While the Supreme Court has taken some heat in the past for seeming to misunderstand technology and how it impacts the normal person’s life, with Riley v. California the Court demonstrated not only an unexpected fluency with how mobile phone technology has evolved, but also with how it has caused our daily sphere of privacy

The White House released a set of reports this month on Big Data and the privacy implications of Big Data. While a number of folks have been discussing the President’s Council of Advisors on Science & Technology (“PCAST”) report, I would offer that the Office of Science and Technology Policy (“OSTP”) report needs to be read in conjunction with the PCAST report. They do two different things. One is a report on the technical state of affairs, and the other is more of a policy direction piece, which is driven by the technologically-oriented findings. Various points-of-view have been put forth as to the relative merits of each report, but there seems to be an important element missing from both reports. Both reports discuss the need for policy decisions to be based on context and on desired outcomes. Unfortunately, neither report really gives a good taxonomy around the informatics ecosystem to allow for a clear path forward on “context” and “desired outcomes”. What I mean by this is best summed up in the comment in the PCAST report which states: “In this report, PCAST usually does not distinguish between “data” and “information”.”. “Data” and “Information” are very different things, and one really can’t have a coherent policy discussion unless the distinction between the two is recognized and managed.
Continue Reading How to Talk About Big Data: A Framework

To continue my prior post on the Article 29 Working Party’s Opinion 6/2014, it is important to take a closer look at the specifics of the notion of a Controller’s “Legitimate Interests”

Unlike all the other criteria for lawful processing, Article 7(f) is the only one which specifically articulates the idea that commercial interests should have weight in the calculus of “fair and lawful” processing. In each of the other criteria, if the criteria is met, the grounds for processing are considered a priori legitimate. In Article 7(f), each purpose for processing will need to have the balancing test engaged. This is going to require a bit more analysis than the other criteria. However, because of the fact that this analysis is internal to the business, it may well be less onerous than other options would be (e.g. having the DPA opine as to the legitimacy of the processing).
Continue Reading Legitimate Interests – Alternative to Notice & Choice?

When talking about EU privacy law many businesses bemoan the lack of a “commercially reasonable” basis for collecting and using personal information. Europe is usually seen as a consumer-protective regime which focuses on prohibiting business from doing anything with data unless the consumer has affirmatively agreed to the processing before the processing begins (e.g. the “cookie directive”). However, the Article 29 Working Party (“WP”) has just released an Opinion which signals a change in the winds. The rarely used “legitimate interest of the data controller” basis for processing now has a new importance in the realm of fair and legal criteria for processing personal information.
Continue Reading On Balance – the Legitimate Interest of a Controller

A recurring criticism of Australian privacy law has been that the Privacy Act 1988 (Cth) (the Act) lacked any real bite – the enforcement powers of the privacy watchdog, the Information Commissioner, were limited. However, recent amendments to the Act, which introduced a new set of privacy principles, have increased the Commissioner’s enforcement powers. Employers should familiarise themselves with the changes in order to ensure they are compliant with the new regime.


On 12 March 2014, significant amendments to the Act came into operation. The changes affect all private sector organisations and government agencies covered by the Act, which will include most Australian employers except for “small businesses” with less than $3 million in annual turnover.

In brief, the Act deals with how organisations are to manage “personal information”. The scheme of the Act works by subjecting organisations that it covers to a series of “privacy principles” that govern how personal information is to be collected, stored, handled and used.
Continue Reading Changes to privacy law: does the “toothless tiger” finally have some bite?

The Institute of Access to Information and Data Protection (“IFAI”) has made it known that it is going to be aggressive in enforcing the Mexican data protection law. While some commentators warn about the willingness to “show its teeth”, the basic question is still how to avoid being bitten.

Considering the allowable penalties can be in excess of US$1 Million, it is worthwhile to understand how one can effectively work with the law.
Continue Reading Mexican Privacy Enforcement – Options for Compliance

And now we come to the real sticking point. It actually isn’t specific to the Safe Harbor Framework. Access to data by law enforcement and intelligence assets is outside the Safe Harbor Framework. This is also the case in the EU. The proposed General Data Protection Regulation does NOT include law enforcement and intelligence activities. In some ways, this section of the “13 Recommendations” is the least connected to the Framework, as it really focuses on a country’s rights to manage its own national security and law enforcement activities. Unfortunately, this will be where the most difficulty will be in implementation – mostly because it is not directly part of the Framework, but a policy stance on national security, which has never been a part of the basis for the need Safe Harbor fulfills.
Continue Reading Access By US Authorities – The REAL Reason Safe Harbor is at Risk

The next set of recommendations seeks to improve how the individual can directly seek resolution to a potential violation of their privacy rights.

5.         The privacy policies on companies websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel.

Many companies who participate in the safe harbor framework already comply

The first set of recommendations in the Commission’s memo addresses a series of perceived deficiencies in how a Safe Harbor participating company makes its privacy practices available to the public at large.

1.         Self-certified companies should publicly disclose their privacy policies.

This is a foundational requirement for any Trustmark providing certification services around the US-EU