27 September 2015

Safe Harbor: Achieving a Defensible Standard of Care...

"Achieving a Defensible Standard of Care" within the enterprise requires an astute and proactive legal framework.  Operational Risk Management becomes a key component of that legal framework at the many junctions of technology, data science and privacy law.

U.S. National Security continues to be at the center of the legal jousting between the European Union and the United States.  Underlying the debate is the data flowing through the Internet from data centers in Europe owned by U.S. companies.

What are the implications of a change in the Rule of Law and the rules associated with the collection, storage and analysis of data by companies such as Facebook?  How will the future of Operational Risk decisions impact the safety and security of nation states?  Is "Safe Harbour" ready for legal reengineering and a new, updated global data privacy architecture for the Internet of Things (IoT)?

III – Conclusion

237. In the light of the foregoing, I propose that the Court should answer the questions referred by the High Court as follows:

Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.

Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.

Chief Privacy Officers and General Counsel within the ranks of Amazon, Google and Facebook are on a proactive mission: how to keep business models fueled by advertising from the erosion of data flows from outside the U.S., if those flows are precluded and all data from the EU must stay within the EU.

The Office of the Director of National Intelligence (ODNI) will be tracking the data privacy legal frameworks across the globe and the continuous changes that will be necessary to stay in compliance with U.S. laws.  Henry Farrell sums this up nicely in his WP analysis:
Thus, if the court rules as expected, the U.S. has to choose between two unattractive options. The first is to refuse to make any concessions on surveillance, hence endangering the business models of big and influential U.S. e-commerce firms, and making life much harder for other big corporations that e.g. have to transfer personnel files across borders. The second is to make real concessions to the EU on spying, moving away from indiscriminate surveillance to a system that would provide real protections for European citizens.

We are on the edge of many years of new business process reengineering (BPR), but this time it is not about the demise of proprietary client / server architectures and the addition of Internet Protocols.  The new data privacy BPR is now just underway, and it has everything to do with creating sound contractual negotiations for digital devices across borders.  More importantly, it is about the trusted business assurance questions being asked by Operational Risk Officers and the building of digital trust as data and rules are executed at the speed of light.

Achieving Digital Trust delivers to business executives, IT strategists, and innovation leaders something remarkable: a complete tool-kit of new strategies and resources that will change how they make decisions that matter, and how to build digital assets that can be trusted.

As you pick up your mobile device to access Messenger or Wickr, the rule of law is being put in motion in nanoseconds.  When you type the message to your colleague in Ireland or Germany from Detroit, your data is being processed across data centers in multiple countries.  Machines are executing business rules with other machines.  Are the rules correct?  Are they all legal?

"Achieving a Defensible Standard of Care" in the next decade will be one of our most interesting challenges.  The Safe Harbor of our way of life may go beyond the simple integrity and assurance that the message simply gets delivered.

06 September 2015

Rule of Law: The Privacy vs. Security Paradox...

Chief Privacy Officers and Operational Risk Officers are watching with anticipation as Microsoft argues its case with the U.S. Court of Appeals in New York, USA on September 9, 2015.

The trustworthiness of data and the future of "Achieving Digital Trust" for companies and countries are a priority.  The wealth created from the management, storage and processing of data across global borders is at stake.  The "Rule of Law" that intersects with that data and with its legal disclosure to government authorities has been accelerating in countries such as Ireland, Belgium and Brazil.

The company hasn’t always been so eager to comply. A year earlier, it rebuffed a request from the Department of Justice for a suspected drug trafficker’s e-mails. Those were in a data center in Dublin -- and according to Microsoft, the arm of American law enforcement doesn’t extend to Ireland. That set in motion a legal challenge putting Microsoft and its general counsel, Brad Smith, in the lead of a charged battle between the U.S. technology industry and the U.S. government.
More than two dozen companies, including Apple Inc. and Cisco Systems Inc., have filed briefs on Microsoft’s behalf in the case, which is about due process and the right to privacy, and money. Internet service providers may be hard-pressed to sell Web-based products if they can’t promise that digital records stowed in foreign countries will be protected by those countries’ laws -- and from unilateral U.S. search-and-seizure missions.

The privacy vs. security business is apparent, and a defensible standard of care remains vital.  Several companies in the data privacy industry have made the decision to establish their legal business entity in Switzerland.  Silent Circle, Proton Mail and Golden Frog are a few examples.  Why?

It is because the business of privacy is becoming a big business.  It is creating wealth.  Data privacy and the use of cloud-based products and services are now so pervasive across borders that the collision of private companies and governments was inevitable.  Nation states are making it easier for global companies to locate, manage and operate in their data-privacy-friendly countries.

Digital Trust is at the center of the dialogue.  Operational Risk Management (ORM) surrounds the core conversations as you analyze the implications of building a data-centric business with the ability to comply with all of the regulatory and legal requirements.  The Electronic Communications Privacy Act (ECPA) of 1986 is being interpreted in Microsoft v. United States of America:

The Government’s brief confirms this much: Nowhere did Congress say that ECPA should reach private emails stored on providers’ computers in foreign countries. Small surprise for a statute written in 1986, before the creation of the global internet, when the notion of storing emails halfway across the globe was barely imaginable.

Congress can and should grapple with the question whether, and when, law enforcement should be able to compel providers like Microsoft to help it seize customer emails stored in foreign countries. Microsoft has outlined many reasons why Congress would be wary of granting that power: It would establish a norm that would allow foreign governments to reach into computers in the United States to seize U.S. citizens’ private correspondence, so long as those governments may assert personal jurisdiction over whatever company operates those computers. It would offend foreign sovereigns.

Business and Government across the globe are working diligently to create a balanced, legally sound and vital information sharing environment.  Consumers will continue to have a choice of which vendor, device or data hosting company they utilize for their communications.  The features, functions and benefits will be carefully thought out by the marketing and business executives.  Yet the question will be asked by each company's respective stakeholders:  What is the value of trustworthiness in the markets we operate in, and how will we decide to create "Digital Trust"?

The consumer must also understand how these tools are being utilized by the dark and evil components of our human society.  Citizens must better understand the motivations for government to protect consumers and those organizations who choose to use certain tools on the Internet.  Those who have a fear of government also like the idea of law enforcement protecting their neighborhoods.  There are two sides to the private enterprise:
They aspire to be neutral conduits of data and to sit outside or above politics. But increasingly their services not only host the material of violent extremism or child exploitation, but are the routes for the facilitation of crime and terrorism. However much they may dislike it, they have become the command-and-control networks of choice for terrorists and criminals, who find their services as transformational as the rest of us. If they are to meet this challenge, it means coming up with better arrangements for facilitating lawful investigation by security and law enforcement agencies than we have now.

As private companies and nation states collaborate to attract new business commerce and tax revenues, your privacy and your company will be at the center of the negotiation.  The consumer's preference for where their data is stored, and for the legal jurisdictions to which that data is subjected, will continue.  For the good guys and the bad guys.  "Achieving Digital Trust" will be with all of us for some time to come.  As mankind evolves and the most valuable assets of our world become virtual, we can only hope "Trust Decisions" and the "Rule of Law" will stand the test of time.