This document discusses privacy issues related to drones, IoT, and cross-border data regulations. It provides an overview of privacy laws and approaches in the US, EU, and Canada. The US takes a sectoral approach to privacy while the EU uses a comprehensive approach. Drones pose new privacy challenges regarding reasonable expectations of privacy. IoT devices increase risks of malfunctions, hacking, and privacy/security breaches. Risk from IoT will be greatest for first-generation devices. The document recommends identifying and minimizing privacy risks through measures like privacy impact assessments.
3. Different Meanings & Regulations Worldwide
• Has Omnibus Data Protection Law
• Omnibus Law in Proces
• No Law or Sectorial Coverage Only
4. Privacy in the
United States
1. Sectorial approach
2. “Right to be left alone”
3. Multiple definitions of personal data or
sensitive data:
• Common law
• Federal and state laws
• FTC consent decrees
unfair and deceptive practices
6. Federal & State Laws
What is covered? Risk
FCRA Applies to CRA
Limits the use of consumer reports
Protects consumer reports (any information
pertaining to 7 factors)
Civil/criminal penalties
Damages
Private right of action
COPPA Operators of commercial websites/online
services directed to children <13
Places parents in control
PII = name, SSN, video, audio, geolocation,
cookies, etc
Civil penalties (up to $16,000
per violation)
Damages
Reputation
GLBA Applies to financial domestic institutions
Addresses privacy & security
NPI
Civil penalties up to $1 1M
Private right of action
in some states
HIPPA Covers health related entities
Protects health information
PHI
Civil/criminal penalties
Fines up to $250 000
7. • Unfair acts and deceptive practices
• PII/Sensitive information: name, etc; consumer data linked to a
specific consumer, computer or device; live feeds
• RISK: Up to $100 M. Other requirements: security measures,
training programs, disclosures, etc.
FTC consent decrees
8.
9. Privacy in Europe
• Comprehensive approach
• Fundamental right (Art. 8 CFR)
• Directive 95/46/EC —> GDPR
• Enforcement: Independent DPA in each MS
• Other Privacy provisions: E-commerce,
telecommunications, health information
• “Personal data”: road definition
• Applies to any entity, public or private
• Processing of PD —> Anything!
• Extraterritorial scope —> Applicable outside EU!
• Exceptions
• RISK: Up to €20 M or 4% total
worldwide annual turnover
13. Drones & Privacy
in the United States
Key concepts:
“Reasonable expectation
of privacy” and the limits of
“private property”
No federal law addresses privacy
Tools:
• Common Law
• State & local regulations
• Voluntary Best Practices UAS
15. State & Local Regulations
(some examples)
California
Responds to the
use of UAS by
the paparazzi
Florida
Protects
against
surveillance
activities
Arkansas
Prohibits the
use of UAS
to commit
voyeurism
New Hampshire
Conduct video
surveillance of
citizens who are
lawfully hunting,
fishing or trapping
16. • NTIA Multistakeholder rocess
(May 18, 2016)
• Commercial and private
• Private industry and privacy
advocates
• Privacy and security
• US DHS Best Practices in UAS
Programs (December 18, 2015)
• DHS and local, state and federal
government
• Privacy and security
Voluntary Best Practices UAS
18. What is covered? Risk
GDPR Commercial operations
Government operations (except outside scope
of Union law)
Up to €20 M or 4% total
worldwide annual turnover
Member
States
Laws
Household activity (hobbyists)
Freedom of expression and information
Outside scope of Union Law: Public security,
defense
Civil/criminal penalties
Damages
Drones and Privacy in the EU
20. IoT creates 3
kinds of risk:
• Malfunction
• Hacking
• Privacy and security
can create economic
harm
Internet of Things Risk
Factors that shape
the risk equation:
• Vulnerability
• Intent
• Consequences
Metrics to assess
IoT risk:
• Value and sensitivity
of the data
• Criticality of a
function
• Scalability of failure
21. Measures
• Autonomy
• Authentication and
ncryption
• Differentiate important
vs unimportant and
define criticality
• Consider failure
• Critical systems not
linked to the internet
Minimize Risks for the IoT
Problems
• Limited ability to patch
& update software
• Management
difficulties
• Computing resources
limited on IoT devices
• Cost and complexity
• Wireless
23. Identify and minimize privacy risks
Privacy Impact Assessment
General Steps
1 Describe the project
2 Describe the information lifecycle
3 Identify privacy and related risks
4 Identify and evaluate privacy solutions
5 Integrate PIA solutions into the project plan
24. References
Daniel Solve, “Privacy Law Fundamentals”, 2013, IAPP https://iapp.org/news/a/iapp-books/
DLI Piper, “Data Protection Laws of the World”, June 28, 2016 https://www.dlapiperdataprotection.com/#handbook/world-map-section
Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change”, FTC Report, March 2012
https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/
120326privacyreport.pdf
European Charter of Fundamental Rights http://www.europarl.europa.eu/charter/pdf/text_en.pdf
General Data protection Regulation (GDPR) http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
Current UAS Landscape, NCSL http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx
Department of Homeland Security, Best Practices re UA, onlineS https://www.dhs.gov/sites/default/files/publications/UAS%20Best%20Practices.pdf
NTIA Multistakeholder Process re commercial and private UAS,
https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-unmanned-aircraft-systems
James Andrew Lewis, “Managing Risk for the Internet of Things”, CSIS, February 2016.
https://www.csis.org/analysis/managing-risk-internet-things
Michael Garcia, Naomi Lefkovitz, Suzanne Lightman, “Privacy Risk Management for Federal Information Systems”, NIST, May 2015
http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf
M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
https://www.whitehouse.gov/omb/memoranda_m03-22
Canada, Privacy Impact Assessment: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18308
Art. 29 WP, Opinion 7/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering System
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp209_en.pdf
ICO, Privacy Impact Assessment Code of Practice, UK, online: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf