Ewan Sutherland: Insights on Global Governance and Data Protection

Ewan Sutherland LINK Centre, Wits University Ewan Sutherland

2020 2016 2017 2020 2015 2017 2021 50 Billion 6.4 Billion 8.4 Billion 20.4 Billion 1 Trillion 20 Billion 46 Billion Cisco Systems Gartner Group IBM IHS Markit Juniper 2 Ewan Sutherland, March 2018, SISCA Dundee

Governance of governance Design and implementation of: Institutions Legislation and rules Liability Guidance to firms and citizens Accountability and transparency Appellate systems Review mechanisms Ensuring human rights (n.b., privacy) Regulatory state Network governance 3 Ewan Sutherland, March 2018, SISCA Dundee

Global: International Telecommunication Union (ITU) United Nations Office for Drugs and Crime (UNODC) Continental: European Union National: Industrial strategy (BEIS) Spectrum (Office of Communications) Data protection (ICO) Municipal: Planning consent Smart city projects 4 Ewan Sutherland, March 2018, SISCA Dundee

Functions An independent advisory body on data protection and privacy, comprised on representatives of national data protection authorities Contributes to the development and better functioning of the internal market for electronic communications networks and services Organising the co-ordination of European Conference of Postal and Telecommunication administration (CEPT) in preparation for and during the course of ITU: Council, Plenipotentiary Conferences, WTDC, WTSA and other meetings Provides opinions on the draft measures the EC intends to adopt relating to the the Digital Single Market (DSM) A centre of expertise for cyber security located in Heraklion. Supported by a Permanent Stakeholders' Group, that advises the Executive Director on the performance of his duties. A high-level advisory group that assists the EC in the development of radio spectrum policy Article 29 Working Party Body of European Regulators of Electronic Communications (BEREC) CEPT Com-ITU Communications Committee (COCOM) European Union Agency for Network and Information Security (ENISA) Radio Spectrum Policy Group (RSPG) 5 Ewan Sutherland, March 2018, SISCA Dundee

Created only by leading countries Government-industry partnership: UK now says government-led Involvement of experts from: Signals intelligence (e.g., GCHQ) Specialist criminal investigators (e.g., NCA) Cybersecurity exercises (e.g., NATO) Collecting and sharing information on: Threats Vulnerabilities Responses 6 Ewan Sutherland, March 2018, SISCA Dundee

Scrutiny of legislation: Digital Economy Act Data Protection Bill Committee inquiries into: Cybersecurity National security Growing up with the Internet (children) Skills shortage Online Platforms and the Digital Single Market Oversight of regulatory authorities 7 Ewan Sutherland, March 2018, SISCA Dundee

Some legislation dates back to 1970s: Principles are very well established Recent addition of the right to be forgotten United Kingdom: Data Protection Act 1984 and 1998 Data Protection Bill (in Commons) European Union: Data Protection Directive (95/46/EC) General Data Protection Regulation (EU) 2016/679 explicit obligations on systems design Considerable disagreements with USA PM insisted at MSC that UK would retain strict data protection laws after Brexit PM insisted at MSC that UK would retain strict data protection laws after Brexit 8 Ewan Sutherland, March 2018, SISCA Dundee

SecurView cameras TRENDnet Lax security exposed the private lives of hundreds of consumers to public viewing on the Internet A sex toy, manufactured by Svakom Design USA Ltd, had an embedded camera to allow users to capture and share intimate moments. However, inadequate security allowed others to view the video streams. Manufacturer failed to take reasonable steps to secure routers and Internet-protocol cameras. The FDA approved a firmware update, effectively a product recall, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities Standard Innovation designed its high-end sex toy to synchronise with a smartphone app to collect and record intimate and sensitive data regarding use of the device, including the date and time and device settings, which were transmitted to its servers in Canada. Settled by class action. Siime Eye D-Link Abbott's implantable cardiac pacemakers We-Vibe 9 Ewan Sutherland, March 2018, SISCA Dundee

Historic legal power to intercept mails Extended to telegrams, telephones and Internet Now to the Internet of Things: Fitness bands Toasters Sequence of legislation leading to: Investigatory Powers Act 2016 Requires providers to retain metadata Complex interactions with ECHR and EU Treaties Section 1 held not to comply with EU treaties: Home Secretary v Watson MP & Ors [2018] EWCA Civ 70 (30 Jan. 2018) Mutual legal assistance (MLA) with other countries: Budapest Convention MLA treaties 10 Ewan Sutherland, March 2018, SISCA Dundee

Attempts to shape the market to increase profits Avoidance of regulation Pendulum has swung against technology firms and in favour of regulation Some firms try to avoid regulation: Regulatory arbitrage (e.g. Uber) Some firms try to get US government to stop other governments from requiring data localisation 11 Ewan Sutherland, March 2018, SISCA Dundee

Outside Europe many countries have grossly inadequate governance, lacking: Data protection laws and authorities Parliamentary oversight Judicial review Class actions Network of national data protection authorities Failure by firms to adopt basic principles: Privacy by default Security by design Unclear that collecting every bit of data is commercially valuable or well understood Firms face considerable risks from: Regulators Courts Privacy and security too often an afterthought 12 Ewan Sutherland, March 2018, SISCA Dundee

Ewan Sutherland sutherla [@] gmail.com +44 141 649 4040 skype://sutherla http://orcid.org/0000-0001-5220-9605 http:// www.ssrn.com/author=927092 http://www.wits.ac.za/linkcentre/teaching-and-research-team/ewan-sutherland/ 13 Ewan Sutherland, March 2018, SISCA Dundee