ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Transcription

1 ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

2 Data Flows and Data Mirroring Martin Abrams September ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

3 We Are In the Infancy Of An Information Revolution Volume of information is expanding geometrically. We talk of exabytes of data today vs. terabytes yesterday and gigabytes the day before. Data processes are expanding the data that we can understand using computers. So usable data is expanding geometrically as well. ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

4 We Are in the Infancy of an Information Revolution (Cont.) Analytics are also improving at geometric rates. Information yields more value. Emerging economies generate growth via knowledge based employment. Communications improvements mean that work will be done where it may most effectively be done. ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

5 1997 Data Flows Over a Ten Year Period Data transferred via tape or disk Data located and processed in same location Access and location the same Small network of controllers and processors Fairly simple regulatory challenge ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

6 2007 Data Flows Over a Ten Year Period Data flows electronically Data processed remotely and in many locations at the same time Access maybe anywhere Long chain of controllers and subcontractors all adding value Complex challenge ÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

7 What Is A Transfer Today? 24/7/365 customer service Processing a payment for a purchase in China with a card issued in Germany from a phone in a Canadian hotel room Business process re-engineering in India Global project teaming in Spain, Russia, China, Australia, US and Canada Social networking in a global community ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

8 An Example of Global Teaming Team created to address a medical problem Doctors and scientists in 10 countries with various expertise working as a virtual team New members might be added All need to look at the same data sets ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

9 An Example of Global Teaming (Cont) Data sets comprised of Clinical data Epidemiological data Data on compounds and materials Data located in servers in all ten countries, but mirrored on every screen What regulatory scheme covers this teaming? ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

10 Nature of Privacy Compounds Our Issue Privacy is local Personal information protection Domain for autonomy Security Data flows are global Yet individuals demand and expect that their local expectations be met in an increasingly networked world ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

11 Emerging Model of Governance Privacy is local Data flows are global Obligations are universal Accountability based systems of governance Binding Corporate Rules Cross Border Privacy Rules Growth of accountability agents and methods Linkages based on common principles ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

12 Conclusion Data transfers and mirroring are a simple reflection of information and communications revolution. Information will drive growth and change. Individual expectations must be met no matter where the data is seen. That means governance structures that are consistent with privacy being local, data flows being global, and obligations being universal. ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

13 Data Flows and Data Mirroring Benjamin S. Hayes Americas Data Privacy Compliance Lead Accenture, LLP ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

14 Data Flows and Data Mirroring What data is flowing across borders, and where is it going? Why is the data moving? What are the trends? Predictions for the future Outsourcing myth and reality ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

15 Example 1: Commercial website Content / functionality modules (not including web advertisements) supplied by various third parties: Dell Careerbuilder.com Google People magazine Yahoo Accuweather.com Time.com AOL Fortune Etc., etc., etc. ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

16 Commercial Website (cont.) Each module, in turn is likely powered by a service provider to Google, Time, AOL, etc. These service providers may outsource part or all of the functionality to a subcontractor. Data input through a module may be accessible to multiple parties in multiple geographies. Virtually all of the controls to protect data will be contractual (as opposed to compliance with laws) ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

17 Example 2 HR Outsourcing Services typically involve providing the majority of personnel administration functions: Payroll Benefits enrollment Change of status Communications to employees Helpline for employee inquiries ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

18 How a hypothetical HRO is staffed Assume client is in US, UK, NL and Belgium. Deal may be signed in London between Client UK and Accenture UK Accenture Consultants in US, UK, Argentina and Manila Call centers in Buenos Aires, Warsaw, and Kuala Lampur to ensure 24 hr coverage. Data processing in Bangalore Printing / mailing performed by third party in US. ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

19 Why are services provided this way? Primary reason cost The search for efficiency and savings drives outsourcing Strong pressure on public companies to produce profits for shareholders. Secondary reasons ability to distribute work to expert teams in various geographies, 24 hour capabilities, languages ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

20 Added complexity communications infrastructure Servers are located in service locations, but are backed up on different continents for disaster discovery purposes. Secondary backup servers ( fail-over capacity ) may be in yet another country. The widely distributed service delivery team may use a private group website (hosted in Chicago, serviced from India) to collaborate on projects, share drafts, etc. The advent of VOIP may mean re-examining assumptions about the privacy /security of voice communications caching, routing, clear-text packets, etc. All of this means a complex web of Model Clauses and other data transfer agreements must be applied to follow the data difficult to administer. ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

21 Predictions for the future The distribution of data and segmentation of business processes is driven by economics and improvements in information technology. Bandwidth availability will continue to improve, which will drive further distribution of data and segmentation of business processes. More businesses will engage in transitory data processing instead of traditional controllership. Business realities require consistent administration of data from many sources this means there is economic demand for harmonized international rules regarding data sharing, Increased or disharmonized regulation that interferes with transborder data flows will mean some economic efficiencies are unrealized. Territorial limits on transborder data flows may do little to address actual risks a risk-focused (rather than territorial) regulatory regime would be more protective of consumer interests. ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

22 Outsourcing Myths Work is performed in substandard conditions, employing uneducated, untrustworthy people. Information security standards are lax. Data is necessarily less safe than it would be in its home country. ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

23 Outsourcing Reality Work is performed in modern business conditions by educated, trained, screened personnel Information security standards are extremely strict Data is safer than it might be in many other places ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

24 Accenture Delivery Centers are focused on security expectations and are audited Bangalore has been certified at Level 3 of the esourcing Capability Model for Service Providers by Carnegie Mellon University 1 st outsourcer in the world to receive this designation 17+ Accenture delivery locations to receive SAS 70 Level II audits in centers are currently compliant with ISO 27001; 3 more will be added in October, 2007 (represents most of Accenture s outsourced service delivery locations); variety of other standards certifications in place. Global mandatory training on data privacy for all personnel ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

25 DATA FLOWS & DATA MIRRORING David Loukidelis Information and Privacy Commissioner for British Columbia oipc.bc.ca ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

26 Changing Nature of Trans-Border Data Flows (TBDF) As the other members of the panel have noted, the nature, complexity, scale and range of global data flows have dramatically changed in just 10 years The economics are such that bandwidth will continue to grow, storage will get ever cheaper and ICT will go on evolving As we navigate the New Spice Routes (Alhadeff), challenges to traditional models of data protection (DP) will grow more acute ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

27 Challenges to Traditional Accountability Mechanisms Governments and DPAs have long struggled with implications for DP enforcement of territorial limits of jurisdiction In Canada, constitutional limits on government authority result in a patchwork of similar but somewhat varying privacy laws Canadian DPAs thus face TBDF challenges similar to those across international borders Canadian legislative harmonization is desirable (compare US Uniform Law Conference approach) ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

28 Challenges to Accountability (cont d) Canadian DPA co-operation is desirable and is a reality, in public and private sector DPA activities Challenges to governments and DPAs are even greater in international TBDF Territorial limits on jurisdiction aside, basic nature of legal systems will vary, regulatory approaches often differ and cultures may clash This has to some degree been true since simpler days of A to B batch data transfers ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

29 Responding to Challenges Export control approach reflected in EU laws can be seen as one attempt to address challenges of TBDF US Safe Harbor is a noteworthy example of the challenges raised by varying policy responses to privacy issues, where one response is the export control approach Another response has been the model contract clauses approach (EU and ICC) ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

30 Meeting New Challenges Rapidly changing nature and extent of TBDF demand new solutions export control and model contract approaches are increasingly ill-suited for TBDF challenges What can be done? Not a new question and there are many possible answers ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

31 Regulatory Co-operation Bilateral DPA co-operation can be useful for specific complaints or cases (this can ease though not eliminate territorial limits issue e.g., Abika case and Canada-US cooperation) DPA information sharing can help those cooperating better allocate enforcement resources ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

32 Regulatory Co-operation (cont d) Multilateral co-operation can achieve this and more e.g., through creation of harmonized resources that smooth edges of privacy framework disparities Asia-Pacific Privacy Authorities organization as an example of multilateral co-operation in a regional international context ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

33 Co-operation & What Else? There are clearly some serious limits on how fruitful co-operation can be it cannot overcome the challenges mentioned earlier, most prominent being differences in legislative/regulatory regimes These challenges continue to drive the search for new approaches, to complement or replace existing approaches such as model contracts and export controls ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

34 Cross-Border Privacy Rules (CBPR) Systems Leaving international standards aside for now (they have considerable merit in principle), CBPRs involve a corporation adopting privacy rules to govern their global conduct CBPRs can be underpinned by an international standard like the APEC Privacy Framework Next step is for APEC and other organizations to establish accountability systems ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

35 CBPRs Systems (cont d) Challenge is to find alternative, complementary approaches for ensuring accountability for privacy practices in a complex TBDF world Accountability agents like trustmarks offer promise free of territorial restraints they could offer ADR, audit and redress and complement DPA and government action ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS

36 Conclusion CBPRs systems offer promise Work on international standards should continue (OECD meets APEC meets ISO?) DPAs can and should increase the level of co-operation on various fronts There is no panacea, but an array of approaches can serve stakeholders well in the brave new world of TBDF ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS