The process began in October 2008 when Uruguay petitioned to have its data protection laws recognized as “adequate” by the European Commission, the body which governs the European Union. The request required analyzing Uruguayan data protection laws and procedures to assess whether they satisfy the requirements on processing and international transfers of personal data established in Article 25(6) of the 1995 EU Directive on Personal Privacy (95/46/EC) encapsulated in seven governing principles of: notice, purpose, consent, security, disclosure, access, and accountability.

Uruguay’s 2008 request was reviewed at depth by the Article 29 Working Party, a group composed of one member from each EU member state which advises on data privacy and protection issues. Since the Working Party has experience investigating corporate practices – they have investigated data practices by companies including Facebook, Yahoo!, Microsoft – so investigating a history of practice, digging through layers of data, and balancing economic interests against privacy practices meet broadly defined technical standards is familiar territory. In evaluating Uruguay, the Working Party reviewed national laws including the Constitution, the statement of Habeas Data as stated in Ley No 18.331 de Protección de Datos Personales y de Acción de “Habeas Data,” administrative and judicial remedies, and relevant international agreements such as the American Convention of Human Rights.  Between 2008 and 2010, the Working Party commissioned research and discussed enforcement questions with Uruguay’s data protection authorities.

Based on their findings, the Working Party released a 2010 opinion letter (pdf) detailing Uruguays management of data transfers, direct marketing, and sensitive data to remain aligned with EU protections.  While the letter concluded that “the Working Party considers that the Eastern Republic of Uruguay ensures an adequate level of protection within the meaning of Article 25(6) of Directive 95/46/EC of the European Parliament,” it noted that “as part of any decision taken by the Commission, [the Working Party] will closely follow the evolution of data protection in Uruguay and the way in which the Data Protection Authority” continues to enforce the laws.  No adequacy determinations have been revoked, but persistent monitoring may notify all countries that the Working Party expects even more consistent enforcement of existing laws.

As a result of the adequacy finding, a data controller in France can now transfer personal data to Uruguay as simply as transferring the data to Spain, without any additional protections requirements such as binding corporate rules, which only allow transfers between different branches of the same company, or model contract clauses that lock companies into substantial liabilities.  This creates a great opportunity for Uruguay to expand its economy to further embrace technology as the second country in South America eligible to receive personal data without restriction.

One of the more interesting issues raised at the conference came from developers: they want clear guidelines from lawyers explaining what they can or cannot do. The challenge, however, is that technology is constantly changing. Nonetheless, there are some constants that will not change which lawyers can communicate to developers to keep in mind to design for privacy.

Notice

Although the privacy policy is the “gold standard” required by law, lawyers can go a step further in providing notice to both consumers and developers. By putting a company’s privacy practices in an easy to read format, similar to a “nutrition label,” map, or chart, consumers and developers will be given better notice.

This approach enables consumers to easily understand what data is being collected and make more informed choices. Additionally, developers will be able to understand what they are permitted to do under the privacy policy and code accordingly. If the developer notices a practice that runs afoul the easy to read privacy policy when creating the product, the developer can bring attention to the lawyers to update accordingly or fix the collection practice. In sum, all parties will have a more clear understanding of company privacy practices and where to adjust for business and legal needs.

Choice

Choice is very important, but sometimes too much choice can confuse users. Developers, entrepreneurs, attorneys, or whichever party within a company is responsible for the privacy policy must collaborate with other stakeholders to make a strategic decision on how to present choice to users and strategically select the aspects of the product users may choose.

Data Context and Sensitivity

The context in which data is collected and the sensitivity of data are two essential areas to address. Prioritize notice and choice for more sensitive data based on context of data collection. Convey this importance to developers so they may appropriately respond to legal needs and provide users with choice or ensure security.

Be Consistent

Unfortunately, there is not much consistency across the industry on the meaning of important terms for privacy. However, attorneys have the ability to use consistent terms across different policies in a single company. If developers understand what terms mean in one policy, they will more easily be able to later design in line with other relevant policies as well.

Search Engine Study

The Search Engine Use* (click here for the study) project is part of the Pew Research Center, an independent research organization that conducts and studies trends among Americans. The study examined the extent to which consumers use search engines and their general satisfaction with the results.

The results of this survey generally demonstrated which groups of people were more inclined to use search engines. Despite any demographic differences, however, search engine use and satisfaction with search engine use has generally increased in the last ten years. Indeed, results showed that since the survey was last conducted, consumer perception of search engines has greatly increased. In general, the results indicated that consumers have more positive than negative perceptions about search engines.

From a privacy perspective, however, the most fascinating responses in the report were participants’ perceptions about the personal information being collected. Although participants noted that their search engine results have gotten increasingly relevant, sixty-five percent of the participants do not like personalized search results because they feel that it invades their privacy. Although these concerns seemed to be greatest among older participants, participants across demographic groups all expressed some level of discomfort with targeted advertising.

Concern Over Privacy

That consumers are increasingly expressing their concern over privacy should not be surprising. Consumers are increasingly becoming aware of privacy issues. For example, just one month ago, the Pew Internet and American Life Project released a separate study on social media sites where they found that consumers across the board of all demographics have been taking measures to manage the amount of private information is visible to the public.

Corporate actions are also likely to have influenced consumer perception as well.  As noted in the Pew report, the participants’ concern over targeted search results may have been influenced by the controversy over the major changes in Google’s privacy policy. And, of course, the number of high privacy breaches of private information in the last few years may have helped increase this concern. For instance, just a few months ago, the online vendor Zappos informed its customers of a major data breach and advised them to change their passwords.

Perhaps equally unsurprising was the number of participants who were unsure of how to control the flow of their information. According to the study, only about thirty percent of the participants knew how to take measures to protect their privacy while using search engines. The previously mentioned social media study only produced marginally better results. While the numbers were smaller for younger demographics, many participants mentioned their inability to manage their private information on social media sites as well.

Whether one is comfortable with the distribution of their information online is a personal matter. People will inevitably place different value on their personal information. However, if this study reflects the concerns of the majority of Americans, then it would suggest that many people are concerned about their privacy but do not know what to do about it. This may be a result of factors like inability to manage privacy policies and privacy settings. Likewise, it could also be attributed to the fact that most participants who expressed their concern about behavioral tracking on search engines were older and may not be as technologically savvy as the younger “digital native” generations.

Taking Control

Although there are currently ways for consumers to exert control over the use of their own information, these measures should be easier to use, not just for people who have used computers their entire lives, but for all people. These controls could come in the form of more streamlined and easy to read instructions. Some organizations have already developed some measures to educate consumers. Mozilla, for instance, has worked with the idea of using simple icons that indicate the nature of the information being used on the website.

Perhaps the changes need to be made within the search engines themselves. Understanding privacy policies, let alone finding ways to opt out of disclosing personal information, is often a cumbersome experience.  For example, Google released a fairly plain language version of their new privacy policy but they might also have brought more attention to ways in which consumers can opt out of certain programs if they are uncomfortable with the use of their information.

Finally, perhaps the change needs to be made with the consumers themselves. As privacy issues continue to permeate online culture, there have been an increasing number of resources that can assist consumers in managing the use of their private information.

Conclusion

Pew’s recent reports have provided some interesting insight into how consumers perceive certain privacy issues online. That consumers are starting to find ways to manage the use and flow of their personal information is a hopeful thought. As the most recent study indicates however, there are still some serious issues that must be addressed.

* This study follows up on an earlier study that had been conducted in 2002. To collect the data, researchers conducted telephone interviews with a random sample of over 2000 residents in January and February of 2012.  Participants ranged in all demographics and consisted of people of different ages, races, and genders. To further cover demographics, surveys were also conducted in Spanish as well as English.

Conforming without planning

Generally speaking, startups follow industry practices; but they do so without realizing consequences they face for failing to disclose their practices or make clear their privacy philosophy.  In addition to legal ramifications, the consequences for not properly designing for privacy can harm a company by decreasing user trust and generating negative PR.

One recent example is the mobile application Path, which copied iPhone users’ address book information without telling them and failed to encrypt this information uploaded to their servers.  Path treated the act as an accepted industry practice and failed to disclose its actions to its users, creating a privacy nightmare.

What can startups do to avoid such a problem? 

Design for privacy.  Designing for privacy is not the same as “privacy by design.”  Privacy by design consists of promoting consumer privacy at every stage of the development of new products and services.  This is a best practice that in reality sometimes conflicts with business needs for privacy, but should be followed as much as possible.  Privacy by design is particularly important in light of the Google and Facebook enforcement actions, making it a requirement that the FTC believes that all businesses should implement.  Failure to adopt privacy by design could amount to a deceptive or unfair act that results in a violation of the FTC Act.  Therefore, startups should design for privacy – integrate privacy by design as much as possible while taking into account business needs.

Startups can design for privacy in many different ways.  Below are a few five key takeaways from SXSWi to help companies design for privacy.

1.  Help users understand your privacy philosophy.

Every company has a different privacy philosophy because every company has different needs.  Take stock of the personal information that you collect and make sure that users understand how and why you use it.  Don’t make promises you will not keep and be transparent about your practices.

2.  Make things simple.

Avoid generating “privacy anxiety” via legalese.  Companies strive for simplicity with their UI, yet many fail to achieve the same simplicity when telling users about data collection, opt-outs, and privacy controls.  Simple words can help create or increase trust.

3.  Leave room to grow.

Leave room to grow in policies.  Your policies should take into account future company plans and not restrict usage only to particular data.  If your company needs to collect information to increase usability or user experience, make sure that it is reflected in your policy and your privacy philosophy.

4.  Reach out to your lawyer.

Don’t make your lawyer your last stop.  Letting a lawyer understand your design process and examine your UI during development could help ensure a smooth launch for your product.

5.  Privacy by Design

Privacy by design is a best practice, so it may be difficult to achieve.  However, if you empathize with your users, you may have a better likelihood of understanding how to treat privacy as you develop your product.

The above factors are just a few to consider while designing for privacy – every business has different needs.  Privacy is a business decision, so startups should integrate privacy but make sure to account for practical business needs.

Professor Andrews is a law professor at the Illinois Institute of Technology Chicago-Kent School of the Law, where she is also the direct of the Institute for Science Law and Technology. In addition to work her as a professor, she also has advised the US Government on emerging technology, most notably on the effects of the Human Genome Project.

Professor Andrews employs compelling case studies and stories to illustrate some of the negative effects of social media and to demonstrate the courts’ current inability to address it. The issues presented by Professor Andrews range from freedom of speech to social networks’ effects on the legal system. While all of the issues present challenges of their own, the three most fascinating themes dealt with her discussion of the “Second Self,” how to find a balance between often competing policy issues, and the general loss of control of our private data. Professor Andrews ultimately presents a Social Network Constitution that consists of the rights that we as consumers should demand. For the most part, Professor Andrews’ book is a thought-provoking read, one that should be read by more social network users. However, although the Social Network Constitution is a good eventual solution to these problems, the book offers few suggestions on what consumers can do in the meantime to achieve that goal.

1. The Real versus the “Second Self”

Many consumers are aware that when they post information about themselves on sites like Facebook, they are making that information available to the public. For the most part, social networking sites would not function well without at least some recognition of that truth. Professor Andrews, however, raises the deeper concern posed by social networks – that when we post information online, we are not only posting information about our actual selves, but are also creating a “second self.” This “second self” is the persona assembled from the data mined from the information we share about ourselves. Although these two selves may seem similar, the “second self” consists of a collection of information that may seem inane in context, but imply personas that may be inaccurate or based on stereotypes. For instance, two people’s searches of real estate listings may yield different results based on information about that person’s race or gender. Professor Andrews also poses the concern that this Second Self may affect health insurance policies or credit ratings.

2. Creating a Balance with Competing Policy Issues at Stake

Throughout the book, Andrews discusses many important questions and issues raised by the rise of social media and the law’s inability to address those issues. These discussions touch upon issues ranging from cyberbullying to the use of social media postings as evidence in criminal or custody cases. In doing so, Andrews recognizes and tries to reconcile the thin line that one must use to balance these issues and achieve the most proper and fair result. For instance, although governments should recognize one’s freedom of speech and association on the Internet, limitations should also be put in place to allow people to remove potentially defamatory or otherwise private information online. Similarly, although Andrews argues that a right to connect to the Internet should exist, she also questions whether certain users who abuse the Internet should be prevented from accessing it at all.

3. Losing Control

Perhaps the most powerful theme of the book is the lack of control that Internet users currently have over the use and distribution of their private information.  As Professor Andrews illustrates, even where consumers do want to remove their information, the law itself or loopholes in the law often prevent or make it difficult for consumers assert any control. Additionally, many social networks, such as Facebook, frequently change their privacy policy to allow for more widespread use of consumer information or make the privacy controls of the website more difficult to manage. This sometimes leads to a range of negative consequences. For one self-conscious girl, this meant that for months after she decided to lose a few pounds, she was constantly bombarded with weight loss advertisements whenever she was online (Chapter 3). For one high school teacher, this meant that the photo posted to her private Facebook page displaying her drinking a beer on vacation were ultimately used to get her fired (Chapter 9). Finally, for one grieving family, this lead to their battle with various major search engines to remove the gory pictures of the scene of their daughter’s accident (Chapter 9).

Creating a Social Network Constitution

The book’s overarching theme is that the world needs a Social Network Constitution and the final chapter of the book is the culmination of this concept. This Constitution pulls together each of the issues put forth in Professor Andrews’ book and creates certain digital rights that would better protect the rights of all those who use social networks. It pieces together and creates a balance between some of the competing problems created by social networks. And while many solutions to digital issues look at privacy the national level, Professor Andrews’ Social Network Constitution applies globally.

Andrews fails to provide actionable steps

Although the rights protected by Professor Andrews’ Social Network Constitution are important, other than the proposal of the actual Constitution, there is little information in the book about how to achieve that goal and how to effectuate change. A book such as this has the potential to push consumers to action: to demand that they be able to maintain better control over the user of their information. The book, however, lacks in providing resources for how and where consumers can participate in the current debate about data privacy. For instance, Professor Andrews mentions the many advocates and advocacy groups working on these issues, but there is little mention of where and how to connect with those groups. While  consumers themselves can find avenues through which to voice their concerns, there is still a disconnect on how we as a society can get from the problems posed in this book to being able to create a Social Network Constitution. Furthermore, while a Social Network Constitution may be an ideal solution down the line, there is little discussion of whether and to what extent the privacy laws of various nations must be reconciled in order to address these issues across the globe.

Final Thoughts

Overall, Professor Andrews’ book is a fascinating read.  While the message of the book is not for the world to shun the Internet and social networks, it raises awareness of these issues and urges consumers to demand more control over the use of their information.  As such, this book is one that should not only be read by those already interested in consumer privacy, but more importantly, the average social networks user who may not be aware of the pervasive loss of their privacy.

Changes from previous EU data protection law

In addition to harmonization, the proposed data protection law contains a number of key changes.  The Proposed Regulation strengthens regulatory authority and contains changes that affect consumers and companies.

Consumers

The Proposed Regulation gives consumers greater online privacy rights.

• The “right to be forgotten” allows for the deletion of unnecessary personal data.
• Opt-in consent for data processing.
• Easier transfer and portability of personal data.
• Easy access to redress for consumers to handle issues through their home national data protection authorities, even if their personal data is processed in another country.

Through these changes, the Proposed Regulation attempts to give users greater choice and control over their data.

Companies and Organizations

Companies and organizations will also face significant changes for compliance with data protection law.  Some aspects of the Proposed Regulation will soften compliance and administrative requirements.  For example, companies would only have to deal with the national data protection authority in the EU country where they have their main establishment.  The Proposed Regulation also attempts to ease the rules for international data transfers through less administrative requirements. The Proposed Regulation replaces some existing requirements for data processing with similar requirements to be conducted differently (ex. data processing reporting).

Other aspects of the Proposed Regulation increase responsibility and accountability.  In addition to integrating privacy and “privacy by design” into products and services, many companies would face significant changes in the law.

• Independent national data protection agencies will have greater enforcement power, including the ability to fine companies that violate EU data protection rules up to 5% of a company’s global annual turnover.
• In addition, companies will have to give notification of serious data breaches without undue delay; if feasible, within 24 hours.
• The Proposed Regulation will also apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behavior of citizens.
• Companies with more than 250 employees will have to hire a data protection officer.

In sum, the Proposed Regulation seeks to simplify existing data protection law for companies yet strengthen enforcement against violations.

Initial Responses to the Proposed Regulation

The Proposed Regulation has faced mixed initial responses from EU national data protection authorities.  National data protection authorities welcome the efforts of the Proposed Regulation to harmonize rules and increase online privacy rights, but have already criticized the Proposed Regulation.  German Data Protection Commissioners (“DPAs”) criticized the Proposed Regulation for possibly adversely affecting the ability of German data subjects to enforce their constitutional rights in German Federal Constitutional Court.  The German DPAs also stated that it was “unacceptable” to give unelected European Commissioners ultimate authority with respect to data protection.[2]  The United Kingdom’s Information Commissioner’s Office (ICO) criticized the Proposed Regulation for being overly prescriptive and failing to recognize the reality of international data transfers in today’s globalized world.[3]

Although the Proposed Regulation has faced criticism, it represents a step towards increasing online privacy rights and harmonizing data protection law for companies.  Therefore, it includes valid points that are embraced by many in the EU and privacy community and should not be dismissed.  At this point, the Proposed Regulation is entering the EU legislative process.  The Proposed Regulation will likely be significantly debated and modified over the next couple of years before its possible adoption and another two years before it is effective.

Links

European Commission Data Protection Reform

http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

European Commission Press Release

http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&aged=0&language=EN&guiLanguage=en

1995 EU Data Protection Directive

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT

The Project’s mantra is Empowering Individuals to Protect Their Data with Implementable Solutions.  The Project pursues this goal by advocating a technical and paradigmatic shift to forge collaboration between those who develop the technology and those who craft the legal regimes that incentivize and shape those developments.

Operating at the intersection of technology and the law, our audience includes attorneys, technologists, policy makers, not-for profits, and society at large. Equally important, because our work focuses on implementable solutions, we strive to work with established companies, startups, government entities, and other organizations in the field.  As a result, the Project speaks to a wide ranging audience.

Finally, the Project would like to thank HSTLJ for allowing us to use their blog as a platform. And, we would like to thank Hastings for its support.

For more information about the Project please visit our website or contact the Executive Director *protected email*.

Double Blind Justice (hereinafter “DBJ”) applies a scientific and experimental approach to outstanding issues in the areas of intellectual property and science law.  For each issue presented, two practitioners, professors or other interested parties will be given the opportunity to provide a test or standard that they believe balances interests and provides sound policy.  Our “subjects” will then apply the test to approximately five to ten hypothetical examples.  The hypos will be provided by journal members and also sourced from the legal community through ongoing “calls for hypos.”

Each installment will publish the two tests and the outcomes of the hypotheticals alongside each other.  We will typically select subjects with somewhat different interests so our “results” may be slightly different.  Or they may have complete agreement.  Nobody knows.  You will have to check in with DBJ to find out.

We are doing this for many reasons.  We believe that most of the commentary on current issues is polemicized, predictable and can be adequately addressed by amicus briefs.  We think a fresh, fun, and creative approach to legal scholarship is needed.  Although we intend to publish the results in our journal, we recognize that internet publishing has superceded traditional media for legal scholarship and feel that this change in media provides us the freedom to experiment with new and different formats for presenting analysis.

Chief Justice Roberts has recently commented that there is a disconnect between legal scholarship and the profession of law and that the subject matter presented in law reviews is of not of much help to the bar.*  We intend to address his concerns by providing a practical (and sporting) approach to legal scholarship that draws upon the experience of the profession.

*http://lawprofessors.typepad.com/adjunctprofs/2011/07/chief-justice-roberts-comments-on-legal-scholarship-today.html