P3WG Regulatory Calls for Participation

 Regulatory Calls for Participation

Current Regulatory Related Calls For Participation (Consider making this section a Live list on a wiki)

  • FTC Roundtable (2009-2010) - The US Federal Trade Commission has recently been hosting a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioural advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.
  • European Commission: Public Consultation on Privacy (2009-2010) - The European Union is based on the respect for fundamental rights. Article 8 of the Charter of Fundamental Rights of the European Union expressly recognises the fundamental right to the protection of personal data. In order to remove potential obstacles to the flows of personal data and to ensure a high level of protection within the EU, data protection legislation has been harmonised. The Commission also engages in dialogue with non-EU/EEA countries so as to achieve a high level of protection of individuals when exporting personal data to those countries. It also initiates studies on the development at European and international level of the state of data protection and negotiates international agreements to safeguard the rights of individuals where their personal data are transferred to (shared with) third countries for law enforcement purposes, such as the fight against terrorism and serious crime. (European Commission, 2010b)
  • OECD Roundtables (2010) - Organisation for Economic Co-operation and Development - "2010 is an important year for privacy, as the OECD marks the 30th anniversary of its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Guidelines were the first international statement of the core information privacy principles and have proven highly influential over the years, serving as the basis for national and international privacy instruments. Several events have been planned for 2010, beginning with an OECD Roundtable on the impact of the Privacy Guidelines, which took place on 10 March. The keynote speaker for the event was the Honourable Michael Kirby, who chaired the OECD expert group that developed the Guidelines in 1980. Justice Kirby spoke of the context in which the Guidelines were conceived, their strengths and enduring value, and their future. Justice Kirby was then joined by the former Vice-Chair of the expert group, Louis Joinet, and the former Head of the ICCP Division, Hanspeter Gassmann, who recalled the experience of drafting the Guidelines."
  • EU-US Consultation: (2010) Consultation on the future EU-US international agreement on personal data protection and information sharing for law enforcement purposes (http://ec.europa.eu/justice_home/news/consulting_public/0005/consultation_questionaire_en.pdf and http://ec.europa.eu/justice_home/news/consulting_public/0005/registered_organisations/european_privacy_association_registered_en.pdf)
  • National Strategy for Trusted Identities in Cyberspace (http://www.nstic.ideascale.com/) - The White House and DHS have recently promulgated the National Strategy for Trusted Identities in Cyberspace (NSTIC) in late June, and public comments are due by July 19th. The NSTIC outlines an ambitious identity management strategy for the United States, but public discussion has been extremely limited. The NSTIC is a very significant policy document which may have an impact on Internet commerce, online speech, identity management, identity trust frameworks, and online anonymity. We (the Liberty Coalition, eCitizen Foundation, CDT, and others) are concerned that no meaningful public discussion has occurred. (Email from Aaron)
  • The UK Ministry of Justice has issued a call for evidence on current data protection laws, seeking views on:
      • How the European Data Protection Directive and the UK Data Protection Act are working
      • The impact of data protection on individuals and business, and
      • Whether the Information Commissioner's powers and penalties could be strengthened.

In global cyberspace, legal privacy instruments not only vary among jurisdictions but are also changing and evolving inside jurisdictions. These changes have an impact on public policy.

Legally there is a lot of activity that is changing the policy of organisations internationally. Some examples of this include:

In the UK the Information Commissioner's Office (ICO) has received this year (and is going to receive in the future) greater powers to audit and fine organisations that break privacy regulations. In addition, there are already laws due to be implemented that affect information sharing. In Europe these include the 'Cookie Law' (Parliament, 2009) and in the UK the controversial Digital Economy Bill (Parliament, 2010), which imposes penalties for peer-to-peer file sharing of copyrighted material. This is an online regulation that will attempt to enforce privacy-related public policy for Internet cafes and Internet users in the UK.

The Article 29 Working Party released a report on the 26th of May 2010 revealing that the 3 major search engines (Yahoo, Google and Microsoft) are not compliant with data protection law (i.e. illegal) when managing search query information. "Personal data related to search queries is very sensitive, and search history should be treated as confidential personal data. This legal guidance (also found in FIP principles) indicates that the retention period shouldn't be longer than necessary for the specific purpose. Even if IP address or cookies are replaced by a unique identifier, the individual can still be identified by correlating stored queries." (Article 29 Data Protection Working Party, 2010)

A draft of a Bill that is currently in progress comes from the Council of Europe: The Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Council of Europe, 2009). It is a draft regulation that explicitly deals with quality of consent and profiling, implements regulation, provides a much greater degree of notice to the individual and, therefore, is intended to regulate information sharing transactions. (See section 5.1)

In the USA there are state laws regarding information sharing that have already been passed: Massachusetts regulation 201 CMR 17.00 stipulates that personal information on residents of the state held by any business (in and out of Massachusetts) must be encrypted. In addition, an online privacy bill, announced on May 4 2010 in the USA, proposes new legislation that would require companies to get a user’s explicit approval (that is, it would require users to “opt in”) before they “knowingly collect” information about a person’s medical history, financial records, Social Security number, sexual orientation or precise geographic location. (Ingram, 2010)