
The Privacy Advisor asked leading privacy experts to look into the future. We asked for their hopes, fears, and predictions for privacy in the year 2009. What will be a big development? What would they like to see happen related to privacy in the coming year?

We share their responses to those questions and others here. Turn the pages to hear from Martin Abrams, Ann Cavoukian, Richard Purcell, Christopher Kuner, and many others.


Privacy preferences

Jonathan Zittrain is co-founder and faculty co-director of the Berkman Center for Internet & Society at Harvard Law School. He recently authored The Future of the Internet, and How to Stop It.

I'll make a prediction that's as much aspirational as empirical: we'll see grassroots development of technology built on top of the Internet that allows people implicated by a piece of data (including data offered up by others) to comment on it, express a preference about it, and provide a way to be reached with questions about it. Just as Creative Commons has had a major impact on our ability to share our work but ask for restraint for certain purposes—such as being able to say "you can use this so long as it's for non-commercial purposes"—I hope we'll see ways to express parallel preferences for privacy. "I didn't take this photo of a private moment, but I'm in it, and I'd really prefer that it not be forwarded around." Well before we turn to legal restrictions—whether on individuals or on content aggregators—to protect privacy, we should explore the possibilities offered by architectures that let us express a preference—and give others a chance to respect it.

Europe's year ahead
Christopher Kuner specializes in global data protection law at Hunton & Williams' Brussels office. He was named a "top privacy adviser" by Computerworld and was recently appointed to the European Commission's five-member expert group on data protection that will review the EU Directive.
Europe will enact breach notification requirements at both the EU and national levels. European data protection authorities will be overwhelmed by the number of breaches notified to them.

2009 will be the year of decision for BCRs: either a breakthrough will occur and a number of companies will have their BCRs approved by multiple data protection authorities, or companies will become disenchanted with the lengthy approval procedures and begin to turn their backs on BCRs.

Europe and the U.S. will meet in the middle of the Atlantic on privacy and data protection, i.e., the new Obama administration will seriously consider omnibus federal privacy legislation, and Europe will begin to consider making its data protection law less bureaucratic and more user-friendly.

Look for a story on Christopher Kuner's book, European Data Protection Law: Corporate Regulation and Compliance, in the February issue of the Privacy Advisor.

Biometric encryption, unthinking disclosure, and privacy by design
Trendsetter Ann Cavoukian is serving her second term as Ontario's Information and Privacy Commissioner. In 2007, she was named one of "Canada's Most Powerful Women," receiving the prestigious Top 100 Award.

There will be a steady growth of biometrics and biometric encryption. I predict that there will be a steady growth in the use of biometrics, for purposes unrelated to law enforcement, but this will also be accompanied by at least three deployments involving the use of biometric encryption (BE)—the most privacy-protective rendering of a biometric. The implementation of BE in practical applications will grow significantly in 2009.

Incidents of "unthinking disclosure" will increase. While users of online social networks (OSNs) will become increasingly aware of the need to protect their personal information and the tools at their disposal to do so, their efforts will be thwarted by their friends, colleagues, and associates who unthinkingly post inappropriate "tagged" information to various Web sites. There is a rapidly increasing collection of sites that accept tagged data, ranging from OSNs to geo-spatial sites, to gaming and virtual reality destinations. Technology can only offer limited protections. Capitalizing on the bandwidth most now enjoy, users should be exposed to a brief streaming video as they register for these services, to educate them on the practices they can use to promote greater safety.

Changing the Paradigm from Zero-sum to Positive-sum. As the commissioner of Ontario, I have been trying to change the paradigm—from a zero-sum game to a positive-sum model, with respect to privacy vs. security—I want to get rid of the "vs." I think it is folly to advance the view that technology will invariably "kill" privacy. Instead, we should be embedding privacy into the design specifications of various technologies to ensure its ongoing presence. I call this "Privacy by Design"—a term I developed in the '90s, which will hopefully be witnessed in a growing number of commercial applications in 2009.

Accountability, APEC, Obama, behavioral targeting
2008 Privacy Vanguard award winner Martin Abrams is executive director of the Centre for Information Policy Leadership.

   1. Almost all the initiatives of the Obama administration will generate privacy issues. Therefore, implementing laws and regulations will include language that will place use restrictions on data in the private sector.
   2. Behavioral targeting will generate significant debate in Washington, but a lack of business consensus will make federal legislation doubtful.
   3. A few key states will decide that filling the vacuum on behavioral marketing is a good thing to do and will resist the argument that states shouldn't regulate the Internet.
   4. APEC will join the EU Directive, raising issues on how well the U.S. links to the rest of the world on privacy.
   5. Accountability will be the key phrase in both the discussion of international data flows and domestic privacy compliance. This will raise new questions about what standard organizations should be accountable to.

Things I would like to see happen:

   1. The Obama administration creates an office dedicated to understanding information as an asset and creator of risks, and involves this office in both domestic and international policy discussions.
   2. The discussion in Spain pursuant to the harmonization resolution from Strasbourg focus on the elements that may be harmonized and those that are cultural.

Hear more from Martin Abrams at the IAPP Privacy Summit. He will present the session "Innovative Approaches to Privacy Legislation: Applying a Use-Based Approach," and will also present a two-part session called "It's Time for a New Privacy Framework in the U.S. and Globally."

Cybercrime, Safe Harbor, the FTC, and privacy cutbacks
Larry Ponemon is chairman and founder of the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices.

I believe that privacy officers in financial service organizations will be very busy in 2009 for two reasons:

  • Implementing the new Red Flags rule;
  • Dealing with the aftermath of industry consolidation and the resulting combination of very large databases containing sensitive customer information.

I believe that cyber crime will increase in sophistication, resulting in dangerous data breach events that have a high likelihood of customer or employee harm.

I believe that the new administration will be proactive in advancing its privacy and data protection agenda for both business and government. This new agenda will include a comprehensive federal privacy law concerning data breach notification and consent for third-party data use.

I believe the Federal Trade Commission will expand its efforts in the monitoring of corporate privacy and data protection commitments.

I believe that the U.S. Safe Harbor program will be expanded into a global initiative including APEC nations. I also believe that binding corporate rules (BCR) programs will become better accepted by European data protection authorities, thus making it easier for U.S. multinationals to get program approval.

Despite the increasingly important role of privacy within organizations, I believe corporate financial woes will result in several major companies cutting back on funding privacy initiatives. Some companies might decide to redefine the corporate privacy role by consolidating all data protection activities, including the safeguarding of business confidential documents and intellectual property, under a new function.

The corporate privacy function will ultimately morph into an expanded leadership role that emphasizes the strategic use and governance of corporate information assets. We are starting to see this happen in a few leading organizations.

Privacy enters the mainstream
Privacy trailblazer Lisa Sotto is head of Hunton & Williams' Privacy and Information Management Practice. She was named the "top global privacy expert" by Computerworld in 2007 and 2008.

Privacy is no longer an esoteric topic. It pervades every substantive area and is likely to take on greater significance in the next administration. While privacy will not take a front seat as a topic unto itself, it will be considered at every turn. For example, the appropriate use and protection of data will need to be considered in revamping the healthcare and financial sectors. Of course, data security will continue to be the topic du jour as long as identity thieves continue to steal data and profit from their crimes. I am hoping companies devote more resources to data security, but fear that this is unlikely given the state of the economy.

The Obama administration is likely to take an active role in international privacy discussions. There is a critical need for the U.S. to enhance its standing globally in the data protection arena, and I believe the U.S. government should play a significant role in seeking to harmonize privacy paradigms globally.

Lisa Sotto will present the session "Strategic Information Management: Beyond Personal Information" at the IAPP Privacy Summit in March.

Behavioral advertising
D. Reed Freeman, CIPP, is a partner in Kelley Drye & Warren, LLP's Advertising and Marketing and Privacy and Information Security Practice Groups. He is editor of the IAPP's Privacy Tracker legislative-tracking publication.

2009 will be a watershed year for online behavioral advertising as industry leaders adopt self-regulatory principles that allow for both innovation and appropriate consumer protections.

Hear more from D. Reed Freeman at the IAPP Privacy Summit in March, where he will present the session, "Back to the Future: Old Laws and New Technology."

Canada's privacy scene
David Loukidelis is serving his second six-year term as British Columbia's Information and Privacy Commissioner, where he oversees compliance with the province's Freedom of Information and Protection of Privacy Act and Personal Information Protection Act.

On the Canadian scene, 2009 will bring breach notification laws to some jurisdictions. We will also continue to struggle with inadequate security to protect personal information, for which there is no magic cure. And we may see other changes to better align private sector privacy laws across the country. Last, although I said this about 2008, this year will bring more focus on biometric technologies, certainly in access control systems and similar applications.

Internationally, we'll continue to see efforts to harmonize privacy standards globally, though we can't forget the need to work to make existing laws more effective. We can't forget, in other words, the real, practical challenges of privacy in favour of blue-skying possible global standards.

A call for careful consideration
Zoe Strickland is vice president and chief privacy officer for Wal-Mart Stores and an IAPP Board member.

I fear that policy-makers, in their zeal to "do something," and frustration at not being able to yet figure out what that something is, will start establishing rules or guidance that deviate considerably from existing privacy principles, and in ways that are not workable online or offline. I hope that they are not simply reactive to new technology, or a security event, which could drive these sorts of results, but instead put some careful thought into privacy development, using existing privacy principles as the guide.

Glass half full
Sagi Leizerov, CIPP, is a senior manager in Ernst & Young's Privacy Risk Advisory Services. He serves on the IAPP's Education Advisory Board and the American Institute for Certified Public Accountants' Privacy Task Force.

An issue large organizations will continue to face in 2009 is their ability to understand how the same data, while in the hands of different organizational groups, is accurately identified so that the applicable requirements and obligations can be appropriately applied. My optimistic prediction for 2009 is that organizations will get better in breaking from thinking about their data in silos of systems and processes that have different owners and control requirements. Instead, individuals within organizations will adopt a more common vocabulary of controls that touch on privacy, security, intellectual property protection, records management, financial reporting, ethics, etc., so that the necessary requirements are more likely to be identified and applied over the data.

Hear more from Sagi Leizerov at the IAPP Privacy Summit, where he will present the session, "When a Vendor Loses Your Data: Perspectives from the U.S., UK, and Japan."

The future of privacy from the Future of Privacy
Jules Polonetsky, CIPP, is the co-chairman and director of the Future of Privacy Forum.

Privacy developments will be slow in the U.S. in the first six months of the year, as the new administration and Congress grapple with the economy, healthcare, energy, and the mandate for "change." But once things settle, the latter half of 2009 will be one of the busiest ever for privacy issues. The perceived failure of the financial self-regulatory system and its lack of transparency will make it difficult for industry groups to continue to argue that a hands-off approach is the only way to address the online data ecosystem. Increasingly, robust behavioral targeting activity at Web sites and on smart devices, and the correlation of such data across platforms in combination with a wide range of appended data, will spark continued hearings and legislative activity. Privacy will be one of the areas where Democrats and Republicans find common ground on the need to help drive consumer transparency and control.

At the same time, U.S. companies will increasingly be open to adopting a consumer rights approach to data collection, instead of arguing that just about anything goes as long as there is no harm caused to an individual. The Web 2.0 philosophy of putting users in charge will finally trickle down to companies who realize that privacy, profits, and personalization can co-exist. Innovations such as labeling ads and just-in-time notices will progress to broader efforts to make privacy a feature that makes data use at Web sites obvious, intuitive, and useful to users.

Jules Polonetsky will present during two sessions at the upcoming IAPP Privacy Summit, March 11-13 in Washington, DC: "Identity, Identifiers, and Personal Data" and "Cheers & Jeers: Who is Doing Privacy Right and Who Deserves Detention." He will also participate in the all-new "Privacy Book Club: Understanding Privacy" forum.

Healthcare's horizon
Kirk J. Nahra, CIPP, is a partner with Wiley Rein LLP in Washington, D.C., where he specializes in privacy and information security litigation and counseling for the healthcare industry and others. He chairs the firm's Privacy Practice. Kirk is a former member of the IAPP Board of Directors and is the current editor of the Privacy Advisor newsletter.

While healthcare reform is at the forefront of everyone's mind as we enter 2009, healthcare companies and others who use healthcare information also should be prepared to deal with a significantly different environment for healthcare privacy and security in the year ahead.

Here are a few of the top areas to be paying attention to in the next year.

   1. Healthcare privacy legislation in the new Congress
      After several years of inaction, there were significant movements in 2008 towards new healthcare privacy legislation, driven at least in part by the desire to expand the use of electronic medical records. It looks like there will be a healthcare technology component of the economic stimulus package, and there likely will be new privacy and security obligations tied to the stimulus package. Watch out—these may be very burdensome.
   2. Expanded enforcement of the healthcare privacy and security rules
      There is virtually no doubt that there will be increased enforcement of the current HIPAA rules in the new administration.
   3. Red flags and medical identity theft
      The FTC's "red flags" rule, the last substantial rule remaining from the 2004 passage of the Fair and Accurate Credit Transactions Act (FACTA) law, stands far and away as the most broadly applicable and challenging new privacy regulation on the horizon. Healthcare companies will need to determine whether they meet the definition of "creditors," and will need to focus on the growing problem of medical identity theft.
   4. Controlling access to information
      With security breaches still in the news on an almost daily basis, healthcare companies need to pay particularly close attention to one key security issue—inappropriate access to and use of information by corporate insiders. As data has become more extensive, it is clear that many identity theft cases stem from insider breaches.
   5. Creative state laws involving healthcare information
      The last critical issue for the healthcare industry involves a wild card—the minor trend in several states to restrict the sharing of doctor-focused prescription records. The key issue here is not the impact of this specific category of law, but, more importantly, whether states will use the opportunity presented by this law to impose new restrictions on the use and disclosure of certain kinds of information.

Hear more from Kirk Nahra at the IAPP Privacy Summit in March, where he will present "Wellness Programs: Great for Employees, Great for Employers—But Where Does Privacy Fit in?" and Privacy Professional Bootcamp.

State competition and health breaches
Kirk Herath is associate vice-president, associate general counsel and chief privacy officer for Nationwide Insurance Companies in Columbus, Ohio. He is a past-president of the IAPP.

Political "change" will bring enforcement change, which will mean more privacy and security enforcement actions by regulators at the federal level will spur competition by the states, either with similar or deeper enforcement activities or a race to out-do the feds on the regulatory or legislative fronts, along the lines of Massachusetts. Many states will amend breach notification statutes to include, minimally, health data or information added to the definition of "sensitive" data—like California did in 2008—thereby increasing the number and scope of incidents nationally. Ever mounting "health breaches" will increase the pressure on Congress to pass a comprehensive health data privacy law that, unfortunately, will not amend existing health privacy and security requirements under HIPAA, but will instead add another layer of regulation on affected industries.

Increasing complexity
Richard Purcell is CEO of the Corporate Privacy Group, an independent consulting firm advising Fortune 100 companies on respecting and protecting personal information.

Increasing complexity will be one of the most significant challenges for CPOs and other information managers in 2009. Data flows are rapidly increasing in terms of sources, data types (PII and proprietary), policy governance (jurisdictions of origin, both geographically and data classes), volumes and concerned parties.
Let me break that down a bit:

Sources — online, offline, marketing, sales, retail, events, call centers, vendors, and others contribute data at increasingly rapid rates. How can anyone classify the data properly (this is PII, that is not—this is sensitive, that is not—this is high security, that is not)? Risks are increasing, not decreasing, as we move into 2009.

Data Types — how does one separate the PII data from the proprietary (business confidential)? Is there a "data splitter" that allows us to effectively quarantine information to provide the handling and security procedures effectively? With security breach reporting requirements, we are focused on PII right now, but how many trade secrets are being breached? What if those had to be reported? Are incidents of breaches of business confidential data being reported internally? Does the CEO know what's happening?

Policy governance — we all know that different data is treated in different ways—some is more sensitive than others—some is PII and some is non-PII—who classifies this data? Under what policy has the data been collected? With whom can we share it? How do we know what choice a customer has made for using certain data, but not using other? If data is collected in the U.S. from a citizen of France (a tourist buys an iPhone from an Apple store in Los Angeles, for example), what policy applies? Across the different jurisdictions, does corporate policy actually create a reliable bridge toward compliance?

Volumes — there is more and more data collection all the time—the rate is increasing due to broader online services (Web 2.0 and SaaS (software as a service)) and business consolidation (businesses are acquiring others in this economic crisis) and the cost of storage is decreasing—the effect is more and more data.

Concerned parties — we've moved from a period of using vendors and service providers to one when subsidiaries, partners and affiliates are becoming more involved—who is accountable for appropriate and compliant data governance? Whose reputation suffers? Who do regulators investigate and hold accountable? What could a consumer possibly do to understand the relationships these various entities have with their personal data? Who would a consumer go to for access to their records?

Prediction

Businesses will continue to fail (and flail) in the face of this complexity, and this is directly against their own self-interest. The ongoing failure to protect and respect PII will only invite scrutiny from regulators and legislative momentum for privacy laws that could create serious barriers to business objectives. Those companies that realize this predicament are working toward developing comprehensive information management regimes that consolidate not only privacy and security, but also all corporate activities affecting personal information. Thus, we will see some companies developing broad management changes that recognize that PII is a key business asset requiring effective and purposeful management in the same way they manage intellectual property, trade secrets, and business confidential data. Privacy officers must be involved in these developments in order to advance responsible data governance standards as the processes become consolidated under a broader range of management.

In 2009, we will see this development unfold, though we won't see the creation of a Strategic Information Manager until about 2011.
