Privacy, Drones, and IoT
1 like3,574 views
This document discusses privacy issues related to drones, IoT, and cross-border data regulations. It provides an overview of privacy laws and approaches in the US, EU, and Canada. The US takes a sectoral approach to privacy while the EU uses a comprehensive approach. Drones pose new privacy challenges regarding reasonable expectations of privacy. IoT devices increase risks of malfunctions, hacking, and privacy/security breaches. Risk from IoT will be greatest for first-generation devices. The document recommends identifying and minimizing privacy risks through measures like privacy impact assessments.
Privacy, Drones, and IoT
- 1. Privacy, Drones, and IoT Laura Vivet Lawyer, CIPP/E/US June 2016
- 3. Different Meanings & Regulations Worldwide • Has Omnibus Data Protection Law • Omnibus Law in Proces • No Law or Sectorial Coverage Only
- 4. Privacy in the United States 1. Sectorial approach 2. “Right to be left alone” 3. Multiple definitions of personal data or sensitive data: • Common law • Federal and state laws • FTC consent decrees unfair and deceptive practices
- 5. Common Law Kyllo vs United States
- 6. Federal & State Laws What is covered? Risk FCRA Applies to CRA Limits the use of consumer reports Protects consumer reports (any information pertaining to 7 factors) Civil/criminal penalties Damages Private right of action COPPA Operators of commercial websites/online services directed to children <13 Places parents in control PII = name, SSN, video, audio, geolocation, cookies, etc Civil penalties (up to $16,000 per violation) Damages Reputation GLBA Applies to financial domestic institutions Addresses privacy & security NPI Civil penalties up to $1 1M Private right of action in some states HIPPA Covers health related entities Protects health information PHI Civil/criminal penalties Fines up to $250 000
- 7. • Unfair acts and deceptive practices • PII/Sensitive information: name, etc; consumer data linked to a specific consumer, computer or device; live feeds • RISK: Up to $100 M. Other requirements: security measures, training programs, disclosures, etc. FTC consent decrees
- 9. Privacy in Europe • Comprehensive approach • Fundamental right (Art. 8 CFR) • Directive 95/46/EC —> GDPR • Enforcement: Independent DPA in each MS • Other Privacy provisions: E-commerce, telecommunications, health information • “Personal data”: road definition • Applies to any entity, public or private • Processing of PD —> Anything! • Extraterritorial scope —> Applicable outside EU! • Exceptions • RISK: Up to €20 M or 4% total worldwide annual turnover
- 10. In Europe everything is forbidden unless allowed. United States ≠ Europe In United States everything is allowed unless forbidden.
- 11. • Between US and EU • Co-regulatory framework • “Personal data”: Broad definition • Public Sector —> Privacy Act • Private Sector —> PIPEDA (+ AL, BC, QB) • Enforcement: Independent DPAs • Statutory torts, anti spam, criminal code, etc RISK • 2015: enalties $17,800 • Data breach < $100,000 • Anti spam: ivil/criminal < $10M Privacy in Canada
- 12. Drones
- 13. Drones & Privacy in the United States Key concepts: “Reasonable expectation of privacy” and the limits of “private property” No federal law addresses privacy Tools: • Common Law • State & local regulations • Voluntary Best Practices UAS
- 14. Common Law Causby vs United States
- 15. State & Local Regulations (some examples) California Responds to the use of UAS by the paparazzi Florida Protects against surveillance activities Arkansas Prohibits the use of UAS to commit voyeurism New Hampshire Conduct video surveillance of citizens who are lawfully hunting, fishing or trapping
- 16. • NTIA Multistakeholder rocess (May 18, 2016) • Commercial and private • Private industry and privacy advocates • Privacy and security • US DHS Best Practices in UAS Programs (December 18, 2015) • DHS and local, state and federal government • Privacy and security Voluntary Best Practices UAS
- 17. Drones & Privacy by Design
- 18. What is covered? Risk GDPR Commercial operations Government operations (except outside scope of Union law) Up to €20 M or 4% total worldwide annual turnover Member States Laws Household activity (hobbyists) Freedom of expression and information Outside scope of Union Law: Public security, defense Civil/criminal penalties Damages Drones and Privacy in the EU
- 19. The Internet of Things (IoT)
- 20. IoT creates 3 kinds of risk: • Malfunction • Hacking • Privacy and security can create economic harm Internet of Things Risk Factors that shape the risk equation: • Vulnerability • Intent • Consequences Metrics to assess IoT risk: • Value and sensitivity of the data • Criticality of a function • Scalability of failure
- 21. Measures • Autonomy • Authentication and ncryption • Differentiate important vs unimportant and define criticality • Consider failure • Critical systems not linked to the internet Minimize Risks for the IoT Problems • Limited ability to patch & update software • Management difficulties • Computing resources limited on IoT devices • Cost and complexity • Wireless
- 22. Risk is dynamic Will be greatest for the 1st generation of IoT devices
- 23. Identify and minimize privacy risks Privacy Impact Assessment General Steps 1 Describe the project 2 Describe the information lifecycle 3 Identify privacy and related risks 4 Identify and evaluate privacy solutions 5 Integrate PIA solutions into the project plan
- 24. References Daniel Solve, “Privacy Law Fundamentals”, 2013, IAPP https://iapp.org/news/a/iapp-books/ DLI Piper, “Data Protection Laws of the World”, June 28, 2016 https://www.dlapiperdataprotection.com/#handbook/world-map-section Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change”, FTC Report, March 2012 https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/ 120326privacyreport.pdf European Charter of Fundamental Rights http://www.europarl.europa.eu/charter/pdf/text_en.pdf General Data protection Regulation (GDPR) http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN Current UAS Landscape, NCSL http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx Department of Homeland Security, Best Practices re UA, onlineS https://www.dhs.gov/sites/default/files/publications/UAS%20Best%20Practices.pdf NTIA Multistakeholder Process re commercial and private UAS, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-unmanned-aircraft-systems James Andrew Lewis, “Managing Risk for the Internet of Things”, CSIS, February 2016. https://www.csis.org/analysis/managing-risk-internet-things Michael Garcia, Naomi Lefkovitz, Suzanne Lightman, “Privacy Risk Management for Federal Information Systems”, NIST, May 2015 http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 https://www.whitehouse.gov/omb/memoranda_m03-22 Canada, Privacy Impact Assessment: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18308 Art. 29 WP, Opinion 7/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering System http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp209_en.pdf ICO, Privacy Impact Assessment Code of Practice, UK, online: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
- 26. Thank you! Laura Vivet www.lauravivet.com ı lv@lauravivet.com