Leading experts in telecommunications law and policy gathered recently at the Hogan Lovells Winnik International Telecommunications and Internet Forum in Washington, D.C., with privacy and data security issues coming up frequently in all of the discussions. In the final panel of the Forum, Hogan Lovells partner Winston Maxwell convened a panel of corporate practitioners that addressed head on some of the current issues in the active legal and policy dialogue underway in this area.
Panelists Harriet Pearson (CPO, IBM Corporation) and Tokë Vandervoort (CPO, XO Communications) first focused on Cloud computing’s implications. “Security-related expectations for Cloud should use a risk-based approach,” commented Pearson. “Depending on the type of data and work involved, different types of resources and approaches will be needed. In a business-to-business context security resources should be focused on the areas of highest risk. Security is not an ‘end state’ — it is a process, and it’s always relative, in the same way that we accept there is some level of risk in behaviors like driving a car or sending a rocket to the moon. A certain level of risk will always be there.”
The panelists then reflected on the implications of European data privacy law, especially in light of the recently released draft EU data protection Regulation. Vandervoort commented on the draft Regulation’s currently proposed 24-hour time period for notifying data security breaches, indicating that such a timeframe is not only extremely challenging, but that the outcomes of such rapid-fire reporting will be at odds with the public policy goals presumably served by such notification requirements. “With a 24-hour deadline, and no materiality threshold, companies will notify the DPAs of everything,” predicted Vandervoort. “Will European officials be equipped to handle this?” she queried.
Both Pearson and Vandervoort discussed the roles of cloud providers. “A cloud provider may not have a right or even the ability to access customer data residing on a cloud platform,” commented Vandervoort. “In those circumstances, is the cloud provider a ‘recipient’ of the data? Is the cloud provider a processor if it doesn’t know what it is holding?” Vandervoort cited the robust security and privacy rules that apply to telecom operators in multiple jurisdictions, and opined that “because telecom carriers are content neutral, delivering services designed to protect all voice and data communications against unauthorized interception or disclosure, they aren’t recipients of data and logically may not be data processors, and that whether cloud providers are depends on a variety of service specific factors.” Pearson further noted that the distinction in current European law between data “controllers” and “processors” is a vital one to maintain, as it is the controllers who have the power to direct what can be done with data and how; processors carry out such direction, frequently are not privy to the actual content or type of data being managed, and have no real authority to change the directions.
Both panelists predicted that the proposed European Regulation would generate several years of debate, and that all types of companies should take advantage of the current opportunities to inform and influence the course of the debate in Europe and elsewhere, given the significant effect the proposed data privacy Regulation would have if enacted in its current state.