Principles of Mobile Privacy. Pat Walshe. Director of Privacy, GSMA

Similar documents
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY

Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity

DATA PROTECTION POLICY

HIPSSA Project. Support for Harmonization of the ICT Policies in Sub-Sahara Africa, Second Mission -Namibia

Merthyr Tydfil County Borough Council. Data Protection Policy

Observations on international efforts to develop frameworks to enhance privacy while realising big data s benefits

European Commission initiatives on e- and mhealth

Guidelines on Data Protection. Draft. Version 3.1. Published by

Value of the EU Data Protection Reform against the Big Data challenges. Keynote address 5th European Data Protection Days Berlin, 4.5.

Data protection compliance checklist

Data Compliance. And. Your Obligations

International Privacy and Data Security Requirements. Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine

PRIVACY POLICY Personal information and sensitive information Information we request from you

How To Understand The Data Protection Act

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Article 29 Working Party Issues Opinion on Cloud Computing

Information Governance Policy

PRESIDENT S DECISION No. 40. of 27 August Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

BCS, The Chartered Institute for IT Consultation Response to:

AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM

Response of the Northern Ireland Human Rights Commission on the Health and Social Care (Control of Data Processing) NIA Bill 52/11-16

Dublin City University

DATA PROTECTION POLICY

Response of the German Medical Association

Data Protection Act a more detailed guide

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

Digital Agenda for Europe Cartagena de Indias, September 1, 2015

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

How To Protect Your Personal Information At A College

Guidelines on Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment

Big Data for Law Firms DAMIAN BLACKBURN

Comments and proposals on the Chapter II of the General Data Protection Regulation

The Manitowoc Company, Inc.

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

Health Data Governance: Privacy, Monitoring and Research - Policy Brief

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation

Corporate Policy. Data Protection for Data of Customers & Partners.

Data Protection HEADLINE PART Developments: Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Mobile, privacy and regulation in Latin America: What is the role of self-regulation?

CORPORATE TRAVEL MANAGEMENT PRIVACY POLICY

Data Protection Policy

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Dealing with data breaches in Europe and beyond

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

The potential legal consequences of a personal data breach

Security breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison

Work programme

Data Protection Policy

Privacy in the Cloud: Data Protection and Security in Cloud Computing

005ASubmission to the Serious Data Breach Notification Consultation

Assistant Director of Facilities

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

I. Personal data and its use in the business to business environment.

Big Data for Mutuals. Marc Dautlich 25 November 2013

Emerging Data Protection regulations in Africa. Christophe Fichet

Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation

DATE: 1 APRIL Introduction

Application of Data Protection Concepts to Cloud Computing

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Privacy and Electronic Communications Regulations

Data Protection Policy June 2014

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

ETNO Reflection Document in reply to the EC consultation on Future networks and the Internet early challenges regarding the Internet of things

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking

Accountability: Data Governance for the Evolving Digital Marketplace 1

Comments and proposals on the Chapter IV of the General Data Protection Regulation

I. Need for Federal Privacy Legislation

Data Security and Extranet

AlixPartners, LLP. General Data Protection Statement

Cloud Computing and Privacy Laws! Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection & Cyber Security Law Update 1 st October 2015

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

Healthcare Coalition on Data Protection

The RFID agenda of the European Commission. Florent Frederix European Commission Directorate General Information Society and Media

Data, Privacy, Cookies and the FTC in Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller

Mitigating and managing cyber risk: ten issues to consider

technical factsheet 176

Data for the Public Good. The Government Statistical Service Data Strategy

Scottish Rowing Data Protection Policy

Data Protection Act. Privacy & Security in the Information Age. April 26, Ministry of Communications, Ghana

Written Contribution of the National Association of Statutory Health Insurance Funds of

Data Protection in Ireland

University of Limerick Data Protection Compliance Regulations June 2015

Privacy and Data Protection

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS No. 2199

Proposal of regulation Com /4 Directive 95/46/EC Conclusion

Honourable members of the National Parliaments of the EU member states and candidate countries,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Information & ICT Security Policy Framework

Information Management Strategy. July 2012

Transcription:

Principles of Mobile Privacy Pat Walshe Director of Privacy, GSMA

Introduction With the rapid expansion of ICT, the law has sought to address, and keep pace with, the privacy and data protection challenges that new technologies and data processing capabilities bring about It has also becoming clearer that new technologies and ways to analyse data can help drive innovation, deliver significant social and economic benefits and meet pressing public policy needs Data protection and privacy are currently regulated by a patchwork of international and regional instruments, as well as by national and sectoral laws A key question is what is the most effective regulatory framework to use in order to secure these benefits, while protecting privacy especially in a connected and increasingly converged world? What is the role of data protection and privacy in creating trust among consumers and citizens? What is the role of trust in economic growth and development? 2

Background 3

Harmonised policy? 4

Harmonising policy for a converged world? Telecoms Act/Licences/Codes Data Protection Act Cyber Security Health Law Enforcement Transport ecommerce Mobile Money Disaster Response 5

Privacy, what does it mean to you? 6

History, Development and Practice Session Overview What is Privacy? Key Approaches to General Data Protection Laws Privacy and Data Protection in Telecommunications Data Security 7

Privacy as a concept it is not new the right to be left alone 8

A right to privacy? Data Protection? EU Charter of Fundamental Rights Article 7 - respect for private and family life Everyone has the right to respect for his or her private and family life, home and correspondence Limited interferences permitted that must be set out in law Article 8 - Protection of personal data Everyone has the right to the protection of personal data concerning him or her 9

Aspects of online and mobile privacy Informational privacy A person s ability to control, or significantly control, the use of information about them Communications privacy The right of an individual to expect that their personal communications are free from monitoring, observation and intrusion Spatial privacy (location and context) The right of an individual to move about without being identified, tracked and monitored in ways that might impact on their right to freedom of movement and association 10

Data protection law developments Over 100 data protection and privacy laws have been influenced by the following reports, guidelines, conventions, directives and regulations: 1973 US Department of Health, Education and Welfare report on Fair Information Practices (FIPS) 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (updated 2013) 1980 Council of Europe Convention (108) for the Protection of Individuals with regard to Automatic Processing of Personal Data (under review) 1990 UN Guidelines for the Regulation of Computerised Personal Data Files 1995 EU Directive 95/46EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (to be replaced with new regulation) 2012 EU draft General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data 2014 African Union Convention on Cyber Security and Personal Data Protection 11

Data protection and privacy Africa Constitutional right to privacy Angola Benin Burkina Faso Cape Verde Cote d Ivoire Gabon Ghana Kenya Habeas Data + communications + communications Data Protection Data Protection Law (2011) Protection of Personally Identifiable Information (2009) Protection of Personal Data Act (2004) Protection of Personal Data (2001 amended 2013 not enacted) Protection of Personal Data (2013) Protection of Personal Data (2011) Data Protection Act (2012) Data Protection Bill 2013 Restrictions on Transfer of Data Constitutional right to privacy Mali Mauritius Morrocco Senegal Seychelles South Africa Tunisia Uganda Privacy of telegraphic, + communications & + communications telephonic or personal electronic information communications Data Protection Restrictions on Transfer of Data Protection of Personal Data 2013 Data Protection Act (2004) Protection of Individuals in Relation to the Processing of Personal Data Protection of Personal Data (2008) Data Protection Act (2003) Protection of Personal Information Act 2013 Personal Data Protection (2004) Data Protection and Privacy Bill 2014 12

Data protection law the basics Data protection law sets out rules that seek to protect privacy by: Placing obligations and restrictions on organisations regarding how they can collect and use personal data Giving individuals rights to: object to direct marketing and automated decision making obtain a copy of data held about them have data corrected, erased or blocked Point to Consider: Data protection laws are intended to protect an individual s privacy, but do they achieve this in a world of converged services? 13

Data protection law common principles Process data fairly and lawfully Process data only for specified purposes Collect and use the minimum amount of data necessary Keep data accurate and up-to-date Keep data only as long as necessary Respect the rights of individuals Keep data secure (via technical and organisational means) Ensure adequate protection/follow rules if sending data overseas 14

Personal data? Recap: Data protections laws only apply to personal data (e.g., data that can be used to identify a living individual or that relates to an identifiable individual) Examples of personal data may include: Name and address Email address (even business email addresses if they are non generic) MISDN/IMEI/IP Address/MAC Address? Data protection law also covers sensitive personal data that includes any data relating to: Health Race or ethnic origin Political opinions Religious beliefs Trade union membership Sex life Criminal proceedings or convictions 15

Data protection revision the EU New General Data Protection Regulation (not a directive): Creates a set of harmonised rules across all EU ember states Introduces fines of up to 5% of global turnover Strengthens obligations to provide information and choice Places stricter requirements on consent Requires Data Protection by Design and Default Requires impact assessments Encourages support for privacy certifications/seals Extends the definition of personal data (to include location data, device identifiers) Gives individuals the right to data portability Extends data breach notification to all sectors (not just telcos) 16

Telecommunications privacy it s not new Council of Europe, Recommendation 509 (1968) on human rights and modern scientific and technological developments: newly developed techniques such as phone-tapping, eavesdropping, surreptitious observation, the illegitimate use of official statistical and similar surveys to obtain private information, and subliminal advertising and propaganda are a threat to the rights and freedoms of individuals and, in particular, to the right to privacy which is protected by Article 8 of the European Convention on Human Rights 17

Telecommunications privacy Regulation generally applies to public electronic communications networks and services, and seeks to ensure: Confidentiality of communications Protection against unauthorised monitoring or surveillance Security of communications, networks and data Privacy of traffic, location and billing data Rights for callers to present or withhold calling line identity Restrictions on marketing and secondary use of data 18

Telecommunications privacy asymmetries In addition to general data protection and privacy laws, mobile and fixed operators are also subject to: Licence conditions Multimedia/communications laws E-Privacy laws Interception and disclosure laws Data retention laws Electronic transactions laws Statutory codes of conduct or guidelines These may: Restrict, or set conditions on, the use of customer information that could distort the market in data and/or hinder economic growth and public policy objectives Oblige operators to put in place interception and disclosure capabilities for law enforcement/national security reasons Require the erasure or anonymisation of traffic and location data (except for network management, billing, customer services, fraud prevention or delivering Value Added Services with consent) 19

Security 20

Security is not privacy Security and Privacy are terms that are often used interchangeably Intricately entwined, one often follows the other It is possible to have poor privacy and good security practices It is difficult to have good privacy without security Security confidentiality, integrity and availability Privacy appropriate use of information The true objective of security is the protection of privacy Security is a means to an end Cannot rely solely on technology to ensure privacy requires a good and accountable compliance programme! 21

Security and integrity of networks and services Providers of public communications networks, or publicly available electronic communications services, are required to: Take appropriate technical and organisational measures to appropriately manage risks posed to security having regards to the state of the art [of available measures] Take all appropriate steps to guarantee the integrity of. networks [to] ensure the continuity of [the] supply of services Act on and report personal data breach [meaning a breach of security] leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service 22

Rethinking data protection and privacy in the connected world 23

Rethinking data protection and privacy in an increasingly mobile and connected world Mobile connectivity always on 24

Rethinking privacy converging policy and regulation? As more and more people use a mix of traditional communications services and instant messaging and VoIP services from internet companies, what is the best approach to: Creating legal certainty and a level playing field for business? Creating consistency in privacy experiences for users? Ensuring innovation in technology and data use that drives economic and social opportunities and meets public policy objectives? 25

Big Data Session Overview What is it? Opportunities Making it happen realising opportunities while protecting privacy 26

Big Data what is it? Big Data is an overarching theme for using multiple data sources to continuously generate new insights to make data-driven decisions. Volume Vast amounts of data Velocity High speed of processing Value Variety Different types of data Veracity Accuracy and reliability of data 27

Big Data what can it do? Data driven innovation urban planning and transport systems Personalisation of services (government and commercial) Identity management Humanitarian aid disaster response Disease management Early warnings of environmental threats Agriculture/farming Improving healthcare and patient self-management 28

Big Data social good? Potential areas of use Description Rationale for action Predicting the spread of infectious disease Optimising urban planning and management Open data innovation creating opportunities Predicting the spread of infectious disease by combining aggregated health data with mobility patterns Urban planning and management using mobility and demographic data Big Data crowdsourcing for social good Build new capabilities Many social uses combine same datasets as more commercially oriented Big Data deployments Corporate social responsibility Social value of data to both developed and developing economies is significant Regulatory agenda Could over-regulation on user privacy destroy both private value and public good what is the balance? 29

Case study using CDRs to help aid agency response in Africa 30

Key Big Data challenges Legal framework today key challenges Rules/limits on the collection, use and retention of personal data Relies on notice and informed choice (consent), as well as users actively engaging in the collection/use of their data Big Data reality today/tomorrow Big Data is based on ever increasing volumes and varieties of data Big Data is about the discovery, or inference, of previously unknown facts and patterns (it is impossible to predict and communicate future undiscovered uses) Risks emerge from use, not just the collection of data Transition from simple, well-defined binary exchanges of data to complex, multiplicity of real-time data sharing across borders Evidence shows users don t read, or understand, privacy policies (due to their complexity, length and use of legal language) Choice is often too complex to exercise Often data collection/sharing is passive to the user Machine-to-Machine sharing challenges notice and consent Cannot notify the unknown More detailed notification may burden user and undermine privacy Personal data defined and predetermined, and linked to whether a person is identifiable or not Inference of data permits singling out of individuals and/or their devices without the user being identified Privacy risks increasingly contextual and not tied to identifiability Metadata may hold more risks (e.g., geolocation embedded in images/tweets) Imposes strict rules on overseas transfers Data flows across borders, in real-time and simultaneously between multiple parties Restrictions on profiling (and proposed obligation to notify users about envisaged effects ) Many services are already personalised Big Data is predicated on analysis/profiling Big Data extracts knowledge of significant societal and economic value. Will this knowledge be subject to regulation? Emerging emphasis on anonymisation Does not consider the value of data to be extracted by other privacy protective methods Emerging intent to regulate for Do Not Track Uncertainty as to whether this applies to the collection of data or persistent profiling and targeting 31

Economics and user experience of privacy policy? Policy approaches to concerns about data protection and privacy do not sufficiently reflect the economic dimensions of regulation, nor its impact on user experience. Regulation may: Lead to costs for designing and maintaining excessive notice and consent requirements that will erode, rather than strengthen, privacy by burdening consumers with unwarranted choice Involve economic loss to online businesses where consumers disengage from an online transaction due to a need to make excessive privacy choices Preclude the use of data that has significant social and economic benefits and that are crucial to meeting pressing public policy needs (see OECD, WEF, EU, UN) 32

Economics and user experience of privacy policy? Organisations such as the OECD, and a number of OECD countries, are actively looking to increase their understanding of the economic and social benefits that can be derived from Big Data. Areas of interest include: Investigation of the attitudes of users towards, and the exchange value they place on, their privacy in the context of Big Data The costs of designing for regulatory notice and consent The economic costs of regulatory restrictions Investigation of the social and economic benefits that Big Data can have on helping to shape not only policy, but also user understanding and acceptance of Big Data frameworks Such research could support a more valued and trusted knowledge-based society, as well as better policy making. 33

Research on consumer attitudes and perceptions 34

Most mobile internet users are concerned about sharing their personal information 35

and want to choose whether to share their information with third party companies 36

Users want rules to apply consistently 37

What have we learned? Mobile users around the world have similar privacy attitudes. Research shows they: Don t read long T&Cs but want companies to respect their privacy Want simple ways to understand and express their privacy choices Value targeted ads and personalised services from companies they trust This presents an opportunity to find new ways to respect users privacy, create better privacy experiences for them, and build trust in the mobile ecosystem and commercial and government services 38

Future-proofing privacy 39

Legislative and regulatory policy Around the world, policymakers and regulators are seeking to address the challenges of an always on, connected digital society, as well as issues such as Big Data. There are a number of proposals being made to balance the evolving needs of stakeholders consumers/citizens, businesses, governments and regulators that focus on people not just data. Areas of particular interest include: How to address risks arising from the context of the collection and use of data Ways to demonstrate compliance and accountability (including for cross border transfers), such as selfregulation, codes of conduct, privacy certification schemes, privacy by design and default Anonymisation and pseudonymisation of data Encryption Sanctions 40

A risk based approach to privacy 41

International regulatory co-operation and enforcement Association of Francophone Data Protection Authorities (AFAPDP) (includes Burkina Faso, Cape Verde, Senegal, Tunisia) Latin American Data Protection Network (RIPD) Global Privacy Enforcement Network (GPEN) International Data Protection and Privacy Commissioners Conference International Working Group on Data Protection in Telecommunications (IWGDPT) 42

Bridging privacy 43

International regulatory focus and co-operation Data protection and privacy seen as enablers of economic growth and social good 44

Industry regulation: The GSMA s mobile privacy initiative A key objective: Identify mobile friendly methods for users to make informed decisions about their privacy and the use of their personal information. Privacy principles: Provide an overall framework to help develop more detailed privacy design guidelines, codes of conduct and business practices. Guidelines: Express the privacy principles in functional terms and establish best practice for applications and services that seek to create, access and share a user s personal information. Accountability framework: To help organisations demonstrate that their business practices comply with the guidelines. 45

GSMA: Mobile privacy principles 1 Openness, transparency and notice 2 Purpose and use 3 User choice and control 4 Data minimisation and retention 5 Respect user rights 6 Security 7 Education 8 Children and adolescents 9 Accountability and enforcement 46

GSMA privacy by design app guidelines applying the principles in practice Help developers design privacy into apps Uses illustrative examples and use cases Includes modules on: Location Mobile advertising Children Social networking In order to maintain the strong growth in both the sales and popularity of mobile apps, customers need to be confident that their privacy is protected when they use them. and these guidelines set an important standard in defining what consumers should expect from their apps. Stephen Deadman, Group Privacy Officer, Vodafone 47

Accountability Accountability is found in both the OECD guidelines and APEC privacy framework, and is also proposed in the draft EU General Data Protection Regulation. In the context of the GSMA initiative, accountability is the acceptance and demonstration of compliance with commitments say what you do, and do what you say. 48

Mobile app privacy regulatory action Canada Mobile App Privacy Guidelines EUROPE Art 29 WP Opinion on App Privacy Germany App privacy guidelines UK ICO Mobile App Privacy Best Practice JAPAN Smartphone Privacy Initiative USA Cal AG Recommendations FTC Mobile Disclosures Report NTIA Mobile Transparency Code CHINA Mobile Smart Terminal Regulation AUSTRAILIA Mobile App Privacy Guidelines Mauritius Mobile App Privacy Best Practice Hong Kong Mobile App Privacy Best Practice Source: QUALCOMM

Conclusions 50

Conclusions Data protection and privacy are complex issues There is no one-size-fits-all approach that can be applied to these areas Group discussion 51

Conclusion: a trust framework that is interoperable Legal and regulatory structures that create the right incentives for business and users Technology standards and solutions that assist users, aid interoperability, choice and control Consistency of experience through co-regulation, industry standards and common vocabularies Training and awareness developers, users 52

Thank you Pat Walshe pwalshe@gsma.com +447753 934537 www.gsma.com/publicpolicy/mobile-and-privacy 53

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information