups of people in our society? Have you evaluated all potential long-term and compiled uses of that information?
My bias is toward security. This means that using technology to find criminals, prevent exploitation and guide appropriate choices is a basic expectation. I should also mention that I don't want ALL of my personal activities broadcast, just the ones that reflect me in a positive light. Doesn't that just go without saying? Go ahead and tell everyone I read 25 articles, but not that 10 were YouTube videos starting with "Sh#!... people say".
A big fear for me, and perhaps you too, is when we have to censor the truth, have to worry that religion, orientation, grade point average or other details of our lives would be used to unfairly restrict or exploit us.
I want to feel free, to be honest, share only the best parts of myself, and still go after the dream. If I have to lie to get what I want, however, is the problem the lie or that society makes that a norm?
How much of our privacy obsession is related to truth? For example, the weight on your driver's license was absolutely true, twenty-five years ago. Is misrepresenting ourselves part of privacy or an American obsession with creating an illusion of identity?
In an honest society, what harm can really come of truth?
A LOT - and thank goodness for THE ELECTRONIC PRIVACY INFORMATION CENTER, EPIC
It's just naive to treat information in one country as if it would not, or could not, be exploited by another. It's even more naive to think that the same information protected by HIPAA when created and stored in medical institutions is okay when freely entered into online questionnaires. If someone could use the information to limit the freedom or choices of an individual, you know they will. We can't continue to create uncovered manholes and argue that those who fell in should have looked where they were walking. It's not fair. It's not conscientious.
No matter the state of legislation, users need transparency over the information being collected about them, how it is used, and the downstream implications of that disclosure. If A+B=C, and C doesn't qualify for healthcare, then let's be sure kids get the impact of posting their dorm party video. We have warning labels on cigarettes. How about warning labels on any image uploads?
Look at the pretty baby!
If you knew that loading your baby's birthday pictures would be the first step in government profiling of facial characteristics, cross-referenced to social demographics like religion, income, voting practice, would you do it? What's more outrageous about that question, that you need to hide those details, or that they could be used against you?
Again, my bias is the valid use of information, not the information itself. I want pictures to equal people, and people to have political preferences, and for that to have no consequences other than making a grandma smile. But that's not reality. We can't control use, so we need to create responsibly.
EPIC Calls for Moratorium on Facial Recognition Technology is a report that literally made my heart stop. You have to read it.
The paragraph that left me breathless revealed that facial recognition is now being used in China to catch employees who are not smiling sufficiently when interacting with customers. O-M-G! Do you recall the scenes of people in the streets publicly crying over the death of Dictator Kim Jong? Did you know that facial recognition software was able to rapidly "out" anyone who was caught smiling?
This report is only 24 pages long and should be understood by anyone involved in business or technology, so that means everyone.
"III. Privacy and Security Concerns Raised by the Implementation of Different Facial Recognition Technologies
A. Facial Recognition Technology
Facial recognition technology allows commercial and government entities to use software that automates the detection and recognition of human faces and to identify people in circumstances in which they may not choose to reveal their actual identity. To detect human faces, the software searches images for identifiers including the position, size, and shape of facial features. Three-dimensional facial recognition systems, which use multiple photographs to create 3-D feature maps, are beginning to emerge and promise even greater accuracy. (24)"
[...] "There are four primary risks associated with the increased commercial use of facial recognition technology. First, ubiquitous and near-effortless identification eliminates our ability to control our identities.(31) It will no longer be possible to remain anonymous in public – a legal right that the Supreme Court has recognized carries free speech and liberty implications. (32) Second, there are privacy and security concerns associated with the collection, use, and storage of the facial geometry measurements used for identification. The International Biometrics and Identification Association stated that these measurements, called faceprints, are personally identifiable information.(33) The storage and control of this data must remain secure. Third, a fundamental understanding of the right of privacy is the ability of individuals to decide for themselves when to disclose their actual identity to others.(34) Fourth, an essential aspect of personal security, commonly described as “Basic Access Control,” is the ability of the individual to know what circumstances others are seeking access to his or her identity and to make a determination as to whether to reveal actual identity. In the proposed e-Passport, for example, it became clear that to allow a remote read of Passport by a person unknown to the passport holder would raise significant security risks for Americans traveling d.(35) The use of facial recognition techniques raises similar threats to personal safety.
The storage of personally identifiable information and the unmasking of a person’s identity are especially at risk with facial recognition technology. When there is no storage of faceprints and no identification, facial detection technology has far fewer security and privacy risks.(36) This report focuses largely on facial recognition technology."
The report concludes by saying: "As more than 100 hundred privacy organizations and privacy experts stated in the Madrid Declaration.(109) There should be A moratorium on the development or implementation of new systems of mass surveillance, including facial recognition, whole body imaging, biometric identifiers, and RFID tags, subject to a full and transparent evaluation by independent authorities and democratic debate."
Let me be one of the many to say thank you to Marc Rotenberg, EPIC Executive Director, David Jacobs, EPIC Consumer Privacy Fellow, and Maria Elena Stiteler, EPIC Legal Intern. The Electronic Privacy Information Center is located at 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009, with telephone 202-483-1140 and fax 202-483-1248.
Aren't information and protection great! Don't smart people have an obligation to do good?