privacy & data protection in the digital world

ww

w.e

mir

ates

id.a

e

© 2

013

Em

irat

es I

den

tity

Au

tho

rity

. A

ll ri

ghts

res

erve

d

P a r t n e r s i n B u i l d i n g U A E ' s S e c u r i t y & E c o n o m y

Our Vision: Provide an integrated and advanced personal identity management system that contribute to the transformation of the government and the economy and promotes security and global competitiveness of the UAE.

Privacy & Data Protection

Presented by Dr. Ali M. Al-Khouri In: 2nd Annual Gulf Cooperation Council e-Participation & e-Governance Forum – Organised by: Abu Dhabi University Knowledge Group and UAE Telecommunications Regulatory Authority. 9 – 11 September 2013 | Dusit Thani Hotel | Abu Dhabi | UAE.

Keynote Address

in the Digital World

www.emiratesid.ae © 2013 Emirates Identity Authority. All rights reserved 9/3/2013 3

• Introduction

• What is Data Privacy? Why Do We Need Data Protection?

• Data Privacy Laws & Practices

• Data Privacy in UAE

• Government Role in Data and Privacy Protection

• Concluding Remarks

Agenda AGENDA OF PRESENTATION

What is Data Privacy and why do we need Data Privacy? Data Privacy Laws and Practices- a Global view with examples

of European , South Korea , China Data Privacy in UAE Government Role in Data Protection Individual’s responsibilities in Data Protection Emirates ID Role as the Data Collector, Data Provider and

Protection of individual’s privacy






• Introduction






www.emiratesid.ae © 2013 Emirates Identity Authority. All rights reserved

• Explosive growth of computers & information technology ..

• Impact?

• Opportunities, challenges and problems ..

• Data/Information Age?

Introduction


every day, we create

2.5 quintillion bytes of data 2,500,000,000,000,000,000!

Data Explosion?

of the data in the world today has been created in the last two years!

• In the digital world, we are all somehow ubiquitously connected.

• Data security and privacy?


Expectations of Privacy but Compromising Technologies






• Introduction







Privacy? A Matter of Perceptions and Expectation

What does it really mean?


Privacy? A Matter of Perceptions and Expectation

Ability to control the dissemination and use of one’s personal information?

What does it really mean?


Data Privacy?

9/4/2013 11

Key to this is the public and private perception and expectation of handling this data. If the person willfully provides the data and agrees for it to be transmitted and retransmitted, there is no protection even sought on this data. Further, if the information is shared for his/ her own security, it would not be considered unprotected. The realm of Data Privacy and Protection is thus formed, where Governments and law making institutions accord the rights of privacy and protection of the privacy for an individual.

.. deals with the relationship between collection and dissemination of personal information ..

Privacy

.. that can lead to identification and private details of a person.


Data Privacy?

9/5/2013 12


.. deals with the relationship between collection and dissemination of personal information ..

Privacy

.. that can lead to identification and private details of a person.

Our digital interactions leave a huge trail of data leaving

behind bits and pieces of us with pointers to our real

behaviour.


What is Data Privacy?

9/5/2013 13



What is Data Privacy?

9/5/2013 14



Roles of Entities in Data Protection

9/3/2013 15



9/3/2013 16

… generally, a legal entity that regulates data collection, storage and transmission and acts to provide necessary protection to data

provider ensuring the agreed-levels privacy.

.. “authorized” entity to collect personal data & compile personal information

.. entity who willfully provides data to data collector.

.. entity who transmits data to other collectors or users of the data



9/8/2013 17

.. though may not be mandatory in many countries to be a specific entity, the responsibility of providing data protection lies with service providers and law institutions like the courts could provide required legal protection.

e.g., banks, credit card companies, health providers, insurance provider, government, service providers, retailers etc…

e.g., Internet service providers, telecom providers, mobile service providers, internal networks, etc.

Other semi structured data from each and every department of city government, telco-companies, healthcare providers, research centres, energy vendors, logistics companies, public transportation organisations and every possbile stakeholder in the city.

e.g., credit bureau, trust centres, etc.


• interactions, transactions, communications, sought to be analyzed for bringing commercial entities closer to the psyche of the individual (knowing customers –personalising services and products).

Digital Behaviour and Identity Construction?


Why Data is important?


“Data-driven innovation,” will help to create 4.4 million information technology (IT) jobs globally by 2015, including 1.9 million in the United States (US)

Big data has potential to create massive saving and revenues in all sectors: • create $300 billion in potential annual value to U.S. healthcare;

• €250 billion potential annual value to Europe’s public sector administration; and

• $600 billion in potential annual consumer surplus from using personal location data globally.

Value and Opportunities?


Agenda

• Introduction







Data Protection: Global Practices

9/3/2013 24

The heat map here depicts the global trends of privacy and adequacy of data protection provisions in the world.


Parameters of Categorization

9/3/2013 25

Types of personal data covered in data privacy legislation

legal obligations placed on public

and private organizations

Existence of legislation

preventing data transfers with

adequate data protection regulation

attainment of EU official Adequacy standard for data protection & privacy

ability to enforce data privacy regulations through an independent agency

Legislative & cultural barriers limiting government surveillance over communications.

Constitutionally-backed data privacy laws.


Data Protection: Global Practices

9/3/2013 26

EU provides highest restriction on data use, and privacy protection South Korea, highest in East. Middle East prominent in not providing adequate legislation, with exception to UAE and Qatar.

Forrester’s map is based on these criteria and provides a good overview of the maturity of data privacy in the world. As we can see the European Union provides the highest restriction in the use private data and provides the highest privacy protection. In the East, South Korea is the one with the highest protection of data privacy. The Middle East is prominent in not providing adequate legislation for privacy protection with only UAE and Qatar providing some restrictions with legal provisions for data protection.


Governments Enacting Privacy and Protection Laws

9/3/2013 27

تكبير الخط لطفا

.. basis of privacy laws in each of the EU member states..

enforced and legally binding to all institutions involved in the handling of personal information

strongest and the strictest enactment in the world

provisions for criminal prosecution and hefty financial fines for breach of the act.

.. strong proponent of privacy protection with a Federal Privacy act since 1998

updated to meet current day challenges of technology evolution

No specific laws.. national security.






• Introduction







Data Protection in UAE

.. إظهار خارطة اإلمارات

وتخفيف لون الدول األخرى بحيث

.تكون أقل وضوحا

Personal Information Privacy is Constitutionally guaranteed. Constitutional protection Criminal law protection UAE Penal Code, Article 379: "… any individual who by reason of his profession, craft, situation or art is entrusted with a secret and who discloses it in cases other than those permitted by the law, who uses it for his own advantage or another person's advantage … Shall be punishable by confinement for a minimum period of one year and by a fine of at least twenty thousand dirhams or by one of these two penalties … all this unless the individual to whom the secret pertains has consented that it be disclosed or used.“


Unauthorized access to any information system or website is illegal

Breaches of privacy can result in severe

penalties, which include fines,

incarceration, and even deportation.

data protection is

accorded under TRA

covers web transactions and

cyber crimes that seek to protect

individual privacy

Right to Privacy is Constitutional in UAE

data collection & transmission

in the interests of National Security,

such a written consent is

considered waived as per the Penal

Code


Unauthorized access to any information system or website is illegal

Breaches of privacy can result in severe

penalties, which include fines,

incarceration, and even deportation.

data protection is

accorded under TRA

covers web transactions and

cyber crimes that seek to protect

individual privacy

Right to Privacy is Constitutional in UAE

data collection & transmission

in the interests of National Security,

such a written consent is

considered waived as per the Penal

Code Personal information privacy is adequately provided for within the legal framework in UAE. However, there is no single authority or entity that constitutes a data privacy protection or information protection officer.


“You have zero privacy. Get over it.” Scott McNealy, CEO, Sun Microsystems. January 25, 1999

Erosion of Privacy

• constant changes in technology is making privacy harder.

– reduced cost for data storage

– increased ability to process large amounts of data

• Especially critical now (given increased need for security-related surveillance and data mining)






• Introduction







An intense role of Government Issued Personal Identity as a Unique National ID.

Modern Identity Management Systems

Intense role of Government issued personal identity as unique national ID.. providing required privacy in anonymity and yet provide meaningful data for authentication.


The Digital Identity provides the perfect PROXY for the

personal identity.

Personal ID and UAE National ID


Emirates ID

provide necessary credential

verification on the web

Service Seekers remain

anonymous on the web since only

Digital Certificates or

Biometrics would be used to establish

credential verification.

Trust Establishment


Individual Authentication Service Provider

Emirates ID

ID card






credentials remain anonymous

Digital certificates & biometrics are used to perform credential verification.

Anonymous Identity

The individuals would be known and authenticated as genuine persons by the National Identity Authority providing a THIRD PARTY authentication for the identity.



Emirates ID

ID card






credentials

Government do not share personal data

with servicer providers, but provide only

credential verification. (AUTH AS A SERVICE)

Service Providers

Thus, service providers can identify the potential service seeker securely from the authentication provided by the

Emirates ID Authority.


Individual Authentication Emirates ID

ID card






credentials

Channel Service Provider

• Internet

• Mobile

• Counter

• IVR

• Etc.

Electronic Channels

Government Identity Management Infrastructure support different communication platforms



Emirates ID






credentials

An individual will then be able to transact and interact freely without compromising his/her personal identity.

Anonymous Identity


UAE National ID and Privacy

• All data is treated as personally identifiable and subjected to the regulatory framework.

• Emirates ID Authority would provide this regulatory framework to ensure identity protection.

• Technical and Technology Solutions are already in place to support the regulatory and legal framework.






• Introduction







Conclusion

Data security and privacy will remain an issue in light of evolving technologies and increasing take-ups.

Although regulation is crucial, the issue of privacy vs. legislation will still be a riddle! chicken and egg conundrum.


Knowledge-based Economy

• Privacy laws: enabler or the barrier?

• Presence of a dedicated privacy protection agency.

• Need for more education programs, to raise awareness among citizens.

• Enforcement capabilities to ensure compliance.

• International collaboration.


“Data is a new class of economic asset, like currency and gold.” Source: World Economic Forum 2012

“Big data: The next frontier for innovation, competition, and productivity” – May 2011 - The McKinsey Global Institute

THANK YOU. Dr. Ali M. Al-Khouri

Director General | Emirates Identity Authority | UAE [email protected] | www.emiratesid.ae

Read our recent research from: http://www.emiratesid.gov.ae/ar/media-center/publications.aspx

privacy & data protection in the digital world

Technology

privacy data protection

rights reserved data

data collection

data provider

data collector

data explosion

rights reserved privacy

emirates identity authority