Principles of Mobile Privacy. Pat Walshe, Director of Privacy, GSMA
Introduction
With the rapid expansion of ICT, the law has sought to address, and keep pace with, the privacy and data protection challenges that new technologies and data processing capabilities bring about. It has also become clearer that new technologies and ways to analyse data can help drive innovation, deliver significant social and economic benefits and meet pressing public policy needs. Data protection and privacy are currently regulated by a patchwork of international and regional instruments, as well as by national and sectoral laws. A key question is: what is the most effective regulatory framework to use in order to secure these benefits, while protecting privacy, especially in a connected and increasingly converged world? What is the role of data protection and privacy in creating trust among consumers and citizens? What is the role of trust in economic growth and development? 2
Background 3
Harmonised policy? 4
Harmonising policy for a converged world?
Telecoms Act/Licences/Codes
Data Protection Act
Cyber Security
Health
Law Enforcement
Transport
e-commerce
Mobile Money
Disaster Response 5
Privacy, what does it mean to you? 6
History, Development and Practice
Session Overview
What is Privacy?
Key Approaches to General Data Protection Laws
Privacy and Data Protection in Telecommunications
Data Security 7
Privacy as a concept: it is not new. "The right to be left alone" 8
A right to privacy? Data Protection?
EU Charter of Fundamental Rights
Article 7 - Respect for private and family life: everyone has the right to respect for his or her private and family life, home and correspondence. Limited interferences are permitted, but they must be set out in law.
Article 8 - Protection of personal data: everyone has the right to the protection of personal data concerning him or her. 9
Aspects of online and mobile privacy
Informational privacy: a person's ability to control, or significantly control, the use of information about them.
Communications privacy: the right of an individual to expect that their personal communications are free from monitoring, observation and intrusion.
Spatial privacy (location and context): the right of an individual to move about without being identified, tracked and monitored in ways that might impact on their right to freedom of movement and association. 10
Data protection law developments
Over 100 data protection and privacy laws have been influenced by the following reports, guidelines, conventions, directives and regulations:
1973 US Department of Health, Education and Welfare report on Fair Information Practices (FIPS)
1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (updated 2013)
1980 Council of Europe Convention (108) for the Protection of Individuals with regard to Automatic Processing of Personal Data (under review)
1990 UN Guidelines for the Regulation of Computerised Personal Data Files
1995 EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (to be replaced with a new regulation)
2012 EU draft General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data
2014 African Union Convention on Cyber Security and Personal Data Protection 11
Data protection and privacy: Africa
Columns on the slide: constitutional right to privacy (in some countries also covering communications, or the privacy of telegraphic, telephonic or personal electronic communications); data protection law; restrictions on transfer of data. Countries and their data protection laws:
Angola: Data Protection Law (2011)
Benin: Protection of Personally Identifiable Information (2009)
Burkina Faso: Protection of Personal Data Act (2004)
Cape Verde: Protection of Personal Data (2001, amended 2013, not enacted)
Cote d'Ivoire: Protection of Personal Data (2013)
Gabon: Protection of Personal Data (2011)
Ghana: Data Protection Act (2012)
Kenya: Data Protection Bill 2013
Mali: Protection of Personal Data 2013
Mauritius: Data Protection Act (2004)
Morocco: Protection of Individuals in Relation to the Processing of Personal Data
Senegal: Protection of Personal Data (2008)
Seychelles: Data Protection Act (2003)
South Africa: Protection of Personal Information Act 2013
Tunisia: Personal Data Protection (2004)
Uganda: Data Protection and Privacy Bill 2014 12
Data protection law: the basics
Data protection law sets out rules that seek to protect privacy by:
Placing obligations and restrictions on organisations regarding how they can collect and use personal data
Giving individuals rights to: object to direct marketing and automated decision making; obtain a copy of data held about them; have data corrected, erased or blocked
Point to consider: data protection laws are intended to protect an individual's privacy, but do they achieve this in a world of converged services? 13
Data protection law: common principles
Process data fairly and lawfully
Process data only for specified purposes
Collect and use the minimum amount of data necessary
Keep data accurate and up-to-date
Keep data only as long as necessary
Respect the rights of individuals
Keep data secure (via technical and organisational means)
Ensure adequate protection/follow rules if sending data overseas 14
Personal data?
Recap: data protection laws only apply to personal data (e.g., data that can be used to identify a living individual or that relates to an identifiable individual).
Examples of personal data may include:
Name and address
Email address (even business email addresses, if they are non-generic)
MSISDN/IMEI/IP address/MAC address?
Data protection law also covers sensitive personal data, which includes any data relating to:
Health
Race or ethnic origin
Political opinions
Religious beliefs
Trade union membership
Sex life
Criminal proceedings or convictions 15
Data protection revision: the EU
New General Data Protection Regulation (not a directive):
Creates a set of harmonised rules across all EU member states
Introduces fines of up to 5% of global turnover
Strengthens obligations to provide information and choice
Places stricter requirements on consent
Requires Data Protection by Design and Default
Requires impact assessments
Encourages support for privacy certifications/seals
Extends the definition of personal data (to include location data, device identifiers)
Gives individuals the right to data portability
Extends data breach notification to all sectors (not just telcos) 16
Telecommunications privacy: it's not new
Council of Europe, Recommendation 509 (1968) on human rights and modern scientific and technological developments: "newly developed techniques such as phone-tapping, eavesdropping, surreptitious observation, the illegitimate use of official statistical and similar surveys to obtain private information, and subliminal advertising and propaganda are a threat to the rights and freedoms of individuals and, in particular, to the right to privacy which is protected by Article 8 of the European Convention on Human Rights" 17
Telecommunications privacy
Regulation generally applies to public electronic communications networks and services, and seeks to ensure:
Confidentiality of communications
Protection against unauthorised monitoring or surveillance
Security of communications, networks and data
Privacy of traffic, location and billing data
Rights for callers to present or withhold calling line identity
Restrictions on marketing and secondary use of data 18
Telecommunications privacy: asymmetries
In addition to general data protection and privacy laws, mobile and fixed operators are also subject to:
Licence conditions
Multimedia/communications laws
E-Privacy laws
Interception and disclosure laws
Data retention laws
Electronic transactions laws
Statutory codes of conduct or guidelines
These may:
Restrict, or set conditions on, the use of customer information, which could distort the market in data and/or hinder economic growth and public policy objectives
Oblige operators to put in place interception and disclosure capabilities for law enforcement/national security reasons
Require the erasure or anonymisation of traffic and location data (except for network management, billing, customer services, fraud prevention or delivering Value Added Services with consent) 19
Security 20
Security is not privacy
Security and privacy are terms that are often used interchangeably
Intricately entwined: one often follows the other
It is possible to have poor privacy and good security practices
It is difficult to have good privacy without security
Security: confidentiality, integrity and availability
Privacy: appropriate use of information
The true objective of security is the protection of privacy; security is a means to an end
Cannot rely solely on technology to ensure privacy: it requires a good and accountable compliance programme! 21
Security and integrity of networks and services
Providers of public communications networks, or publicly available electronic communications services, are required to:
Take appropriate technical and organisational measures to appropriately manage risks posed to security, having regard to the state of the art [of available measures]
Take all appropriate steps to guarantee the integrity of … networks [to] ensure the continuity of [the] supply of services
Act on and report a personal data breach [meaning a breach of security] leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service 22
Rethinking data protection and privacy in the connected world 23
Rethinking data protection and privacy in an increasingly mobile and connected world: mobile connectivity, always on 24
Rethinking privacy: converging policy and regulation?
As more and more people use a mix of traditional communications services and instant messaging and VoIP services from internet companies, what is the best approach to:
Creating legal certainty and a level playing field for business?
Creating consistency in privacy experiences for users?
Ensuring innovation in technology and data use that drives economic and social opportunities and meets public policy objectives? 25
Big Data: session overview
What is it?
Opportunities
Making it happen: realising opportunities while protecting privacy 26
Big Data: what is it?
Big Data is an overarching theme for using multiple data sources to continuously generate new insights to make data-driven decisions.
Volume: vast amounts of data
Velocity: high speed of processing
Value
Variety: different types of data
Veracity: accuracy and reliability of data 27
Big Data: what can it do?
Data-driven innovation: urban planning and transport systems
Personalisation of services (government and commercial)
Identity management
Humanitarian aid: disaster response
Disease management
Early warnings of environmental threats
Agriculture/farming
Improving healthcare and patient self-management 28
Big Data: social good?
Potential areas of use, with description:
Predicting the spread of infectious disease: by combining aggregated health data with mobility patterns
Optimising urban planning and management: using mobility and demographic data
Open data innovation, creating opportunities: Big Data crowdsourcing for social good
Rationale for action:
Build new capabilities
Many social uses combine the same datasets as more commercially oriented Big Data deployments
Corporate social responsibility
Social value of data to both developed and developing economies is significant
Regulatory agenda: could over-regulation on user privacy destroy both private value and public good? What is the balance? 29
Case study: using CDRs to help aid agency response in Africa 30
Key Big Data challenges
The legal framework today (key challenges) set against the Big Data reality today/tomorrow:
Legal framework: rules/limits on the collection, use and retention of personal data; relies on notice and informed choice (consent), as well as on users actively engaging in the collection/use of their data. Big Data reality: Big Data is based on ever increasing volumes and varieties of data; Big Data is about the discovery, or inference, of previously unknown facts and patterns (it is impossible to predict and communicate future undiscovered uses); risks emerge from use, not just the collection of data; transition from simple, well-defined binary exchanges of data to a complex multiplicity of real-time data sharing across borders; evidence shows users don't read, or understand, privacy policies (due to their complexity, length and use of legal language); choice is often too complex to exercise; often data collection/sharing is passive to the user; machine-to-machine sharing challenges notice and consent; cannot notify the unknown; more detailed notification may burden the user and undermine privacy.
Legal framework: personal data is defined and predetermined, and linked to whether a person is identifiable or not. Big Data reality: inference from data permits singling out of individuals and/or their devices without the user being identified; privacy risks are increasingly contextual and not tied to identifiability; metadata may hold more risks (e.g., geolocation embedded in images/tweets).
Legal framework: imposes strict rules on overseas transfers. Big Data reality: data flows across borders, in real time and simultaneously between multiple parties.
Legal framework: restrictions on profiling (and a proposed obligation to notify users about "envisaged effects"). Big Data reality: many services are already personalised; Big Data is predicated on analysis/profiling; Big Data extracts knowledge of significant societal and economic value. Will this knowledge be subject to regulation?
Legal framework: emerging emphasis on anonymisation. Big Data reality: does not consider the value of data to be extracted by other privacy protective methods.
Legal framework: emerging intent to regulate for Do Not Track. Big Data reality: uncertainty as to whether this applies to the collection of data or to persistent profiling and targeting. 31
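The CDR case study and the singling-out point above, as an added example that is not from the GSMA deck: MSISDNs are pseudonymised with a keyed hash (HMAC; the secret key and a per-release tag are assumptions), record-level pseudonymised data is then checked for devices that are alone in an area/hour bucket (singled out without anyone being identified), and only aggregate counts with small buckets suppressed are released. The sample CDRs and the cell-to-area mapping are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample CDRs, not real data: (MSISDN, serving cell, hour of activity)
SAMPLE_CDRS = [
    ("254700000001", "CELL-A1", "2014-03-01T08"),
    ("254700000002", "CELL-A1", "2014-03-01T08"),
    ("254700000003", "CELL-A1", "2014-03-01T08"),
    ("254700000004", "CELL-A2", "2014-03-01T08"),
    ("254700000005", "CELL-A2", "2014-03-01T08"),
    ("254700000001", "CELL-A1", "2014-03-01T09"),  # subscriber 1 seen again an hour later
    ("254700000006", "CELL-B7", "2014-03-01T08"),  # a lone device in a different area
]
# Constructed (assumed) mapping from serving cell to a coarser reporting area
CELL_TO_AREA = {"CELL-A1": "AREA-A", "CELL-A2": "AREA-A", "CELL-B7": "AREA-B"}


def pseudonymise(msisdn, key, release_tag):
    """Keyed pseudonym via HMAC-SHA256.

    Stable within one release (so mobility can be followed), unlinkable across
    releases because the release tag is mixed in, and not reversible without the
    key. An unkeyed hash would not do: a 12-digit MSISDN has too little entropy,
    so the digest alone would still be personal data.
    """
    msg = f"{release_tag}:{msisdn}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymised_cdrs(cdrs, key, release_tag, cell_to_area):
    """Step 1: swap the MSISDN for a pseudonym and coarsen the cell to an area.
    The result is still record-level data."""
    return [(pseudonymise(m, key, release_tag), cell_to_area[c], h) for m, c, h in cdrs]


def _bucket_members(pcdrs):
    """Distinct pseudonyms observed per (area, hour) bucket."""
    members = defaultdict(set)
    for pseudonym, area, hour in pcdrs:
        members[(area, hour)].add(pseudonym)
    return members


def singled_out(pcdrs):
    """Pseudonyms that are alone in some (area, hour) bucket: that device is
    singled out even though nobody has been identified."""
    return {p for s in _bucket_members(pcdrs).values() if len(s) == 1 for p in s}


def aggregate(pcdrs, min_count):
    """Step 2: release only the number of distinct devices per (area, hour),
    suppressing buckets with fewer than min_count devices. Returns the
    releasable counts and the sorted list of suppressed buckets."""
    members = _bucket_members(pcdrs)
    counts = {k: len(v) for k, v in members.items() if len(v) >= min_count}
    suppressed = sorted(k for k, v in members.items() if len(v) < min_count)
    return counts, suppressed


if __name__ == "__main__":
    key = b"constructed-placeholder-key"  # a real deployment keeps this secret at the operator
    pcdrs = pseudonymised_cdrs(SAMPLE_CDRS, key, "release-1", CELL_TO_AREA)
    print("devices singled out at record level:", len(singled_out(pcdrs)))
    print("released:", aggregate(pcdrs, min_count=5))
```

With the constructed data, two devices are singled out at record level (one of them in an otherwise busy area, because it was the only device seen there in the next hour), and only the five-device bucket survives aggregation.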
Economics and user experience of privacy policy?
Policy approaches to concerns about data protection and privacy do not sufficiently reflect the economic dimensions of regulation, nor its impact on user experience. Regulation may:
Lead to costs for designing and maintaining excessive notice and consent requirements that will erode, rather than strengthen, privacy by burdening consumers with unwarranted choice
Involve economic loss to online businesses where consumers disengage from an online transaction due to a need to make excessive privacy choices
Preclude the use of data that has significant social and economic benefits and that is crucial to meeting pressing public policy needs (see OECD, WEF, EU, UN) 32
Economics and user experience of privacy policy?
Organisations such as the OECD, and a number of OECD countries, are actively looking to increase their understanding of the economic and social benefits that can be derived from Big Data. Areas of interest include:
Investigation of the attitudes of users towards, and the exchange value they place on, their privacy in the context of Big Data
The costs of designing for regulatory notice and consent
The economic costs of regulatory restrictions
Investigation of the social and economic benefits that Big Data can have in helping to shape not only policy, but also user understanding and acceptance of Big Data frameworks
Such research could support a more valued and trusted knowledge-based society, as well as better policy making. 33
Research on consumer attitudes and perceptions 34
Most mobile internet users are concerned about sharing their personal information 35
and want to choose whether to share their information with third party companies 36
Users want rules to apply consistently 37
What have we learned?
Mobile users around the world have similar privacy attitudes. Research shows they:
Don't read long T&Cs but want companies to respect their privacy
Want simple ways to understand and express their privacy choices
Value targeted ads and personalised services from companies they trust
This presents an opportunity to find new ways to respect users' privacy, create better privacy experiences for them, and build trust in the mobile ecosystem and in commercial and government services 38
Future-proofing privacy 39
Legislative and regulatory policy
Around the world, policymakers and regulators are seeking to address the challenges of an always-on, connected digital society, as well as issues such as Big Data. A number of proposals are being made to balance the evolving needs of stakeholders (consumers/citizens, businesses, governments and regulators) that focus on people, not just data. Areas of particular interest include:
How to address risks arising from the context of the collection and use of data
Ways to demonstrate compliance and accountability (including for cross-border transfers), such as self-regulation, codes of conduct, privacy certification schemes, privacy by design and default
Anonymisation and pseudonymisation of data
Encryption
Sanctions 40
A risk based approach to privacy 41
International regulatory co-operation and enforcement
Association of Francophone Data Protection Authorities (AFAPDP) (includes Burkina Faso, Cape Verde, Senegal, Tunisia)
Latin American Data Protection Network (RIPD)
Global Privacy Enforcement Network (GPEN)
International Data Protection and Privacy Commissioners Conference
International Working Group on Data Protection in Telecommunications (IWGDPT) 42
Bridging privacy 43
International regulatory focus and co-operation: data protection and privacy seen as enablers of economic growth and social good 44
Industry regulation: the GSMA's mobile privacy initiative
A key objective: identify mobile-friendly methods for users to make informed decisions about their privacy and the use of their personal information.
Privacy principles: provide an overall framework to help develop more detailed privacy design guidelines, codes of conduct and business practices.
Guidelines: express the privacy principles in functional terms and establish best practice for applications and services that seek to create, access and share a user's personal information.
Accountability framework: to help organisations demonstrate that their business practices comply with the guidelines. 45
GSMA: Mobile privacy principles
1 Openness, transparency and notice
2 Purpose and use
3 User choice and control
4 Data minimisation and retention
5 Respect user rights
6 Security
7 Education
8 Children and adolescents
9 Accountability and enforcement 46
GSMA privacy by design app guidelines: applying the principles in practice
Help developers design privacy into apps
Uses illustrative examples and use cases
Includes modules on: Location; Mobile advertising; Children; Social networking
"In order to maintain the strong growth in both the sales and popularity of mobile apps, customers need to be confident that their privacy is protected when they use them … and these guidelines set an important standard in defining what consumers should expect from their apps." Stephen Deadman, Group Privacy Officer, Vodafone 47
Accountability
Accountability is found in both the OECD guidelines and the APEC privacy framework, and is also proposed in the draft EU General Data Protection Regulation. In the context of the GSMA initiative, accountability is the acceptance and demonstration of compliance with commitments: say what you do, and do what you say. 48
Mobile app privacy: regulatory action
Canada: Mobile App Privacy Guidelines
Europe: Art 29 WP Opinion on App Privacy
Germany: App privacy guidelines
UK: ICO Mobile App Privacy Best Practice
Japan: Smartphone Privacy Initiative
USA: Cal AG Recommendations; FTC Mobile Disclosures Report; NTIA Mobile Transparency Code
China: Mobile Smart Terminal Regulation
Australia: Mobile App Privacy Guidelines
Mauritius: Mobile App Privacy Best Practice
Hong Kong: Mobile App Privacy Best Practice
Source: QUALCOMM 49
Conclusions 50
Conclusions
Data protection and privacy are complex issues
There is no one-size-fits-all approach that can be applied to these areas
Group discussion 51
Conclusion: a trust framework that is interoperable
Legal and regulatory structures that create the right incentives for business and users
Technology standards and solutions that assist users and aid interoperability, choice and control
Consistency of experience through co-regulation, industry standards and common vocabularies
Training and awareness: developers, users 52
Thank you. Pat Walshe, pwalshe@gsma.com, +447753 934537, www.gsma.com/publicpolicy/mobile-and-privacy 53