These notes are from a panel discussion session at the American Bar Association 2011 conference in Toronto on Saturday, August 6, 2011. Panelists included Dr. Paolo Balboni, Director, European Privacy Association, Milan, Italy; the Honorable Julie Brill, Commissioner, Federal Trade Commission, Washington, DC; Stuart Ingis, Venable LLP, Washington, DC; and Jennifer Stoddart, Privacy Commissioner of Canada, Ottawa, Canada. The session was moderated by Saira Nayak, Nayak Strategies, Redmond, WA. Note: these are my selected notes from this session; any inaccuracies or omissions are my own. I welcome your comments and follow-up thoughts!
Can Self Regulation help?
Is Self Regulation really a part of a framework?
Key elements of Self Regulation:
- clear & consistent standards
- accountability – internal and external
- organizations should be accountable (found in APEC, European, OECD and PIPEDA frameworks)
- CIPL (Centre for Information Policy Leadership) also identified accountability as important
- accountability agents and third party audits
- individual user access
- Safe Harbor provisions used to incentivize
- consumer education
Self Regulatory Organizations
- e.g. cinematic content, children's advertising, online advertising in the US
Co Regulatory Organizations
- e.g. online advertising in Europe
Stuart Ingis on OBA (Online Behavioral Advertising) Notice and Choice
Digital Advertising Alliance (DAA)
- website: AboutAds.info
- self regulatory program for online behavioural advertising
- principles released in July 2009 – 50 page document > Self-Regulatory Principles for Online Behavioral Advertising
- advertising option icon > the icon indicates adherence to the Principles > consumers can click on icon to view clear disclosure statement; an easy-to-use opt-out mechanism
- icon used in ad notices; for example: Dawn and American Express Rewards Gold card
- a lot of publishers and advertisers are putting notices and icon in footers
- DAA consumer choice mechanism – www.AboutAds.info – self-populates, you should go there if you haven't
- CBBB (Council of Better Business Bureaus) and DMA (Direct Marketing Association) have complementary accountability programs
Dr. Paolo Balboni on Trust Marks
- have been put into place to help with Self Regulation
- Action 17 EU Digital Agenda
- Art. 29 Working Party Opinion 3/2010 [pdf]
- companies started to see compliance with privacy and data protection as an asset to sell their services and products. Favourable to proving compliance of such trustmarks
- Commission is going to evaluate whether to use trustmarks
- certificates in general could be a valuable way to support accountability. Steps: privacy assessment; implementation option; getting a trustmark to make a consumer see a company is compliant
- trustmark is a label that allows consumers to recognize if they can trust a website
- Trustmark Organizations (TMOs): e.g. Trusted Shops (strong in Germany, France and UK but not yet pan-European), Thuiswinkel Waarborg (very local; very strong in The Netherlands; a consumer association of Holland is behind it), TRUSTe (he has been critical of this company but they have improved; they are very strong in the United States and well-positioned in Europe; looking into the European market).
- active monitoring of compliance is key
- The Commission is looking for pan-European trustmark to allow for cross-border use.
Q. Your general view of Self Regulation and other model schemes
Commissioner Stoddart: Yes, there is a role for Self Regulation in every modern economy. Cannot have compliance with the law unless there is an attempt at self compliance. However, in Canada they have not taken the position that Self Regulation is enough. They have passed a law covering consumer protection of data. It is written in a very general way and they try to interpret it flexibly.
Commissioner Brill: Self Regulatory frameworks are important. Is it sufficient? There have to be some key elements for Self Regulation to be enough. There ought to be some kind of compliance monitoring and real consequences if there is no compliance. It needs to keep pace with technology. Self Regulation might be more facile and hold more promise for keeping up with technology. Set up a mechanism for consumers to interact with it; it needs to avoid technological loopholes. It needs to take into account sensitive information in a self regulatory regime.
Q from audience: De-regulation in an industry such as the airline industry; how do you get people to buy in if the underlying structure is entrepreneurial?
Ingis: There is government oversight; government puts pressure on the business industry to self regulate. Every industry is different. In the advertising and marketing world, sometimes regulation is backed up with legislation, sometimes not. If you compared these areas with those with just legislation, you would probably see more compliance with Self Regulation.
Commissioner Stoddart: Back in 1995 the average consumer could understand what was going on in the advertising world; today the average consumer does not know what is going on with the technology when they click on advertising. The ability to take advantage of the trail of information is extraordinary. When Microsoft set up the 8.0 browser they wanted an opt out feature, an opt out feature that has to be refreshed. These are new features of the digital world; as regulatory bodies, they need to have an understanding.
Ingis: Doesn't jump to the conclusion that Self Regulation doesn't work. Need education and transparency. Some views are cultural, some related to demographics (e.g. age). Benefits outweigh the concerns, as long as protection is in place. Wall Street Journal stories about the Microsoft browser may have been embellished. Microsoft was going to have a feature to allow for ad blocking; did not have it as a default. It has been characterized in a way that is not as accurate as it should be.
Q: Co-regulatory scheme by both government and industry to make this work?
Dr. Balboni: The European Commission – EU is recommending an accreditation scheme for third parties providing trustmarks. Say there is no compliance with privacy and data protection by the advertising industry, both parties can accept the risk (the advertisers and the consumer). Now the government is putting Self Regulation in place; he thinks this is a good idea. Better to have Self Regulation, then the industry is more likely to comply with it.
Commissioner Brill: When does Self Regulation work best, should it be part of Co Regulation? Yes. What does it require? Difficult to talk about it in the abstract. In the US, they have identified by statute certain areas that need regulation e.g. credit reports, health information, online children's information, financial information under the GLB. What about geolocation information? Facial recognition? Is self-regulatory model enough to address these sensitive areas? Data brokers who may not be traditional credit reporting agencies may fall under this regulatory area. At its best, it is an iterative process. Where are the areas of sensitive process? They put out reports identifying the issues; industry is clearly reading the reports.
Commissioner Stoddart: In the last 10 years, the emergence of the concept of trustmark used outside of North America has seen them reimported back through the Asian world. At the same time, many of the countries that use trustmarks (e.g. Mexico), see an increasing pattern to co-regulation.
Q: What is the current program around OBA (online behavioral advertising)? How is the program doing? Are consumers aware somebody is tracking them? Are companies competing to show they are protecting data?
Ingis: There is not some deadline to be hit; people are supposed to be compliant now with the IAB's (Interactive Advertising Bureau's) part of its code. Progress was strong at first behind the scenes, not public. There is a finite number of actors, expected to decrease with consolidation. They have had good progress, and a further call from the Commission to do more. They have undertaken to look to see if they can put walls around all data protection.
Q from audience: Finite number of actors but multiple levels of regulation?
Ingis: it benefits everybody if there is more uniformity
Q: How much should regulators work together? Are there discussions going on?
Commissioner Brill: Yes. They have not enacted a comprehensive FIPPs (Fair Information Practice Principles) law but have a UDAP (Unfair and Deceptive Acts and Practices) law. Europe is undergoing a similar process. Canada is also looking at it; they have adapted concepts born in Canada. All are responding to things happening in industry. There are organizational, institutional and structural ways they are working together: e.g. OECD principles, APEC. Also GPEN (Global Privacy Enforcement Network).
Commissioner Stoddart: US leadership is very important in developing networks of data protection. There are also standards around fairness of information and protection of data. There is also European Adequacy status - abiding by those principles when exporting information from that country. Canada was the first to be granted it; it has also been granted to some other countries. This brings a more practical application to the table rather than formalities around data protection.
Q from audience: Recent US Supreme Court Sorrell case – prescription information from pharmacies – strong First Amendment principles in the US; other countries have equivalents and some don't; some have approached similar principles in a different way. How do you get a uniform system when principles are so different? How is that going to get balanced?
Commissioner Brill: the statute was an omnibus statute addressing prescriptions. In the language that the SCOTUS majority decision focused on, it is hard for the justices to figure out what the state was intending with the statute. The decision is fairly sweeping but not the "death knell" for US regulators. She does not think the ability to regulate data brokers will be affected. The First Amendment does make the US different, but she is not sure how different it makes them.
Commissioner Stoddart: Coming out of international debate, it is showing how uniform regulation might take place. No one is thinking they are going to use somebody else's model; but there is a lot of willingness to be flexible to retain your own approach to make it compatible with the continuous flow of data.
Q from audience: the definition of personal information (PII) – Canada interprets it more broadly.
Commissioner Brill: U.S. state regulation around PII came out at a time before this was an issue.
Nayak: Almost anything could be considered PII if in the right context; take a piece of information that is not considered private and combine it with another piece of information, and it might be considered PII.
Dr. Balboni: Europe's definition of PII is very broad. In Europe there is an attitude that their model will be exported to the world; when they look at the US or other countries, they see it as poor. This is too bad. E.g. cloud computing – need data protection.
Q: Accountability – is there a role for accountability agents or third parties to certify compliance of companies and the patchwork that will result from the regulation across the countries?
Commissioner Stoddart: In both the Google wifi and Staples investigations they asked for practical enforcement ideas; took a page out of the US Federal Trade Commission's book. On accountability generally, the idea that government regulatory agencies could delegate to third party accountability agencies, if structured correctly, could be interesting.
Commissioner Brill: In the Google Buzz settlement the FTC required third party audits – information was made public in a way that consumers didn't understand or expect would have been made public.
Q from Commissioner Stoddart: How do you go after those who are flying under the radar?
Ingis: This can be one of the strengths of self regulation if done right; bigger companies helping to do it in a forum in which they are comfortable. Larger companies were the first ones to step forward and they are seeing the rest of the ecosystem coming into play. Violators are coming forward and some haven't even heard of the program in industries in which they are active.
Q: Consumers are supposedly going to benefit; seeing a lot of renewed calls for access. Britain: MyData program. What is the role of Self Regulation here, can it define a framework for access?
Dr. Balboni: will be reflected in a new version of the European Data Protection protocol. Europe has some experience in this area of "privacy by design" or "privacy by default" – point at which access should be given to end users. Look at a way to build privacy by design to empower the user and give access to the data the company will have. The perception of personal data is changing in consumers.
Commissioner Brill: The access question is incredibly important; there was not enough time to cover it today. In the US they give consumers the right to access their credit reports because the consumer needs to be able to correct them so they are not denied rights if inaccurate. Regulation around the data broker industry is important. Practical obscurity: consumers do not know who is collecting data on them. Important role by the CDIA (Consumer Data Industry Association) and other organizations could play a Self Regulatory role.
Commissioner Stoddart: Access to information has been a right for Canadian citizens over the last 10 years. It is the status quo.