
Big Data and Global Privacy
With Innovation Comes Increased Regulatory Scrutiny
Vance Gudmundsen
Regulatory Counsel, Privacy Officer
FICO
Rebecca E. Kuehn
Vice President and Senior Regulatory Counsel
CoreLogic
© 2014 Fair Isaac Corporation. Confidential.
This presentation is provided for the recipient only and cannot be reproduced or shared without Fair Isaac Corporation’s express consent.
Big Data and Global Privacy
► What is big data? Is big data inclusive or exclusive? Should there be limits to its collection and usage?
► If you get 3rd party data for advertising, marketing, hiring decisions, or credit management, is the 3rd party a “data broker”? Should data brokers be regulated?
► Who’s winning: your data security or the hackers?
► What do the privacy developments around the world mean to you?
Global Privacy Developments
Data Privacy and Security Are Global Concerns
Mauritius Conference
► In October, the 36th International Conference of Data Protection and Privacy Commissioners from around the world
► Agenda:
  ► One stop shop—centralization versus proximity
  ► Big data—consumer access to sources of data
  ► Surveillance vs. dataveillance
► Issued Declarations on big data and the Internet of Things
ICO (UK) Big Data Guidance
► Conditions for data processing under the Data Protection Act:
  ► Processing is necessary for the performance of a contract;
  ► Data minimization
  ► Consent, freely given, specific and informed (not inferred)
► If company buys a large dataset of personal data for analytics purposes, then it becomes a data controller with respect to that data
► If company collects data for one purpose, and subsequently uses it for another (incompatible) purpose, individuals must give consent for the new use
► Individuals have a right to access and correct information about themselves
► Guidance is grounded in the concept of fairness
  ► Processing must be for legitimate interests, which are balanced with the rights, freedoms, and legitimate interests of the individuals concerned (reasonable expectations)
EU Data Privacy Regulation: The Framework for Data Protection Across the European Union
► In March 2014 the EU Parliament adopted a draft to supersede Directive 95/46:
  ► One-stop-shop (single member state data protection authority)
  ► Restriction on profiling for marketing (most oppose);
  ► Right to be forgotten
  ► Pseudonymized vs. anonymized data
  ► Portability of PII
  ► Privacy by design
► In June the European Council met and did not agree on several points:
  ► One-stop-shop: “regulatory arbitrage”
  ► Regulation vs. Directive – politically, Members prefer legal uncertainty to harmonization
  ► Right to be forgotten: what rules would apply?
  ► Consent to collect, use, and disclose PII (beyond cookies)
► In July, 30 prominent EU scientists’ open letter to EC: consent requirements undermine basic economic and social research
► In October, Jean Claude Juncker/his European Commission was approved by the EU Parliament for a 5 year term; under current timetable, the Regulation will be passed in 2015, effective 2017
ECJ’s Google Decision: Right to be Forgotten
► European Court of Justice in July ruled that Google must provide some users the right to delete links about themselves, including public records, and other data lawfully collected and accurate
► In 2009 a Spanish citizen objected to having a Google search of his name include a 1998 Spanish newspaper article that reported on his financial debts and the forced sale of his property.
► Google was ordered to “balance” the right to be forgotten against the right of freedom of speech
► The right to be “de-linked”?
Google’s Reaction to the ECJ Decision
► Google’s response
  ► Google organized 7 open meetings, over 2 months, in European capitals, with renowned experts on the panels, hosted by Google’s CEO and CPO
  ► In October, Google published a ‘Transparency Report’ on requests received in each EU member state to remove search results
  ► Since May 2014, highest number from France and Germany—around 89,000 URLs in each country, with 40,000 URLs removed; 3rd highest was the UK with over 60,000 URLs, with 18,500 removed
► European response
  ► Google has implemented the ruling too broadly, to make a political point
  ► Google should apply the right globally without noting that any search results have been omitted (to prevent any negative inferences)
European Response to the ECJ Decision
► Martine Reicherts, EU Justice Commissioner (August 18): Each case will have to be assessed on its own merits, based on the type of information in question, its sensitivity for the individual's private life, and the interest of the public in having access to that information. The person’s role in public life might also be relevant
► EC publishes paper called “Mythbuster” (September 18)
► UK House of Lords report (July 23): The decision is bad law. The Data Protection Regulation will not include the right to be forgotten
► Article 29 Working Party (September 18): promised to create a database of decisions made by search engines to ensure a coordinated approach
► Blogs noted that celebrities want to know why they aren’t “Google famous” (when Google does not remove their content)
Other Reactions to the ECJ Decision
► Japanese court ordered Google to remove results that hinted a citizen was involved with criminal activity
► Recent proposal in Brazil's Congress to implement RTBF
  ► A new vague Internet Bill of Rights would permit online RTBF: no attempt to construct parameters such as the ECJ’s—“negative pieces of news”
► U.S. reaction to ECJ was based on a perceived violation of the 1st Amendment
  ► DNTK (S. 1700) would amend COPPA (applicable to children under 16)
  ► CA S.568 (effective 2015) “eraser button” for content posted by minors
Russian Data Localization Requirement
► In July 2014 President Putin signed Bill 553424-6 re Russia’s privacy laws: Companies that obtain personal data of Russian citizens must store that data only in Russia. Companies located outside Russia must place servers within Russia if they plan to continue doing business with Russian citizens.
► Effective: September 1, 2016, but a bill was introduced last month that would move the effective date to January 1, 2015
Canada Moves Away from Strict Consent (S-4)
► S-4, the Digital Privacy Act, would amend PIPEDA by expanding the permissible scope of information sharing:
  ► Using business contact information (including an email address), for the purpose of communicating or facilitating communication with the individual in relation to his or her employment, business or profession.
  ► Permitting the collection, use, and disclosure of personal information during business transactions with a carefully structured non-disclosure agreement
  ► Permitting the investigation of a breach of an agreement, contravention of a Canadian law, or to detect, prevent or suppress fraud.
► Note similarity to GLB
APEC Cross-Border Privacy Rules (CBPR)
► EU Safe Harbor = self certification of compliance with EU data protection law
  ► Company may share data on EU residents with its U.S. company
  ► Using EU-approved model contract clauses is also an approved method
► APEC: 21 APEC nations have instituted a similar approach (with assistance from FTC and Commerce)
  ► Step 1: Company’s data privacy policies submitted to APEC-recognized Accountability Agent for review (compliance with the APEC Privacy Framework) and certify eligibility
  ► Step 2: Enforcement and Dispute Resolution is administered through the country’s Cross-Border Privacy Enforcement Authority (FTC in the U.S.)
► History
  ► 2012 U.S. joined
  ► June 2013, TRUSTe named first approved “Accountability Agent”
  ► August 2013, IBM received the first privacy certification
► APEC and the EC are exploring interoperability between the CBPR and European Binding Corporate Rules
► CBPR is not fully implemented; it still requires the participation of a critical mass of APEC member nations (currently, only the United States, Mexico and Japan are participants in the program)
US Privacy Developments
► The Future of Big Data Is Uncertain
Setting the Stage: Who Are the Players?
► U.S. data privacy law is not comprehensive – it is sector specific:
  ► GLB (NPPI, PII), FCRA (consumer report), HIPAA (PHI), DPPA, COPPA, Telecommunications Act (CPNI), VPPA, FERPA, ECPA, RFPA, V2V
  ► State laws (e.g., NV and MA encryption standards; NYDFS security standards; data breach laws)
► U.S. law is based on notice and consent, but this model may not fit the digital age
► The amount of data available is enormous and access to data is immediate
► The era of “big data” has created a new dialogue around data privacy
Congress and the White House
► Congress held hearings in 2012 (House) and 2013 (Senate) on data brokers
  ► Consumers are shielded from the use of big data by the “veil of secrecy”, and there are very few laws that restrict this
  ► The industry (DMA) countered with the economic and social value of using big data
► White House report (May 2014) said big data can cause discrimination
The Federal Trade Commission (FTC)
► May 2014 Report findings:
  ► Data brokers collect and store billions of data elements covering nearly every US consumer, largely without consumers’ knowledge
  ► Data brokers combine online and offline consumer data; they use the data to make inferences, potentially sensitive inferences, about consumers
► Report conclusions:
  ► Require data brokers to provide consumers access to their data, including sensitive data held about them, in detail, including sources of the data and inferences drawn from such data, and the ability to opt-out of having their data shared for marketing purposes
  ► Risk mitigation products: provide transparency when a company uses a risk mitigation product to limit consumers’ ability to complete a transaction
FTC Workshop
Big Data: A Tool for Inclusion or Exclusion?
► Workshop explored the extent to which big data has inclusive or exclusive effects for certain disadvantaged groups.
  ► Does Big Data reinforce existing disparities or help overcome them?
  ► Does Big Data disadvantage the “off line” consumer (the non-“data literate”)?
  ► Facebook algorithm determines what news is presented
► Workshop raised the question of whether existing anti-discrimination laws are sufficient to address concerns.
  ► Does ECOA reach the marketing of credit offers through the use of data analytics?
  ► Does Section 5 of the FTC Act operate to fill the perceived gaps?
Consumer Advocates
► March 2014—National Consumer Law Center report: “Big Data: A Big Disappointment for Scoring Consumer Risk”
  ► Focused on the use of data for eligibility, within and without the FCRA. Recommends more study by the FTC and the CFPB into accuracy, potential discriminatory impact, and compliance with other federal laws
► April 2014—World Privacy Forum report: “The Scoring of America: How Secret Consumer Scores Threaten Your Privacy and Your Future”
  ► Focused on the lack of transparency around different types of scoring (including identity and fraud scoring), the factors used in those scores, which may include readily commercially available information about race, ethnicity, religion, gender, marital status, and consumer-reported health information
  ► The “creepiness” factor
California S. 1348
► Definition of “online data broker” is broad: a commercial entity that collects, assembles, or maintains personal information concerning individuals residing in California who are not customers or employees of that entity, for the purposes of selling or offering for sale the personal information over the Internet to a third party
► Requires authenticating the identity of a person who contacts a company
  ► difficult if the person were a fraudster or a criminal
  ► combing through dozens (perhaps hundreds) of separate databases in order to find related fragments of a person’s identity requires sophisticated software and processes
  ► correcting data that is allegedly inaccurate would require a robust investigative effort, due to the FCRA requirement that information be “accurate and complete.”
► RTBF: upon request, company must delete data even if lawfully collected, stored, and used by the company, and never transferred to any third party
  ► Company must post notice of right to remove information; individual can require personal information be “removed from public display on the Internet”
  ► Class actions permitted with stipulated damages of $1000 per violation and attorney’s fees
FTC’s Privacy Jurisdiction: Wyndham Case
► FTC used its “unfairness” authority (section 5 of the FTC Act) to regulate data security
► Federal district court judge ruled the FTC has section 5 (FTC Act) authority to bring actions arising from Wyndham’s alleged data security violations
  ► Gramm-Leach-Bliley gives FTC authority to define “appropriate” safeguards
► District Court judge certified two questions for the appellate court:
  ► (1) can the FTC bring a Section 5 unfairness claim involving data security; and
  ► (2) must the FTC formally promulgate regulations before bringing its unfairness claim
► House Oversight Committee hearing on FTC jurisdiction (7/24/14)
► Retrospective liability? If there was a breach, the security must have been inadequate
Where Do We Go From Here?
► Big data solutions include:
  ► Transparency by giving consumers access to their data, and/or better notices
  ► Consumer consent for the use of their data (opt-in or opt-out)
  ► New laws prohibiting discrimination based on “discrimination by algorithm”, “digital redlining”, “credit score aggregating”
► Internet of Things
► Apple-pay eliminates data breaches?
► Telephone Consumer Protection Act—prior express consent
► State legislatures and other regulators (e.g., S.1348 in California; NYDFS)
► MoFo “drone” practice: 25 lawyers from aviation, privacy, environmental, product liability and other practices
Thank You!
Vance Gudmundsen, Regulatory Counsel, Privacy Officer, FICO
Rebecca E. Kuehn, Vice President and Senior Regulatory Counsel, CoreLogic
Learn More at FICO World
Related Sessions
►Regulatory Olympics: Why Conduct Risk Matters; Thursday, 11:00 am–12:00 pm
►Customer Communications: Clearing the Regulatory Hurdles; Friday, 11:45 am–12:45 pm
Products in Solution Center
►Regulatory Compliance Solution
Experts at FICO World
►Vance Gudmundsen
►Sharon O’Connor Clarke
White Papers Online
►Delivering Customer Value Faster with Big Data Analytics
Blogs
►www.fico.com/blog