FPF Partner in algoaware Project Releases State of the Art Report
State of the Art Report:
After reviewing the literature and consulting a variety of experts, algoaware has released the first public version of the State of the Art Report, open for peer review. The report includes a comprehensive explanation of the key concepts of algorithmic decision-making, a summary of the academic debate and its most pressing issues, as well as an overview of the most recent and relevant initiatives and policy actions of the civil society as well as of national and international governing bodies. The peer-review is executed via four different engagements channels:
Consultation of experts with proven knowledge on specific sections of the report.
Targeted calls to provide feedback by the subscribers of their Twitter channel, who will be invited to scrutinize the findings by answering questions on the content of the report.
Engagement with experts from academia, industry and civil society at presentations and discussions at events and focus groups
Finally, an open call to give feedback is available through the MetaPDF tool, which can also be found on the algoaware website.
Background:
The algoaware study was procured by the European Commission to support its analysis of the opportunities and challenges emerging where algorithmic decisions have a significant bearing on citizens, particularly where they produce societal or economic effects which need public attention.
The study is carried out by Optimity Advisors and follows a call from the European Parliament for a pilot project supporting algorithmic awareness building. FPF is a partner in this project.
The objectives of the study include:
contributing to a wider, shared understanding of the role of algorithms, particularly in the context of online platforms, with the intention of raising public awareness and debate of emerging issues;
identifying the types of problems, emerging issues and opportunities raised by the use of algorithms, and establish a scientific evidence-base for these issues and opportunities; and
designing and prototyping a policy toolbox including solutions for a selection of problems, including policy options, technical solutions and private sector and civil society-driven actions.
The study will follow a policy design methodology resting on the analysis of scientific evidence as well as a robust stakeholder engagement. It aims to engage with a range of stakeholders across diverse sectors as we seek to map the areas of interest where algorithmic operations bear significant policy implications. To keep up to date with the debate, and for project updates, sign up for the algoaware newsletter here.
New Guide Compares Privacy Laws in EU and California
New Guide Compares Privacy Laws in EU and California
Guide and December 13 Webinar from FPF and DataGuidance
Explore GDPR & CCPA, Potential Federal Privacy Law
Washington, DC – The Future of Privacy Forum and DataGuidance have released a new report, Comparing privacy laws: GDPR v. CCPA, which analyzes and contrasts the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). GDPR, which became effective in the EU on May 25, 2018, and the CCPA, scheduled to go into effect January 1, 2020, both aim to protect individuals’ personal data and apply to businesses that collect, use or share that data, online or off.
“There is a growing consensus about the need for comprehensive federal privacy legislation in the U.S.,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “Policymakers will appreciate the insights and comparisons in this report even though the scope and approach for a federal privacy law will rightly differ from those of the GDPR or the CCPA.”
The report details how the two laws differ in significant ways, including their scope of applicability, the extent of collection limitations and rules concerning accountability. However, they are similar in certain definitions, the establishment of additional protections for people under age 16 and the inclusion of rights to access personal information, among other provisions.
“Given the size and influence of the EU and California, their privacy rules will each have a global effect,” said David Longford, CEO of DataGuidance. “Organizations around the world will find the guide helpful in understanding and complying with the GDPR and the CCPA.”
The guide compares the two pieces of legislation based on their scope, key definitions, legal basis, the rights they provide, and their approach to enforcement. Each topic includes relevant articles and sections from the two laws, a summary of the comparison, and a detailed analysis of the similarities and differences between the GDPR and the CCPA.
On December 13, 2018, at 10:00 a.m. EST, FPF and DataGuidance will host a GDPR v. CCPA webinar to compare the two laws and discuss future developments in California and at the federal level. Speakers will include FPF Policy Counsel Stacey Gray and Gabriela Zanfir-Fortuna and DataGuidance CEO David Longford and Global Privacy Director Alexis Kateifides. Those interested in participating in the webinar may register at https://register.gotowebinar.com/register/6490805661630991885.
FPF has long supported a comprehensive federal consumer privacy law, believing that both businesses and consumers will gain from one clear standard that provides necessary protections for consumers and certainty and guidance for industry. FPF recommends that such a law address issues of interoperability with existing federal sectoral laws and global privacy frameworks while avoiding conflicts with existing requirements in order to promote beneficial cross-border data flows.
###
The Future of Privacy Forum is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more at www.fpf.org.
[Webinar] GDPR vs. CCPA: An in depth Comparative Analysis (Thurs, Dec 13, at 10:00 AM ET)
The Future of Privacy Forum (FPF) and DataGuidance have released a new Comparison Guide on the GDPR vs. CCPA, which provides an in-depth analysis on the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). The Guide highlights the degree of similarity of the GDPR and CCPA on the five key provisions, and a detailed analysis of the similarities and differences.
Please join the Webinar on Thursday, December, 13, 2018, 10:00 AM (EST), and meet the experts from FPF and DataGuidance who will provide an overview of the Guide’s key findings on the similarities and variances between the two laws.
Speakers:
Gabriela Zanfir-Fortuna, Policy Counsel, Future of Privacy Forum
Stacey Gray, Policy Counsel, Future of Privacy Forum
David Longford, CEO, DataGuidance
Alexis Kateifides, Global Privacy Director, DataGuidance
Calls for Regulation on Facial Recognition Technology
Today, Microsoft’s Brad Smith released a call for actionregarding the design, implementation and use of facial recognition systems. For use in both commercial and government contexts, he sets forth a clear path towards ethical uses of FR by ensuring privacy and discrimination concerns are addressed upfront. Likewise, AI Now, at New York University, issued a report about the potential concerns, and joined the growing demand for policies and regulatory action around this technology.
FPF published Privacy Principles for Facial Recognition Technology in Consumer Applications in September, 2018. These Principles define a benchmark of privacy requirements for those commercial situations where technology collects, creates, and maintains a facial template that can be used to identify a specific person – enabling the beneficial applications and services, while providing the necessary protections for individuals.
We include seven core privacy principles that address the concerns surrounding personally identifiable information (PII) collected by these systems. They include:
Consent,
Use – Respect for Context,
Transparency,
Data Security,
Privacy by Design,
Integrity and Access, and
Accountability.
In particular, we call for a baseline of express consent upon enrollment in a facial recognition database for verification or identification purposes. We believe these Principles can be used by companies and regulators as a resource for the development, refinement, and implementation of facial recognition technology in commercial settings.
We also released the associated graphic Understanding Facial Detection, Characterization, and Recognition Technologies as an educational reference to summarizes the key distinctions between facial scanning technologies. Relating each technology to its common use cases, benefits, concerns, and risk of identifiability, we outlined the minimum recommended notice and consent requirements and the Operator’s responsibilities.
We look forward to working with Microsoft, others in industry, and policymakers to “create policies, processes, and tools” to make responsible use of Facial Recognition technology a reality.
Privacy War Games Participants Stayed a Step Ahead of the Competition
Privacy leaders from 60 companies gathered at Cisco headquarters in San Jose, CA on November 12th for the inaugural Privacy War Games, a new training and preparedness program launched by FPF and The Providence Group. The war games split participants into five teams to practice strategic decision-making in a fast-paced environment that presented the challenges many companies can encounter in their every-day practice. This will help participants better manage future privacy risk – an increasingly complex task that is made more difficult by: the increasing number of state and sectoral privacy laws; evolving regulatory and compliance requirements; and the regulatory and legal ambiguity of the European General Data Protection Regulation (GDPR).
In light of a rapidly changing legal and regulatory environment, privacy risk management has grown increasingly complex for even the most advanced companies. The war games exercise forced our participants to explore privacy scenarios from different perspectives by adopting roles on the game teams that did not necessarily comport with their current jobs. By role-playing as the Federal Trade Commission, European Union regulators, state legislators, and two fictional companies, participants gained a deeper (and sometimes counter-intuitive) understanding of privacy challenges and anticipated how each team’s moves would affect the scenario as a whole.
The Privacy War Games team encouraged a commitment to authenticity throughout the exercise. Players withheld information, made decisions with limited information, dealt with unreasonable partners and managed stressful interactions with media and regulators.. Referees were assigned to each team in order to answer questions about rules and options available to the teams at various points in the game.
The exercise unfolded in two rounds. During the lunch break referees and a facilitator processed each team’s round one decisions. After lunch, the teams learned the consequences of their decisions and proceeded to make their round two decisions based on additional facts.
In a final debriefing, the control group facilitated a discussion, asking participants what they found surprising and what they learned. Answers ranged from insights gained about the scope of regulators’ authority to lessons learned about controlling the amount of information individuals in their own company should receive when there is a privacy incident. Several participants commented on how important it is to consider who needs to be at the table when a decision gets made. Companies need to have constructive conversations with a diverse team – even when departments have competing priorities.
Participants completed a postgame survey before leaving. Their feedback indicated that the event was well-received and provided suggestions for making the next war games event even better. Participants especially appreciated adopting the perspective of unfamiliar actors. In the few days after the event, FPF has already received inquiries on when the next PWG will take place.
According to a recent survey by PriceWaterHouseCoopers, only one-third of business leaders worldwide feel confident that their organization is prepared to meet recent and emerging requirements for cybersecurity, data privacy, and data-use governance. The 60 companies who participated in our war games are now ahead of the competition thanks to the valuable experiences and best practices that they acquired from this exercise.
We look forward to conducting more war games in the future. To learn about bringing the Privacy War Games to your company, contact [email protected].
Privacy Scholarship Research Reporter: Issue 4, December 2018 – GDPR in Focus
Notes from FPF
The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) aims to guarantee strong protections for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.
The GDPR went into effect on May 25, 2018 and is one of the most comprehensive data protection laws in the world to date. The law represents the most comprehensive data protection reform in a generation. Its geographic scope extends far beyond the borders of Europe, and material scope reaches across all industries – including online services, mobile, cloud, IoT, financial services, healthcare, and telecom.
In this issue are articles that provide highlight key issues raised by the GDPR: how does the Article 20 right to data portability address (or not address) privacy concerns about onward transfer of personal information? How might privacy risks raised by the internet of things be mitigated by a GDPR-compliant transparency model? How might the GDPR right to explanation be implemented in a flexible and practical manner? How do the GDPR and ePrivacy Directive intersect with the standard contractual terms used by many online services? How can children’s privacy rights be best supported by the GDPR? Is the right to “legibility” the appropriate way to interpret and apply GDPR’s rights to explanation? The papers highlighted in this issue engage with these questions and more.
As always, we would love to hear your feedback on this issue. You can email us at [email protected].
Data Portability and Data Control: Lessons for an Emerging Concept in EU Law
I. GRAEF, M. HUSOVEC
This article observes that while Article 20 of the GDPR introduces the right to data portability, it is agnostic as it relates to how this data can be used once transferred. The authors state that unlike other initiatives, the right to data portability does not create ownership control over the ported data. How this regulation will be limited in that it may clash with the intellectual property rights of some current data holders (i.e. copyright, trade secrets etc) is discussed. The authors argue that as other regimes try to replicate the right to data portability, they should consider the resulting control, its breadth and its impact on incentives to innovate.
Authors’ Abstract
The right to data portability (‘RtDP’) introduced by Article 20 of the General Data Protection Regulation (‘GDPR’) is a first regulatory attempt to establish a general-purpose control mechanism of horizontal application which mainly aims to facilitate reuse of personal data held by private companies. Article 20 GDPR is agnostic about the type of use that follows from the ported data and its further diffusion. This contrast with forms of portability facilitated under competition law which can only occur for purpose-specific goals with the aim of addressing anticompetitive behaviour. Unlike some upcoming initiatives, the RtDP still cannot be said to create ownership-like control over ported data. Even more, this regulatory innovation will be limited in its aspirations where intellectual property rights of current data holders, such as copyright, trade secrets and sui generis database rights, cause the two regimes to clash. In such cases, a reconciliation of the interests might confine particularly the follow-on use of ported data again to specific set of socially justifiable purposes, possibly with schemes of fair remuneration. We argue that to the extent that other regimes will try to replicate the RtDP, they should closely consider the nature of the resulting control, its breadth and its impact on incentives to innovate. In any case, the creation of data portability regimes should not become an end in itself. With an increasing number of instruments, orchestrating the consistency of legal regimes within the Digital Single Market and their mutual interplay should become an equally important concern.
GDPR and the Internet of Things: Guidelines to Protect Users’ Identity and Privacy
S. WACHTER
Presented in this paper is a three-step transparency model based on known privacy risks of the IoT, the GDPR’s governing principles, and weaknesses in its relevant provisions. In an effort to help IoT developers and data controllers, eleven ethical guidelines are proposed focused on how information about the functionality of the IoT should be shared with users above the GDPR’s legally binding requirements. There are two case studies presented that demonstrate how the guidelines apply in practice: IoT in public spaces and connected cities, and connected cars.
Authors’ Abstract
The Internet of Things (IoT) requires pervasive collection and linkage of user data to provide personalised experiences based on potentially invasive inferences. Consistent identification of users and devices is necessary for this functionality, which poses risks to user privacy. The forthcoming General Data Protection Regulation (GDPR) contains numerous provisions relevant to these risks, which may nonetheless be insufficient to ensure a fair balance between users’ and developers’ interests. A three-step transparency model is described based on known privacy risks of the IoT, the GDPR’s governing principles, and weaknesses in its relevant provisions. Eleven ethical guidelines are proposed for IoT developers and data controllers on how information about the functionality of the IoT should be shared with users above the GDPR’s legally binding requirements. Two use cases demonstrate how the guidelines apply in practice: IoT in public spaces and connected cities, and connected cars.
Meaningful Information and the Right to Explanation
A. D, SELBST, J. POWLES
The authors believe the discourse about the right to explanation has, thus far, gone in an unproductive direction. The authors posit that there is a fierce disagreement over whether these provisions create a data subject’s ‘right to explanation’. This article attempts to reorient that debate by showing that the plain text of the GDPR supports such a right. The authors believe that the right to explanation should be interpreted functionally, flexibly, and at a minimum, enable a data subject to exercise his or her rights under the GDPR and human rights law. To make their point, they offer a critique of the two most prominent papers in the debate.
Authors’ Abstract
There is no single, neat statutory provision labelled the ‘right to explanation’ in Europe’s new General Data Protection Regulation (GDPR). But nor is such a right illusory.
Responding to two prominent papers that, in turn, conjure and critique the right to explanation in the context of automated decision-making, we advocate a return to the text of the GDPR.
Articles 13–15 provide rights to ‘meaningful information about the logic involved’ in automated decisions. This is a right to explanation, whether one uses the phrase or not.
The right to explanation should be interpreted functionally, flexibly, and should, at a minimum, enable a data subject to exercise his or her rights under the GDPR and human rights law.
Pre-Formulated Declarations of Data Subject Consent – Citizens-Consumer Empowerment and the Alignment of Data, Consumer and Competition Law Protections
D. CLIFFORD, I. GRAEF, AND P. VALCKE
This article examines how the respective data protection and privacy, consumer protection, and competition law policy agendas are aligned by looking through the lens of pre-formulated declarations of consent whereby data subjects agree to the processing of their personal data by accepting standard terms. The authors describe the role each area has as it relates to the GDPR and ePrivacy Directive, the Unfair Terms Directive, the Consumer Rights Directive and the proposed Digital Content Directive in addition to market dominance. This paper discusses the complicated issue of the economic value of personal data and tries to interpret the affects of this cross-reference.
Authors’ Abstract
The purpose of this article is to examine the alignment of the respective data protection and privacy, consumer protection and competition law policy agendas through the lens of pre-formulated declarations of consent whereby data subjects agree to the processing of their personal data by accepting standard terms. The article aims to delineate the role of each area with specific reference to the GDPR and ePrivacy Directive, the Unfair Terms Directive, the Consumer Rights Directive and the proposed Digital Content Directive in addition to market dominance. Competition law analysis is explored vis-à-vis whether it could offer indicators of when ‘a clear imbalance’ in controller-data subject relations may occur in the context of the requirement for consent to be ‘freely given’ as per its definition in the GDPR. This complements the data protection and consumer protection analysis which focuses on the specific reference to the Unfair Terms Directive in Recital 42 GDPR stating that pre-formulated declarations of consent should not contain unfair terms. Attention is paid to various interpretative difficulties stemming from this alignment between the two instruments. In essence, this debate circles the thorny issue of the economic value of personal data and thus tries to navigate the interpretation minefield left behind by the cross-reference.
The Importance of Privacy by Design and Data Protection Impact Assessments in Strengthening Protection of Children’s Personal Data Under the GDPR
S. VAN DER HOF, E. LIEVENS
Authors’ Abstract
This paper explores to what extent the current illusion of autonomy and control by data subjects, including children and parents, based on consent can potentially be mitigated, or even reversed, by putting more emphasis on other tools of protection and empowerment in the GDPR and their opportunities for children. Suggestions are put forward as to how the adoption of such tools may enhance children’s rights and how they could be put into practice by DPAs and data controllers.
Why a Right to Legibility of Automated Decision-Making Exists in the General Data Protection Regulation
G. MALGIERI, G. COMANDÉ
This papers analyzes the GDPR’s “right to explanation.” The authors make a clear distinction between different levels of information and of consumers’ awareness; they propose a new concept — algorithmic “legibility” — focused on combining transparency and comprehensibility.
The authors argue that a systemic interpretation is needed in this field. They show how a systemic interpretation of Articles 13–15 and 22 GDPR is necessary and recommend a “legibility test” that data controllers should perform in order to comply with the duty to provide meaningful information about the logic involved in automated decision-making.
Authors’ Abstract
The aim of this contribution is to analyse the real borderlines of the ‘right to explanation’ in the GDPR and to discretely distinguish between different levels of information and of consumers’ awareness in the ‘black box’ society. In order to combine transparency and comprehensibility we propose the new concept of algorithm ‘legibility’.
We argue that a systemic interpretation is needed in this field, since it can be beneficial not only for individuals but also for businesses. This may be an opportunity for auditing algorithms and correcting unknown machine biases, thus similarly enhancing the quality of decision-making outputs.
Accordingly, we show how a systemic interpretation of Articles 13–15 and 22 GDPR is necessary, considering in particular that: the threshold of minimum human intervention required so that the decision-making is ‘solely’ automated (Article 22(1)) can also include nominal human intervention; the envisaged ‘significant effects’ on individuals (Article 22(1)) can encompass as well marketing manipulation, price discrimination, etc; ‘meaningful information’ that should be provided to data subjects about the logic, significance and consequences of decision-making (Article 15(1)(h)) should be read as ‘legibility’ of ‘architecture’ and ‘implementation’ of algorithmic processing; trade secret protection might limit the right of access of data subjects, but there is a general legal favour for data protection rights that should reduce the impact of trade secrets protection.
In addition, we recommend a ‘legibility test’ that data controllers should perform in order to comply with the duty to provide meaningful information about the logic involved in an automated decision-making.
The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.
The GDPR, which went into effect on 25 May 2018, is one of the most comprehensive data protection laws in the world to date. Absent a comprehensive federal privacy law in the U.S., the CCPA is considered to be one of the most significant legislative privacy developments in the country. Like the GDPR, the CCPA’s impact is expected to be global, given California’s status as the fifth largest global economy. The CCPA will take effect on January 1, 2020, but certain provisions under the CCPA require organizations to provide consumers with information regarding the preceding 12-month period, and therefore activities to comply with the CCPA may well be necessary sooner than the effective date.
As highlighted by this Guide, the two laws bear similarity in relation to their definition of certain terminology; the establishment of additional protections for individuals under 16 years of age; and the inclusion of rights to access personal information.
However, the CCPA differs from the GDPR in some significant ways, particularly with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability. Regarding the latter for example, the GDPR provides for obligations in relation to the appointment of Data Protection Officers, the maintenance of a register of processing activities, and the need for Data Protection Impact Assessments in specified circumstances. Conversely, the CCPA does not specifically focus on accountability-related obligations, even though such provisions exist, such as the obligation for companies to train their staff that deal with requests from consumers.
It is also noteworthy that the core legal framework of the CCPA is quite different from the GDPR. A fundamental principle of the GDPR is the requirement to have a “legal basis” for all processing of personal data. That is not the case for the CCPA.
Moreover, the CCPA excludes from its scope the processing of some categories of personal information altogether, such as medical data covered by other U.S. legal frameworks, including processing of personal information for clinical trials, and personal information processed by credit reporting agencies.
Further, the CCPA focuses on transparency obligations and on provisions that limit selling of personal information, requiring a “Do Not Sell My Personal Information” link to be included by businesses on their homepage. In addition, the CCPA includes specific provisions in relation to data transferred as a consequence of mergers and acquisitions, providing consumers with the right to opt-out if the “third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.”
This Guide aims to assist organizations in understanding and comparing the relevant provisions of the GDPR and the CCPA, to ensure compliance with both pieces of legislation.
This Guide provides a comparison of the two pieces of legislation on the following key provisions:
Scope
Key definitions
Legal basis
Rights
Enforcement
Each topic includes relevant articles and sections from the two laws, a summary of the comparison, and a detailed analysis of the similarities and differences between the GDPR and the CCPA. The degree of similarity for each section can be identified using the key below.
To stay up-to-date on our work, please subscribe to our distribution list.
Genetic Testing Will Be the Talk of the Table this Thanksgiving
This Thanksgiving, as families gather around the dinner table and discuss heritage and history, genetic testing is sure to be on the menu. Genetic testing companies are offering Black Friday and Cyber Monday discounts on kits to help you discover your genealogy and are sure to report record sales.
It is no surprise that as families come together this week, heritage, health, and the other fascinating information that can be drawn from DNA will be the talk of the table. From conversations about new family connections and serious health conditions to what types of wines best fit your genetic taste profile, DNA insights are becoming an important part of family discussions. And as with any family discussion, navigating serious or sensitive topics takes thoughtfulness and diplomacy; choosing a genetic testing provider also calls for careful consideration.
While today it is easier than ever to learn about family history, individuals should also be aware that genetic data is one of the most sensitive categories of personal information and warrants a high standard of privacy protection. Genetic data may be used to identify risk of future medical conditions, contain unexpected information that may be unsettling, and reveal information about the test taker’s family members. Because genetic information is so sensitive, you’ll want to know how a company will protect and use genetic data before buying Grandpa a kit on Black Friday.
One key way to assess a company’s genetic privacy practices is to look to the principles highlighted in the Future of Privacy Forum’s Privacy Best Practices for Consumer Genetic Testing Services, a set of standards for the collection, use, and sharing of genetic data. Companies that currently support the Best Practices include: Ancestry, 23andMe, Helix, MyHeritage, Habit, African Ancestry, FamilyTreeDNA, and Living DNA.
You also should carefully examine the company’s privacy policy to be sure you are choosing a company that has your genetic privacy in mind. Here are five important questions you should consider when deciding which genetic test to purchase (hint: all the answers should be YES):
Does the Company Ask for Your Consent Before Sharing Your Individual-Level Genetic Data with Third Parties? People choose to share their genetic data with third parties for a range of purposes (e.g., participate in scientific research or connect with potential relatives). However, genetic testing companies should never share your individual-level genetic data with third parties without your knowledge, particularly with insurers, employers, and educational institutions.
Does the Company Provide You the Ability to Delete Your Genetic Data and Destroy Your Biological Sample If You Choose? Companies may have default policies to destroy all samples once testing is completed, retain data or samples for only a finite period of time, or retain data and samples indefinitely or until you close your account. Companies should be clear about their retention practices and offer prominent ways to delete your genetic data and destroy your biological sample.
Does the Company Require Valid Legal Process before Disclosing Your Genetic Data to the Government? As we have seen in recent cases like the Golden State Killer, genetic data can be a powerful investigative tool for government. However, government access to your genetic data should not be as easy as pumpkin pie, as it presents substantial privacy risks. Companies should require that government entities obtain valid legal process before they disclose genetic data.
Does the Company Notify You of Material Changes to Its Privacy Statement and Ask You to Agree to the Changes? Companies may modify their privacy statements occasionally, and sometimes they significantly change how genetic data is collected, used, and stored. Companies may also be bought, sold, or go out of business. But before changes are implemented, you should be notified and given an opportunity to review the changes and choose whether or not you want to continue using the services.
Does the Company Have Strong Data Security Practices? As more than 12 million individuals have had their DNA tested, the potential for hacking and data breaches has become an increasing concern. Given the uniqueness of genetic data, companies should maintain a comprehensive security program through practices such as: secure storage of biological samples and genetic data, encryption, data-use agreements, contractual obligations, and accountability measures.
As we gather this week to give thanks for our families and heritage, let us also take a moment to consider the ways that genetic data can bring us closer together … and why it is important to protect it.
Limor Shmerling Magazanik Joins Israel Tech Policy Institute as Managing Director and Future of Privacy Forum as Senior Fellow
Limor Shmerling Magazanik Joins Israel Tech Policy Institute as Managing Director and Future of Privacy Forum as Senior Fellow
Former Senior Official at Israel’s Privacy Protection Authority to Lead ITPI
Washington, DC – November 20, 2018 – The Israel Tech Policy Institute and Future of Privacy Forum today announced Limor Shmerling Magazanik as ITPI Managing Director and FPF Senior Fellow. In this role, Magazanik will provide leadership on day-to-day operational matters of ITPI, including directing ITPI’s policy agenda; engaging policymakers, regulators, academics, and business leaders; convening multi stakeholder groups for discussion; and overseeing communications with the public and the advisory board.
“We are thrilled that Limor has joined our team,” said Jules Polonetsky, FPF CEO and ITPI Co-Founder. “She has a proven track record of success bringing together senior leaders from government, academia, civil society and the private sector to shape data governance principles and practices. We look forward to expanding our footprint in Israel under her thoughtful leadership.”
Major projects for ITPI in 2019 include data protection law, digital economy issues, supporting Israel’s emerging leadership in privacy technologies and enabling smart city and connected transportation deployments.
Magazanik comes to ITPI and FPF after a decade with the Privacy Protection Authority, serving most recently as Director of Strategic Alliances and previously as Director of Licensing & Inspection. She led policy initiatives and regulation in technology driven sectors and promoted compliance with data protection, privacy, cybersecurity and digital identity regulation. She is an adjunct lecturer at the Hebrew University Faculty of Law and the IDC Herzlia School of Law, has LL.B., MA and LL.M. degrees from Tel Aviv University and is a CIPP/E, CIPP/US, CIPM.
“After 10 years with the Privacy Protection Authority, I am excited to help connect the Israeli tech community to the Future of Privacy Forum’s world-class tech policy expertise,” said Magazanik. “I believe Israel can be a leader in developing technologies that enhance privacy protection.”
ITPI Co-Founder Omer Tene said, “Limor, who in her previous position coordinated extensively with European data protection regulators, is perfectly placed to bridge between regulators and policymakers on the one hand and tech innovators from Tel Aviv to Silicon Valley on the other hand.”
Magazanik has deep experience tackling information society issues such as the Internet of Things, autonomous vehicles, smart cities, biometrics, social networks, digital health care, credit data, fintech and more. She has a multifaceted background in both government and the private sector, having practiced corporate, property and banking law, as well as working in product and project management in the Israeli high-tech industry.
###
About Israel Tech Policy Institute
Israel Tech Policy Institute is an incubator for tech policy leadership and scholarship, advancing ethical practices in support of emerging technologies. Learn more about ITPI by visiting www.techpolicy.org.il.
About Future of Privacy Forum
Future of Privacy Forum is a global non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.
Long Overdue: Comprehensive Federal Privacy Law
FPF has long supported federal comprehensive consumer privacy law. We believe that both businesses and consumers will gain from one clear standard that provides consumers with needed protections and provides industry with certainty and guidance.
On Friday, FPF filed comments to the National Telecommunications and Information Administration (NTIA) in response to the Administration’s September 2018 Request for Comments on a federal approach to consumer privacy. The NTIA has requested input on the best approach to strengthen existing consumer data protections in the United States while promoting the administration’s high-level goals, including: enhancing legal clarity; reducing legal fragmentation; and increasing national and global interoperability.
In our comments, we called on Congress to draft and pass a national comprehensive consumer privacy law that would create baseline legal protections for individuals in the United States. In doing so, we recommend that such a law address issues of interoperability with existing federal sectoral laws and global privacy frameworks, and avoid creating conflicting requirements with existing frameworks in order to promote beneficial cross-border data flows (as an example, we have previously addressed the unintended consequences of various nations’ data localization laws).
We also note that a national privacy law would be likely to preempt some similar state legislative efforts, both as a natural outcome of the Supremacy Clause and as a matter of policy to support clarity and consistency in businesses’ compliance obligations. We also believe that consumers should not expect to have fewer privacy rights — such as the right to access, correct, or delete information, or to exercise meaningful control over whether that information is used for unexpected purposes, shared with others, or sold — simply because they live in one state rather than another. However, we flag for the Administration certain key implementation questions that should be carefully considered — such as the effect of a national law on the role of state attorneys general, enforcement actions under generally applicable business practices laws, and existing state constitutional rights to privacy.
We also recommend that the Administration address a range of important substantive considerations of a draft bill, including:
treating covered data with nuance in crafting legislative definitions;
promoting internal accountability, oversight, and training;
recognizing distinctions between sensitive and non-sensitive data; and
creating incentives for socially beneficial uses of data and for technical solutions that can resolve privacy issues while supporting data utility
We commend the NTIA and the Department of Commerce for their engagement on this important issue, and look forward to continuing to engage with stakeholders on a federal approach to guaranteeing clear, consistent, and meaningful privacy and security protections in the United States.
