Sunday, January 27, 2013

Our plans protect freedom and opportunity, and our blueprint is the Constitution of the United States.

Twitter Updates for EUdiscovery

The International Association of Privacy Professionals’ First Europe Data Protection Congress

I recently attended the International Association of Privacy Professionals’ (IAPP) very first Europe Data Protection Congress in Paris on November 29 and 30.
The attendee list was impressive:
  • Privacy professionals, employed by Fortune 500 companies from a wide variety of industries, like Hewlett-Packard, Lockheed Martin, Citigroup, Oracle, Western Union, Microsoft, IBM, Dell, Google, Yahoo, Estee Lauder, Pfizer, Johnson & Johnson, Eli Lilly, Merck, Mc Donald’s, Procter & Gamble and Disney. Even Facebook was represented.
  • Vendors, like Lexis Nexis, Nymity, Iron Mountain and ADP.
  • Partners of the international law firms Bird & Bird, Covington & Burling, Hogan Lovells, Morrisen & Foerster, Sidley Austin, Osborne Clarke, Field Fisher Waterhouse and Pearl Cohen Zedek Latzer.
  • Partners of the national law firms Cabinet Gelly (France), Van Bael & Bellis (Belgium), Bristows (UK), Panetta & Associati (Italy), Houthoff Buruma (Netherlands), Coelho Ribeiro E Associados (Portugal and Spain), Baker & Daniels (USA), and Hunton & Williams (USA).
  • Privacy Consultants like Brian Tretick of Athena (USA) and Anne Wilkes of ACW Privacy Consulting Ltd. (UK).
  • Representatives of the European Data Protection Supervisor, of the French Data Protection Authority (DPA) (the CNIL), of the Spanish DPA, of the British DPA (the ICO) and of the European Commission.
  • The IAPP staff, headed by executive director Trevor Hughes.
  • One lone privacy advocate, Tara Taubman of Open Rights Group (UK).
The timing of this conference could not have been more opportune, as it took place in the wake of a ground breaking Communication by the European Commission on November 4, announcing a global overhaul of the current EU Data Protection framework.
In this communication, the European Commission announced that fifteen years after the original 1995 Data Protection Directive was enacted, the original twofold objective of protecting the fundamental right to data protection as well as of achieving the free flow of data in the internal European market is still valid.
However, two factors have caused the 1995 Directive to have become too outdated to guarantee these two objectives : The rapid technological advances and the globalisation in the ways information is collected, stored and transferred.
These dramatic changes were reflected in some of the topics debated during the breakout sessions:
  • Cloud Computing: Peter Fleisher of Google pointed out that the current Directive is totally inadequate for cloud computing, since many of the Directive’s legal concepts rely on data being located in one particular place. However, Google has servers in the US, in Ireland, in Belgium and is building new ones in Finland and Austria. Google’s data are always duplicated in multiple locations and are constantly moving around from one location to another. Concepts for dealing with trans-border transfers of data, like Safe Harbor, BCR, and Model Contracts all rely on knowing the location of the data and were not created with the “cloud” in mind. Fleisher suggested that in the long run only the adoption of global standards would provide a solution for the “location” conondrum.
  • Cross-Border Discovery and Investigations: Seth Berman of Stroz Friedberg pointed to the same problems concerning the difficulties of dealing with a location-based concept as a basis for determing the applicability of the Directive. If the data are located in the European Union, then the Directive is applicable and cross-border discovery of these data has to conform to its legal requirements.But where are the data located when they are in the “cloud”? Is the Directive applicable for discovery of updates on Facebook posted by a Europen Citizen? But are these data “located” in the EU? The Directive was not drafted with social media in mind, and new concepts need to replace the old, pre-cloud/pre-social media notions of data location.
  • Data Breach Notification: In the context of strengthening the individual’s rights, the Commission has declared in its communication: “It is also important for individuals to be informed when their data are accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorised persons. The recent revision of the e-Privacy Directive introduced a mandatory personal data breach notification covering, however, only the telecommunications sector. Given that risks of data breaches also exist in other sectors (e.g. the financial sector), the Commission will examine the modalities for extending the obligation to notify personal data breaches to other sectors in line with the Commission declaration on data breach notification made before the European Parliament in 2009 in the context of the reform of the Regulatory Framework for Electronic Communications. This examination will not affect the provisions of the e-Privacy Directive, which must be transposed into national laws by 25  May 2011. A consistent and coherent approach on this matter will have to be ensured. The Commission will examine the modalities for the introduction in the general legal framework of a general personal data breach notification, including the addressees of such notifications and the criteria for triggering the obligation to notify.”
This panel, presided over by Ruth Boardman, partner at Bird & Bird, stressed the fact, that for once the European Union had been inspired by the US initiatives in Breach Notification Legislation.
Again, it is the exponential growth in personal data holdings and the increased outsourcing of data to third countries and to the “cloud” that have caused increased data breach scandals and have required changes in the Directive. Some EU member states, like Germany, already have enacted a national general data breach law (Section 42 a FDPA- September 2009), but most others will have to implement their national laws once the new legal framework is in place.
Other important suggestions for consideration in reframing the Directive by the Commission are : The right to be forgotten, Privacy by Design, greater transparancy in internet related data collections, data portability rights, achieving more harmonization among the vastly different implementaions into national laws by the member states, the requirement of mandatory privacy officers in companies and organizations, the requirement of privacy impact assessments upon introducing new systems and technologies in companies and organizations, and strengthening as well as harmonizing enforcement of the Directive.
Concluding the panel on the revision of the 1995 Directive, Henriette Tielemans of Covington & Burling asked the European Commission representative Thomas Zerdeck: “Will the new baby be a directive or a regulation?” to which Thomas, in his usual style, replied: “This is way too complex. You will find out in 2011.”
The European Commission has opened a public consultation period (from November 4, 2010, to January 15,2011) to obtain views on its ideas for addressing new challenges to personal data protection in order to ensure an effective and comprehensive protection to individuals’ personal data within the EU.
They welcome contributions from citizens, organisations (i.e., Non-Governmental Organisations, businesses) and public authorities.
Thus all stake holders have a chance to be part of this sweeping overhaul of the European Union Data Protection framework.

First Tweeted Int’l Data Protection and Privacy Commissioners Conference – Jerusalem 2010

The 32nd International Conference of Data Protection and Privacy Commissioners, held on  october 27-29 2010 in Jerusalem, Israel, was the first event of its kind to be tweeted live.
Israel’s data protection authority, ILITA, enabled live streaming of the conference on its web site, so that even twitterers who could not attend the conference in person, were able to tweet about it in real time from all over the world.
The hashtag was #privacygenerations and all the tweets were archived at

Here are some statistics :
Total tweets: 578
Total twitterers: 78
Total hashtags tweeted: 15
Total URLs tweeted: 38
Top 10 twitterers
80% (463) of the tweets in this TwapperKeeper archive were made by 25% (20) of the twitterers.
The top 10 (12%) twitterers account for 57% (334) of the tweets.
41% (33) of the twitterers only tweeted once.
@nacpec (73)
@PrivacyCamp (40)
@givoly (35)
@embedprivacy (32)
@cedric_laurant (30)
@EUdiscovery (28)
@JulesPolonetsky (25)
@HealthPrivacy (24)
@Bsegalis (24)
@InfoLawGroup (23)
Top 10 @reply recipients and/or mentions
31% (184) of the tweets in this TwapperKeeper archive were @replies or mentions.
24% (19) of the twitterers who tweeted as part of this TwapperKeeper archive received an @reply and/or mention.
Note: recipients marked ‘*’ did not tweet as part of this TwapperKeeper archive.
@zephoria (32) *
@cedric_laurant (20)
@ILITAgovil_en (17)
@JulesPolonetsky (14)
@abrandtva (13)
@givoly (11)
@EUdiscovery (9)
@oceanpark (8)
@InfoLawGroup (8)
@PrivacyCamp (8)
Top 10 “conversations”
(1) @cedric_laurant <–> @givoly (3)
(3) @IsCool <–> @oceanpark (1)
(2) @givoly <–> @JulesPolonetsky (1)
(1) @givoly <–> @oceanpark (2)
(1) @EUdiscovery <–> @privacyguru (1)
(1) @InfoLawGroup <–> @JulesPolonetsky (1)
(1) @Bsegalis <–> @JulesPolonetsky (1)
(1) @givoly <–> @ProfJonathan (1)
(1) @abrandtva <–> @EUdiscovery (1)
Note: a ‘conversation’ is an exchange of at least one @reply or mention in each direction between any two twitterers who tweeted as part of this TwapperKeeper archive.
For more details and statistics, see here.

Privacy and Data Protection: A Super Sad True Love Story

Meet Lenny Abramov:
“ZIP code 10002, New York, New York. Income averaged over five-year-span, $289,420, yuan-pegged, within top 19 percent of U.S. income distribution. Current blood pressure 120 over 70. O-type blood. Thirty-nine years of age, lifespan estimated at eighty three (47 percent lifespan elapsed; 53 percent remaining). Ailments: high cholesterol, depression. Born: 11367 ZIP code, Flushing, New York. Father: Boris Abramov, born Moscow, HolyPetroRussia; Mother: Galya Abramov, born Minsk, Vassal State Belarus. Parental ailments: high cholesterol, depression. Aggregate wealth: $9,353,000 non-yuan-pegged, real estate, 575 Grand Street, Unit E-607, $1,150,000 yuan-pegged. Liablities: mortgage $560,330. Spending power: $1,200,000 per year, non-yuan-pegged. Consumer profile: heterosexual, nonathletic, nonautomotive, nonreligious, non-Bipartisan. Sexual preferences: low-functioning Asian/Korean and White/Irish American with Low Net Worth family background; child abuse indicator: on; low self-esteem indicator: on. Last purchases: bound, printed, nonstreaming Media artifact, 35 norther Euros; bound, printed, nonstreaming Media artifact, $126 yuan-pegged; bound, printed, non-streaming Media artifact, 37 northern euros.”
This is Lenny’s profile that the people who inhabit Gary Shteyngart‘s latest novel “Super Sad True Love Story” can freely view on their äppärät.
The novel is set in a near future New York, where everyone walks around with an äppärät around his/her neck, constantly streaming. The streets are lined with Credit Poles, that instantly register and exhibit each passerby’s credit rating from his/her äppärät and giant banners that proclaim: “America celebrates its spenders”. Huge conglomerates named ColgatePalmoliveYum!BrandViacomCredit and AlliedWasteCVSCitigroupCredit call the shots.
At work, there are huge billboards, where each employee’s  health data and mood status are displayed and adjusted daily.
People (with the notable exception of the protagonist, Lenny Abramov) don’t read books anymore, but just scan texts for info.
This world is divided into two categories: The HNWIs (high net worth individuals) and the LNWIs (low net worth individuals). Many LNWIs have lost their homes, their jobs, their health insurance and are camping out in tent cities in Central Park. They don’t even own äppäräts. Riots are about to break out.
Meanwhile, the HNWIs are busy shopping on their äppäräts on sites like AssLuxury. They communicate through a social network site called GlobalTeens. They obsessively  GlobalTrace each other’s locations. Men and women  gage each other in bars by streaming their Personality, F**kability, Male Hotness and Sustainability ratings on their äppäräts. Detailed sexual preferences are instantly revealed.
And of course, the Governement, via the “American Restauration Authority”, keeps a close eye on all its citizens via those very same äppäräts. It sends regular global messages via the äppäräts, always ending with:”By reading this message, you are denying its existence and implying consent.”
At the center of this darkly satirical novel, a genuine and moving love story unfolds between Lenny and the much younger, e-culturally hip Eunice Park.
While reading Super Sad True Love Story, I was struck by how accurately Shteyngart has depicted most of the current issues concerning loss of privacy: Government Surveillance, Profiling, Geotracking, Global tracking, Legalese Nonsensical Disclaimers, Hyper-Sexualization,  Sub-Literacy are exposed with great wit.  Financial and private health information are not protected and are publicly showcased to favor the young, the healthy, the wealthy and the polyanna-happy.
This novel  is a frightening and powerful description of what will happen to us as a society if we don’t take drastic action NOW to halt the increasing erosion of our privacy by the public and private sector alike.
I love my privacy and would not want it to end the way a super sad true love story always does.

Federal Court in NY Says EU Documents Containing Personal Information are Off Limits in Class Action Litigation

This post was written by Kevin Xu and John L. Hines, Jr.
U.S. courts often disregard foreign data privacy laws in the context of discovery. Litigants sometimes find themselves compelled to produce under U.S. law what they are forbidden to produce under the privacy laws of another country. However, a recent U.S. court decision indicates increasing sensitivity to the privacy expectations of persons abroad.
On August 27, 2010, in connection with In re Payment Card Interchange Fee and Merchant Discount Antitrust Litigation, the court ruled that some data collected and processed in the EU would have been unlawful to transfer to the United States under the EU Privacy Directive, and thus, should not be subject to production in U.S. litigation.
Judge John Gleeson of the U.S. District Court for the Eastern District of New York deferred to the European Commission’s request to shield documents related to its antitrust investigation of the interchange fee practices of Visa and MasterCard from the discovery request of plaintiffs. The plaintiffs had asked the court to compel production of the documents, claiming they were relevant to the litigation at hand, while the European Commission sought to keep the documents confidential under its Privacy Directive. The court held that even though the materials requested by the plaintiffs are plainly relevant to the litigation, federal courts should avoid any unnecessary circumventions of the practice of international comity.
Read More

Behavioral Advertising is for Compumers

I saw the movie “Inception” by Christopher Nolan last night. It is not a movie I would usually pick, since I am not particularly fond of science fiction. But my daughter insisted: “You MUST see this movie. You won’t regret it.” I caved in and indeed enjoyed watching that movie. In the movie, technology has advanced to the point where certain highly skilled people are able to enter the human mind through dream invasion and plant seeds for new ideas. The story is sophisticated and emotionally engaging, the actors give excellent performances, and the ending is, well, unexpected.
Marketers using the behavioral advertising technique would have never recommended that movie to me.
Behavioral Advertising is a technique used by internet marketers to target consumers, based exclusively on their past online behavior: Past choices, past preferences, past browsing and search history. Companies will tell you what to purchase, based on your past online behavior.
Amazon’s and Netflix’s recommendations are based on the customer’s past purchases. I recently bought a Garmin nüvi 255W 4.3 inch Portable GPS Navigator on Amazon. Within the hour, I received an email from Amazon, suggesting I might also be interested in the Garmin nüvi 37907 4.3 inch Portable GPS Navigator . Sure, Amazon, thanks! I was just thinking of starting a Garmin nüvi GPS Navigator collection…
Facebook also recommends friends based on people who already are your friends. LinkedIn recommends “People You May Know”, based on your previous connections.
Proponents of behavioral advertising claim that the loss of privacy experienced by  consumers as a result of the creation of individual profiles for the purpose of behavioral targeting is offset by the benefit consumers gain from getting  advertisements that are custom tailored to their peferences and interests.
I beg to differ.
No machine on earth would have recommended I see “Inception”, because none of my past choices pointed in that direction.
But, I am not a “compumer“. I am not a “computer-consumer”. I am a human being, capable of imagination and dreams, programmed for evolution and change.
I am afraid that if we let machines make all our consumption suggestions, we will become frozen in our status quo, defined and limited by our past inputs, in other words, we might welll turn into computers, or “compumers” ourselves.
We will keep watching the same type of movies we have watched in the past, we will keep reading the same type of books we have read in the past, we will keep eating the same type of food we have eaten in the past, we will keep friending the same type of friends we have friended in the past, and we will keep connecting with the same type of professionals we have connected with in the past.
We will be locked into a  class, as determined by data mining companies and online data aggregators.
What will become of that quintessential American idea of being able to “re-invent” ourselves, when our past becomes less than satisfactory? What will become of the desire to expand  horizons, of the allure of unchartered territories, of the drive for social mobility, of the basic human need for change and progress?
But then, maybe one day technology will have progressed to the point where marketers themselves will be able to plant the seeds for all of the above mentioned ideas into our brains through “Inception”!
Update: 11/03/2010
Well, “Inception” in real life has apparently started already! see:

EU Article 29 Working Party Decrees Strict Opt-In Standards for Behavioral Advertising Data Collection

by Bret Cohen
On June 24, the Article 29 Working Party established by the 1995 European Directive on Data Protection published an opinion declaring that online advertisers who want to target ads by tracking consumers’ surfing habits must obtain the consumers’ affirmative opt-in consent to such data collection.At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today and it encouraged industry to develop technologies to comply with the framework and “to exchange views” with the Working Party on the use of such technologies.
Behavioral Advertising is Regulated in the EU by Two Primary Sources
The Working Party explained that behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive) that requires that organizations wishing to store or access information on an individual’s computer to obtain the consent of the individual before doing so. The e-Privacy Directive is to be implemented in the national laws of EU member states law by June 2011.
The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals’ computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual’s IP address (which is recognized as PII in the EU), then the EU Directive 95/46/EC (the Data Protection Directive) also applies.
Opt-In Consent Requirement and Opt-Out Deficiencies Explained
The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained by an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.
Currently, consumers can “opt out” of behavior tracking through control panels offered by certain online advertising services or by relying on default web browser settings through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically “enrolled” in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.
The Working Party rejected this “opt-out” approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to “opt in” to the sharing of their information for behavioral advertising purposes.
Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.
Read more

The Fifth Sail

“It is quite clear,” replied Don Quixote, “that you are not experienced in this matter of adventures. They are giants, and if you are afraid, go away and say your prayers, whilst I advance and engage them in fierce and unequal battle.”

Of the Valorous Don Quixote’s Success in the Dreadful and Never Before Imagined Adventure of the Windmills

“It is quite clear,” replied Don Quixote, “that you are not experienced in this matter of adventures. They are giants, and if you are afraid, go away and say your prayers, whilst I advance and engage them in fierce and unequal battle.”

Ediscovery, Cloud Computing and EU Data Protection: Cloud Nationalities Do Matter


  1. Did you know that you can shorten your urls with AdFly and get cash for every click on your short links.

  2. Bluehost is ultimately the best hosting provider for any hosting services you require.


Related Posts Plugin for WordPress, Blogger...