EU’s Data-Protection Reform Should Inspire U.S., Reding Says – Businessweek

European Union reforms of 16-year-old data-protection rules should inspire the U.S. to strengthen its privacy regime, the EU’s justice chief said.

The EU data privacy reforms, which the European Commission plans to present by the end of next month, should be “an inspiration for changes in the U.S. and elsewhere,” EU Justice Commissioner Viviane Reding said today. Referring to cloud companies that lure clients by promising to protect their data from the U.S. government, she urged the free flow of information.

“I do encourage cloud computing centers in Europe. We need more innovation, more research and more investment in the ICT industry,” Reding said in prepared remarks for a speech in Brussels. “But this cannot be the only solution. We need free flow of data between our continents. It doesn’t make much sense for us to retreat from each other.”

Deutsche Telekom AG’s T-Systems information technology unit is pushing regulators to introduce a certificate for German or European cloud operators to help companies shield data from U.S. government access through the Patriot Act. Some of the surveillance powers of the act, passed after the Sept. 11, 2001, terrorist attacks, have been opposed by lawmakers and outside groups, including civil liberties activists.

via EU’s Data-Protection Reform Should Inspire U.S., Reding Says – Businessweek.


Global Data Privacy in a Networked World (Graham Greenleaf) | SSRN

Abstract:

This article analyses the global growth of data privacy (‘data protection’) laws over 40 years from a number of perspectives. After outlining the extent of global expansion, the influence of international agreements concerning privacy is identified as one reason for their relative consistency and stability. The nature of United States exceptionalism is discussed briefly, as is the failing APEC alternative. The fundamental elements of data privacy principles, and data privacy enforcement, as seen through these agreements and national legislation, are summarized. The points on which the European Union is proposing to strengthen both principles and enforcement are noted. The extent to which these principles and enforcement mechanisms can cope with the new challenges of a networked world is illustrated through two examples: social networking systems (SNS) and cloud computing.

Bennett and Raab (2006), in the most systematic global review of data privacy regulation, presented their ‘main research question’ as whether there was a ‘race to the bottom’, a ‘race to the top’, or something else, in the global development of data privacy protection. They correctly caution that the existence and formal strength of a data privacy law is only one factor by which we should measure data privacy protection in a country, and two other key dimensions are the effectiveness of enforcement and the extent of surveillance (discussed below). Therefore, globally, there is more than one race to the top or bottom. They concluded that the most plausible future scenario (the Bennett-Raab thesis) was ‘an incoherent and fragmented patchwork’, ‘a more chaotic future of periodic and unpredictable victories for the privacy value’. So Bennett and Raab found some ‘upward’ global trajectory influenced significantly by the EU Directive, but sufficiently weak in the mid-2000s that the countervailing weakness of the APEC approach was enough to make the future quite unpredictable.

Half a decade later, it can be argued that there is now a clearer ‘upward’ global trajectory than Bennett and Raab found, provided we keep clear that we are only talking about the existence and formal strength of data privacy laws, not the other factors. The article shows that by mid-2011 there are 27 data privacy laws outside Europe (as many as there are EU member states), and a handful of further Bills expected to be enacted soon. Of course, the number of data privacy laws can only be part of the measure, but in Africa, Latin America and even in Asia the European Directive has become the single most significant influence on the content of those laws, and leads to them embodying a relatively high standard of data protection principles. The lower standards of the APEC Privacy Framework have not served to ‘slow or even reverse’ this trend as Bennett and Raab and others (myself included) feared. A handful of new data privacy laws across the globe each year, with EU-influenced privacy principles, and revisions of some existing weaker laws to strengthen them, does not constitute a ‘race’ in most uses of the term, but nor does it any longer look like such a ‘halting and meandering walk’ as Bennett and Raab found. It may not be a race, but data privacy laws do have a global trajectory, namely expansion at an increasing rate with principles more commonly influenced by the EU Directive than any other source.

But as Bennett and Raab conclude, there is not one race to the top or bottom that we must consider. It is better to say that there are various dimensions on which we must measure the health of privacy as a value, including data privacy principles, their enforcement, and surveillance practices. These dimensions, as they say, differ from place to place and time to time, and are not readily ‘balanced’ into one overall measure. Nevertheless, considered solely on the dimension of the global spread of EU-like data privacy laws, the Bennett-Raab thesis no longer appears correct. On the other dimensions of effective enforcement and limiting surveillance, there are no obvious global trajectories which could give rise to similar optimism.

download @ Global Data Privacy in a Networked World by Graham Greenleaf :: SSRN.


Google: Microsoft uses patents when products “stop succeeding” | Ars Technica

A Google patent lawyer says that the patent system is broken, and he accuses Microsoft of abusing the system. Speaking to the San Francisco Chronicle on Sunday, Google’s Tim Porter pointed to Microsoft’s attacks on Linux as an example of its broader corporate strategy.

“When their products stop succeeding in the marketplace, when they get marginalized, as is happening now with Android, they use the large patent portfolio they’ve built up to get revenue from the success of other companies’ products,” he said.

Microsoft has argued that the patent royalties it seeks from Android vendors are part of the natural evolution of a new industry. Porter disagrees.

“Microsoft was our age when it got its first software patent,” he said. “I don’t think they experienced this kind of litigation in a period when they were disrupting the established order. So I don’t think it’s historically inevitable.”

Of course, the reason Microsoft didn’t have to worry about patents during its first dozen years was because the courts and the patent office didn’t allow patents on software until the 1980s. Indeed, the idea of patents on software alarmed Bill Gates, who wrote in 1991 (when Microsoft was already older than Google is now) that “the industry would be at a complete standstill” if software had been eligible for patent protection in the early days of the industry. He worried that “some large company will patent some obvious thing,” enabling the company to “take as much of our profits as they want.”

Today, Google finds itself in exactly the predicament Gates warned about 20 years ago. The Chronicle asked Porter the obvious question: should software be patentable? Porter refused to give a straight answer. “There are certainly arguments” that copyright protection is “more appropriate” for the software industry, he said. But he would only say that “the current system is broken,” and that there has been “a 10- or 15-year period when the issuance of software patents was too lax.”

via Google: Microsoft uses patents when products “stop succeeding”.


Facebook may track users who leave service, data agency says | The Detroit News

Facebook Inc. may be tracking users’ Internet activity even after they cancel their accounts with the social-networking site, a German privacy watchdog said.

An in-depth probe of the way cookies are installed after a user opens and then closes their Facebook account has made the Hamburg Data Protection agency “suspicious” the company is unlawfully tracking users, the watchdog said on its website today. While rejecting Facebook’s justifications for the use of cookies, the agency welcomed the company’s offer to explain the technical processes.

“Arguments that all users have to remain recognizable after they leave Facebook to guarantee the service’s security can’t stand up,” Johannes Caspar, the Hamburg data protection representative, said on his agency’s website. “The probe raises the suspicion that Facebook is creating user tracking profiles,” which would be unlawful if users aren’t alerted.

The German regulator’s action adds to probes of Facebook by the Irish data-protection agency and Norway’s privacy watchdog. A group of EU regulators has said they will look for possible privacy violations in Facebook’s facial-recognition feature.

The social network “does not track users across the Web,” and instead uses cookies to personalize content or for safety and security reasons, Palo Alto, California-based Facebook said in an e-mailed statement. The company said it deletes account-specific cookies when a user leaves Facebook and doesn’t receive personally identifiable data when logged-out users browse the Web.

Remaining cookies are used in “identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked,” and blocking underage users from re-registering with a different birth date, Facebook said.

The German privacy regulator said that, while Facebook gave detailed explanations of how it uses cookies — small data files that track browsing habits — the company’s arguments don’t justify its practices.

via Technology | Facebook may track users who leave service, data agency says | The Detroit News.


No Friends In Ireland: Probe Begins Into Facebook Privacy Issues | Fox News

Privacy watchdogs began an on-site investigation Tuesday of Facebook’s regional office in Ireland, FoxNews.com has learned, following sensational accusations that the company is creating extensive “shadow profiles” of non-users.

The eye-popping assertion came in a complaint filed in August by Ireland’s Data Protection Commissioner, which alleges that users are encouraged to hand over the personal data of others. That includes “sensitive data such as political opinions, religious or philosophical beliefs, sexual orientation and so forth” — and Facebook is storing it all up in its databases.

Despite the company’s firm denials, the Data Protection Office began hunting for evidence on Tuesday, Oct. 25, to back up those claims.

“The on-site element started on Tuesday,” Lisa McGann, a spokeswoman for the Office of the Data Protection Commissioner, told FoxNews.com. The search will take a number of days, she said, but she could not address questions about what specifically the commissioner hoped to find or had already discovered.

In such investigations, the office has the power to inspect the building, question employees, and take away copies of any files stored on local computers, according to the Commissioner’s audit guidelines. The agency will then pore over that data for the next few weeks.

“It is the intention of the commissioner that the investigation will be completed by the end of the year,” McGann told FoxNews.com. The organization conducts few such reports each year; according to the Data Protection Commissioner’s 2010 annual report, the office opened 231 formal complaints under the Privacy in Electronic Communications Regulations act — but only conducted 32 “comprehensive privacy audits.”

via No Friends In Ireland: Probe Begins Into Facebook Privacy Issues | Fox News.


Facebook could face €100,000 fine for holding data that users have deleted | The Guardian

Facebook could face a fine of up to €100,000 (£87,000) after an Austrian law student discovered the social networking site held 1,200 pages of personal data about him, much of which he had deleted.

Max Schrems, 24, decided to ask Facebook for a copy of his data in June after attending a lecture by a Facebook executive while on an exchange programme at Santa Clara University in California.

Schrems was shocked when he eventually received a CD from California containing messages and information he says he had deleted from his profile in the three years since he joined the site.

After receiving the data, Schrems decided to log a list of 22 separate complaints with the Irish data protection commissioner, which next week is to carry out its first audit of Facebook. He wrote to Ireland after discovering that European users are administered by the Irish Facebook subsidiary. A spokeswoman for the commissioner confirmed its officers would be investigating alleged breaches raised by Schrems as part of the audit. If the commissioner decides to prosecute and Facebook or any employees are found guilty of data protection breaches, the maximum penalty is a fine of €100,000.

Among the 1,200 pages of data Schrems was sent were rejected friend requests, incidences where he “defriended” someone, as well as a log of all Facebook chats he had ever had. There was also a list of photos he had detagged of himself, the names of everyone he had ever “poked”, which events he had attended, which he hadn’t replied to, and much more besides.

The information was broken down into 57 categories, including likes, log-ons (a list of when he logged on and which IP address he used) and emails, which included some email addresses Schrems had never personally uploaded to the site but which he assumes were discerned from another user’s profile.

via Facebook could face €100,000 fine for holding data that users have deleted | Technology | The Guardian.


French Data Protection Authority Launches Public Consultation on Cloud Computing : : Privacy and Information Security Law Blog

On October 17, 2011, the French Data Protection Authority (the “CNIL”) launched a public consultation on cloud computing (the “Consultation”). The Consultation seeks to gather opinions from stakeholders (clients, providers, consultants) regarding cloud computing services for businesses, to identify legal and technical solutions that address data protection concerns while taking into account the economic interests involved.

The Consultation addresses several specific topics about personal data protection in the cloud computing context, including:

  • The definition of cloud computing
  • Cloud computing providers as data processors
  • Applicable law (i.e., what law applies to cloud computing stakeholders?)
  • Regulation of data transfers (e.g., what legal instruments are best suited to regulate cloud computing? Would binding corporate rules for data processors be an appropriate legal mechanism for transferring personal data to cloud computing service providers?)
  • Data security (e.g., cloud-specific risks and proposed security measures)

via French Data Protection Authority Launches Public Consultation on Cloud Computing : : Privacy and Information Security Law Blog.


E-Discovery: What increased data protection means for the global economy | insidecounsel.com

As our economy and companies become more digital and global, digital information outside the U.S. becomes increasingly relevant to resolving civil disputes within our nation.

Digital information will be governed by a set of laws and values many U.S. companies and their lawyers are not familiar with, because the U.S. trades more heavily with nations outside the EU. While most industrialized (e.g., Canada, the United Kingdom and Australia) and newly industrializing (e.g., Singapore and South Africa) nations have developed laws compelling the transfer of relevant electronically stored information (ESI) in civil disputes, none has laws as liberal and far reaching as U.S. civil discovery procedures.

Many nations also impose restrictions on when ESI can be gathered, processed, used and transmitted beyond borders. Indeed, “In many non-U.S. jurisdictions, including the European Union member states, some Asian nations and a few Latin American nations, data privacy is viewed as a fundamental right and ‘personal data’ is afforded greater protections than we are accustomed in the U.S.” (Gibson Dunn, “E-Discovery Basics: Cross-Border E-Discovery,” Vol. 1, No. 11). In addition, certain countries have privacy laws designed to protect information about their state-run companies (e.g., China) or even the identity of their banking clients (e.g., Switzerland).

Data protection hits the BRICS

Recently, the world’s largest emerging economies, collectively known as “BRICS” (Brazil, Russia, India, China and South Africa), have become more protective of electronic data. Most U.S. litigators have some passing familiarity with the somewhat longstanding and oft-discussed EU Data Protection Directive 94/46/EC, which restricts the processing and transferring of “personal data” about EU member-state citizens. However, they are not generally familiar with the restrictions that emerging economies are placing on data transfer. As recently as July 2011, two BRICS members (Russia and China) passed laws strengthening data protection in their countries.

Every BRICS member nation has stricter data privacy laws than those of the U.S. and none officially authorizes the transfer of “private” data to the U.S. On July 25, 2011, Russia amended its data privacy laws to require written consent to transfer any “personal data” and to grant Russian officials the exclusive authority to determine which sovereignties may receive such data. China also strengthened its protection of “personal information” on July 27, 2011, when it amended the “Provisions on the Administration of Internet Information Services,” preventing Internet service providers from collecting and using personal data without individual consent.

via E-Discovery: What increased data protection means for the global economy.


Data Protection in Dubai: The DIFC Data Protection Law | iitr.us

Articles 8 to 16: General Regulations

This section can be described as the general portion of data protection law. DPL-DIFC 07, Article 8, governs data protection principles, such as the principles of restricting the appropriation of data, and of data accuracy. Similarities to the wording of Great Britain’s DPA 1998 are noteworthy. Moreover, one can ascertain that the data protection principles in certain sections were taken partially verbatim from those of the EU Directive 95/46/EC of the European Parliament and European Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Thus, DPL-DIFC 07, Article 8, governs the following data protection principles:

  • Processing according to law and legislation, and in good faith (Article 8(1)(a))
  • Principle of limitation to specified purpose (Article 8(1)(b))
  • Data accuracy (Article 8(1)(c)(d); (2))
  • Data minimization, primarily from a chronological perspective (Article 8(1)(e))


Ban with reservation to grant permission

DPL-DIFC 07, Article 9, establishes the ban with reservation to grant permission. The wording of the provision reads: “Personal Data may only be processed if…” Thus, here as well, the European tenet of the exception-to-the-rule principle applies: accordingly, data processing actions are basically illegitimate and justified only on an exceptional basis, namely if the affected party has granted permission or the law has allowed such processing.


Permission must be granted in writing

According to data protection law in Dubai, permission is only deemed to be on an authorized basis if it was granted in writing (DPL-DIFC 07, Article 9(1)(a)).


Data processing without permission

Irrespective of the aforementioned, there are four circumstances that are not contingent on the granting of permission (DPL-DIFC 07, Article 9(1)(b)-(f)). These can be summarized to the effect that processing data without permission is only legitimate if the preponderant interests of a third party or the common welfare justify such acts. DPL-DIFC 07, Article 10, confines these permissible circumstances to the category of sensitive data, as is found under the system of European data protection guidelines.


Regulation of technical data protection

Article 16 of DPL-DIFC 07 is additionally of paramount importance. According to this article, each responsible office commits to establish “appropriate technical and organizational measures to protect Personal Data against willful, negligent, accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing, in particular where the Processing of Personal Data is performed pursuant to Article 10 or Article 12 above.” The parallels to the European standards here are obvious.


Rights of the affected party

The rights of the affected party are governed in DPL-DIFC 07, Articles 17 to 18. They cover the right to information, correction, deletion and blockage (DPL-DIFC 07, Article 17). The conditions essentially correspond to European standards (Data Protection Guideline Section 12 et seq.). Deletion is required in any case if storage is not permitted.

via Data Protection in Dubai: The DIFC Data Protection Law.


Study: Cybercrime Costs Jump 56 Percent | PCMag.com

The cost of dealing with cyber crime went up 56 percent this year, with organizations paying anywhere from $1.5 million to $36.5 million a year for protection and recovery, according to a study.

The “Second Annual Cost of Cyber Crime” study, conducted by the Ponemon Institute and funded by Hewlett-Packard, revealed that the median annualized cost of cybercrime is $5.9 million a year, which is 56 percent higher than the year before.

During a four-week period, organizations surveyed were hit with 72 successful cyberattacks a week, up 45 percent from the year before. Most of the attacks were in the form of distributed denial of service (DDoS), malicious code, stolen services, and Web-based attacks.

On average, each attack took 18 days and $416,000 to fix, which was 70 percent higher than last year, when it took an average of 14 days and $250,000 to recover.

“As the sophistication and frequency of cyberattacks increases, so too will the economic consequences,” Dr. Larry Ponemon, chairman and founder of Ponemon Institute, said in a statement. “Figuring out how much to invest in security starts with understanding the real cost of cybercrime.”

Cybercrime incurs costs for detection, protection, containment, and recovery. Companies also have to shell out extra for consumer compensation.

via Study: Cybercrime Costs Jump 56 Percent | News & Opinion | PCMag.com.
