Federal Privacy Council’s Law Library

Curated on Posted on by Stefaan Verhulst

Federal Privacy Council: “The Law Library is a compilation of information about and links to select Federal laws related to the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information (PII) by departments and agencies within the Federal Government. The Law Library does not include all laws that are relevant to privacy or the management of PII in the Federal Government.

The Law Library only includes laws applicable to the Federal Government. Although some of the laws included may also be applicable to entities outside of the Federal Government, the information provided on the Law Library pages is strictly limited to the application of those laws to the Federal Government; the information provided does not in any way address the application of any law to the private sector or other non-Federal entities.

The Law Library pages have been prepared by members of the Federal Privacy Council and consist of information from and links to other Federal Government websites. The Federal Privacy Council is not responsible for the content of any third-party website, and links to other websites do not constitute or imply endorsement or recommendation of those sites or the information they provide.

The material in the Law Library is provided for informational purposes only. The information provided may not reflect current legal developments or agency-specific requirements, and it may not be correct or complete. The Federal Privacy Council does not have authority to provide legal advice, to set policies for the Federal Government, or to represent the views of the Federal Government or the views of any agency within the Federal Government; accordingly, the information on this website in no way constitutes policy or legal advice, nor does it in any way reflect Federal Government views or opinions.  Agencies shall consult law, regulation, and policy, including OMB guidance, to understand applicable requirements….(More)”

Data Ethics – The New Competitive Advantage

Curated on Posted on by Stefaan Verhulst

Book by Gry Hasselbalch and Pernille Tranberg: “…describes over 50 cases of mainly private companies working with data ethics to varying degrees

Respect for privacy and the right to control one’s own data are becoming key parameters to gain a competitive edge in today’s business world. Companies, organisations and authorities which view data ethics as a social responsibility,giving it the same importance as environmental awareness and respect for human rights,are tomorrow’s winners. Digital trust is paramount to digital growth and prosperity.
This book combines broad trend analyses with case studies to examine companies which use data ethics to varying degrees. The authors make the case that citizens and consumers are no longer just concerned about a lack of control over their data, but they also have begun to act. In addition, they describe alternative business models, advances in technology and a new European data protection regulation, all of which combine to foster a growing market for data-ethical products and services….(More).

Learning Privacy Expectations by Crowdsourcing Contextual Informational Norms

Curated on Posted on by Stefaan Verhulst

 at Freedom to Tinker: “The advent of social apps, smart phones and ubiquitous computing has brought a great transformation to our day-to-day life. The incredible pace with which the new and disruptive services continue to emerge challenges our perception of privacy. To keep apace with this rapidly evolving cyber reality, we need to devise agile methods and frameworks for developing privacy-preserving systems that align with evolving user’s privacy expectations.

Previous efforts have tackled this with the assumption that privacy norms are provided through existing sources such law, privacy regulations and legal precedents. They have focused on formally expressing privacy norms and devising a corresponding logic to enable automatic inconsistency checks and efficient enforcement of the logic.

However, because many of the existing regulations and privacy handbooks were enacted well before the Internet revolution took place, they often lag behind and do not adequately reflect the application of logic in modern systems. For example, the Family Rights and Privacy Act (FERPA) was enacted in 1974, long before Facebook, Google and many other online applications were used in an educational context. More recent legislation faces similar challenges as novel services introduce new ways to exchange information, and consequently shape new, unconsidered information flows that can change our collective perception of privacy.

Crowdsourcing Contextual Privacy Norms

Armed with the theory of Contextual Integrity (CI) in our work, we are exploring ways to uncover societal norms by leveraging the advances in crowdsourcing technology.

In our recent paper, we present the methodology that we believe can be used to extract a societal notion of privacy expectations. The results can be used to fine tune the existing privacy guidelines as well as get a better perspective on the users’ expectations of privacy.

CI defines privacy as collection of norms (privacy rules) that reflect appropriate information flows between different actors. Norms capture who shares what, with whom, in what role, and under which conditions. For example, while you are comfortable sharing your medical information with your doctor, you might be less inclined to do so with your colleagues.

We use CI as a proxy to reason about privacy in the digital world and a gateway to understanding how people perceive privacy in a systematic way. Crowdsourcing is a great tool for this method. We are able to ask hundreds of people how they feel about a particular information flow, and then we can capture their input and map it directly onto the CI parameters. We used a simple template to write Yes-or-No questions to ask our crowdsourcing participants:

“Is it acceptable for the [sender] to share the [subject’s] [attribute] with [recipient] [transmission principle]?”

For example:

“Is it acceptable for the student’s professor to share the student’s record of attendance with the department chair if the student is performing poorly? ”

In our experiments, we leveraged Amazon’s Mechanical Turk (AMT) to ask 450 turkers over 1400 such questions. Each question represents a specific contextual information flow that users can approve, disapprove or mark under the Doesn’t Make Sense category; the last category could be used when 1) the sender is unlikely to have the information, 2) the receiver would already have the information, or 3) the question is ambiguous….(More)”

Big Data Is Not a Monolith

Curated on Posted on by Stefaan Verhulst

Book edited by Cassidy R. Sugimoto, Hamid R. Ekbia and Michael Mattioli: “Big data is ubiquitous but heterogeneous. Big data can be used to tally clicks and traffic on web pages, find patterns in stock trades, track consumer preferences, identify linguistic correlations in large corpuses of texts. This book examines big data not as an undifferentiated whole but contextually, investigating the varied challenges posed by big data for health, science, law, commerce, and politics. Taken together, the chapters reveal a complex set of problems, practices, and policies.

The advent of big data methodologies has challenged the theory-driven approach to scientific knowledge in favor of a data-driven one. Social media platforms and self-tracking tools change the way we see ourselves and others. The collection of data by corporations and government threatens privacy while promoting transparency. Meanwhile, politicians, policy makers, and ethicists are ill-prepared to deal with big data’s ramifications. The contributors look at big data’s effect on individuals as it exerts social control through monitoring, mining, and manipulation; big data and society, examining both its empowering and its constraining effects; big data and science, considering issues of data governance, provenance, reuse, and trust; and big data and organizations, discussing data responsibility, “data harm,” and decision making….(More)”

Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online

Curated on Posted on by Stefaan Verhulst

Paper by Alessandro Acquisti et al: “Advancements in information technology often task users with complex and consequential privacy and security decisions. A growing body of research has investigated individuals’ choices in the presence of privacy and information security trade-offs, the decision-making hurdles affecting those choices, and ways to mitigate those hurdles. This article provides a multi-disciplinary assessment of the literature pertaining to privacy and security decision making. It focuses on research on assisting individuals’ privacy and security choices with soft paternalistic interventions that nudge users towards more beneficial choices. The article discusses potential benefits of those interventions, highlights their shortcomings, and identifies key ethical, design, and research challenges….(More)”

The Future of Drone Use: Opportunities and Threats from Ethical and Legal Perspectives

Curated on Posted on by Stefaan Verhulst

Book by Bart Custers: “Given the popularity of drones and the fact that they are easy and cheap to buy, it is generally expected that the ubiquity of drones will significantly increase within the next few years. This raises questions as to what is technologically feasible (now and in the future), what is acceptable from an ethical point of view and what is allowed from a legal point of view. Drone technology is to some extent already available and to some extent still in development. The aim and scope of this book is to map the opportunities and threats associated with the use of drones and to discuss the ethical and legal issues of the use of drones.
This book provides an overview of current drone technologies and applications and of what to expect in the next few years. The question of how to regulate the use of drones in the future is addressed, by considering conditions and contents of future drone legislation and by analyzing issues surrounding privacy and safeguards that can be taken. As such, this book is valuable to scholars in several disciplines, such as law, ethics, sociology, politics and public administration, as well as to practitioners and others who may be confronted with the use of drones in their work, such as professionals working in the military, law enforcement, disaster management and infrastructure management. Individuals and businesses with a specific interest in drone use may also find in the nineteen contributions contained in this volume unexpected perspectives on this new field of research and innovation….(More)”

Reframing Data Transparency

Curated on Posted on by Stefaan Verhulst

“Recently, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP, a privacy and information policy think tank based in Brussels, London and Washington, D.C., and Telefónica, one of the largest telecommunications company in the world, issued a joint white paper on Reframing Data Transparency (the “white paper”). The white paper was the outcome of a June 2016 roundtable held by the two organizations in London, in which senior business leaders, Data Privacy Officers, lawyers and academics discussed the importance of user-centric transparency to the data driven economy….The issues explored during the roundtable and in the white paper include the following:

  • The transparency deficit in the digital age. There is a growing gap between traditional, legal privacy notices and user-centric transparency that is capable of delivering understandable and actionable information concerning an organization’s data use policies and practices, including why it processes data, what the benefits are to individuals and society, how it protects the data and how users can manage and control the use of their data.
  • The impact of the transparency deficit. The transparency deficit undermines customer trust and customers’ ability to participate more effectively in the digital economy.
  • Challenges of delivering user-centric transparency. In a connected world where there may be no direct relationship between companies and their end users, both transparency and consent as a basis for processing are particularly challenging.
  • Transparency as a multistakeholder challenge. Transparency is not solely a legal issue, but a multistakeholder challenge, which requires engagement of regulators, companies, individuals, behavioral economists, social scientists, psychologists and user experience specialists.
  • The role of data protection authorities (“DPAs”). DPAs play a key role in promoting and incentivizing effective data transparency approaches and tools.
  • The role of companies. Data transparency is a critical business issue because transparency drives digital trust as well as business opportunities. Organizations must innovate on how to deliver user-centric transparency. Data driven companies must research and develop new approaches to transparency that explain the value exchange between customers and companies and the companies’ data practices, and create tools that enable their customers to exercise effective engagement and control.
  • The importance of empowering individuals. It is crucial to support and enhance individuals’ digital literacy, which includes an understanding of the uses of personal data and the benefits of data processing, as well as knowledge of relevant privacy rights and the data management tools that are available to them. Government bodies, regulators and industry should be involved in educating the public regarding digital literacy. Such education should take place in schools and universities, and through consumer education campaigns. Transparency is the foundation and sine qua non of individual empowerment.
  • The role of behavioral economists, social scientists, psychologists and user experience specialists. Experts from these disciplines will be crucial in developing user-centric transparency and controls….(More)”.

A decentralized web would give power back to the people online

Curated on Posted on by Stefaan Verhulst

 at TechCrunch: “…The original purpose of the web and internet, if you recall, was to build a common neural network which everyone can participate in equally for the betterment of humanity.Fortunately, there is an emerging movement to bring the web back to this vision and it even involves some of the key figures from the birth of the web. It’s called the Decentralised Web or Web 3.0, and it describes an emerging trend to build services on the internet which do not depend on any single “central” organisation to function.

So what happened to the initial dream of the web? Much of the altruism faded during the first dot-com bubble, as people realised that an easy way to create value on top of this neutral fabric was to build centralised services which gather, trap and monetise information.

Search Engines (e.g. Google), Social Networks (e.g. Facebook), Chat Apps (e.g. WhatsApp )have grown huge by providing centralised services on the internet. For example, Facebook’s future vision of the internet is to provide access only to the subset of centralised services endorses (Internet.org and Free Basics).

Meanwhile, it disables fundamental internet freedoms such as the ability to link to content via a URL (forcing you to share content only within Facebook) or the ability for search engines to index its contents (other than the Facebook search function).

The Decentralised Web envisions a future world where services such as communication,currency, publishing, social networking, search, archiving etc are provided not by centralised services owned by single organisations, but by technologies which are powered by the people: their own community. Their users.

The core idea of decentralisation is that the operation of a service is not blindly trusted toany single omnipotent company. Instead, responsibility for the service is shared: perhaps by running across multiple federated servers, or perhaps running across client side apps in an entirely “distributed” peer-to-peer model.

Even though the community may be “byzantine” and not have any reason to trust or depend on each other, the rules that describe the decentralised service’s behaviour are designed to force participants to act fairly in order to participate at all, relying heavily on cryptographic techniques such as Merkle trees and digital signatures to allow participants to hold each other accountable.

There are three fundamental areas that the Decentralised Web necessarily champions:privacy, data portability and security.

  • Privacy: Decentralisation forces an increased focus on data privacy. Data is distributed across the network and end-to-end encryption technologies are critical for ensuring that only authorized users can read and write. Access to the data itself is entirely controlled algorithmically by the network as opposed to more centralized networks where typically the owner of that network has full access to data, facilitating  customer profiling and ad targeting.
  • Data Portability: In a decentralized environment, users own their data and choose with whom they share this data. Moreover they retain control of it when they leave a given service provider (assuming the service even has the concept of service providers). This is important. If I want to move from General Motors to BMW today, why should I not be able to take my driving records with me? The same applies to chat platform history or health records.
  • Security: Finally, we live in a world of increased security threats. In a centralized environment, the bigger the silo, the bigger the honeypot is to attract bad actors.Decentralized environments are safer by their general nature against being hacked,infiltrated, acquired, bankrupted or otherwise compromised as they have been built to exist under public scrutiny from the outset….(More)”

Privacy Preservation in the Age of Big Data

Curated on Posted on by Stefaan Verhulst

A survey and primer by John S. Davis II and Osonde Osoba at Rand: “Anonymization or de-identification techniques are methods for protecting the privacy of subjects in sensitive data sets while preserving the utility of those data sets. The efficacy of these methods has come under repeated attacks as the ability to analyze large data sets becomes easier. Several researchers have shown that anonymized data can be reidentified to reveal the identity of the data subjects via approaches such as so-called “linking.” In this report, we survey the anonymization landscape of approaches for addressing re-identification and we identify the challenges that still must be addressed to ensure the minimization of privacy violations. We also review several regulatory policies for disclosure of private data and tools to execute these policies….(More)”.

Privacy Laws Around the World

Curated on Posted on by Stefaan Verhulst

Bloomberg Law: “Development of international privacy laws and regulations with critical impact on the global economy been extremely active over the last several years.

Download Privacy Laws Around the World to access common and disparate elements of the privacy laws from 61 countries. Crafted by Cynthia Rich of Morrison & Foerster LLP, the report includes expert analysis on privacy laws in Europe and Eurasia (non-EEA); East, Central and South Asia and the Pacific; the Western Hemisphere (Latin America, Caribbean and Canada); as well as Africa and the Near East.

Privacy Laws Around the World…access:

Side-by-side charts comparing four key compliance areas including registration requirements, cross-border data transfer limitations, data breach notification requirements and data protection officer requirements

A country-by-country review of the special characteristics of framework privacy laws

An overview of privacy legislation in development around the world…(More) (Requires Registration)”