Wednesday, April 17, 2013

The Saga to the Italian Supreme Court

In December of last year, an Italian Court of Appeals overturned my conviction—as well as that of two other Googlers—for violating Italian privacy law in a case that stemmed from a user-uploaded video.  I was pleased that well-reasoned legal principles had prevailed, and was hopeful that that would be the end of this long saga.  Last week, however, the Italian prosecutor appealed the Court’s decision to the Court of Cassation (the Italian Supreme Court).  This case, unfortunately, is not over.  In its appeal to the Court of Cassation, the Italian prosecutor asserts—in addition to arguing that employees like me can be held criminally responsible for user-uploaded videos that we had no knowledge of and nothing to do with—that platforms like YouTube should be responsible for prescreening user-uploaded content and obtaining the consent of people shown in user-uploaded videos.  I, and the many others who have voiced their support, view this as a threat to freedom of expression on the Internet.  I’m disappointed that this case is not over, but continue to believe that ultimately justice will prevail. 

Saturday, April 6, 2013

What people in the know now know that you don't know

When I was on Rhodes recently, I marveled at how virtually every building was designed with one principle in mind:  security.  What's the biggest threat to privacy in the world today?  It's security breaches!  People in the know now worry how vulnerable the world's databases have become to security breaches.  

Shadowy armies of hackers around the world, especially in China and Russia, sometimes loosely affiliated with the governments, are succeeding in hacking the world's most sophisticated corporate and government databases.  Security experts know that it's often hard to know that you've been hacked.  I'm more worried about the companies and governments that blithely think (probably wrongly) that they have not been hacked, rather than those that have identified security breaches.  

Real people, year after year, say that identity theft is their number one privacy concern.  And usually, people become victims of identity theft after their personal data has been hacked from a legitimate controller's database, e.g., from your local hospital.

The risks of security breach are getting worse, and will continue to get much worse for several reasons.  First, the hackers continue to get more sophisticated.  Second, there's just more and more data being collected and stored everywhere.  Third, there's a proliferation of devices being used to collect, store and share data.  Fourth, the lines are being blurred between public and private databases, e.g., between what's behind a firewall and what is not.  Fifth, social networking and the mass-sharing of data are on the rise.

How should the laws respond to these threats?

First, security breach notification laws are a good thing.  They bring transparency and help people take precautions, after being told that their personal data may have been compromised.  The US has had these laws for over a decade, and Europe proposes to adopt similar laws soon.  

Second, controllers need to be held to account for having adequate security.  But we also have to be careful not to punish the victim.  In most cases of security hacks, the company/government that has been hacked is the victim of a crime.  They have often been hacked by highly sophisticated organized criminals.  The laws need to be careful not to punish the victims of such crimes, unless it can be demonstrated that they had failed in their duties to maintain adequate security.  If you are the victim of a burglary in your home, you don't expect the police to fine you for not having had adequate security protecting your house.  Ex post, you could always have had more security.  The challenge is figuring out what an appropriate level of security should be, or should have been.  

Third, governments and law enforcement need to step up their games in finding, punishing and dissuading hackers.  The Obama Administration has raised the issue of Chinese hackers at the highest levels of the Chinese government.  Today, sophisticated hackers successfully evade identification and punishment.  

Fourth, individuals need to be helped to protect themselves better.  For example, they can be educated and prodded to use stronger passwords, learn to use privacy settings, keep their systems' security up to date, etc.  

Fifth, ask yourself who's protecting you from the risks of cyberwarfare and cyberterrorism and industrial espionage.  Are the people who are supposed to be protecting you working together effectively?

It's pretty obvious that most government and corporate controllers have weak security.  I was recently in the offices of a French government agency processing a lifetime of my personal sensitive data, and it was operating a computer system from the 1990s!  Romanian hackers would probably need 5 minutes to steal every piece of my personal sensitive data from that system, and neither the French government nor I would ever know it had happened.

If you care about privacy, and you're not worried about security, then you're like a baby turtle, just hatched, hurtling your way to the sea, oblivious to the seagull that's about to extinguish your young life. 

Thursday, April 4, 2013

Stretch Goals for Privacy Lawyers

The global trends in privacy are crystal clear:  more privacy laws, more litigation, more regulation, more compliance obligations, more enforcement actions, bigger sanctions.  These trends are in place in almost all countries around the world, so the cumulative global impact of these trends on companies is dramatic.  So, want to guess which profession will profit from these trends?  Yes, the lawyers.  (In full disclosure, I'm a lawyer.)

Historically, privacy leaders at companies have come from different backgrounds.  Some were lawyers, some were engineers, some were compliance managers.  At most companies, lawyers are already filling the roles of chief privacy officers (or data protection officers, as they're called in Europe).     

Privacy has changed over the years.  It is becoming an increasingly litigious matter.  A few years ago, privacy class actions hardly existed.  Now they're as common as locusts in Egypt.  

A few years ago, the sanctions for privacy breaches were relatively small, generally in line with the fact that the "harm" from them was often negligible, or difficult to define or measure.  Now, fines are increasing rapidly, and indeed, Europe plans to introduce fines in the range of 2% of global turnover, for rather routine privacy missteps.  Companies will have no choice but to fight threats of billion-dollar fines with teams of lawyers.  Europe is proposing billion-dollar fines for having a privacy policy that is "too vague", or for failing to properly document data processing, or for security breaches, or for riding a bicycle without a helmet.  In other words, you can face mega-fines for just about everything and anything, so you'll need plenty of lawyers to defend you.

Lawyers are trained in reading, understanding, interpreting and advising on laws and legal compliance programs, and defending their clients from litigants and regulators.  Privacy laws, everywhere in the world, are vague, so they leave much room for legal interpretations.  The lawyers' skill set is becoming more and more central to the role of privacy leadership.  Moreover, lawyers benefit from attorney-client privileged communications internally, which is becoming an absolutely essential mechanism for privacy lawyers to have deep, unfettered, unfiltered exchanges of information and advice with their clients.  

Of course, non-legal disciplines will always play an essential role in safeguarding privacy at companies, e.g., the vital role played by security engineers.  Privacy will always be a cross-disciplinary project.  I'm not saying that the rise of the lawyer-privacy-leader is necessarily the best thing for "privacy".  Yet in the face of rampant litigation, discovery orders, vague laws, political debates, regulatory actions, threats of billion-dollar fines, companies will be looking to their privacy lawyers for a lot more than drafting a privacy policy.  It's a great profession, if you like stretch goals.