Tuesday, June 18, 2013

Mirror, mirror on the wall, who is the ugliest one of them all?


Many years ago, a legal journal called me a man on a "crusade" to protect users' privacy against government surveillance.  That was back in 2007, and since then, the scale and scope of government surveillance has increased dramatically, just as the total amount of data circulating on the Internet has too.  I've been blogging about it for years:  "Should you cover your tracks from government snooping?"

Government surveillance is a worldwide phenomenon.  The purposes of government surveillance vary from country to country, from the conventional to the creepy:  fighting crime, preventing terrorism, spying on political opponents, stealing trade secrets.  In short, everyone does it.  

There's always been more focus on government surveillance conducted by the US government, compared to surveillance conducted by other countries.  That's understandable, because the US is a big country, with big companies, and big technology resources, but also because the US is comparatively transparent about its surveillance programs and the laws governing them, notwithstanding the recent revelations about certain secret programs.  

Transparency is the best answer to worldwide queasiness about government surveillance.  Various companies are already publishing data (to the extent that the governments let them) about how and when they respond to government requests.  However, I'm not aware of a single government that publishes credible statistics about its own surveillance programs.  Governments are not telling their citizens what or how much data they're collecting, why they're doing it, or how long they're keeping it.  

In Europe, it's become a parlour game to debate and decry US government surveillance programs.  By contrast, there's far less debate or transparency about European government surveillance programs.  I can't even count the number of EU Parliament debates about US government surveillance, but I can't remember a single meaningful debate in that chamber about EU governments' surveillance programs.  Similarly, media coverage focuses heavily on US government surveillance, and rarely asks hard questions about what other countries are up to, aside from the routine Chinese-hack-a-day stories.  And side-lined, the data protection regulators are largely excluded from scrutinizing their own countries' surveillance programs.  One of the few exceptions, Richard Thomas, UK Information Commissioner some years ago, tried valiantly to raise the alarm about the risks of "sleep-walk into a surveillance society".  More typical, when the French CNIL was created four decades ago, it focused almost entirely on French government data collection and privacy, but today, the CNIL has shifted its focus 180 degrees and focuses almost entirely on private sector privacy issues.  

We need more transparency about government surveillance programs, not just in the US, but worldwide.  As unsettling as some revelations about the US programs prove to be, it's even worse to know almost nothing about what all these other countries are up to.  I understand that a public scandal a day keeps media coverage in play, but the super-secret surveillance programs in Europe and around the world need scrutiny.  Thankfully, some legal experts, including privacy scholars at Hogan Lovells, are adding sober analysis of the global dimensions of this challenge to an otherwise shrill and polemical debate.  There's no hope of getting transparency about government surveillance programs in China or Russia or Turkey, but there should be vastly more transparency in democratic, privacy-sensitive countries like Europe.  For example, we know almost nothing about what the German spy agency collects, and there's very little public discussion of it, despite Germany being one of the most privacy-sensitive countries on earth.  

I've spent many years advocating for privacy protections against excessive government surveillance, in a global context.  For example, in 2007, I was blogging about government surveillance issues in Sweden.  Only governments themselves can provide real transparency.  Asking a company like Apple to explain US government surveillance is like asking a fish to explain what the fishing boat is doing.   

First, we need more transparency from governments.  Then, we can ask the tough questions:  Mirror, mirror on the wall, who is the ugliest one of them all?

Thursday, May 2, 2013

My favorite holiday photos, and a trillion others



The two-centuries-long evolution of photography has constantly pushed the boundaries of privacy.  At each stage of its evolution, photographing the world has become easier, quicker, more mobile, more ubiquitous, more systematic, and sometimes more furtive.  And in parallel, technology has constantly evolved, to make it easier to store, share, tag, identify and analyze photographs at great scale.  Throughout the evolution of photography, privacy has always depended on social etiquette to regulate what people should and should not photograph, and should and should not share.  

Some places, like my swimming club, have long had rules against photographing.  But all the rules in the world will do almost nothing, unless individuals exercise self-restraint in what they choose to photograph, or not, and what they choose to share with other people, or not.

This process has been going on a long time, and it will continue.  In the near future, can individuals lifeblog photos or videos of everything and everyone they see?  Technology will enable it.  Some people will love it.  So, once again, the question will be how social etiquette evolves in parallel to the technological evolutions.  

In privacy terms, we generally look to consent from data subjects to legitimize data collection.  But what about random people photographed in public places?  Practically speaking, it's not possible to obtain their consent to photograph them.  We live in a world with literally billions of people carrying cameras, built into small devices, with instant Internet connections.  Our world is becoming more transparent:  do the math, with billions of people, all snapping thousands (or someday, millions?) of photos.  

You can debate, and to some extent regulate, the collection of photos by large entities, like governments and companies, using drones or surveillance cameras, but you can't control what billions of free human beings will photograph and share.  Over time, governments and companies will try to figure out how they can analyze these mountains of crowd-sourced user-generated photos for their own purposes.  

As always, expectations of privacy are heavily cultural.  Technology will continue to evolve.  Expectations of privacy will sometimes collide with the technology, and each will influence the other.  Sometimes, technology will just be a few years ahead of the social consensus evolving to accept it.  Sometimes, it will be a generation ahead.  We're quickly moving from a world where billions of photos are published online, to a world of trillions.  Technology will follow its ineluctable and unpredictable logic.

As humans, we learn when it's rude to peep.  That's a super-subtle human-cultural contextually-dependent evolving social convention.  You can't (yet) teach a machine to know when it's rude to peep, or when it's rude to photograph someone's private moment in a public place.  But you can teach fellow humans.   

Smile!, as you think of 5 billion humans who will be roaming the earth photographing everything and everyone they see.  

Wednesday, April 17, 2013

The Saga Continues...now to the Italian Supreme Court


In December of last year, an Italian Court of Appeals overturned my conviction—as well as that of two other Googlers—for violating Italian privacy law in a case that stemmed from a user-uploaded video.  I was pleased that well-reasoned legal principles had prevailed, and was hopeful that that would be the end of this long saga.  Last week, however, the Italian prosecutor appealed the Court’s decision to the Court of Cassation (the Italian Supreme Court).  This case, unfortunately, is not over.  In its appeal to the Court of Cassation, the Italian prosecutor asserts—in addition to arguing that employees like me can be held criminally responsible for user-uploaded videos that we had no knowledge of and nothing to do with—that platforms like YouTube should be responsible for prescreening user-uploaded content and obtaining the consent of people shown in user-uploaded videos.  I, and the many others who have voiced their support, view this as a threat to freedom of expression on the Internet.  I’m disappointed that this case is not over, but continue to believe that ultimately justice will prevail. 

Saturday, April 6, 2013

What people in the know now know that you don't know



When I was on Rhodes recently, I marveled at how virtually every building was designed with one principle in mind:  security.  What's the biggest threat to privacy in the world today?  It's security breaches!  People in the know now worry how vulnerable the world's databases have become to security breaches.  

Shadowy armies of hackers around the world, especially in China and Russia, sometimes loosely affiliated with the governments, are succeeding in hacking the world's most sophisticated corporate and government databases.  Security experts know that it's often hard to know that you've been hacked.  I'm more worried about the companies and governments that blithely think (probably wrongly) that they have not been hacked, rather than those that have identified security breaches.  


Real people, year after year, say that identity theft is their number one privacy concern.  And usually, people become victims of identity theft after their personal data has been hacked from a legitimate controller's database, e.g., from your local hospital.


The risks of security breach are getting worse, and will continue to get much worse for several reasons.  First, the hackers continue to get more sophisticated.  Second, there's just more and more data being collected and stored everywhere.  Third, there's a proliferation of devices being used to collect, store and share data.  Fourth, the lines are being blurred between public and private databases, e.g., between what's behind a firewall and what is not.  Fifth, the rise of social networking and mass-sharing of data.

How should the laws respond to these threats?


First, security breach notification laws are a good thing.  They bring transparency and help people take precautions, after being told that their personal data may have been compromised.  The US has had these laws for over a decade, and Europe proposes to adopt similar laws soon.  


Second, controllers need to be held to account for having adequate security.  But we also have to be careful not to punish the victim.  In most cases of security hacks, the company/government that has been hacked is the victim of a crime.  They have often been hacked by highly sophisticated organized criminals.  The laws need to be careful not to punish the victims of such crimes, unless it can be demonstrated that they had failed in their duties to maintain adequate security.  If you are the victim of a burglary in your home, you don't expect the police to fine you for not having had adequate security protecting your house.  Ex post, you could always have had more security.  The challenge is figuring out what an appropriate level of security should be, or should have been.  


Third, governments and law enforcement need to step up their games in finding, punishing and dissuading hackers.  The Obama Administration has raised the issue of Chinese hackers at the highest levels of the Chinese government.  Today, sophisticated hackers successfully evade identification and punishment.  


Fourth, individuals need to be helped to protect themselves better.  For example, they can be educated and prodded to use stronger passwords, learn to use privacy settings, keep their systems' security up to date, etc.  


Fifth, ask yourself who's protecting you from the risks of cyberwarfare and cyberterrorism and industrial espionage.  Are the people who are supposed to be protecting you working together effectively?


It's pretty obvious that most government and corporate controllers have weak security.  I was recently in the offices of a French government agency processing a lifetime of my personal sensitive data, and it was operating a computer system from the 1990s!  Romanian hackers would probably need 5 minutes to steal every piece of my personal sensitive data from that system, and neither the French government nor I would ever know it had happened.


If you care about privacy, and you're not worried about security, then you're like a baby turtle, just hatched, hurtling your way to the sea, oblivious to the seagull that's about to extinguish your young life. 


Thursday, April 4, 2013

Stretch Goals for Privacy Lawyers



The global trends in privacy are crystal clear:  more privacy laws, more litigation, more regulation, more compliance obligations, more enforcement actions, bigger sanctions.  These trends are in place in almost all countries around the world, so the cumulative global impact of these trends on companies is dramatic.  So, want to guess which profession will profit from these trends?:  yes, the lawyers.  (In full disclosure, I'm a lawyer.) 

Historically, privacy leaders at companies have come from different backgrounds.  Some were lawyers, some were engineers, some were compliance managers.  At most companies, lawyers are already filling the roles of chief privacy officers (or data protection officers, as they're called in Europe).     

Privacy has changed over the years.  It is becoming an increasingly litigious matter.  A few years ago, privacy class actions hardly existed.  Now they're as common as locusts in Egypt.  

A few years ago, the sanctions for privacy breaches were relatively small, generally in line with the fact that the "harm" from them was often negligible, or difficult to define or measure.  Now, fines are increasing rapidly, and indeed, Europe plans to introduce fines in the range of 2% of global turnover, for rather routine privacy mis-steps.  Companies will have no choice but to fight threats of billion-dollar fines with teams of lawyers.  Europe is proposing billion-dollar fines for having a privacy policy that is "too vague", or for failing to properly document data processing, or for security breaches, or for riding a bicycle without a helmet.   In other words, you can face mega-fines for just about everything and anything, so you'll need plenty of lawyers to defend you. 

Lawyers are trained in reading, understanding, interpreting and advising on laws and legal compliance programs, and defending their clients from litigants and regulators.  Privacy laws, everywhere in the world, are vague, so they leave much room for legal interpretations.  The lawyers' skill set is becoming more and more central to the role of privacy leadership.  Moreover, lawyers benefit from attorney-client privileged communications internally, which is becoming an absolutely essential mechanism for privacy lawyers to have deep, unfettered, unfiltered exchanges of information and advice with their clients.  

Of course, non-legal disciplines will always play an essential role in safeguarding privacy at companies, e.g., the vital role played by security engineers.  Privacy will always be a cross-disciplinary project.  I'm not saying that the rise of the lawyer-privacy-leader is necessarily the best thing for "privacy".  Yet in the face of rampant litigation, discovery orders, vague laws, political debates, regulatory actions,  threats of billion dollar fines, companies will be looking to their privacy lawyers for a lot more than drafting a privacy policy.  It's a great profession, if you like stretch goals.  

Wednesday, March 27, 2013

Why Johnny can't read...a privacy policy



Why can't Johnny read a privacy policy?  It's because privacy policies aren't being written for Johnny to read.  They're being written for regulators and lawyers to read.  Or well, more fairly, they're being written for Johnny, in the ways that regulators and lawyers think they should be written.  

Today, privacy policies are being written to try to do two contradictory things.  Like most things in life, if you try to do two contradictory things at the same time, you end up doing neither well.  Here's the contradiction:  should a privacy policy be a short, simple, readable notice that the average end-user could understand? Or should it be a long, detailed, legalistic disclosure document written for regulators?  Since average users and expert regulators have different expectations about what should be disclosed, the privacy policies in use today largely disappoint both groups.  

On the one hand, privacy policies are supposed to be disclosure documents for the average end user.  In other words, privacy policies are supposed to be simple, readable notices that are used by any entity that processes personal data to tell their users basic stuff, like what data they collect, how they use that data, whether they transfer that data to any third parties, etc.  In addition, privacy policies are the main mechanism for entities to obtain consent from end users to process their data, even if that consent is often implicit.

On the other hand, regulators around the world, with good intentions, continually call for longer and longer privacy policies (not in those words, of course), by demanding that X, Y, and Z be disclosed.  Whether Johnny cares about X, Y, and Z is irrelevant.  Companies have to disclose X, Y, and Z, or they'll risk regulatory sanctions.  Johnny probably couldn't understand X, Y, and Z anyway, and X, Y, and Z are probably privacy-legal terms of art.  HIPAA is a famous example of legally-required privacy notices that Johnny can't read.

The time has come for a global reflection on what, exactly, a privacy policy should look like.  Today, there is no consensus.  I don't just mean consensus amongst regulators and lawyers.  My suggestion would be to start by doing some serious user-research, and actually ask Johnny and Jean and Johann.

Tuesday, March 12, 2013

We Need a Better, Simpler Narrative of US Privacy Laws



Ask yourself why a European privacy regulator can propagate the preposterous view publicly that the US has "no effective privacy laws."  And lots of people seem to believe that.  And why does it matter?

On the global stage, Europe is convincing many countries around the world to implement privacy laws that follow the European model.  The facts speak for themselves:  in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws.  Not a single country, anywhere, has followed the US-model.

Indeed, what is the US model?  People in the privacy profession know that the US has a dense "patchwork" model of privacy laws:  every individual US State has numerous privacy laws, the Federal government has numerous sectoral laws, and numerous other "non-privacy" laws, like consumer protection laws, are regularly invoked in privacy matters.  Regulators in many corners of government, ranging from State attorneys general, to the Federal Trade Commission, and armies of class action lawyers inspect every privacy issue for possible actions.   

How on earth do you explain US privacy laws to an international audience?  How do you explain the role of class action litigation to people in countries where it doesn't even exist?  The US privacy law narrative is convoluted.  That's a pity, since almost all of the global privacy professionals with whom I've discussed this issue agree with me that the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy.  (I didn't say "perfect", since laws never are, and I'm not grading them either.)

By contrast, Europe's privacy narrative is simple and appealing.  Its laws are very general, aspirational, horizontal and concise.  Critics could say they're also inevitably vague, as any high-level law would have to be.  But, like the US Bill of Rights, they have a sort of simple and profound universality that has inspired people around the world.  And they are enforced (at least, on paper) by a single, identifiable, specialist regulator. 

Europe does a great job explaining (or marketing, if you prefer).  The US has to figure out how to explain its privacy laws on the global stage. There's more at stake than just prestige.  There's more at stake than just asking why Uruguay, to take a random recent example, looked to Spain, rather than the US, for inspiration as it wrote its recent privacy laws.  What is at stake are important things:  first, trust in US-based companies and trust in the US Government around the world.  People will trust them less if they believe the story-line that they operate in a country with "no effective privacy laws".  And second, hopes to include digital trade in President Obama's initiative for a grand new US-Europe Trade Pact.  The lack of "adequate" US privacy laws is cited by Europeans as a reason why it is illegal to transfer personal data from Europe to the US, which is quite obviously, at least in part, a free trade issue.  Privacy will prove a serious roadblock to any such future trade pact, as long as some people in Europe can argue that the US has no effective privacy laws.  

Privacy is not alone among complicated subjects in need of a simple narrative. Visit a cathedral, if you need inspiration.   

Monday, March 4, 2013

A Glorious Day for a Free Internet in Italy



Just before Christmas, an Italian Appeals Court over-turned the convictions of three Googlers, including myself, for allegedly violating Italian privacy law.  Now, after roughly 2 months, the Court has issued its written opinion to explain its decision.  The Court's opinion is a lucid and ringing endorsement of the principles Google and I have been defending since the beginning of this prosecution 6 years ago:  
  • Intermediary Liability:  The Court held that Internet platforms, like Google Video or YouTube, are not responsible for user-uploaded content, absent notice of inappropriate content.  These platforms also cannot—and should not—be required to pre-screen content that is uploaded to them.  Any efforts to pre-screen content would raise serious risks to users’ freedom of expression.  In the Court's own words:   “Imposing a duty on or granting the power to, an internet provider to carry out prior screening seems to be a step that is to be afforded particularly careful consideration, given that it is not entirely free of risk due to the possibility of a conflict arising with the principles of freedom of expression of thought”.
  • Privacy:  The Court held that people who film and upload videos are responsible for compliance with data privacy laws.  Internet platforms cannot possibly obtain the consent of people appearing in user-uploaded videos.   In the words of the Court:  "it is patently clear that any assessment of the purpose of an image contained in a video, capable of ascertaining whether or not a piece of data is sensitive, implies a semantic, variable judgement which can certainly not be delegated to an IT process".
  • Criminal Responsibility:  The Court recognized the basic legal principle that employees like me could not have the required criminal intent to violate data privacy laws when they had nothing to do with, and weren't even aware of, the alleged criminal data privacy violation.  

This case was never about me at all, as I was just a random and unfortunate vehicle for a broader judicial test of  intermediary liability.  Obviously, I'm relieved personally to be acquitted.  But I'm delighted that this case has generated a clarion legal precedent in favor of freedom of expression.  In particular, I'd like to thank the many people who expressed their support for me throughout these six years, in particular, my numerous colleagues at Google and my stellar team of outside counsel, all of whom worked tirelessly to see these principles prevail.  And I'd like to thank the many people who realized that there were important principles at stake in this prosecution, who added their voices to the policy debate, in Italy and beyond.  This saga is (probably, hopefully) over for me.  

Together today, we can celebrate and applaud this step forward towards a brighter digital future in Italy.  

Sunday, February 17, 2013

Don Quixote



Re-read Don Quixote as you follow the debate about revising Europe's privacy laws. Is it more noble to pursue the glory of fantasy over the indignities of the real world? Do we want to defend an obsolete chivalric code, while the rest of the world looks on with derision?  Do we want a strong privacy law that can be operationalized or a glorious piece of literature? 
 
American companies are starting to freak and shriek about Europe's upcoming new privacy laws. In turn, various European politicians are publicly posturing about how all this is required to rein in American companies, while feigning resentment that American companies are lobbying for their interests in Brussels. In reality, of course, the new proposed EU laws are full of flaws, in particular imposing lots of pricey new compliance-bureaucracy obligations, and threatening minor compliance violations with absurdly-high fines in the range of 2% of a company's global turnover. But let's not let reality sully this tale. Don Quixote is defending privacy against the American-mega-corporate-privacy-slayers. Don Quixote is defending the Right to be Forgotten.
 
Sadly, things don't end well for the noble knight, unsettling and unsaid...American companies will come out big winners, compared to their European rivals. European companies face decades of innovation-paralysis under the new rules. American companies will just reorganize and relocate certain operations out of Europe to mitigate risk.
 
Like many people in the privacy profession, throughout my career, I had always thought it was sensible to apply Europe's privacy laws worldwide, in the interests of maintaining one, consistent worldwide standard. I'm changing my mind now. As the proposals to revise the privacy laws in Europe become whackier by the day, I am starting to believe that the "world" will have to watch Europe do its own thing in its own backyard, while maintaining a different, faster, more innovative pace in the "rest of world". Granted, Europe is a market that is just too big to ignore, but that's no reason why special compliance rules for it should be exported globally. No one applies Chinese censorship rules outside of China, so this would hardly be the first time that companies apply special rules in one particular country/region.
 
Europe's proposed rules will end up costing a lot, if you care about innovation in Europe. I'm a technophile, in the sense of believing that fast innovation is the only hope to maintain high rich-world living standards for our aging Western societies in the future. But I am troubled by how many roadblocks are being put in place to drag down the speed of innovation. Don't get me wrong: I'm all for serious privacy ethics, for privacy sensitivity, for privacy by design. But I'm not a fan of privacy-bureaucracy-drag. Europe, as one would expect, developed the world's most extreme form of bureaucracy-drag, when it invented the notion of bureaucratic "prior approval" for new technologies. That means that a new technology is dependent on a bureaucracy's prior approval before being launched. Or prior approvals for international data transfers (how absurd, in the age of the Internet!). Or prior approvals for binding corporate rules, and a thousand other bureaucratic hills and hurdles. Reality, again, is often a rather dispiriting affair.
 
Despite all its good intentions, Europe is also giving the world hopelessly vague privacy laws, sometimes enforced with criminal penalties. For example, what does it mean to impose jail time on someone for "processing sensitive personal data without the data subject's consent"? Does that justify jail time for posting a photo to a social networking site, given that a photo will reveal a person's race and sometimes health conditions (all, "sensitive" categories)? I have faced personal criminal prosecutions on flimsier privacy-law grounds than that, so these are hardly hypothetical risks. In short, Europe is making it increasingly risky to pursue innovation in the field of Big Data, in Europe.
 
The cynical realists will see that Europe's innovation-inhibiting privacy laws will simply drive more Big Data and Internet innovation to move increasingly outside of Europe. Will we see companies choose to move their research arms elsewhere, for example, to the US or India or Singapore? Ask yourself whether US or European companies will turn out to be more hobbled by Europe's rules? The answer is obvious: European companies will have to swallow these new rules entirely, while non-European companies can simply ring-fence their slower, less innovative operations in Europe. Companies may end up offering a series of slower, less-cutting-edge services in Europe, given the significant risks that cutting-edge data-services could be smacked with massive fines.
 
I say all this with sadness, as the world moves on. Who am I to deride Don Quixote's dream? Who am I to celebrate the demise of his delusions?

Monday, February 11, 2013

Talking Privacy to the Guys in the Pool


I'm in Florida for a few days, joining the Privacy Law Salon, and a chance to talk about privacy with a lot of experts in the field. But I usually think it's more fun to talk about privacy with the guys in the pool. Ft Lauderdale is the home of the International Swimming Hall of Fame, so it's a change of scene from my usual Paris pool. We don't hang on the walls long, so conversations are short.
   
Privacy is more important than security? Not true. Without security, you drown. You're either being hacked and know it or being hacked and don't know it. Imagine drowning without even realizing it. All of privacy is a wobbly edifice built on the foundations of security. If the foundations aren't solid, then the edifice will crumble.
 
Privacy is contextual: We live in Speedos, but can't wear one to the office. Online screws up context, because it takes data from one context and re-uses it in another. People peek, machines record. You can't attribute human motives to a machine, or teach it that it's rude to stare.
 
Privacy is about losing it: We never give a thought to privacy, until it's gone.  Like breathing, you don't think about it, but in a lungbuster set, breathing on stroke 3, 5, 7, by 9 you will explode if you don't breathe.
 
Privacy requires discipline: 6 am, get up, go to pool. People expect anyone who holds their data to have fault-proof privacy, in particular iron-tight security, no excuses, no days-off. But in reality, nothing is perfect and people are only human. Like a cramp in the middle of your swim. You younger start-up guys are faster, but you're half my age. Sure, you can swim 50 free faster, but can you sustain it for a lifetime?
 
Privacy requires transparency: Coach sees your stroke. Privacy should be as transparent as possible. But privacy processing on the modern Internet has become so complicated, technically and in terms of scale, that human brains can scarcely comprehend it anymore. How can I grasp machine learning algorithms, when I can barely count laps? And you're supposed to explain every aspect of online processing to the average user, like explaining a flip turn in words to a non-swimmer?

Privacy is not a team sport: Even if you swim in a team, you still swim alone. Privacy is a social construct about one individual identifiable human being. Nothing in the Age of Big Data is going to change the fact that privacy is about the individual. And conversely, if it's not about an individual, then it's not about privacy. The team doesn't have privacy, it's about each of us individually, just like a team medley is really four individual swims in a row.
 
There's no place called privacy. There's no destination in swimming either, you just go round and round until your mind or body gives up. Most of my work in the field of privacy and technology is like a sandcastle on the beach, washed into irrelevance by the next tide of technology. And yet, I never doubt its importance.

The zone is furtive. A lifetime of work and setbacks, 10K per day, and then for a fleeting moment in the pre-dawn darkness, my mind goes blank and everything disappears except the sensation of an ecstatic wave chasing a vision of the perfect fly.

Monday, February 4, 2013

Why is Bing calling me a "Google Criminal"?



It's always a good idea, from time to time, to search on your own name.  When I searched on my own name, here's what Bing suggested:

Search engines like Bing offer auto-complete and related-search suggestions.  These help people find what they're looking for faster.  Auto-completion is determined algorithmically, largely based on the search queries that the largest number of searchers have typed in the past.  If you start to search on the term "New York City", auto-complete may suggest "New York City weather" or "New York City subway".  Related search suggestions will show query terms that are most likely to return content relevant to the original query term.

The algorithmic principles are the same for searches on individual names.  Use a search engine to start typing in your own name, or any name, and you'll often see auto-complete suggestions that can border on the offensive.  It's therefore a common reaction for some people to say:  I demand that the search engine block this term from searches on my name.  

Take my personal example.  I know that lots of people and sites have reported on my criminal conviction on behalf of Google in an Italian court, for which I was later acquitted on appeal.  Of course, I recognize that search engines are not really calling me a "criminal".  They are not exercising editorial control over the association.  They are using algorithms to associate my name with what other people have searched for in the past, or with the related search query likely to generate the largest number of relevant search results.  The underlying content may just as well be saying:  his criminal conviction was overturned on appeal.  So, I haven't asked Bing to block the word "criminal" from searches on my name.  I don't believe that they should, or should have to, and I'm sure Bing would refuse even if I asked them. 

Over and over again, especially in Europe, I see "privacy" being used as a justification to censor free speech.  The poorly-defined "right to be forgotten" is a much-discussed example.  I don't understand how we could protect notions of freedom of speech, and the neutrality of search engines, if people could decide themselves which terms they did not want associated with their names.  Practically, who would decide which terms were acceptable and which are not?  I think it's very dangerous to try to use search engines to censor search suggestions from reflecting content on the web, or to manipulate the algorithms to prevent them from objectively reflecting what users search for. 

There are a lot of people who don't want to see search engines make common suggestions after their names with terms like "Jew" or "gay" or..."criminal".  In a nutshell, that's the question:  Should some sensitive words simply be filtered from such results, or is that a step too far down the slippery slope of censorship?  

Friday, February 1, 2013

MSFT goes forum shopping to...Luxembourg



Microsoft has very large operations all over Europe, in particular in Dublin, London and Paris.  So, it came as a bit of a surprise to me to learn that Microsoft has forum shopped Luxembourg, as its governing law and lead regulator for the roll-out of its new privacy policy, as reported by Bloomberg Businessweek.  Indeed, as a lawyer, I tried to decipher Microsoft's Services Agreement "13.3. Europe. If you live in (or, if you are a business, you are headquartered in) Europe, you are contracting with Microsoft Luxembourg S.à.r.l., 20 Rue Eugene Ruppert, Immeuble Laccolith, 1st Floor, L-2543 Luxembourg and the laws of Luxembourg govern the interpretation of this agreement and apply to claims for breach of it, regardless of conflict of laws principles,..." 

This runs contrary to the entire ethical premise of a "main establishment" in Europe, built on the idea that the laws/regulators of that European Member State should govern companies where they have their main establishment.  That's why Facebook is operated in Europe under Irish laws and why the Irish regulator is leading the European privacy reviews into it.  Facebook clearly has established its main establishment in Ireland, in terms of governance, headquarters, employees, etc, in other words, in the real world, rather than just a legal mailbox fiction.  

So, could Luxembourg possibly be the "main establishment" in Europe for Microsoft?  Of course not.  Microsoft has forum shopped a tiny European country, for whatever legal, tax, or regulatory advantages it thought it could gain from "locating" there, without of course, "locating" hardly anything there at all.  

I have long supported the need to create the concept of "lead regulators" and "main establishment", in order to bring more efficiency and predictability to privacy in Europe.  But my advocacy has always been based on the belief that the selection of "main establishment" should be based on objective criteria, like having a large workforce and real-world activities located there. 

A shrewd company like Microsoft goes forum shopping and claims that its dealings with nearly half a billion people in Europe are governed by the laws and regulators of the tiny Grand Duchy of Luxembourg.  Blimey.   

Thursday, January 31, 2013

Acquitted in Italy, finally


Finally, after 6 years of criminal prosecutions and appeals, my colleagues and I have been acquitted of a “privacy crime” in Italy.  

This case generated significant interest in the broader legal and Internet communities.  Some dismissed the entire proceedings as absurd.  Others viewed it as a seminal test of freedom of speech and the liability of Internet platforms for user-generated content.  I want to share a few thoughts, both on the procedural next steps, and on the broader significance of the verdict, from my personal perspective.  

Procedural Next Steps:  The Milan court announced its decision to acquit us on December 21, but it has until February 19 to issue its written decision.  The Public Prosecutor will have until roughly April 5 to decide whether or not to appeal the acquittal to the top Court of Cassation.  So, things are not quite finished...

Why is the case important?  Well, first, my colleagues and I were on trial personally.  Indeed, Google Inc was never on trial here.  Under Italian law, you can’t put a corporation on criminal trial, so the prosecutors had to find some “responsible” humans instead.  The lower-court judge imposed 6-month (suspended) jail sentences on three of us defendants.  I was always baffled by the conviction, because the Italian Privacy Code’s Article 13, on which my conviction was based, doesn’t carry a criminal penalty and I had no connection, direct or indirect, with the incident or conduct of affairs of Google Italy.  As a lawyer, I would have thought:  case closed!

For many years, I simply refused to set foot in Italy.  Criminal law is a blunt instrument that is inappropriate as a regulatory tool.  My criminal prosecution in Italy is a terrible example of a court trying to make Internet/privacy policy in a very dynamic field through criminal prosecution. Let the Garante, the Italian Parliament and the European Union resolve such issues.  

Globally, this case resonated, because people quickly understood that this has a direct impact on free speech and freedom of the Internet. The Internet is an incredibly valuable resource that provides services to the world’s population not even imaginable a decade ago. It can only function in an open and free environment, and intermediary liability is a critical issue.

This case also affected the global perceptions of Italy, in terms of business and e-commerce.  Italy was simply viewed as out of step with how other advanced countries are dealing with these issues, or as one journalist put it more colorfully:  “Italy risks internet Stone Age with trial of Google Executives.”  By maintaining this aggressive use of its criminal privacy laws, it moved itself further outside of the area of risk that e-commerce businesses are willing to take on to do business in Italy. Why would anyone locate an EU e-commerce headquarters or major data center in Italy given this risk?  

The case dealt with the unfortunate ways that vulnerable victims can be injured by users of the Internet. The Italian courts had already dealt with the students who abused the victim here and their teacher who made this unfortunate incident possible.  But the appeal by us three Google employees raised far different issues. Billions of photos and videos are uploaded to Internet platforms around the world every day.  Is it fair or right to prosecute employees of the internet company that provides the forum and search capabilities for a single bad photo or video that is later found amongst those billions of others?  

I am relieved that justice was finally served in Italy.  I hope the prosecutor does not choose to appeal this case to the top Court of Cassation.  Enough is enough.  I have no idea how much Italian public resources have been wasted on this mis-guided 6-year prosecution.  This prosecution served no public interest, and least of all, Italy’s.  Justice has now finally been done, and it’s time to let this entire sorry saga rest in peace.     

Tuesday, January 29, 2013

My Resolutions on Privacy Day



January 28 is Privacy Day.   I love the privacy profession.  Privacy Day is a good day to reflect a bit, and January is the time for new resolutions.  Here are mine:     

1)  Take the high road:  I've chosen a career built on the fault lines of privacy, and it's my job to help people cope with them.  This stuff matters, real people get hurt every day, and I should try to be worthy of it. Can you imagine the anguish of a teenager who would jump off a bridge when his privacy was invaded?  

2)  Respect governments:  Governments are full of contradictions.  One arm regulates privacy while another arm operates vast surveillance systems.  Show respect for governments by fighting every day for the rule of law, especially where the rule of law is weak.   

3)  Streamline:  Privacy is a field that has spawned a complicated compliance bureaucracy.  Meet your compliance obligations, but paperwork is not your life's mission.  Don't become entangled in it like a turtle in a fishnet.    

4)  Be a lawyer, not a martyr:  don't let people hold you accountable for stuff over which you have no control.   I've been through years of criminal prosecution for not stopping a single video upload, in a world of billions of videos.  I'm a lawyer and a privacy professional.  I'm not a scapegoat for the sins of the Internet.       

5)  Stay pragmatic:  Privacy law has always been a tussle between two schools:  the realist/pragmatists and the aspirational/fundamentalists.  Follow the pragmatists' lead:  take a look at the eminently reasonable and pragmatic leadership shown by the UK Information Commissioner's Office new cookie disclosure.  Leave privacy-as-a-beautiful-fiction to the poets.  

6)  Strong backbone:  emulate people who have the backbone to deny requests for users' data from law enforcement, when law enforcement doesn't follow the rules.  Admire the backbone it takes to make these statistics public.  

7)  Help the courts resolve the law's conundrums:  you're not a court, and don't try to resolve real-world conflicts between the Right to be Forgotten and Freedom of Expression.  The world will throw these knots into your lap and ask you to untangle them.   Throw them back to the courts where they belong. 

8)  Operationalize:  Privacy is a field full of reality-divorced rhetoric, and it always has been.  The legislative debate in Brussels over revising the EU privacy laws is wandering through whacky, weird wonderland.  As privacy professionals, our job is to operationalize privacy rules.  If the law-composers in Brussels are writing a score that no human musician can play, what good is that?

9)  Cherish your private zen-zone:  I swim a lot.  It helps me focus and stay calm.  Privacy issues are becoming more intense, laws and lawsuits are proliferating, criminal laws are being invoked more frequently.  I start most days with intense swim training:  After 8X50 descending set fly, I can face just about anything.  

10) The best is yet to come:  Tech will evolve, faster than you think.  Internet services will get more personalized.  Big Data will get bigger.  Government surveillance is increasing.  Security attacks will become more dangerous and sophisticated.  Machines and nanotech will be able to record and remember everything.  

And you, dear privacy professional, should steel yourself to stare into the luminous face of the future.  

Happy Privacy Day!  

   

Thursday, December 6, 2012

My Italian Appeal


My Google colleagues David Drummond, George De Los Reyes (now retired) and I were convicted in Milan, Italy in 2010 for violating Italian privacy law.  We have appealed these convictions.  The first appellate hearing took place in Milan on December 4.  I attended the hearing in person.  The next hearing will take place on December 11.  I want to describe this appeal, and the broader issues at stake in this appeal, from my personal perspective.

First, a review of the facts:  in 2006, students at a school in Turin, Italy filmed and then later uploaded a video to Google Video that showed them bullying an autistic schoolmate.  Google Video was a predecessor to YouTube.  The video was totally reprehensible and violated Google Video’s terms and conditions of service.  Google took it down within hours of being notified by the Italian police of the presence of the offensive video, consistent with its policy to remove any content that violates the terms and conditions of service. Indeed, Google had clear policies and processes in place to help ensure that objectionable content was dealt with swiftly and effectively. Google also worked with the local police to help identify the person responsible for uploading it and she was subsequently sentenced to 10 months' community service by a court in Turin. Several other classmates who were involved, as well as the teacher who failed to stop the offensive conduct, were also disciplined.

In these rare but unpleasant cases, that's where Google’s involvement would normally end.  Under European law, hosting platforms that do not create content, such as Google Video, YouTube, Bebo, Facebook, and even university bulletin boards, are not legally responsible for the content that others upload onto these sites. But in this instance, a public prosecutor in Milan decided to charge us with criminal defamation and a failure to comply with the Italian privacy code.  None of us, however, had anything to do with this video. We did not appear in it, film it, upload it or review it. None of us knew the people involved or were even aware of the video's existence until after it was removed.  

Nevertheless, in 2010 a judge in Milan convicted the three of us for failure to comply with the Italian privacy code and sentenced us to six-month suspended jail sentences.  We were all found not guilty of criminal defamation. This ruling means that employees of hosting platforms like us can be held criminally responsible for content that users upload, even if we’re completely unaware of the content. We are now appealing this extraordinary decision both to clear our names and because it represents a serious misunderstanding of privacy law online and a threat to freedom on the web.  European Union law gives hosting providers protection from liability so long as they remove illegal content once they are notified of its existence in order to provide protection for hosting providers and their employees in exactly this circumstance.  Sweeping aside this important principle and attacking the very freedoms on which the internet is built threatens the continued availability of sites that accept user generated content.

Although we were convicted of violating the student’s privacy, it is the bullies who took the video and put it up on the site, in violation of the representations that they made to Google regarding the content of the video.  It is those bullies who should be, and have already been, held legally responsible for failing to comply with their obligations under the privacy law.

The European Union's Electronic Commerce Directive, enacted in 2000, sets a clear legal framework for establishing liability for unlawful content on the Internet. It prevents liability for those who merely provide the forum for sharing user generated videos, drawing a clear line between those who develop and control content for the Internet, and those who, in their capacity as technological intermediaries, provide the means and the tools to make this content publicly available.

By establishing legal certainty and creating a single EU-wide standard, the E-Commerce directive allows the development of open platforms that promote free expression on an unprecedented scale and has played a crucial role in speeding the rapid growth of the Internet and the development of the new economy in Europe.

How does the E-Commerce prescription work in real life? Say an Internet user uploads a video filled with illegal hate speech or violence. When notified of this illegal content, the hosting platform is obliged to take it down. The hosting platform, however, is not obliged to monitor and prevent the upload. The guilty party is the Internet user who posts the content. In this case, Google did exactly what the E-Commerce directive requires - it removed the content upon notification, and took the further step of cooperating with law enforcement requests, helping to bring the wrongdoers to justice.

If Google and companies like it were responsible for every piece of content on the web, the Internet as we know it today – and all of the economic and social benefits it provides – could not continue.  Without appropriate protections, no company or its employees would be immune: any potentially defamatory text, inappropriate image, bullying message or video in which third parties appear would have the power to potentially shut down the platform that had unknowingly hosted it.

Google and other Internet hosting platforms require legal certainty with respect to their liability. By retroactively creating new obligations for hosting platforms – and attaching criminal penalties for employees like us – this conviction destabilizes the certainty of law.

The judgment also criticizes Google’s terms and conditions of services included in its agreements with users of its video sharing service, suggesting that Google buried it in difficult to understand privacy clauses characterized as a “prefabricated alibi.” Yet all types of businesses, from financial and retail to Internet companies operate with consumers on the basis of similar contractual terms of service.

The judgment’s reasoning subjects hosting providers and their employees to uncertain and progressively higher standards as technology advances. What new legal obligations might be imposed in the next case before a criminal court? It is this uncertainty which menaces Internet freedom. In his closing lines, the judge himself raises this dangerous possibility -  “There is no doubt that the amazing speed with which technology is advancing will allow the managers of web sites to control the uploading of content,” he writes. “The existence of increasingly sophisticated pre-screening filters will imply great responsibility for operators. Criminal liability (negligent or willful as the case may be) for omitting to carry out checks will be a lot easier to find.” While this may have been the view of the trial judge, it was not the view of the Italian Parliament when it implemented the EU directives providing for protection for hosting intermediaries like Google. We do not share the judge’s view of a future internet where hosting companies monitor and prescreen all of the content uploaded by their users and unilaterally determine what will be available for sharing with others.

By criminally prosecuting individuals like us who were not connected to the video at issue, this case represents a dangerous precedent. To seek criminal penalties against employees just because they work for a company that provided a hosting platform is a chilling prospect, and threatens to have a substantial impact on the future development of the Internet.

The real culprits, the teenagers who bullied their classmate and uploaded the video of it, and the teacher who permitted it to occur have already been identified and punished.  The entire matter should end there.  

Monday, November 26, 2012

Should you cover your tracks from government snooping?




Most of us store a lot of stuff in the cloud.  For example, most of us keep lots of old emails in the cloud, since storage is free, they're easily searchable, and it's always possible that those old emails could come in handy some day.  In fact, there are a lot of practical reasons to keep stuff like old emails forever.  Yet it's worth taking a moment to consider the risk that governments can access data that you choose to keep. 


Governments are in a unique category, since they can simply pass laws to give themselves the rights to access data.  Some of these laws are wildly out of date, and simply no longer fit for purpose, in particular the US law from 1986, called the Electronic Communications Privacy Act.  For some years now, there have been many calls to Congress to update these laws.  Perhaps the Petraeus scandal will give this movement new impetus, since the privacy debate usually advances only when abstract privacy concepts are given a human face and a story that people can empathize with.  

As a normal user of email, it's fair to ask whether there's any reasonable risk that a government would be interested in accessing my emails.  After all, most of us are not Director of the CIA or cybercriminals.   As a matter of civil liberties, it's important for everyone to have some sense of the balance between privacy and surveillance that the government has chosen.  As a user, I want to know which governments are accessing data, and how often.  I know that published metrics will be imperfect, but I want to have more transparency, so that I can make my own decisions, as a user and as a citizen.  


Seen from a global perspective, it's important to realize that most governments around the world are accessing user data.  It's not just one or two governments.  I can't count the number of times privacy advocates in Europe have warned users that the US government could potentially access their data in the cloud, without mentioning the risks that their own governments could do the same thing.  In fact, to take the French example, the French government is trying to launch a "French cloud", explicitly to try to evade US government surveillance, even though this taxpayer-funded initiative is based on "bad assumptions about cloud computing and the Patriot Act", and even though France's own anti-terrorism law "has been said to make the Patriot Act look 'namby-pamby by comparison'", as reported on ZDNet.  I think it's fair to assume that most people would be far more uncomfortable with foreign governments, rather than their own governments, accessing their data.  That points to one of the hardest issues in the cloud, namely, that multiple governments can (and do) have the power to demand access to user data, if they follow appropriate legal procedures. 


In light of all this, I believe that it's an ethical imperative for companies that are entrusted with user data to publish statistics on governments' requests for access to user data.  A number of web companies are now publishing data on all this, in addition to Google, which started this trend of reporting on governments' requests for user data.  I strongly encourage you to take a look at those statistics, which may challenge some of your long-held intuitions about which governments are most active in trying to access user data.  Other companies have also started publishing statistics:  Dropbox, LinkedIn, Sonic.net and Twitter.  But most companies are still not publishing any such statistics.  


A lot of companies are failing their users now.  The Electronic Frontier Foundation ranked companies in "When the government comes knocking, who has your back?"  There are a lot of big names on that list doing very little to give their users transparency.  


In the meantime, as users, we all have to decide if we want to keep thousands of old emails in our inboxes in the cloud.  It's free and convenient to keep them.  Statistics published by some companies seem to confirm that the risks of governments seeking access to our data are extremely remote for "normal people".  But the laws, like ECPA, that are meant to protect the privacy of our old emails are obsolete and full of holes.  The choice is yours:  keep or delete.  I'm a pragmatist, and I'm not paranoid, but personally, I've gotten in the habit of deleting almost all my daily emails, except for those that I'd want to keep for the future.  Like the rule at my tennis club:  sweep the clay after you play. 



Wednesday, November 14, 2012

Book Burning, updated for the Digital Age







We're so much more enlightened than prior Book Burning Generations, aren't we?  Book burning has a long and inglorious history.  History also teaches us that the book burners usually end up getting burned themselves.  

Think of Savonarola in 1497, in the famous Bonfire of the Vanities, burning books and objects that were deemed temptations to sin.  Two years later, Savonarola was himself burned at the stake.

Think of the Nazis in 1933, burning "un-German" books.  Twelve years later, they left Germany burning, along with much of Europe.  

Book burning has been with us in every age.  Books were burned to protect the faith, or to protect the nation, or to protect the regime.  Now, in order to protect "privacy", Europe is creating a poorly-defined, poorly-conceived "Right to be Forgotten", on which I've blogged before.  Are we re-igniting the long tradition of book burning?   

In the digital age, we don't burn physical books.  Instead, we delete data.  

The Right to be Forgotten is more pernicious than book burning.  The Right to be Forgotten attempts to give to individuals the legal rights to obliterate unpalatable elements of their personal data, published in third-party sources, whether they are social networking sites, or newspapers, or books, or online archives.  In the real world, these can be things like a report on a politician taking a bribe.  Or a doctor put on trial for medical malpractice.  Or a person filing for bankruptcy.  You can easily see how the person concerned could have an interest in obliterating any reference to these embarrassing facts, while other people might have a very legitimate interest to know about them. 

Historically, book burning was usually a symbolic, political protest act.  No one burning books was under the illusion of destroying the text of a book being burned.  Only the physical copy of the text was being burned.  The text would survive elsewhere.  But the Right to be Forgotten is attempting to obliterate the text, the source, the facts themselves, and not merely some copy of those facts circulating in a physical book or newspaper or online site.  

Deleting data in the name of the "right to be forgotten" is only the tip of the privacy-ideology iceberg.  One of the core tenets of this ideology is that all personal data should be deleted, as soon as it is "no longer necessary".  This ideology is based on the fear that any personal data could be mis-used to invade someone's privacy, and that the risk of an invasion of privacy should automatically outweigh any potential future benefits of retaining the data.  This is a deeply pessimistic ideology, which concludes that retaining data can give rise to future risks and to future benefits, but since we don't yet know what they are, we should default to deleting the data to prevent the risks, rather than retaining them to enable the benefits.  

As Savonarola might say, in an outburst of data deletion demagoguery, let's burn all those "vanities", those databases of personal data, which are nothing but temptations to sin against someone's privacy.  But the opposite may prove true, that these vanities are databases of great value and beauty, and we will someday learn it would be a sin to obliterate them.  Botticelli is believed to have burned some of his paintings, as he was caught up in Savonarola-fever.  A few years later, Botticelli renounced Savonarola's worldview.  

I can understand that databases should be protected, secured, analyzed responsibly, yes...but obliterated?, just because something could go wrong?   If we took that approach in the rest of our lives, what would be left?  How bizarre that this destructive pessimistic philosophy on data deletion has become conventional wisdom, at least in Europe.  Well, for now.  In the long run, book burning has never been a winning strategy.  If you think our age is more enlightened than prior ages of book burners, why do you think burning books in the name of privacy is more legitimate than burning books in the name of race, religion, or regime?











Monday, November 5, 2012

The Marketplace of Privacy Compliance Programs

The data protection establishment, worldwide, has been inventing a lot of new privacy compliance programs.  All these different, well-intentioned initiatives are meant to serve the same purpose:  improve privacy protections.  All of them are, or likely will soon be, mandatory for most big companies.  I can hardly keep track of all the different initiatives, but here are the ones I have struggled to understand:

  • Accountability
  • Privacy by Design
  • Privacy Impact Assessments
  • Consent Decrees
  • Audits (internal and external)
  • Regulatory reviews
  • Data Processing Documentation
  • Database notifications/registrations
  • Binding Corporate Rules
  • Safe Harbor Compliance programs

Lots of my acquaintances in the privacy field have asked me what I think about all this:   Are these programs meant to run independently, even if they overlap and cover the same ground?  Does anyone have a clue how much all this will cost?   Where do you turn for help to implement these programs?  Can one solid privacy compliance program be implemented to meet all of these goals?  Clearly, all of us privacy professionals are struggling to understand this. 

I'm sure we all believe that privacy programs need a solid compliance-program foundation to be effective.  Most of us also probably believe that different actors should have the freedom to develop programs that fit their cultures.  Nimble Internet companies have very different cultures than government bureaucracies, so naturally, these different cultural worlds must have the freedom to design programs that work in their respective cultures.  Clearly, one-size-does-not-fit-all.  Programs have to be customized for the size and sensitivity of the processing.  A government database of child-abuse records is more sensitive than a database of some web site's analytics logs, so it's wrong to try to run the same compliance programs for both. 

On cost:  despite all the good intentions motivating these compliance initiatives, no one has even begun to figure out what all these compliance programs are going to cost.  Take Europe as an example:  I've read some statements from politicians that future EU privacy laws will reduce business' compliance cost.  That is simply not credible.  On the one hand, under the new rules, businesses in Europe will save a little money, once they no longer have to fill out national database notification forms across Europe.  In the scheme of things, that is peanuts.  On the other hand, imposing new compliance obligations (mandatory privacy impact assessments, mandatory data protection officers, mandatory security breach notifications, mandatory data processing documentation) will cost a lot.   The problem is that nobody knows how much all this will cost.  I'm working on the educated guess that the current EU privacy compliance proposals will increase the privacy compliance costs on businesses in Europe ten-fold, starting around 2015.  Yes, ten-fold.  That excludes the costs of fines and sanctions for non-compliance, now proposed to run up to some percentage(s) of a company's worldwide turnover.  This massive increase in compliance costs is largely the result of the proposed EU sanctions for failing to adequately document compliance programs.  I'm still hopeful that more realistic compliance obligations will be created for Small and Medium sized Enterprises, but the big trend is clearly towards costly new compliance obligations in Europe.  

I get the feeling that the many people debating privacy laws have no idea (and perhaps don't care) how much all this ends up costing.  I also haven't read any classic regulatory cost/benefit analysis on these new obligations.  As a lawyer trained at Harvard in the cost/benefit analysis of government regulations, I am surprised to see that there's been essentially zero academic or economic analysis to decide which privacy compliance rules are effective and which are pointless red tape.    

At the writing of this blog, I really don't know how all the compliance initiatives above are supposed to fit together.  I don't know which are superfluous.  All this has yet to be worked out.  While each of the programs above overlaps with the others in some ways, each is also slightly different too.  We've got to figure out how to minimize duplication among these programs, or we're all going to waste our time and money on re-inventing the wheel.  

Privacy compliance initiatives today remind me of the early days of the railroad, when each railroad line had its own track width, meaning trains could only travel on one track.  Eventually, all this will get sorted out, just as railroad track width was eventually standardized, but in the meantime, I fear we're all going to be running around in circles.  Like the early days of the railroad, we're still in the early, experimental, inefficient, non-standardized, frontier-age of duplicative privacy compliance programs.