Privacy, Drones, and IoT
Laura Vivet, Lawyer, CIPP/E/US
June 2016
What is Privacy?
Different Meanings & Regulations Worldwide
Map legend:
• Has omnibus data protection law
• Omnibus law in process
• No law, or sectorial coverage only
Privacy in the United States
1. Sectorial approach
2. “Right to be left alone”
3. Multiple definitions of personal data or sensitive data, found in:
• Common law
• Federal and state laws
• FTC consent decrees (unfair and deceptive practices)
Common Law: Kyllo v. United States
Federal & State Laws

| Law | What is covered? | Risk |
|---|---|---|
| FCRA | Applies to CRAs; limits the use of consumer reports; protects consumer reports (any information pertaining to 7 factors) | Civil/criminal penalties; damages; private right of action |
| COPPA | Operators of commercial websites/online services directed to children under 13; places parents in control; PII = name, SSN, video, audio, geolocation, cookies, etc. | Civil penalties (up to $16,000 per violation); damages; reputation |
| GLBA | Applies to domestic financial institutions; addresses privacy & security; NPI | Civil penalties up to $1.1M; private right of action in some states |
| HIPAA | Covers health-related entities; protects health information; PHI | Civil/criminal penalties; fines up to $250,000 |
FTC consent decrees
• Unfair acts and deceptive practices
• PII/sensitive information: name, etc.; consumer data linked to a specific consumer, computer or device; live feeds
• RISK: up to $100 M. Other requirements: security measures, training programs, disclosures, etc.
Privacy in Europe
• Comprehensive approach
• Fundamental right (Art. 8 CFR)
• Directive 95/46/EC → GDPR
• Enforcement: independent DPA in each MS
• Other privacy provisions: e-commerce, telecommunications, health information
• “Personal data”: broad definition
• Applies to any entity, public or private
• Processing of PD → anything!
• Extraterritorial scope → applicable outside the EU!
• Exceptions
• RISK: up to €20 M or 4% of total worldwide annual turnover
United States ≠ Europe
In Europe everything is forbidden unless allowed.
In the United States everything is allowed unless forbidden.
Privacy in Canada
• Between US and EU
• Co-regulatory framework
• “Personal data”: broad definition
• Public sector → Privacy Act
• Private sector → PIPEDA (+ AL, BC, QB)
• Enforcement: independent DPAs
• Statutory torts, anti-spam, criminal code, etc.
RISK
• 2015: penalties $17,800
• Data breach: < $100,000
• Anti-spam: civil/criminal, < $10M
Drones
Drones & Privacy in the United States
Key concepts: “Reasonable expectation of privacy” and the limits of “private property”
No federal law addresses privacy
Tools:
• Common law
• State & local regulations
• Voluntary best practices for UAS
Common Law: Causby v. United States
State & Local Regulations (some examples)

| State | Example |
|---|---|
| California | Responds to the use of UAS by the paparazzi |
| Florida | Protects against surveillance activities |
| Arkansas | Prohibits the use of UAS to commit voyeurism |
| New Hampshire | Video surveillance of citizens who are lawfully hunting, fishing or trapping |
Voluntary Best Practices UAS
• NTIA Multistakeholder Process (May 18, 2016)
  • Commercial and private
  • Private industry and privacy advocates
  • Privacy and security
• US DHS Best Practices in UAS Programs (December 18, 2015)
  • DHS and local, state and federal government
  • Privacy and security
Drones & Privacy by Design
Drones and Privacy in the EU

| Law | What is covered? | Risk |
|---|---|---|
| GDPR | Commercial operations; government operations (except outside the scope of Union law) | Up to €20 M or 4% of total worldwide annual turnover |
| Member States' laws | Household activity (hobbyists); freedom of expression and information; outside the scope of Union law: public security, defense | Civil/criminal penalties; damages |
The Internet of Things (IoT)
Internet of Things Risk
IoT creates 3 kinds of risk:
• Malfunction
• Hacking
• Privacy and security can create economic harm
Factors that shape the risk equation:
• Vulnerability
• Intent
• Consequences
Metrics to assess IoT risk:
• Value and sensitivity of the data
• Criticality of a function
• Scalability of failure
Minimize Risks for the IoT
Measures:
• Autonomy
• Authentication and encryption
• Differentiate important vs unimportant and define criticality
• Consider failure
• Critical systems not linked to the internet
Problems:
• Limited ability to patch & update software
• Management difficulties
• Limited computing resources on IoT devices
• Cost and complexity
• Wireless
Risk is dynamic: it will be greatest for the 1st generation of IoT devices.
Identify and minimize privacy risks
Privacy Impact Assessment
General steps:
1. Describe the project
2. Describe the information lifecycle
3. Identify privacy and related risks
4. Identify and evaluate privacy solutions
5. Integrate PIA solutions into the project plan
References
Daniel Solove, “Privacy Law Fundamentals”, IAPP, 2013. https://iapp.org/news/a/iapp-books/
DLA Piper, “Data Protection Laws of the World”, June 28, 2016. https://www.dlapiperdataprotection.com/#handbook/world-map-section
Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change”, FTC Report, March 2012. https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf
European Charter of Fundamental Rights. http://www.europarl.europa.eu/charter/pdf/text_en.pdf
General Data Protection Regulation (GDPR). http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
NCSL, “Current Unmanned Aircraft State Law Landscape”. http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx
Department of Homeland Security, “Best Practices for Protecting Privacy, Civil Rights & Civil Liberties in Unmanned Aircraft Systems Programs”, online. https://www.dhs.gov/sites/default/files/publications/UAS%20Best%20Practices.pdf
NTIA, “Multistakeholder Process: Unmanned Aircraft Systems” (commercial and private UAS). https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-unmanned-aircraft-systems
James Andrew Lewis, “Managing Risk for the Internet of Things”, CSIS, February 2016. https://www.csis.org/analysis/managing-risk-internet-things
Michael Garcia, Naomi Lefkovitz, Suzanne Lightman, “Privacy Risk Management for Federal Information Systems”, NIST (draft NISTIR 8062), May 2015. http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf
OMB, M-03-22, “Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002”. https://www.whitehouse.gov/omb/memoranda_m03-22
Government of Canada, “Privacy Impact Assessment”. http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18308
Art. 29 WP, “Opinion 7/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems”. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp209_en.pdf
ICO (UK), “Privacy Impact Assessment Code of Practice”, online. https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
References (slide images)
Map of Israelite camp: http://emp.byui.edu/satterfieldb/Tabernacle/TabernacleCampIsrael.html
Different meanings and regulations worldwide: https://iapp.org
FTC and TrendNet settle claim over hacked security cameras, CNET: http://www.cnet.com/news/ftc-and-trendnet-settle-claim-over-hacked-security-cameras/
Drones: http://www.suasnews.com/2014/10/drones-fly-into-south-park-episode/
Common Law: Causby v. United States: http://www.thehappychickencoop.com/a-history-of-chickens/
Drones and PbD: http://www.dezeen.com/2014/10/30/ambulance-drone-alec-momont-emergency-uav-tu-delft/
Internet of Things: http://www.computerweekly.com/news/4500260406/Top-10-internet-of-things-stories-of-2015
Risk is dynamic, it will be greatest for the first generation of IoT devices: http://blog.orbitahealth.com/bebaio/8-iot-cartoons-that-will-add-some-humor-to-your-day