Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Commissioner's US diary - part four John Edwards
27 April 2017

US Capitol

The International Working Group on Data Protection in Telecommunications is a bit of a mouthful, so it is shortened to “The Berlin Group,” referring to the Berlin Data Protection Office, which initiated the working group in 1983, and has provided its secretariat ever since.

It meets twice a year, once in Berlin, and once away, and this spring’s “away” meeting happened to coincide with the Global Privacy Summit.

The meeting begins with a round of “country reports”:

  • Korea reported that its courts had recognised individuals’ rights of access to personal information about them held by Google
  • The US reported that Vizio had settled a complaint that its TVs were collecting information about viewing habits.
  • Israel noted that its data breach notification law requires victims of breaches to notify the data protection authority which then determines whether the affected individuals should be notified  (a model New Zealand could look at).
  • Italy has been working with telecommunications providers to develop a system to get in touch with people during earthquakes (also lessons for New Zealand here).
  • Hungary reported that its data protection authority had been asked by the security services to audit its information systems.
  • The United Kingdom is considering the role Cambridge Analytica  played in influencing political engagement in the UK during the Brexit vote.

It is a genuine working group. Somehow 32 delegates from 20 data protection authorities, together with selected experts and advocates manage to work through quite complex papers to reach agreed positions on emerging privacy issues that connect with telecommunications. At this session we discussed papers on:

  • Privacy on e-learning platforms
  • Privacy issues in ICANN’s “new generation Registration Directory Service” (RDS)
  • Common position on governmental data requests for information held outside US territory
  • Firmware updates for IoT devices
  • Connected cars
  • Smart infrastructure/ cities
  • Smart TVs and privacy
  • Cyber bullying

New Zealand proposed a paper: “Towards International Principles or Instruments to Govern Intelligence Gathering”.  After input from Canada and Berlin, it was accepted at the same meeting it was proposed (reportedly only the second time in the last 10 years that a paper has done so, the other being New Zealand’s paper on Transparency Reporting in 2014). I’ll post about our paper, what it means, and what comes next, later.

Apple and differential privacy

Tuesday’s half day session began with a presentation from Apple on its “differential privacy” a mathematically and conceptually challenging system it has for getting the value of user data, without compromising privacy.

Did you ever wonder how your iPhone knew what emoji to suggest when you typed in that you were “pumped” about something? Me neither – I just made that up, but it is the kind of thing that might happen.

Your phone will contribute data to Apple’s analytics to improve predictive text, emoji recommendations or a range of other applications in ways which gives Apple very good information about trends (suddenly everyone is pumped, and using a fist emoji, for example) without collecting a creepy history of all your texts. It’s complicated. There is a differential privacy engine in your phone, which is the first filter. It’s only going to send information about a couple of autocorrects, or emojis each day. Those are hashed and randomized so that only really significant aggregate trends appear in Apple’s analytics – all the rest just drop off, or are seen as effectively statistical static.   And Epsilon had a lot to do with it. (OK - I didn’t really understand).

Department of Homeland Security

Our meeting concluded at 1pm, and at 2pm I met with the Privacy Officer, and Director of International Privacy Policy of the Department of Homeland Security.

I was interested in understanding the effect of President Trump’s Executive Order purporting to reverse privacy protections extended to non-US citizens and residents over many years. Section 14 of this executive order says

Sec. 14.  Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.  

Others had told me over the last week that the drafting leaves ambiguities which are difficult to interpret, but that the practical effect of the order might not be that significant for New Zealand travellers. Others had noted that as a matter of law, a discretion that exists in a statute could not be overridden by an Executive Order and, as such, section 14 might not be enforceable.

My contacts at DHS were, as you would expect, professional, neutral and circumspect. They did note that it would be open to New Zealand to seek inclusion in the Judicial Redress Act, which is the basis under which Europeans continue to enjoy the benefits of access to remedies, including Privacy Act protections. That is something worth pursuing, and which I will look into when I get back.

The other question I had was, do New Zealanders have to give over social media account details, and passwords, when they enter the States, as some have reported? Once again – this seems to have been the topic of some panic and misreporting, since the idea was first floated by the Secretary of Homeland Security at a House Homeland Security Committee hearing on February 7, 2017.

The answer is (at this stage) “No”. Social media account information is sought on an “optional” basis on visa forms, but is not required. There is no policy requiring social media account details, or passwords, and as part of the process of assessing any such proposal the DHS would undertake a full privacy impact assessment, like this one.

All options would be on the table were such a policy to be considered. The Secretary’s comments were prompted by concerns that border officials might not have an equal quality of information about citizens from all countries. 

The policy to require further information as a condition of entry might only apply to those countries for which the US authorities do not have good arrangements in place already, or could involve exempting “visa exempt” countries from any such requirement, which would include New Zealand.  At this stage, there seems to be no basis for New Zealanders to delete their accounts, or be overly concerned about border officials asking to review social media history.

That being said, if you have any problems at the border, and feel aggrieved by being delayed or subjected to extra screening, you are entitled to file a complaint or enquiry via the DHS TRIP Programme.

It’s been a packed and intense schedule, and I’m looking forward to heading home tomorrow. See you next week!

Image credit: Tara Siuk via Flickr

0 comments

Back

Comments

No one has commented on this page yet.

Post your comment

The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Latest Blog Entries