Protecting privacy from Internet giants can be done

Limor Shmerling Magazanik Photo: Eyal Yitzhar

The Israel Privacy Protection Authority tells "Globes" about the attempts to protect Israelis from Google and Facebook.

It can be assumed that the Israel Privacy Protection Authority (formerly the Israel Law, Information, and Technology Authority), which operates as one of the units in the Ministry of Justice, will become one of the most important government agencies in the coming years. The use of the social networks for propaganda purposes has greatly expanded in recent elections in Israel and worldwide, and set new records in the US presidential elections.

Insofar as the public and the government realize the enormous quantity of information about us that Google and Facebook are handling, as well as smaller corporations and companies, concern will grow that the information collected about us, the people, is becoming a real danger to democracy. How do we deal with it? A great deal of responsibility rests with the authorities for protecting privacy in Israel and throughout the world.

In a "Globes" interview, Israel Privacy Protection Authority director of public relations and administration Limor Shmerling Magazanik says that she is optimistic that countries recognize that overseeing and regulation concerning protection of privacy should be assigned a high priority, and that the authorities in countries throughout the world are cooperating with each other protecting individuals' privacy.

"Companies are impressed by fines"

The Privacy Protection Authority is the agency responsible for regulating and enforcing the basic right to privacy in the country. Laws for the protection of privacy have been in effect in Israel since the 1980s, and more laws were enacted at the beginning of the century.

"The Protection of Privacy Law is an old law. It resembles the European concept and the OECD document on protection of privacy, which is the first document to address the problem," Shmerling Magazanik says. "This law establishes an enforcement authority, so that it will be of significance."

"Globes": Have you already filed indictments?

Shmerling Magazanik: "Certainly. Just now, we're summing up an investigative case of ours on the subject of trading in medical information involving Rambam Medical Center, health funds in the north, and traders in information in long-term care services companies. In another investigative case involving the theft of the Israel Population and Immigration Registry and putting it online, a sixth and final verdict was recently rendered. The person who stole the information was a provider of computer services to the Ministry of Labor, Social Affairs, and Social Services. He was sentenced to 12 months in prison and fined NIS 100,000.

What are the limits of the ruling? For example, do you handle wiretapping?

"No, wiretapping is a criminal act that the police handle. We handle only offenses under the Protection of Privacy Law, for example the case of the medical information I mentioned. Employees at the hospital took a list of patients from the computer system with the dates on which they arrived for medical procedures, and gave it to another party with the patients' contact particulars, the expected hospitalization date, and what surgery they was going to be performed on them. This information was used by the next links in the chain for commercial purposes, and in order to offer the patients, most of whom were senior citizens, long-term care services after the operation. Under the Protection of Privacy Law, this was use of the database for unauthorized purposes, and without consent."

In your opinion, was the penalty a deterrent?

"Yes. In criminal activity the penalty is more severe - actual imprisonment. The person who put the Population Registry on the Internet was sentenced to 18 months in prison. There are also suspended sentences, community service, and fines. The punishment is significant, and the threshold is developing as the courts realize the importance of the matter.

"In addition, we have very extensive administrative enforcement activity, which is now accepted in commercial areas. Companies are far more impressed by fines than by criminal enforcement; it's much more effective.

"The Protection of Privacy Law states that use of your personal information is a violation of your privacy - period - unless you gave your consent, and gave it after they informed you exactly what they were going to do with the information, and by whom.

What exceptions are there? Customer clubs?

"That's one example. Even before customer clubs - you are a customer of a mobile telephone company, and it's clear that it's going to process your personal information. Otherwise, you can't get telephone services, content services, deals, and connectivity. There is therefore a transaction in which you consent to receiving services, and the company gets money from you, and you both know what it's for. Another example is when a fashion chain makes you an offer to join a customers' club. I provide my personal particulars, they now keep a record of everything I bought and when and how I bought it, and maybe also information about my family, and I get a 10% discount or accumulate points. This is a kind of private transaction - an exchange. I give information, I get something for it, and there's no violation of privacy, because the law has not been broken. The problems begin when there's no consent."

Or when there is no choice.

"Or there is no choice, and there are people earning money at our expense. To switch to the subject of the Internet giants, Facebook earned $27.6 billion in 2016 from advertisers. It got the money because it manages an enormous personal information processing service for two billion connected people. These people - us - put our information there, and we conduct our social and personal lives there, while Facebook profits from processing this personal information, and then sells focused advertisements for huge sums."

Market failure in dealing with giants

The threats from Facebook, Google, Apple, Amazon, and similar companies are increasing. Proposals have recently been made in the US by Congressmen to make Google and Facebook responsible for sending malicious content on the Internet. These questions involved issues such as the neutrality of the Internet and where to draw the line between our right to privacy and the companies' responsibility for the content that streams through them. While the neutrality of the Internet was a holy idea up until recently, today, when we see countries becoming involved in the Internet, and using it to overthrow regimes, it is much more difficult to defend this abstract idea.

In the world, the issue of violation of privacy is gathering momentum.

"Definitely. It was once questioned whether there should be regulation of the Internet. The answer now is that it's not a question of whether there should be regulation; it's a question of how, by whom, and how much. It's clear that there should be regulation of information processing activity. We're in the information revolution. The data and its uses are enormous. The potential for misuse - damage to rights, equality, money, exploitation of disadvantaged groups - requires regulation. People always have less power than commercial companies and large organizations, and the Internet has further upset this balance of power. There is market failure here - no one is able to cope with giant companies and fully understand what is done with the information, or to form a corporation in situations in which it is impossible to avoid the use of such concerns."

So we have reason to worry about coping with these threats.

"Progress is now being made in efforts in Israel and Europe to provide a solution there. The new regulation in Europe, which will apply all over the world, is designed to deal with the breaching of geographic borders, which is leading to the breaching of regulatory borders - how to deal with companies whose work processes challenge the quality of consumer legislation and antitrust legislation, and certain privacy protection legislation. In Israel, the Privacy Protection Authority took several innovative and advanced steps this year in order to cope with this."

What, for example?

"Minister of Justice Ayelet Shaked introduced a protection of privacy regulation for information consumption for the first time in Israeli law: a system of very detailed and up-to-date information security requirements. The regulation applies to the entire economy, and requires everyone to have better information security in order to prevent leaks and misuse of personal information."

Is Israel adopting any of the European regulation?

"Our regulation already includes at least what there is in Europe. Following our activity, Israel was recognized in 2011 as having a privacy protection regime that is compliant with the European Union. This recognition is very significant for the transfer of information between countries. At the same time, some of what is now needed is a substantial regulation and enforcement authority, and this is something that we're working on."

But you are already a regulation and enforcement authority.

"Certainly, but there are new challenges here. We have to constantly improve and revise what we're doing in order to provide a better response."

"One country by itself can't win"

Let's focus on the international giants like Google and Facebook. Are you confronting them?

Definitely. European countries are confronting them, and recently imposed several substantial fines on them. There is an intercontinental struggle here between two concepts: the European and the American. The European concept comes from human rights. The fundamental right to privacy was born after WWII. It involves the Holocaust and the realization of what terrible, tragic, and extreme damage is liable to be caused to people about whom detailed and precise personal information is kept. Europe later made this a directive applying to all EU countries, and listed everything permitted and forbidden in the use of personal information. Technology has developed with time, and European regulation is keeping up with technology, step for step. Israel is keeping up with the pace in order to adapt itself to the new challenges.

"At the same time, there is no basic privacy law in the US. There is, for example, a right to privacy of medical information, and there is legislation dealing with the transmission of medical information from one party to another. There is a specific law governing the collection of information from minors on the Internet. There is a consumer protection law into which the question of privacy has been inserted, but there is no supreme umbrella applying to all of it.

"The major US companies, such as Facebook, Amazon, Google, and Twitter, have established themselves as corporate entities in the US, but offer services throughout the world to citizens of other countries. They say, 'We're obeying the laws of the country in which we were incorporated. We're in the US, and what we're doing here is legal and legitimate.' The other countries are saying, 'This is not the US. There is a fundamental right to privacy here, so you can't do whatever you want.' What bothers us, though, are the limits of the enforcement authorities' geographic authority and the limits of commercial activity, which is anchored geographically."

So the rest of the world has to follow suit and accept it?

"We absolutely don't accept it. The new European regulation says, 'These are our privacy laws, and they apply to everyone offering services to European citizens, even if it's a US company'.

"In Israel, for example, when a class action for violation of privacy was filed against Facebook a year ago, the company said, 'If someone has a problem with Facebook services in Israel, they are welcome to sue us in California.' The Lod District Court said, 'We don't accept this. You operate in Israel, in Hebrew, for Israeli citizens, and advertise to Israeli customers through Israeli advertising firms. Your litigation should be here. We don't accept your corresponding jurisdiction.' The court thereby paved the way for continuing the lawsuit, which is still being heard."

Is Israel acting as a country, or are we saying, "We'll do here whatever they do in Europe"?

"The Privacy Protection Authority has agreed on several cooperative setups, because we realized that one country can't win in this matter, so there is a network of international regulators in which we're planning all sorts of global activities and contending with these issues of how to enforce in the more difficult places. So we're getting help from the regulator of another country and joining it in enforcement. There's another direction here, which we're promoting in Israel, of cooperation with authorities for fair trade and preventing restraint of trade. This comes from the realization that forces can help each other create effective and integrated enforcement for these giant companies."

Do you believe that Facebook and Google will change their usage agreements?

"I believe that right now, with the more severe sanctions going into effect, the global companies will start paying more attention to privacy protection laws."

I read Google's privacy agreement, and it appears that it can collect information about me with almost no limitations. The users are completely exposed.

"But there are things that can be done; it's necessary to be aware and active. Try to enter the privacy definitions of Google and start turning things off. I, for example gave authorization for only two out of 30 applications: location services and Waze and Pango. It's possible to enter and turn this off, so that Google can't make a timeline of the places that you've visited in the past. You can also turn many things off in Facebook.

"Solutions are starting to appear around the world that make it possible to manage consent and the applications that are used in a clear way. There will be something like a dashboard that you can enter and see all the applications, and what information each of them provides. Then the consumer can say, 'I'm not willing to accept this, I'm willing to accept that, and I'm turning that one off until I realize that I need it.' There are startups that are creating such products, so that you won't have to be a computer genius in order to manage your authorizations and consent."

So are you optimistic? Are we on the way to being a little better protected?

"Yes. This is a war that has to be fought, and even if we don't win 100% all the time, we have to demand these rights and not give way, because giving up isn't an option. We, both the Israeli regulator and regulators worldwide, and policymakers, are constantly searching for more innovative, sophisticated, and effective ways of fighting this war. At this point in time, given the near future of privacy, I'm more optimistic."

Privacy Protection Agency

Legislation: The Privacy Protection Agency is a regulatory body that supervises and enforces according to the Protection of Privacy Law - 1981, the Credit Data Service Law - 2002, and the Electronic Signature Law - 2001.

Regulation: The Privacy Protection Agency is responsible for protecting personal information in digital databases and for ensuring the right to privacy.

Goals: Promoting the individual's control of personal information about him, influencing processes of shaping privacy in organizations and information systems, and strengthening the public's feeling of being protected, in order to reduce the growing risk to privacy.

Tools: The Privacy Protection Agency requires organizations and businesses to obey the provisions of the law, and to halt activity in breach of privacy. In the framework of its enforcement, orders have been given to correct faults, for example in information security or in the way the customers' consent is obtained for use of information. Orders are given to delete illegally obtained information, administrative fines are imposed, and database records whose owners violate the law are eliminated. In severe cases, the Private Protection Agency conducts a criminal investigation and sends its recommendations to the state prosecutor.

Activity: Publication of instructions to owners and keepers of databases; conducting training; providing an opinion on the subject in proposed bills, regulatory initiatives, and projects; cooperation with regulators in Israel for promoting protection of privacy; and international activity with foreign enforcement and regulatory authorities in information protection.

Advocate Limor Shmerling Magazanik

Position: Director of public relations and administration department in the Privacy Protection Agency

Personal: Age 44, married with two children

Professional: She was the director of licensing and inspection in the Privacy Protection Agency, and previously was a lawyer in civil and commercial law in the private sector.

Education: BA and MA in law, MA in literature

She has been certified by the International Association of Privacy Professionals (IAPP) for European and US requirements, and for managing privacy in an organization. She is a lecturer at the Interdisciplinary Center of Herzliya.

Published by Globes [online], Israel Business News - - on October 30, 2017

© Copyright of Globes Publisher Itonut (1983) Ltd. 2017

View comments in rows
Update by email about comments talkback
Limor Shmerling Magazanik Photo: Eyal Yitzhar
Limor Shmerling Magazanik Photo: Eyal Yitzhar
Twitter Facebook Linkedin RSS Newsletters גלובס Israel Business Conference 2018