Privacy and surveillance were inseparable – and hotly debated – trends at the annual International Cybersecurity Forum in Lille, France this week, with one panel of experts in particular believing that the actions of Edward Snowden could yet result in changes to privacy laws and in the funding of data protection agencies, such as the ICO in the UK.
A stellar panel comprising Neira Jones, formerly the director of payment security & fraud at Barclaycard but now a consultant at Accourt (as well as chairman of the Cybercrime Advisory Board at the Centre for Strategic Cyberspace and Security Science), York Advisory director Arwaa Jones and Bird & Bird lawyer Gabriel Voisin tackled the issue of privacy and surveillance in business, and admitted that perceptions around both will have to change.
Jones said that the debate is a “cultural and environmental issue” and while not completely attributing this to the wide-scale NSA and GCHQ surveillance – she also fingered the emerging Internet of Things trend – she said that change is likely to be implemented through the next generation of business workers.
“Generation Y will constitute 75 percent of the workforce in the years to come, and they have a very different profile,” said Jones. “Generation Y are more concerned about geography flexibility, and up-to-date technology. They're technically savvy, use the newest devices and want BYOD, tablets and the Internet of Things.”
“They've got a very different issue on privacy. Generation Y are publicly available on social networks, they're more likely to disclose personal info and are happy to do that for the privilege of using a service. But actually not secure at all.”
Jones added that technology is generally “eroding privacy” and pointed out – as SCMagazineUK.com has reported – that some European companies are withdrawing their services from being hosted in the US.
Arwaa Jones added that the definition of privacy is likely to change, especially as public sector and private companies approach with caution the issue of balancing employee surveillance with end-user privacy.
“Citizens expect privacy and I think we can set a reasonable expectation that the data we hold in relation to citizens is not misused or stolen from the public sector. Then there are some issues on clarification – when we agreed [terms] with the citizen and how.”
Voisin, a lawyer with Bird & Bird, said that change is necessary, if only because companies will likely be asked to be more transparent than ever before, as a result of the PRISM leaks.
“The good news for employers is that they can do what they want under French law,” said Voisin, who added that firms can easily monitor email, web access and other things by logging security events.
But he urged companies to explain this surveillance to the employee, file this with the appropriate judicial bodies and get the workers' representatives involved too. Failing to do this could result in administrative or even criminal proceedings, and could have other repercussions too. “It also means that any disciplinary action against an employee would be invalidated.”
Arwaa Jones, Gabriel Voisin, Claire Levallois-Barth (moderator; lecturer at Telecom Paris) and Neira Jones talk about privacy at FIC 2014
Changes in the law
Gabriel Voisin, a lawyer for Bird & Bird (and not the French aviation pioneer in the 20th century), foresees changes to the privacy law in Europe, but doesn't hold much hope for US counterparts.
Naming the EU Privacy Directive originating from 1985 and France's own Data Privacy Act from 1978, Voisin still urged reform on both continents: “The US, I am afraid to say, is not a privacy-friendly country. It's fair to say that the EU has a much more mature notion of privacy than the US.
“Is the Europe framework still valid? No, it needs to catch up on technology. The 1985 directive was created before Google [existed] and must be revised.”
But despite proposals for the European Union's General Data Protection Regulation to be agreed in 2014 and enforced by 2016, Voisin was not sure such a law change will come into effect. “The question remains if it becomes positive law,” he said, adding that some member states are yet to agree to the change.
The proposed law sets out various sanctions, requires the data controller to notify the DPA on learning of a data breach, requires personal data to be deleted if the individual withdraws consent, and lets the user request a copy of their personal data to be transmitted electronically to another service.
ICO and other data authorities need more money
The increasing focus on data privacy and surveillance is likely not only to result in possible new law, but could also put pressure on local data authorities that are already under-staffed and under-resourced.
“It's good to have these authorities but the capabilities of these offices are limited by resource,” said Arwaa Jones, who added that such agencies are more likely to target the public sector. “Larger scale breaches and issues around privacy are not governed by the ICO.
“Much activity goes unnoticed but it's still necessary to have them there.” Other panel members agreed that the DPA, the ICO in the UK and the CNIL in France have some authority, but Voisin urged greater funding from the European Union.
“At the moment, there are small data protection authorities in Europe and they are struggling to get enough people and resources to reinforce privacy and data protection requirements by the EU directive,” he said. “They only have 10 to 20 certified people.
“My message to Brussels is to give money to these authorities so that they can do their work.”