Today we’re going to talk about The different ways we view online - PowerPoint PPT Presentation

  1. Today we’re going to talk about:
     • The different ways we view online privacy
     • Why this matters for us in open source
     • How to bridge these divides in our work

  2. Who am I? (possibly a bad question for 9 AM on a Saturday morning)
     • Glasgow, Scotland
     • Designed my first web site in 1997
     • Professional web designer from 2007-2015
     • Now work exclusively in digital law and tech policy
     • Exhaustive/exhausting work on GDPR in the two-year lead-up
     • Not a lawyer!

  3. Privacy is changing, and so are we.

  4. Europe’s privacy overhaul
     GDPR: 25 May 2018
     • Replaced the Data Protection Directive of 1995
     • Maintains original principles, expands and modernises
     • Data at rest: collection, usage, retention
     ePrivacy Directive: TBD (autumn/winter?)
     • Replaces the ePrivacy Directive of 2002
     • Data in transit: cookies, telemetry, advertising beacons, marketing

  5. America is waking up
     • Balancing the Rights Of Web Surfers Equally and Responsibly (BROWSER) Act of 2017
     • Social Media Privacy and Consumer Rights Act of 2018
     • Secure and Protect Americans’ Data Act (SPADA) of 2017
     • Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act of 2018
     • Internet Bill of Rights of 2018

  6. Why does that matter?

  7. Because we have very different cultural approaches to privacy.

  8. European cultural approach to privacy
     • Privacy is a fundamental human right
     • Data belongs to the subject
     • Opt-in culture
     • Culture of constructive work through regulators, with fines or court action a rare last resort
     • People trust governments and fear businesses

  9. American cultural approach to privacy
     • Free speech is a fundamental human right
     • Data belongs to the owner
     • Opt-out culture
     • Culture of adversarial courtroom litigation
     • People fear governments and trust businesses

  10. We also have very different legal approaches to privacy.

  11. European legal approach to privacy
      • Privacy is regulated through hard law
      • One overarching law for all member states and sectors
      • Data protection regulators
      • Not tied to citizenship or nationality
      • Privacy is its own law
      • Litigation is the last resort

  12. American legal approach to privacy
      • Privacy is governed through soft law
      • No overarching DP law; piecemeal approach across sectors and states
      • No data protection regulator
      • Tied to citizenship and nationality
      • Privacy is a subcategory of contract, tort, or property law
      • Litigation is the first resort

  13. And when it comes to privacy, we don’t agree to disagree.

  14. Things Europeans say about the American approach to privacy…
      • “Their tone is still far from acknowledging the serious concerns people have”
      • “Wild West”
      • “Even before GDPR starts, they are violating the rules”
      • “A lack of progress may challenge the effectiveness of self-regulation in this area and may increase the pressure to legislate.”
      • “We thank you for appearing to testify before our committee today”

  15. …and things Americans say about the European approach to privacy
      • “It could significantly interrupt transatlantic commerce and create unnecessary barriers to trade”
      • “The European approach runs the risk of being insensitive to context”
      • “Jack-booted thugs”
      • “I don't understand how we've reached a point where we, in the United States, are reliant on a foreign regulation to protect our data”
      • “There should be no government involvement”

  16. We all have a different understanding of “privacy”.

  17. …and who are we?

  18. We make the software that runs the open web. We are people of enormous power and influence over privacy on the internet.

  19. And we’ve never acknowledged our differences.

  20. What happens when our differences meet?
      • We structure our projects with different cultural approaches to privacy
      • We write our code with different legal approaches to privacy
      • We assume everyone we code with works and thinks like we do
      • We create the open web with no common standard for privacy
      • We fail to do enough to protect the people in the data
      • We don’t learn from our mistakes.

  21. That changes today.

  22. Today we start the journey to an open source best practice standard for privacy.

  23. But how do we do that?

  24. What you need to have
      • Definitions and principles
      • Documentation and resources
      • Leadership
      • Community

  25. Definitions and principles: What is “privacy” about, as a principle and not as a law?

  26. Two kinds of privacy rules
      Hard law and regulation:
      • GDPR
      • the ePrivacy Directive
      • COPPA / HIPAA
      • Autoriteit Persoonsgegevens
      Soft law and regulation:
      • Industry codes of conduct
      • ISO standards
      • International conventions
      • Frameworks (PbD)
      Hard laws build their foundations on the standards defined in soft laws. This is certainly the case for online privacy.

  27. Definitions and principles: Let’s use soft law to identify common privacy values.

  28. International privacy frameworks
      1. OECD Privacy Principles (1980)
      2. Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data (1980/two weeks ago 2018)
      3. ISO/IEC 2001 International Standard on Information Technology / Security Techniques / Privacy Framework (2011)
      4. APEC Privacy Framework (2005)
      5. FTC Fair Information Practice Principles (2000)

  29. Principles listed by each framework
      OECD: Collection Limitation Principle; Data Quality Principle; Purpose Specification Principle; Use Limitation Principle; Security Safeguards Principle; Openness Principle; Individual Participation Principle; Accountability Principle
      COE: Legitimacy of data processing and quality of data; Special categories of data; Data security; Transparency of processing; Rights of the data subject
      ISO: Consent and choice; Purpose legitimacy and specification; Collection limitation; Data minimization; Use, retention and disclosure limitation; Accuracy and quality; Openness, transparency and notice; Individual participation and access; Accountability; Information security; Privacy compliance
      APEC: Preventing harm; Notice; Collection limitation; Uses of personal information; Choice; Integrity of personal information; Security safeguards; Access and correction; Accountability
      FIPP: Notice/Awareness; Choice/Consent; Problems with Choice/Consent; Access/Participation; Integrity/Security; Enforcement/Redress

  31. Standards and definitions: Common privacy values

  32. Data minimisation: Collect only the data you need and no more

  33. Data integrity: Ensure that the data is true, authentic, and up to date

  34. Purpose minimisation: Use the data only for the purpose you collected it for and nothing else

  35. Lifecycle limitation: Do not use the data for other purposes, keep it longer than you need, or share it with others without reason

  36. Human and technical security: Take adequate technical and human measures to protect the data from misuse and its subjects from harm

  37. Transparency and notice: Make public what data you hold, why you hold it, and what you do with it

  38. User participation and rights: Give people rights to access their data, correct mistakes, and the ability to ask you to stop using their data

  39. Accountability, enforcement, and redress: Fix problems when things go wrong, make it right when people are hurt, and face the consequences for misuse.

  40. Choice, control, and consent: Give people choices, options, and rights over how you use their data at any time

  41. Special categories of data: Take care with sensitive data which could result in the people it is about being hurt

  42. Legal compliance: Work cooperatively and productively with regulations, laws, and supervisory bodies

  43. 11 universal privacy principles
      • Data minimisation
      • Data integrity
      • Purpose minimisation
      • Lifecycle limitation
      • Human and technical security
      • Transparency and notice
      • User participation and rights
      • Accountability, enforcement, and redress
      • Choice, control, and consent
      • Special categories of data
      • Legal compliance

  44. Creating and following “soft regulation” principles for user privacy lessens the chances of “hard regulation” being imposed onto your project.

  45. Documentation and resources: Map your privacy principles to your development workflows
