The recent IAPP Congress in Brussels provided a platform to bring out the “big guns” on privacy. Needless to say, the said “big guns” did not always agree with each other. Here is our “30,000 feet” view of their privacy perspectives:
Isabelle Falque Pierrotin (IFP) is the Chairperson of the Article 29 Working Party and President of the CNIL (French DP Regulator). Julie Brill (JB) is a Federal Trade Commissioner responsible for privacy and other enforcement in the US. How did they get on? We have scored the exchanges as to how likely they will bridge the gap!
Safe Harbor: IFP reminded us that the Commission had made 13 recommendations for cleaning up Safe Harbor and still wants “clear answers”. She said that there had, as a result of the Edward Snowden story, been a “crisis of confidence” in Safe Harbor. She said that the A29 Working Party will be “very vigilant” as to the output of the Safe Harbor upgrade process. JB said that she remained “deeply hopeful” that Safe Harbor would be sorted out. She said that “like any tool, it can re-examined”. She also reminded the audience that the FTC had just taken enforcement action against Truste in relation to inappropriate re-certification of Safe Harbor companies. JB said this is “something that we, at the FTC, take tremendously seriously”. (Chances of Bridging the Gap: 4/10)
Big Data: JB said that there were “benefits but also risks” in relation to big data. In particular, there is the risk that we collect all data now and worry about the detail later. JB said that companies should adopt “use risk based frameworks” to assess the risk. She also saw value in bringing the public into the debate and that the “re-identification risk” should be linked to the social contract not to re-identify individuals. So this is an issue of “trust”. IFP said that she shares some of the views expressed in the Podesta report and that it is important that the individual should “stay in control” of his/her data. Ultimately, the concept of big data and what it can achieve does not require any change to the EU privacy principles. Expect continued debate in relation to how to collect consent or comply with profiling rules and the uncertainties the meaning of “anonymised data”. (Chances of Bridging the Gap: 6/10).
Data Breach: IFP said that she recognised the US experience given its many data breach notification laws. She also recognised that individuals should not be flooded with notifications and the issues with notification fatigue. JB reminded the audience that the US have 47 states with data breach notification law and that the FTC will examine unreasonable practices. She also referenced the “long tail of App providers” who may have less effective security in place. (Chances of Bridging the Gap: 8/10)
RTBF (Right to be Forgotten): IFP said that this is an important fundamental right. She said that RTBF is not, actually, a new right and that it has been in the Data Protection Directive since 1995. She admitted that there had been enormous public expectations following the ruling and that the A29 Working Party will shortly publish guidance (now published!) on how to implement this right. But JB said that the RTBF is “controversial”. She said that there are some elements in US law which include concepts of erasure, like erasure of credit records. She also said that the “right to be forgotten” is also a misnomer as it is not an unfettered right to have information removed from public sources. JB also had significant concerns about the worldwide reach of the ruling. As we now know, the EU does want search engines to apply the right to be forgotten to .com addresses in addition to EU country specific domains. (Chances of Bridging the Gap: 0/10!)