Sunday, January 27, 2013

"Government exists to protect us from each other. Where government has gone beyond its limits is in deciding to protect us from ourselves." Ronald Reagan

Twitter Weekly Updates for EUdiscovery


Privacy, European Union Data Protection and EDiscovery

Ediscovery in US Civil Litigation and EU Data Protection
EDiscovery in the US
 Electronic Discovery (or “Ediscovery”) is the process of identifying, preserving, collecting, preparing, reviewing, and producing electronically stored information (“ESI”) in the context of the legal process. Some examples of ESI are: emails, word documents, power point presentations, excel sheets, social media posts, voice mail and videos.
The legal basis for one party to request from the other party to produce ESI that are in that party’s possession, custody and control is Rule 34 of the Federal Rules of Civil Procedure. (2006):
“(a) In General. A party may serve on any other party a request within the scope of Rule 26(b):
(1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control: (bold added)
(A) any designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form; or
(B) any designated tangible things; or
(2) to permit entry onto designated land or other property possessed or controlled by the responding party, so that the requesting party may inspect, measure, survey, photograph, test, or sample the property or any designated object or operation on it.”
In principle, any nonprivileged matter that is relevant to any party’s claim or defense, is subject to discovery, even if it is nor admissible as evidence, as long as it “may lead to the discovery of admissible evidence”, as per Rule 26(b):

“(b) Discovery Scope and Limits.
(1) Scope in General. Unless otherwise limited by court order, the scope of discovery is as follows: Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense—including the existence, description, nature, custody, condition, and location of any documents or other tangible things and the identity and location of persons who know of any discoverable matter. For good cause, the court may order discovery of any matter relevant to the subject matter involved in the action. Relevant information need not be admissible at the trial if the discovery appears reasonably calculated to lead to the discovery of admissible evidence. All discovery is subject to the limitations imposed by Rule 26(b)(2)(C) “.
The Courts interpret the Federal Rules of Civil Procedure as having extra-territorial reach.
As long as the ESI is in the “responding party’s possession, custody, or control”, and is relevant to the litigation, it does not matter wherein the world these ESI reside, it is discoverable under federal law. If, for example, a US employee can access ESI of an affiliate overseas on a shared network, the US company has “possession, custody and control”, and the overseas ESI is discoverable on that basis.
The US has the broadest civil discovery procedure in the world. None of the other Common Law countries, such as the United Kingdom, Australia and Canada, have such a wide scope of discovery and in most of the Civil Code countries, such as in most of the European and Latin American countries, the concept of discovery obligations is unknown.
In the last few years a quite voluminous case law has developed regarding the interpretation and application of the Federal Rule of Civil Procedure (FRCP). The law has developed differently in each of the District Courts and it is important to keep that in mind when preparing a case.
In cases governed by US state law, keep in mind that many states have enacted new civil procedure rules to cover discovery of ESI. Most states have adopted the FRCP ediscovery model. For example, Florida became the 29th state to adopt specific electronic data discovery rules for its state courts on July 5, 2012. It is based on the FRCP model.

When confronted with a lawsuit or subpoena in a large case, it is considered best practice to appoint a project manager, who organizes an eDiscovery team and who coordinates the co-operation between corporate counsel, IT, records management, HR, outside counsel and various service providers. This task can be done in-house, or outsourced to a law firm or an eDiscovery consultant.
The IT and records management departments are helpful in explaining the company’s IT architecture and the life cycle of the records, as well as in preparing a computer network and data map to locate all discoverable data. The endless list might contain servers, backup tapes, flash drives, laptops, iPods, smart phones, VOIP systems, EZpass data, IMS and text messages. It is important to consult HR concerning departed employees as well, since the EDiscovery process will typically cover a time period going back a few years.
If the information is not “reasonably” accessible, because of undue burden or cost, the parties are relieved from disclosure, (Rule 26 (b) (2) (B)), as they are when the burden or expense of the proposed discovery outweighs its likely benefit, the so-called “proportionality rule”. (Rule 26(b) (2) (C) (iii)).
Very old ESI, stored on obsolete media, might fall into the category of “unreasonably accessible”, and a case where the lawsuit is worth $100,000, but the EDiscovery costs would amount to $1 million, would fall into the category of “disproportionate”.
The data custodians then need to be interviewed to ascertain what relevant data they might have.
Once all the ESI at issue has roughly been identified, a “Litigation Hold” letter has to be sent to all relevant parties to make sure that the potential evidence doesn’t get destroyed or altered.
A “Litigation Hold” or a “Legal Hold” is a communication issued as a result of current or reasonably anticipated litigation, audit, government investigation, or other such matter that suspends the normal disposition or processing of records.
It is very important to carefully document all these steps, in case you have to prove due diligence in preserving ESI to the Court.
Then comes the ”meet and confer” meeting with opposing counsel and the Court, where parties discuss the scope of production of ESI in terms of subject matter and relevant time period. The following topics are some that also need to be addressed: the search methodologies to be used; the list of keywords to be used for keyword search; the requirement for preservation of metadata; the format for the production of ESI (TIFF or Native or both); clawback agreements (a clawback agreement is an agreement outlining procedures to be followed to protect against waiver of privilege or work product protection due to inadvertent production of documents or data); and issues of cost shifting (Rule 26 (f)).
Next, outside vendors or service providers are usually called in to perform the actual collection of ESI.
Some important questions to ask the vendors are whether they provide software that enables key word searching, conceptual searching, technology assisted searching, predictive coding, near duplicate identification, e-mail threading, and foreign language search capabilities. In smaller cases, in house IT staff may do the job of collecting all the ESI.
Once all the ESI is captured, the project manager arranges for teams of contract attorneys to review the ESI for relevance, and confidentiality and privilege flagging and redacting. This is the most time consuming and expensive part of eDiscovery. In a large lawsuit with about 30 million documents to be reviewed, this part of the eDiscovery process sometimes takes a few years to complete.
The reviewed data get analyzed by trial attorneys and integrated into trial preparation software.
Finally, the reviewed and analyzed ESI gets delivered to the opposing counsel in CD, DVD, hard drive or other formats, who then has his own team review the ESI.
In large cases, this whole procedure is executed in the form of rolling productions, with scheduled releases of data.
When eDiscovery needs to be executed outside of the US, for example in a foreign affiliate or subsidiary of a US company, the basic procedure remains the same, except that there are myriads of complications due to different legislations that apply when data gets collected in foreign jurisdictions.
Many countries outside of the US have legislation that protects data from either being collected and/or from being exported outside of the country.
These can be criminal laws, labor laws, bank secrecy laws, and data privacy laws.
The European Union data protection framework is one of the most prohibitive set of laws that parties to a civil litigation or government investigation in the US has to deal with, when trying to collect and export evidence.
EDiscovery in the EEA and Data Protection Issues
The EEA (European Economic Area) consists of the 27 member states of the EU, plus Iceland, Liechtenstein and Norway. It has one of the strictest data protection frameworks in the world.
In the EU, data protection is a human right and is protected by article 8 of the  Charter of Fundamental Rights of The European Union.
The main legal instrument that regulates data protection in the EEA is the Data Protection Directive 95/46/EC.The Directive has been implemented by all 30 national member states into their national laws, and, while the Directive acts as a floor, some national laws have gone even further in their protection of personal data.
There are quite a lot of differences in implementation of the Directive: France, Germany, Spain, and Italy have stricter rules, while the UK has more lenient ones.
One of the most difficult problems of the EU data protection regime is the lack of harmonization of laws between the member states, and consequently also the difficult but important determination which national law is applicable in any given situation.
This is one of the points under consideration in the current process of overhaul of the entire European data protection regime.
On  January 25, 2012, the European Commission proposed a new Data Protection Regulation. That Regulation  should replace Directive 95/46/EC.
If the new legislation would indeed take on the form of a “Regulation”, it would be, under EU law, directly applicable to all member states, without need for separate implementation into national law, as would be the case for a “Directive” and that would considerably facilitate the global transfer of data outside the EEA.
Another proposed innovation would be the imposition of fines for data protection violation up to 2% of the gross annual turnover of the violating company.
It is expected to take quite a few years for the new rules to come into force though, so that for a while, the old rules will still apply and therefore will still be very relevant.
There is a serious conflict for US firms with affiliates in EEA countries, when they get involved in civil litigation within the US: On the one hand, federal and state rules mandate retention and production of all relevant data, even data located outside of the US, with the risk of severe penalties by the Courts in case of “spoliation”, and on the other hand, EU data protection laws (applicable to the EEA) mandate very strict data protection rules for “personal data” of their residents, that seriously restricts processing of personal data and transfer of those data to “non-adequate” countries outside of the EEA, with risks of steep fines in case of transgression.

Directive 95/46/EC regulates the processing of “personal data”.
“Personal data” is construed very broadly as “any information relating to an identified or identifiable natural person or “data subject”” (Article 2, (a) of Directive 95/46/EC).
For example, an email address is “personal data”.
“Sensitive Personal Data” are personal data that reveal “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life” and processing of such data is in principle prohibited, with a very limited list of exceptions ( Article 8 of Directive 95/46/EC).
The processing of personal data within the EEA is subject to extensive regulation, which, in a nutshell, strives to incorporate privacy principles, such as consent, access, proportionality, transparency, necessity and legitimacy.  (Article 6 of Directive 95/46/EC).
The Article 29 Working Party, a EU data protection advisory body, recommends in its Working Document 1/2009 on pre-trial litigation in cross border ediscovery ( WP 158, 2009) guidelines to be followed in order to conduct cross border ediscovery within the requirements of the EU data protection framework.
It recommends that
  1. The filtering and reviewing of ESI for relevance should be done locally, within the EEA. Personal data should be anonymised or pseudonymised. The parties should obtain protective orders and filings under seal from the US courts to protect data from access by third parties.
  2. A notice should be sent to all employees or customers, whose emails or other data are collected. The data subject has a right to know that information is being collected about him/her.
  3. The data subject’s rights should be respected: for example, the data subject has the right to access the information that is being collected about him/her.
  4. Data Controllers should take reasonable measures to secure personal data from unauthorized access. This applies to vendors, law firms and courts in every stage of the ediscovery process.
  5. If the collection of ediscovery is outsourced to a third party, such as a vendor, there must be a written agreement with that third party, who must undertake strict confidentiality and provide appropriate security, must undertake to use the data only for specific purposes and within a specific retention period and only in accordance with the data controller’s instructions.
  6. There has to be a legal basis for processing of personal data. In other words, there has to be a legitimate reason to process personal data of other people: for example, curiosity is not a legitimate reason.  For the purpose of ediscovery, there are only two legitimate basis for processing personal data under directive 95/46/EC: One is informed and freely given consent by the data subject (article 7 (a) ), the other is a legitimate interest of the data controller, balanced with the fundamental rights of the data subjects. (article 7 (f) ). The Article 29 Working Party recognizes ediscovery as a “legitimate interest”.      For sensitive personal data, the legal basis is more stringent: consent is the only legitimate basis for purposes of ediscovery, and it has to be explicit and cannot be implied. For example, opt-out is implied consent, and opt-in is explicit consent.
  7. There has to be a legal basis for transfer of personal data outside of the EU. (articles 25 and 26). In the case of the US, this can be accomplished by several means: By receiving unambiguous consent from the data subjects (not very practical), by transferring the data to a Safe Harbor certified company in the US, by transferring the data under Standard Contractual Clauses agreements or by transferring them to companies that have “Binding Corporate Rules” in place. The question remains, however, how these personal data may be legally transferred onward to opposing counsel and to the Court. The Working Party recommends requesting a protective order from the Court, which guarantees the data a certain degree of privacy protection.
In addition , the national Data Protection Authorities (DPAs) need to get the proper notifications, as for every processing of personal data under the Directive.
In order to show good faith, in case the national DPA should conduct an audit, it is to be recommended that the data controllers involved in ediscovery include all the above mentioned privacy guarantees in their general policies.
When choosing ediscovery vendor or consultants to do ediscovery in the EAA, one must look to how well they guarantee the rights of the data subjects under Directive 95/46/EC , such as notice to the concerned data subjects and access of the data subjects to their data and whether the  processing of the data, such as preliminary document review, is done in the EU. When transferring data to the US for final processing, the US companies should either be Safe Harbor certified, or have model contract clauses or binding corporate rules, approved by the Data Protection Authorities, in place. This is a requirement for any EU personal data that will eventually be used in a civil proceeding in the US.
The increase of data protection risks associated with the rise of cloud computing has prompted the Article 29 Working Party to publish Opinion 05/2012 on Cloud Computing.
As a reminder tough, the Article 29 Working Party’s opinions are not legally binding, but they are very influential nevertheless.
Companies which have to apply ediscovery rules and at the same time are under the jurisdiction of the EEA data protection laws, find themselves between a rock and a hard place.
Under Rule 37 FRCP and under the traditional rule of “spoliation”, which means the destruction or alteration of evidence, or even the failure to preserve property or documents for another’s use as evidence in pending or reasonably foreseeable litigation, the US federal courts have broad discretion regarding the type and degree of sanctions they can impose.
The sanctions run the gamut from significant monetary sanctions, to “adverse inferences”, meaning directing the jury to assume that missing ESI is adverse to the spoliator, to even default judgments.
As with other laws, the case law has developed differently in the different district courts.
In general though, the Courts do not look kindly, not only to those parties in litigation who are guilty of willful spoliation, but also those who merely show negligence in preserving and producing ESI, and the case law of Judges sanctioning negligent parties has grown over the past few years.
As mentioned before, these rules apply to all relevant ESI in the parties’ possession, custody or control, regardless of their geographical location or the applicable local laws.
It is therefore crucial for companies that are affiliates or subsidiaries of US companies, to have a litigation hold procedure in place, since the reasonable expectation of a lawsuit alone triggers the obligation of preservation of ESI under the FRCP, without delay.
What is even more crucial for companies today is the proper management of “information governance.”
Since storage of ESI has become so cheap, especially in the cloud, the lure for IT has been very strong to just store everything, forever. This can have disastrous consequences once a company gets involved in litigation or internal investigations, since, once the ball starts rolling, nothing potentially relevant may be deleted and as a consequence, a company may have to end up paying a small fortune for processing of terabytes of useless information.
It is a huge cost saving move for companies to invest in information governance. That involves, among others, the decision as to which data will be preserved for what period of time, and needs to be tailored to the needs of the company, depending on the type of industry and the regulatory and business requirements of the company. For most companies, there is no reason whatsoever to retain all low level employees’ emails, forever. There need to be a policy, stating for example that all of certain levels of employees’ emails need to be deleted within 6 months.
Proper information management will also facilitate the ability to locate data in an increasingly complex information ecosystem.
As far as EU data protection framework is concerned, the risk facing EU affiliates of companies from the US in the course of EDiscovery procedures not totally in line with the national data protection laws, consists of being investigated and maybe fined by the local Data Protection Authorities.
Of course, the risk depends very much on the country where the data are located.
If they are located in Germany, for example, the risks are much higher than if they are located in the UK.
Right now, most Data Protection Authorities are understaffed and under financed, and there have been complaints about lack of compliance and enforcement.
In France, for example, a January 2011 study has shown that 82% of French enterprises do not abide by the French Data Protection Act of 2004.
But with the overhaul of the EU data protection framework in full swing, and with the strengthening of the data subjects’ rights, as well as the improving of enforcement as some of the main objectives of the overhaul, I believe it would be wise for companies to prepare themselves and make sure they have the right infrastructure in place for proper compliance. The Federal Courts have already declared that social media are discoverable and that the mere fact of outsourcing IT to the cloud does not relieve companies from their EDiscovery obligations under the FRCP.
In cases where ediscovery requirements are irreconcilable with EU data protection requirements, companies will have to do a balancing test between the risks of non compliance with EU data protection laws and risks of non compliance with EDiscovery obligations in the US, on a case by case basis.
Or maybe it should be the Federal Courts and the Data Protection Authorities who should do the balancing when companies find themselves between the rock of ediscovery and the hard place of data protection.
This is exactly what Working Group 6 (WG 6) of The Sedona Conference® is suggesting in its 6 principles, “The Sedona Conference® International Principles on Discovery, Disclosure & Data Protection (December 2011).
WG 6 recommends that, as long as the parties in cross-border ediscovery show good faith and reasonableness,  “US Courts, as well as Data Protection Authorities  should consider the balancing of competing factors to achieve a practical compromise between the US litigants’ interests and the EU data subjects’ interests. “

The subject matter of cross border ediscovery is an extremely complicated one, and the move to mobile, social media and the cloud only complicates already very complex legal issues of applicable laws.

Twitter Weekly Updates for EUdiscovery

Are Companies at Risk for Astronomical Fines for Future EU Data Protection Violations?

At a recent conference in Frankfurt, organized by the Internet Society, Peter Hustinx, the European Data Protection Supervisor, suggested sanctioning violations of the EU data protection laws with the same astronomical fines as violations of competition laws are sanctioned.
Henriette “Jetty” Tielemans, partner at the Brussels office of Covington & Burling LLP, reports as follows:
“The trade press regularly reports on multi-million euro fines for cartels or abuses of dominant positions by companies under the competition rules of the European Union.  These figures are far away from the fines that currently can be levied for data protection violations.  Observers of the competition law scene will agree that the main reason that companies operating in the EU pay attention to competition law is the astronomic fines that can – and are –  levied.
Observers of the privacy scene also agree that one of the reasons that privacy is sometimes still not taken as seriously as it should by companies, is the relative lack of enforcement, and the low fines in case of enforcement.  With shrinking legal budgets for compliance and training, companies often devote more resources to areas where fines are steep such as competition law.
Hustinx’s timing is not a coincidence. The European Union is reviewing the current 1995 Data Protection Directive and a draft proposal is expected this summer.  Traditionally sanctions for violations of data protection laws have been left to the twenty-seven EU Member States (and they vary widely)  but perhaps this will change.  It remains to be seen how Hustinx’s suggestion will be received by the European Commission’s Data Protection Unit which is in charge of the revision of the 1995 Directive, subject to control by the European Parliament and the Council of Ministers.  But the office of the European Data Protection Supervisor, charged with monitoring compliance by the European institutions of data protection rules within their own ranks and advising the European institutions on data protection issues, is influential and highly respected in the privacy community and this proposal will therefore not go by unnoticed.  If accepted, it would revolutionize the data protection landscape in Europe.”
At present, compliance with the national data protection laws within the EU member states is less than satisfactory.
For example, as we reported recently on this website, 82% of French enterprises do not abide by the French Data Protection Act of 2004 (La Loi Informatique & Libertés).
Peter Hustinx’s suggestion should concern not only global companies with a physical presence in one or more EU member states, but also online businesses, websites and mobile applications that target the EU market, as we explained in this post on applicable law.
For our full overview of Peter Hustinx’s opinion in response to  the Commission’s Communication of November 4, 2010  regarding the Review of the Data Protection Legal Framework , see here.

Twitter Weekly Updates for EUdiscovery

The RFID Privacy and Data Protection Impact Assessment Framework in the EU: The Article 29 Working Party and the FTC are in No Rush

On February 11, the Article 29 Working Party adopted an opinion on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment (PIA) Framework for RFID applications. (ARTICLE 29 DATA PROTECTION WORKING PARTY 00327/11/EN WP 180 Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications)
The aricle 29 WP endorses the proposal developed by industry associations, experts, academics, and individual companies from across Europe.
One of the main privacy concerns related to RFID technology arises from uses of RFID technology which entail individual tracking and obtaining access to personal data. While an RFID operator may not have such a goal in mind when deploying an RFID application, it is important to consider the risk that a third party may use tags for such unintended purposes. The revised framework now clearly requires RFID operators to evaluate the risks that may arise when tags may be used outside the operational perimeter of an RFID application and/or are carried by persons.
The European Commission published a recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification on May 12th, 2009.( the “RFID Recommendation”).
One of the recommendations reads:
“Article 7: RFID use in Retail
Article 7.3: (a) Where a RFID application processes personal data or the privacy impact assessment…shows significant likelihood of personal data being generated from the use of the application, the retailer has to follow the criteria to make the processing legitimate as laid down in directive 95/46 and to deactivate the RFID tag at the point of sale unless the consumer chooses to keep the tag operational. (b) Where a RFID application does not involve processing of personal data and where the privacy impact assessment has shown negligible risk of personal data being generated through the application, the retailer must provide an easily accessible facility to deactivate or remove the tag.”
In the U.S. Federal Trade Commission Comments on the the European Commission’s recommendation of May 2009, the FTC stated, in response to recommendation  Article 7.3: (a)
” …Similarly, with respect to RFID, we caution against mandating a specific technological approach, such as mandatory deactivation of tags, before fully understanding the range of benefits the technology might provide to consumers, as well as the range of protective measures that might be available to consumers in the future.”
(The U.S. Federal Trade Commission’s Bureau of Consumer Protection is in charge of protecting consumer rights in the US.)
This is the recent Article 29 WP’s opinion on the subject matter of RFID use in retail:
“This concern (about individual tracking and access to personal data) has received particular attention in the retail sector, where it is feared that tagged items bought by individuals could be misused by retailers or third parties for tracking or profiling purposes. The European Commission addressed this concern in the Recommendation by establishing the principle that tags must be deactivated at the point of sale unless the customers give their informed consent to keep tags operational. The same Recommendation allows an exception to this deactivation principle if the PIA concludes that keeping tags operational after the point of sale does not represent a likely threat to privacy or the protection of personal data. The Working Party observes that a risk management approach, as suggested by the Framework, is an essential tool for the RFID Operator to assess the risks of taking the responsibility to keep tags activated after the point of sale.”
As shown with this example, a key point is that the Revised Framework is based on a risk management approach, which is an essential component of any Privacy and Data Protection Impact Assessment Framework.
The Article 29 WP however would like see implementaion of the Commission’s recommendation no earlier than three years from now.( 2014):
“The European Commission is expected to provide a report on the implementation of the Recommendation, its effectiveness and its impact on operators and consumers, with regards in particular to measures concerning the retail sector. This report is set to be produced 3 years after the Recommendation was published, that is by May 2012. However, considering that the Framework may take 6 months to fully take effect, supplementary time would be beneficial for all stakeholders before such an evaluation is conducted. Therefore, the Working Party would like to suggest to the European Commission to either postpone or supplement the proposed report at a later date set in 3 years from the publication of this opinion.”
In the above mentioned comments on the the European Commission’s recommendation of May 2009, the FTC remarked:
“The FTC staff supports the EC’s risk- based approach to addressing potential consumer privacy and data security issues related to the use of RFID technology. The FTC staff also agrees with the EC that there is a need to raise consumer awareness about RFID technology, in order to enhance consumer trust and to give consumers the tools to protect themselves from the risk of misuse of their information. Given the current stage of deployment of consumer-facing RFID applications, however, the FTC believes that mandating or encouraging specific technological tools for protecting consumer privacy is premature.” (bold added)
Implementation no earlier than 2014?
Last summer, Wal-Mart created quite a controversy when it started to use RFID tags to track underwear and jeans and the George Miller III Head Start Program in Contra Costa County, California, created a buzz when they started to make pre-schoolers wear jerseys, with RFID chips inside that track them through the day.
But RFID (Radio frequency identification) technology is far from new. It has been used for many years to keep track of cattle, prisoners, goods, and  pets.
RFID technology is already widely adopted, world wide and in many industries, and is also found in enhanced driver’s licenses, credit and debit cards, passports and government IDs, TWIC Cards, Employer ID/Proximity Cards, US EZpasses, London Oyster cards, just to name a few applications.
The risk of tracking, profiling, fraud, identity theft is here and it is real.  RFID readers are used by convenience stores, pharmacies, restaurants, fast food markets, bars, and many other places of business to read the RFID chips.
However, these same readers can be freely purchased and attached to a laptop with very little technical knowledge required. There are even cell phones with built in card readers that can steal your information. By simply walking past you, anyone  equipped with such a device can acquire your credit card number and expiration date. There is even a term for it: electronic pick pocketing.
Here’s a not so recent video by Boingboingtv’: “How to hack RFID-enabled Credit Cards for $8 (BBtv)”
Human RFID Implants are already used for access to car, home, office.
Human RFID implants with personal health and financial information are being used and promoted:
Premature? Seriously?

Twitter Weekly Updates for EUdiscovery

Twitter Weekly Updates for EUdiscovery

Facebook and the First Amendment: Facebook decides who gets to view your posts and whose post you get to view

In a bold new move, Facebook has taken on the role of content censor on its own platform, and has done so in its notoriously sneaky style.
It is by chance that I learned about the change in my Facebook settings, thanks to the fact that I am lucky enough to be connected to some of the thought leaders in the Privacy field, such as Rebecca Herold, also known as @PrivacyProf. She posted a note on her wall today, which I will reproduce below to give the authors the credit they deserve.


by Tracie Koziura on Thursday, February 10, 2011 at 8:53am
Info shared by Abby Smith – thanks Abby!)
Have you noticed that you are only seeing updates in your newsfeed from the same people lately? Have you also noticed that when you post things like status messages, photos and links, the same circle of people are commenting and everyone else seems to be ignoring you?
Don’t worry, everyone still loves you and nobody has intentionally blocked you. The problem is that a large chunk of your friend/fan list can’t see anything you post because the “New Facebook” has a newsfeed setting that, by default, is automatically set to ONLY SHOW POSTS FROM PEOPLE WHO YOU’VE RECENTLY INTERACTED WITH OR INTERACTED WITH THE MOST (which would be limited to the couple of weeks just before people started switching to the new profile).
So in other words, for both business and personal pages, unless your friends/fans commented on one of your posts within those few weeks or vice versa – you are now invisible to them and they are invisible to you!
Scroll down to the bottom of the Newsfeed on your HOME page and click on “Edit Options”. In the popup, click on the dropdown menu next to ‘Show posts from:’and select “All Of Your Friends and Pages” and then click Save.
Note: This is the fix for personal pages but I am unsure of whether or not the business pages are set up the same way.
Simply posting an update about it won’t do any good because lots of your friends/fans already can’t see your posts by default. You’ll either have to send out a message to everyone on your list (which I’m not even sure business pages can do and is a rather tedious method) or post an event explaining the situation like this one and invite your entire fan base and/or friend list. You can also tweet about it hoping that most of your fellow facebookers are also on twitter.
PLEASE FEEL FREE TO SHARE THIS NOTE WITH AS MANY PEOPLE AS YOU CAN SO WE CAN TRY AND GET EVERYONE INFORMED AS SOON AS POSSIBLE. Anyone who isn’t seeing your posts right now will never see them until they have changed their settings as explained above.

Here is a screenshot I took of my Facebook Home page to illustrate Tracie’s excellent explanation:

As you can see, my default setting was set by Facebook to show posts from”Friends and pages you interact with most”. Of course, I changed it immediately to show posts from “All your friends and pages”. None of my Facebook friends were aware of this default setting, and most of them are professionals, very well informed in social media matters.
After changing the default setting, I learned that one of my friends’ daughters was Bat-mitzvahd, through a post that was hidden from me before I changed that setting, because this friend very rarely posts on Facebook. Another Facebook friend learned, only after changing her setting, that her cousin had a new baby.
This latest move by Facebook seriously worries me:
In my opinion, it smacks of censorship as practiced by the worst kind of despots. By introducing this kind of default setting and , on top of that, by not notifying users of this change, Facebook is basically deciding for its 600 million users what they can and cannot see on its platform.
What is the motivation behind this latest change? More profit for Facebook, no doubt, even though I fail to grasp the exact logic behind it.
I have understood by now, that as much as I want to believe, (or maybe  Facebook wants me to believe) that I am the one using Facebook for my benefit, it is in reality Facebook that is using me for its benefit.
Facebook’s tactics of taking away our privacy and our choices, little by little, reminds me of the tactics used by the most dangerous tyrants in human history.
This excellent German video about the dangers of a sureveillance state, illustrates those tactics, as applied by governments.
It explains the traditional metaphor of the frog: when frogs are put in a tub of hot water, they instinctively jump out, because it hurts too much (except on Glenn Beck’s show, where they die instantly). Frogs that are put in a tub of cold water stay, even after the temperature slowly increases until they cook alive. So it is with people. When surveillance is increased slowly, people don’t revolt. They just adapt, and refrain from showing and exptressing differing attitudes than the mainstream, knowing they are being observed and fearing of coming across as different.
Next thing you know, you have a society where everyone behaves uniformly, where differences are not tolerated anymore and where democracy has disappered.
You don’t need to know German to understand this clip:
Granted, Facebook is not to be compared to a “surveillance state”, but the tactics it uses to get its users slowly but surely “used” to its practices, certainly sound very similar to the tactics used by a surveillance state to achieve its objective.
I wonder what machiavellistic justification Facebook will come up with to explain this latest move. In this case, it cannot use the old ruse that it wants to provide its users a “better user experience”. For someone wishing to use a social networking site to do social networking, the move of restricting the amount of people with whom one can network socially can not seriously be thought of as providing a “better user experience.”

Privacy and Data Protection in the EU: The grass is not always greener on the other side of the pond

According to the annual report of the French Association of Data Protection Officers (AFCDP), published on 28 January 2011, 82% of French enterprises do not abide by the French Data Protection Act of 2004 (La Loi Informatique & Libertés).
The AFCDP is a professional organisation that represents French privacy professionals.  The AFCDP works to develop privacy best practices and to build relationships with the French National Data Protection Commission (CNIL).
Following French Data Protection Act, an individual may request that an entity that holds personal data about him, share that personal data with him. After a request is made, the entity has two months to provide full information to the person who made the request, free of charge. In certain circumstances, the individual may then request that the personal information be deleted or that it be brought up to date.
The AFCDP published a  second “Access Right Index”. It is intended to help French entities, both private and governmental, prepare themselves to respond to these information requests and to help educate individuals about their rights. The Index provides some insight into the manner in which entities are currently complying with the law.
To complete the study, access to personal data requests were sent to a panel of more than 220 French entities. In the Index, the AFCDP indicates which sectors were the best and worst in terms of compliance, and also provides anonymous, real examples of wrongdoing and guidance as to best practices.

Here are some results of that study:
Only 18% of the polled organisations responded in a legally satisfactory manner to information access requests.
31% did not respond within the legal time frame. ( two months).
51% responded within the legal time frame, but not in a legally satisfactory manner: Some responded as follows: “The requested information cannot be communicated because it is the property of the company.”
The French Data Protection Act of 2004 provided, among others, the creation of a Data Protection Correspondent role in public and private organizations, the Correspondants Informatique & Libertés (CIL) . The appointment of CILs is not obligatory, but it facilitates the procedures for processing of personal data for the companies that do appoint a CIL.
Even among the companies that have opted to appoint a CIL, the compliance numbers are far from satisfactory: only 40% of the polled companies with CILs have responded to access requests in a law abiding manner. For example, some of these companies sent a gift to the requesting party, instead of the data. Others sent an announcement that the data were deleted, followed by an announcement of miraculous recovery plus a demand for a significant “recovery fee” to access the information.
The CNIL is, like so many of its counter parts in other EU member states, currently under significant pressure to cut operating expenses.
If it does not enforce the Data Protection Act, what use is it?
This very useful survey by the AFCDP illustrates how the passing of data protection acts alone is totally useless, unless these laws actually get enforced.
And if legislation does not even guarantee significant compliance, what kind of compliance will “self-regulation” achieve?
Congress, take note!


  1. Did you know you can create short links with Shortest and receive $$$$ for every visit to your shortened urls.

  2. Bluehost is definitely the best hosting company for any hosting plans you need.

  3. eToro is the #1 forex broker for novice and full-time traders.


Related Posts Plugin for WordPress, Blogger...