Зустріч в рамках Комітету АПУ з питань телекомунікацій, інформаційних технологій та Інтернету з юристом з США Патріком М. Беллом щодо обговорення питань конфіденційності та безпеки даних, 26.07.2017, м.Київ

1. Data Privacy and Security in
the Digital Age: the Battle for
Balance
Patrick Bell
Ukrainian Bar Association
Kiev, Ukraine
July 2017

2. Why is Data Privacy and Security in the
Digital Era Important?
• Personal data collection and security are among the most salient
privacy issues at stake today.
• The amount of data created in just the last two years is more than all
data created before.
• The amount of data being created and stored is growing
exponentially.
• One estimate is that 1.7 megabytes of information is being created every
second

3. Importance cont’d
• This is not just funny cat videos of pictures of your vacation either
• Your most personal information including medical history and the
most intimate details of you and your family’s life are being stored in
cloud based servers that are located around the planet.
• In fact the largest data storage center on the planet, the Range
International Information hub is located in Langfang, China.
• At 6.3 Million square feet it is larger than the next four largest data centers
which are all located in the US.

4. Importance cont’d
• This concern is not a benign one either as Big Data companies have
been repeatedly fined for violations of data security and privacy
violations
• This is true regardless of wherever you live
• For example Apple was fined $32.5 Million, Google fined $22.5 Million in
2012 and $17 Million in 2013 by the US Federal Trade Commission and
Facebook was recently fined $164,000 in France in 2017 for violating privacy
rules.
• At the forefront of the fight is a battle to balance the rights of three
groups: individuals, corporations and governments
• This is also true in terms of the legal battle raging around the world, be
it in Europe or the United States over “safe harbor” regulations

5. US Law Perspective
• Unlike our European Counterparts US Data Privacy and Security is
approach from a slightly different perspective.
• Certain groups are seen as being vulnerable populations and thus in
need of increased protection.
• Emblematic of these groups are those are not able to give informed
consent to release of their personally identifying information (PII)
• One such group that has received special attention are children.
Especially those age under age 13.

6. Statutory Basis
• Statutorily the basis for this protection exists in the Children’s Online
Privacy Protection Act ( COPPA ) (15 U.S.C. § 6501, et seq.)
• COPPA was enacted and signed into law by President Bill Clinton on
October 21, 1998
• The act provides four bases for this protection including:

7. Statutory Basis cont’d
(1) To enhance parental involvement in a child’s online activities in
order to protect the privacy of children in the online environment
(2) to help protect the safety of children in online fora such as chat
rooms, homepages, and pen-pal services in which children may make
public postings of identifying information
(3) to maintain the security of children’s personal information collected
online; and
(4) to limit the collection of personal information from children without
parental consent

8. Critical Sections of COPPA
• In this regard the critical sections of COPPA are § § 1303 and 1305 which
provides a prohibition and prosecution authority respectively
• Specifically:
• § 1303 prohibits “unfair and deceptive acts and practices in connection with
the collection and use of personal information from and about children on
the Internet”
• § 1303(b) provides a series of 5 requirements designed to enhance privacy
and mandates parental notification be given by sites who collect children’s
information and;
• § 1305 provides prosecutorial discretion for States’ Attorney’s General to
file actions in Federal Court

9. COPPA Rule
• To implement COPPA a federal rule, the Children’s Online Privacy
Protection Rule was introduced at 16 CFR PART 312 by the Federal
Trade Commission
• This proposed rule was introduced on April 27, 1999 ( Fed Reg. Vol.
60 No. 80)
• There was significant debate about the rule, especially with regards
to reporting requirements
• Many business entities, especially small businesses, objected to the
reporting requirements as onerous

10. COPPA Rule cont’d
• Despite intense lobbying the COPPA rule went into force on April 21,
2000
• Now these rules apply not just to websites directed at children but
also to websites who know they are collecting data about children.
• This rule was amended on December 19, 2012 and the amended rule
became effective on July 1, 2013 which amended the meaning of the
term “operator” and simplified the direct notice requirements

11. What to do after it happens
• Despite COPPA and a raft of other laws the number of breaches continues
to increase both in quantity and severity
• It happens more than is publicly acknowledged
• The trend is so large that 33 of 50 state legislatures in the United States
have considered so called “Security Breach Notification Bills” or SBNBs in
2015
• At the federal level S. 177 was introduced by Sen. Bill Nelson (D-FL) in
2015 but it did not make much headway and was not passed as of the last
Congressional Recess this Summer

12. What to do after it happens
( NCSL,2015)
• SBNBs typically require four elements in the model state statute
• “Require entities to report breaches to attorneys general or another
central state agency
• Expand the definition of "personal information" (e.g., to include
medical, insurance or biometric data) in cases of a security breach
• Require businesses or government entities to implement security
plans or various security measures
• Require educational institutions to notify parents or government
entities if a breach occurs.”

13. A Digital Bill of Rights
• Given the patchwork of protections and the obvious loopholes, many
have called for a “digital” bill of rights that would require companies
to notify customers when companies are going to sell their data to 3rd
parties.
• Trump recently signed a congressional resolution that repealed
measures that would have mandated that broadband providers notify
customers when they are going to sell their data to 3rd
party
marketers.

14. The New Frontier
• Regardless of what is happening on your desk or lap the new frontier
for data privacy and security is your smartphone
• There are nearly as many cell phones as there are people
• Nearly 7 billion phones with a current world population of 7.4 billion
• In fact there are more phones in Ukraine than the current population
of Ukraine with approximately 57.5 million phones and 46 million
people as of December 2013

15. Net Neutrality: the Final Frontier?
• This repeal of privacy regulation also calls into question rules on Net
Neutrality promulgated by the FCC
• Congress has recently asked the executives of the major Big Data
Companies ( Comcast, Facebook, Google, etc) to testify their regarding
position on proposed new Net Neutrality rules
• This could also have a big impact on data security and privacy regulations
passed in the last administration
•

16. What you can do
• Given all that has occurred in the last five years
• ( Snowden revelations, Wiki Leakes etc )
• Among the best things you can do to protect your privacy is use an
anonymized web browser like TOR ( the onion router) which provides a
completely private web search service.
• This is not a failsafe option however as both NSA and other government’s
routinely “ sniff “ the exit nodes of anonymized web browsers like TOR
• The best available option is to use a Virtual Private Network and to encrypt
your data as it goes into an anonymized web browser.