20 in 2012: The Top Privacy Issues to Watch
EU proposed regulations
First major review of the existing regulations.
The first aspect is the right to be forgotten. Alongside it comes data portability: taking your data from one vendor and moving it with you. This is a challenge to implement. There is also the right to delete, which lets a person have their data expunged from any place it might be stored.
Europe is looking for streamlined jurisdiction: the regulator where your main European establishment sits will be the authority whose rules you must comply with.
The cookie directive (an EU directive) says that if you set or read information on a client device you need consent for that. With today's web browsing technology this will be untenable for the end user. The regulators are still debating what it will actually mean in practice; browser controls that permit cookies may turn out to be the loophole.
FTC Staff Report
The US has been struggling with its privacy regulator, and an analysis of privacy issues (online privacy included, but not exclusively) has produced a draft framework report. It should be released in the next 6 weeks and is expected to introduce the idea of operational privacy: privacy becomes a business concern, baked into the business controls of each enterprise or organisation. This accepts that some items are covered by implied consent, within the boundaries of reasonable privacy expectations between the consumer and the enterprise.
Do Not Track has broad acceptance: switching off online tracking is becoming an option in every browser. Browser makers are already working on it, and we can expect more of it to be available later this year.
The FTC accepts that there is a new type of data, consumer data: data that relates to a particular consumer but is not identifiable. The definition will be in the paper.
The US Dept of Commerce has a white paper coming (called a green paper until it is released in 6 weeks), and is playing chicken with the FTC over who will release first. The Obama administration is willing to consider a privacy bill of rights, and recognises that law cannot answer every question, so industry needs a code of conduct.
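As an added example (not part of these conference notes, and not code from any browser maker or regulator), the following Python sketch shows how a web back end could operationalise both points above: the cookie directive's consent requirement and the browser's Do Not Track signal. The real header is `DNT: 1` (the W3C Tracking Preference Expression); the consent cookie name and value (`cookie_consent=yes`) and the set of "essential" cookies are assumptions for illustration.

```python
# Added example for these notes, not code from the talk or any named product.
# Server-side policy gating non-essential cookies on (a) the browser's DNT header
# and (b) an explicit opt-in recorded in a consent cookie. The consent cookie
# name/value ("cookie_consent=yes") and the set of "essential" cookies are
# assumptions for illustration; "DNT: 1" is the real Tracking Preference header.
from http.cookies import SimpleCookie

CONSENT_COOKIE = "cookie_consent"          # assumed name of the recorded choice
ESSENTIAL = {"session", CONSENT_COOKIE}    # strictly necessary to deliver the service


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def dnt_enabled(headers):
    """True when the client sent 'DNT: 1' (the user asked not to be tracked)."""
    value = _header(headers, "DNT")
    return value is not None and value.strip() == "1"


def has_consent(headers):
    """True only if the user previously opted in via the consent cookie."""
    jar = SimpleCookie()
    jar.load(_header(headers, "Cookie") or "")
    morsel = jar.get(CONSENT_COOKIE)
    return morsel is not None and morsel.value == "yes"


def may_set_cookie(name, headers):
    """Essential cookies are always allowed; anything else needs consent and no DNT."""
    if name in ESSENTIAL:
        return True
    if dnt_enabled(headers):
        return False           # DNT wins over a stale or pre-ticked consent
    return has_consent(headers)


def build_set_cookie_headers(requested, headers):
    """Reduce the cookies the app wants to set to the ones the policy permits.

    `requested` is a list of (name, value) pairs; the return value is the list of
    Set-Cookie header values to emit.
    """
    return [
        f"{name}={value}; Path=/; Secure; HttpOnly"
        for name, value in requested
        if may_set_cookie(name, headers)
    ]


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    wants = [("session", "a1b2c3"), ("ad_id", "tracker-42")]
    print(build_set_cookie_headers(wants, {"DNT": "1"}))
    print(build_set_cookie_headers(wants, {"Cookie": "cookie_consent=yes"}))
    print(build_set_cookie_headers(wants, {}))
```

The design choice worth noting is that a DNT signal overrides a previously recorded consent. That is the conservative reading; the regulatory debate the notes mention is partly about whether an explicit, site-specific opt-in should be allowed to win instead, so a real deployment would make that precedence a configurable policy decision rather than a constant.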
Security breach notification has spread like wildfire since it started in California. The current state is a patchwork quilt of requirements because each state's legislation is unique, and industry is pushing for a standardised approach to simplify compliance. The strength of this policy is that it is consequential rather than prescriptive: because notice is typically not required when the exposed data was encrypted, it has increased the use of encryption, for example.
An artwork called FaceOff by an Italian artist illustrates the layers of persona that social media encourages of the populace.
Facebook's IPO filing listed privacy more times than any other risk, showing that the social media giants recognise the risk but aren't yet really doing anything about it, because we are not voting with our fingers.
Online behavioural advertising: via cookies you are tracked across sites for your interests and behaviours. Self-regulatory efforts are starting to see some traction, and the Digital Advertising Alliance is starting to show some maturity.
Consumers value privacy, but we have trouble setting that value at more than 50 cents off a cheeseburger.
Mobile devices, and the privacy considerations for mobile apps. Industry must accept and respect privacy because people are beginning to vote with their fingers: it is easy to delete an app that violates our trust.
Awareness of geo-data sensitivity is growing in the consumer marketplace. Most devices that deliver your geo-data to other parties do so without the device user's knowledge.
Cloud computing continues to be a controversial topic because the information economy knows no jurisdictional boundaries, while data-transfer rules and privacy expectations do. The two are not compatible by default, and reconciling them is necessary to make functional use of the cloud.
Emerging markets are introducing privacy laws. Mexico, Brazil, Argentina and India are all creating privacy laws that face outwards more than inwards, written to protect their outsourced business-processing industries.
Regulatory risk is where the rubber hits the road for privacy and security. Regulators around the world are seeking and obtaining more powers than they have ever had to enforce data protection. The FTC is becoming more aggressive in going after privacy violating organisations.
Class action risk also grows: Netflix settled for $9M in the US this week over its data collection practices. The barrier has been the question of harm, but a number of judges are starting to show a willingness to look past it long enough for cases to progress to the point where a settlement occurs. Watch the US market and the reactions to these lawsuits.
Brand risk is more amorphous, but awareness of it is growing as most major publications establish beat reporters specifically for privacy topics. As many as 500 stories per day are published globally on privacy issues, so the brand risk keeps growing as the media slavers for the next big story.
Privacy by design and by default is necessary because of these risks. Privacy cannot be optional, or an afterthought bolted onto the infrastructure and left to it to carry the responsibility.
Accountability is necessary through metrics, audits and controls, and generally by taking the information and the data in your enterprise seriously.
Everyone is talking about big data because it is solidly in place, and every role dealing with big data is in some respect a privacy role. Privacy needs complete oversight over big data collection, storage, use and management. Big data is driving big jobs that require privacy knowledge and awareness.
We are all privacy professionals: if you touch data, information security, or systems that touch data, you need to understand privacy well enough to react correctly when any issue arises.
Stay aware; track the EU framework, the FTC report, and the risk environment. Build privacy in before launch, and operationalise it across your organisation. Build response plans, and train your organisation.
Location: 13th Privacy & Security Conference