My Notes from the IAPP Global Privacy Summit 2010

As some of you know, I tweeted my notes from the IAPP Global Privacy Summit 2010 yesterday and today (@Forsheit for those of you on Twitter).  Since many of our readers are not on Twitter, I thought I would provide you with those notes here (minus the usual Twitter hashtags and abbreviations).  Please note that there were multiple sessions, and this reflects only those I was able to attend, and only the information I could quickly record, putting virtual pen to paper.  These are not direct quotes, unless specifically designated as such.  Overall, I think it was a great conference, a wonderful opportunity to reconnect with other lawyers and privacy professionals, and to meet students, lawyers, and others looking to learn more about this constantly evolving legal and compliance space.  For me, the conference highlight was Viktor Mayer-Schonberger's keynote this morning on The Virtue of Forgetting in the Digital Age.  Without further ado, here are my notes.  Would love to hear your thoughts/reactions.

Day One, April 20

  • General Session - Keynote by Dan Ariely [author of Predictably Irrational: The Hidden Forces That Shape Our Decisions] - fascinating; our intuition tends to be wrong, we behave irrationally, and it is not always about free will

Tweets, Blogging and Buzz: Protecting Your Company from Privacy Risks When Using Social Media in Marketing, Advertising, and Promotions (Kimberly Cilke, Assistant General Counsel, The Go Daddy Group, Inc.)

  • Tweeting from session on Tweets, Blogging and Buzz (Privacy Risks)-what happens if you tweet about tweeting? :-)
  • Issues in social media-COPPA, ECPA, VPPA, TCPA, etc. Usual alphabet soup of privacy
  • COPPA issue re social media-what if Facebook user's profile discloses age-charged with knowledge? Cilke of GoDaddy says "not sure"
  • Tweetspam-do direct messages create CAN-SPAM problem if user opted out from company email? Consider Twitter TOS; also public relations issue
  • Social network hosts also need to consider EU law-Article 29 Opinion on Online Social Networking, recent Google convictions
  • Every company needs an internal social media policy, even if not using social media for business (employees ARE using social media)
  • Data security policies, records retention policies, and litigation holds, all need to be updated to address social media
  • Need training, audits, for social media policies
  • And, of course, remember to tell employees they have no expectation of privacy when using social media on company systems
  • No time to scratch surface of issues re targeted advertising using social media profiles-hopefully another panel will address

Legislative Update (Stu Ingis and Congressional Staffers)

  • Federal legislation update-need for transparency and choice (opt-out v opt-in)
  • Will it be comprehensive privacy bill including behavioral marketing? How would that work?
  • Senior government leader [not on panel] told Stu Ingis (re consent to third party transfers)-"third party is the world wide web". Is that realistic?
  • Panel says Rep. Boucher likely to circulate discussion draft of privacy bill
  • Panel says there will be opportunity for industry input and public hearing(s) on Rep. Boucher draft online privacy bill

The New EU Cookie Consent Law:  What is Your Strategy?  (Justin Weiss, International Privacy Director, Yahoo!, and Miriam Wugmeister, Morrison & Foerster)

  • Interesting-most at IAPP Summit are tweeting about anonymization panel with Paul Ohm. Not me, listening to panel on EU cookie consent
  • Panel says "consent" required by new EU eprivacy directive not specific as to traditional "opt-in"
  • Recital 66 of new EU eprivacy directive says consent can be expressed with appropriate browser settings
  • Unclear what meant by consent under new EU eprivacy directive-something more than notice and means to disable cookies
  • How will EU member states implement "cookie consent" aspects of new eprivacy directive? 1st party v. 3rd party cookies?
  • Much data collected by cookies not personally identifiable (PII)-so why is EU cookie consent being played out as privacy?
  • Opportunity for industry to educate regulators on cookie consent (technology) while EU members implementing (until 5/2011)

Exploring the Big Issues in U.S. Federal Privacy Legislation (Michael Hintze, Associate General Counsel, Microsoft, and Ari Schwartz, Vice President and Chief Operating Officer, Center for Democracy and Technology)

  • No more notice and consent in new federal legislation
  • Will focus in new federal legislation be on collection or use? Really talking about use restrictions now
  • How will "third party" be defined for purposes of federal privacy legislation? Strangers, affiliates, etc.?
  • Will sensitive data be covered by federal privacy legislation? What is sensitive? Health/medical, children, location?
  • Compliance-companies have already invested a lot-law incorporating existing Fair Information Practices won't necessarily have much new cost
  • Should cost of compliance with US federal privacy legislation be tied to amount of personally identifiable information handled by company? Risk-based?

Facilitated Networking Session:  Data Breach Risks and the HITECH Act:  Best Practices for Risk Assessments, Notification and Compliance (Rick Kam, President & Co-founder, ID Experts, and Kirk Nahra, Partner, Wiley Rein LLP)

  • Who should do risk assessment-business associate or covered entity?  What do you think?
  • There will be more HITECH/HIPAA enforcement. Wildcard=State AGs
  • Loss of info re "shoe size" will never result in significant risk of harm

Day Two, April 21

  • Keynote - Viktor Mayer-Schonberger [author of Delete:  The Virtue of Forgetting in the Digital Age]
    • Do we really know every time information about us is collected, stored, accessed, etc., online?
    • Forgetting was always the default - time - but we have moved from biological forgetting to digital remembering
    • Today remembering is the default and forgetting is the exception - what is at stake? Power and time
    • Bentham's Panopticon- behavioral modification-threat of permanent surveillance-today, temporal panopticon
    • Perfect digital memory denies us the ability to change, evolve, forgive
    • Solution to digital remembering? Privacy rights? Information ecology? Digital abstinence? Full contextualization?
    • Mayer-Schonberger likes solution of cognitive adjustment - but psychologists say would take too long
    • Privacy DRM? Irony of permanent surveillance to ensure ability to forget.
    • Mayer-Schonberger wants to reintroduce forgetting - expiration dates for information
    • "Let us remember to forget"
  • Keynote - Scott Charney [Corporate Vice President, Trustworthy Computing, Microsoft]
    • System of authentication on the Internet is dysfunctional
    • Cloud computing-what is new? "Dynamic resource allocation and elasticity." So, my friends, is he right?
    • Identity and privacy will be "huge" in cloud computing due to data aggregation. Is everybody listening here?
    • Cloud computing changes balance of power between individual & State. What about balance between data owner & cloud provider?
    • Correct question to ask is do we want accountability and anonymity in a particular activity on the Internet

From Notice to Awareness:  Consumer Education and Behavioral Advertising (Charles Curran, Executive Director and General Counsel, Network Advertising Initiative; Douglas Miller, Executive Director, Consumer Advocacy and Privacy, AOL; Jules Polonetsky, Co-Chairman and Director, Future of Privacy Forum; and Anne Toth, Vice President, Global Policy and Head of Privacy, Yahoo!)

  • Toth on privacy notices and behavioral advertising-interstitial, notice with ad, not in privacy policy
  • Yahoo! privacy notices "CLEAR Ad" at the ad network level. Convey info-relevant and contextual where the ad is delivered
  • Curran-online behavioral advertising self-regulation-simplicity for consumer, but metadata-provides comprehensive information
  • Polonetsky-Future of Privacy Forum-half industry, half privacy advocates
  • Polonetsky-online behavioral advertising-most CPOs in business of responsible use of information, not "privacy"
  • Polonetsky discussing research on use of icon/symbol for privacy notice - eye symbol
  • Question, online behavioral advertising panel-will icon approach eventually be used for all privacy notices? They hope so
  • Debate-benefits/downside of standardization of privacy notice icon-metadata open, consistency-but discouraging innovation?
  • Interesting discussion- potential for privacy notice "icon-spam". Response- providing information better than status quo (nothing)
  • Polonetsky-Privacy notice icon - like recycling icon
  • Toth-Tell consumers what is going on, transparency- they will appreciate it, won't opt-out in droves. Excellent point!

Controllers, Processors and Sub-processors, Oh My! Managing Evolving Relationships in the Cloud (Stephen Bolinger, Attorney, Microsoft)

  • Managing evolving relationships in cloud computing. First joke alluding to volcanic ash as cloud
  • Presentation's sole focus, it turns out, is EU data protection legal landscape, not US
  • Is cloud provider co-controller or processor? "Margin of maneuver"
  • All about how Microsoft as cloud provider wants to remain data processor
  • Microsoft ("Clouds R Us" [in Bolinger hypothetical]) tells customer about security policies, but makes customer agree those are its instructions

Parting Thought

  • The IAPP Global Privacy Summit 2010 was fantastic. Great to see my privacy friends. Hope to see all on the west coast [Santa Clara] at Practical Privacy in June [14-15]! [I will be speaking on Security Considerations for Cloud Computing] Travel safe!