By Jessica Caplin and Myriam Denis
In honor of Prof. Stefan A. Riesenfeld, BJIL is presenting an exciting panel discussion today on global developments in privacy law. Panelists will consider topics including privacy law in Brazil, China, and other emerging markets; the sources and norms of comparative privacy law; and the relationship of privacy to security and free expression in the global context.
Our distinguished speakers are:
• Colin Bennett, Professor of Political Science, University of Victoria
• James DeGraw, Partner, Ropes & Gray LLP, San Francisco and Hong Kong
• Michelle Dennedy, Vice President and Chief Privacy Officer, McAfee Inc.
• Danilo Doneda, Professor, Fundação Getúlio Vargas-Rio de Janeiro, and Member, Brazil Ministry of Justice Committee on Electronic Commerce
Moderated by Chris Hoofnagle, Lecturer-in-Residence, Berkeley Law School
12:45–The room is filling up quickly with people wolfing down one of three delicious sandwich options from Gregoire. Everyone is waiting anxiously for the panelists to arrive and the fun to begin. The room still smells vaguely of the property class that came just before this.
12:50–The panel is about to start! A hush falls over the crowd as the panelists try to locate their seats. Lacking: some intro-music, along the lines of Eye of the Tiger.
12:52–Huge thank yous from the BJIL EiCs to the Miller Center at Berkeley Law. Also a reminder that there is a reception at 6:30pm. A huge thank you to the BJIL Symposium team for putting on an incredible event. [Applause].
12:53–Berkeley Law has one of the best privacy faculties in the nation, chief among them our moderator today, who has just taken the podium.
12:57–Moderator Hoofnagle is introducing our panelists, who range from academics, to practitioners, to government employees. They may not necessarily be speaking on behalf of their government or company.
1:00–Hoofnagle: please discuss privacy in Canada (Colin Bennett) and Brazil (Danilo Doneda). Bennett: international organizations currently involved in privacy regulation were established before the internet was invented. It’s not as though new institutions arose to respond to the global internet. Re: Canada–In the late 90s, Canada passed a general data protection law at the federal level as a result of pressure from the EU. US approach has been more pragmatic. Each Canadian privacy law is regulated by a privacy commissioner, which is typically an outside agency. These institutions do not have clear equivalents in the United States, but they like to consider themselves ombudsmen. In this way, people know where to go when they have a privacy complaint.
1:03–Hoofnagle: what specific rights could a Canadian citizen invoke? Bennett: there’s been a convergence and harmonization of basic principles–right to legal process, obligations of organizations to keep information secure. But, there are differences in terms of enforcement and appointment of a “supervisory authority” whose role is solely privacy protection. In the United States, the regulation of privacy protection is shared among several agencies. The Canadian system gives an identity to privacy regulation, which is an advantage.
1:05–Hoofnagle: Doneda, can you address privacy in Brazil? Doneda: Brazil has not enacted a general privacy protection law, though 103 countries had done so as of last May. Freedom of Brazilian privacy system is developed based in part on US consumer protection laws. Brazil’s current system is not enough to protect citizens and enterprise. Brazilian government is working on a data protection bill that has been in the works for at least three years, but it is difficult to predict what will happen to this bill in Parliament. Brazilian law is aligned with a European continental law system, so it cannot deviate far from European data protection law frameworks. Thus, the US model is not applicable to Brazil.
1:11–Hoofnagle: Let’s talk to our domestic guests and talk about what the Snowden leaks mean. In some sense, the leaks were great for the privacy community, because there has been more attention and interest. Dennedy: McAfee and Intel are in a very interesting position as it comes to “Crazy Eddy,” as I like to call him. My personal opinion is “Enjoy your borscht, sir.”
But in all seriousness, McAfee is a wholly owned subsidiary of Intel with a very tight relationship with our parent company. Security involves “not big data, but ginormous data,” and you end up getting closer and closer to monitoring and surveillance. Snowden broke many, many laws and many, many honor codes. It is not fully clear how much metadata he actually saw. As a Chief Privacy Officer and legal counsel, I have to make sure how ethical principles are built into the services McAfee offers. When you realize the amount of data being shared among international agencies, you have to go back to the US Patriot Act. Whenever there’s a law that only has two people dissenting, you can assume that it’s a terrible law enacted out of panic. Information targeting human beings can be incredibly helpful and lifesaving, but, the underbelly of that is squashing our rights of free speech and making journalists afraid to out men like Snowden.
1:19–DeGraw: Snowden’s revelations have had a fairly significant impact. I represent companies in China, and it has changed the conversation a fair amount. When you’re trying to have a Chinese company and a US company share data, you have to consider whether a government for either country will have a backdoor into the system. This includes hardware and software. In the last few years, it has become really easy to do deals with China, because post-Snowden, the attitude is, “well, your government is just as bad as my government.” The flip side is, here in the United States, there are companies that want to cooperate with law enforcement, and those companies are having great difficulty working with tech companies who view them as essentially state actors.
1:22–How are you handling objections from international partners who don’t want the data in the US or who don’t trust a US AV company?
Dennedy: I wrote a book! [She wrote it with her dad, which is awesome]. We all knew that a Snowden-like revelation was coming. There’s an idea of privacy-by-design–you can’t disclaim away bad practices. DeGraw: We have to be cognizant of all the same issues. You need to prep a client beforehand and tell them what the issues are. There must be a deep conversation between the engineers on both sides and discuss the government’s model for each nation. How do you handle the legal and PR issues?
1:30–Hoofnagle: I’m hearing words like “blowback” and scrimmage. What does this mean for Canada and Brazil? Bennett: Regarding Snowden, for as long as I can remember, people have been saying that what this movement needs is a Chernobyl. Whatever you think about Snowden’s decisions, and we’ll be debating them for a very long time, the revelations he has presented have been the most important development in privacy in a very long time. He has exposed some activities that are staggering. And I cannot remember a time when there has been such sustained focus on privacy and the right of citizens. We have Snowden to thank for that. In terms of implications for Canada, because we are implicated for that as part of the FVEYs, there has been much debate about government accountability and whether or not the adequacy regime Canada now enjoys can be sustained. Perhaps we’ll have to change some of our laws. There has also been debate and a string of bills about data retention. Things are definitely happening, and they wouldn’t have happened but for “Crazy Eddy.”
1:34–Hoofnagle: everyone is pointing fingers at NSA, but NSA can turn around and say, “look at GCHQ, CSIS, the Dutch…” Bennett: Under Canadian law, there is no question that metadata is personal data, so there will be reform. The question is how radical that reform will be.
1:36–Hoofnagle: Doneda, can you reflect on the Brazilian reaction to the Snowden leaks? Doneda: the revelations have had both a good and bad impact. Brazil’s reactions were among the strongest in the world. Privacy protection became an issue with preeminence in the public agenda. But, the discussion has been on protection and privacy of the state, not the citizens. Among the Brazilian reactions, there is a bill being discussed in Brazilian Congress–the “Internet Civil Rights Framework.” The idea is to make permanent such principles as internet neutrality and mandatory data protection.
1:40–Hoofnagle: let’s talk about localization. Should data have to stay within a nation’s walls (i.e., should Google France keep its data in France)? Ten years ago people wanted to put their data in a “data haven” to protect it from law enforcement.
Doneda: In my opinion, internet traffic travels all over the world, regardless of where the centers are.
DeGraw: Localization is a blunt instrument that will lead to incredibly increased cost to big and small companies and will tamp down growth of internet companies. On a political stance, think of how easy it was for Egypt to turn off the internet during times of unrest.
Dennedy: All these comments today are “Dennedy” not McAfee! The cost issue is really interesting in cloud computing. Amazon still loses money. Google wouldn’t be able to sustain the cloud without ads. It would be great to be in a world where privacy trumps tax, cost, employment concerns. But, engineering talent is rare and precious and you get it where you can. We also need to be thinking more about satellites and technology, because it’s as important for growth as the Silk Road was.
Bennett: two crucial models: 1) Data Export Control Model–jurisdiction-to-jurisdiction approach. Europeans are not the only ones who’ve included these provisions. 2) Canadian Model: An organization that outsources data processing to wherever is responsible for ensuring the organization processing that data abides by provisions of Canadian law. This approach is very messy and complicated.
1:55–Someone makes a joke about Berkeley and rainbows
1:56–Question from the audience! What is the current state of affairs in terms of UN involvement in privacy?
Doneda: UN in this arena mostly cares about jurisdiction about human rights. Most discussions are dubious about localization and there is a doubt about instruments to make human rights apply all over the world.