Start Preparing for the DPR: Know Your Data

Organisations should not wait for the EU to finalise new privacy rules before taking action.  This was the message from the ICO last week, as the UK data regulator released a 3 year corporate plan alongside the results of a new annual survey into consumer attitudes to privacy and data protection.

Although it seems likely that the Data Protection Regulation (DPR) won’t come into force until late 2017 at the earliest, the text is expected to be agreed by all parties by the end of this year.  There is still a lot of uncertainty over the finer details of the law, including what will or will not be considered as personal data; however, it is safe to assume that many of the broad rights of individuals and responsibilities of organisations are not going to change too much.

There is therefore an opportunity for businesses of all sizes to begin some preparation now.  And one good reason to avoid delay is financial.  If you wait until the text is agreed to act, you are likely to find skills and expertise are suddenly in short supply and high demand.  When that happens prices rise and opportunists with no real expertise step in to offer quick fixes that could leave you out of pocket and no better protected than before.

The big question of course is, where do you invest now in order to save later?

These are what I think the top three issues are:

  1. Transparency with consumers is key.  Organisations will need to be able to explain in clear language what data they collect from and about individuals, and how they make use of it.
  2. Be prepared to defend your data use practices. Accountability is an important concept in the DPR, and this is about having a lawfully valid reason for your data use practices, which you are able to justify if challenged by either customers or regulators.
  3. Minimise risk wherever you can. Information about people is an increasingly valuable commodity, and that comes with increasing risks, both to the individuals themselves and to your business.  Data breaches and cyber-attacks are high profile examples, but there are others. Understanding these risks is the first step in counteracting them. Big fines are most likely to be handed out to organisations that fail to manage risks properly – and of course those fines are risks in themselves.

The first step in preparing for the impact of the DPR in all these areas comes down to one thing: Know Your Data.

To get a complete picture you need to document:

  • What data are you collecting on individuals?
  • Where does it come from?
  • What are you using it for?
  • Where and how are you storing it?
  • Who is responsible for it and who has access to it?
  • Are you passing it on to any third parties?

Of course, simply having all this information to hand is not going to make you compliant, but it establishes a baseline to build a compliance program on.

What it does do is enable you to answer questions such as: Are we keeping people properly informed about data use? Do we have a justifiable reason for our collection and use of data? Are there steps we can take to reduce unnecessary use or risk?

Whatever the final form of the DPR in terms of its scope and the level of responsibilities placed on organisations, having the answers to these questions will be key to any project designed to ensure compliance.

And if you don’t Know Your Data, all you can be really sure of is that your business is carrying unknown data risks.  In a world of both big regulatory fines and bigger possible brand damage if you are caught doing something wrong with people’s information, that’s a pretty significant risk to carry.

We Can Help

If you just need somewhere to get started, then you can sign up for our DPR Readiness Toolkit, which includes a free spreadsheet template to start documenting your use of personal information.

If you need more detailed advice and help, then please give us a call.


Why the ECJ Google Decision is Smarter Than You Might Think

One of the central issues in the ECJ Google case was whether or not the search engine was acting as a data controller or data processor.  Google’s argument was comprehensively shot down by the court.  Google determines the nature and purpose of its indexing of websites, and therefore it acts as a data controller, subject to data protection law.

Google’s business is built on its well-publicised mission to organise the world’s information.  It revolutionised search through its ever evolving algorithm and its active crawling of the web to discover new links.

As a result there are a number of things that all search engines now do:

  • Crawl the web, looking for content to index.
  • Analyse it to try to understand its meaning (e.g. through keywords) and its value (e.g. by number of links to it).
  • Analyse user queries, to figure out what people want to discover.
  • Match the query to the available content, then organise the results according to value.

The concept of value is crucial to this activity.  It has resulted in the arms race that is Search Engine Optimisation (SEO).  ‘Getting to the top of Google’ is such a valuable thing for publishers that it has a whole industry behind it.

Search engines have become more ‘intelligent’ in order to combat attempts to game the system and inflate one publisher’s measured value above another’s.  This intelligence is at the core of Google’s business, which is why it is very secretive about how its algorithm works.  However, it is this active intelligence in the system that results in its taking on the role of a data controller.

It didn’t use to be like that.  Back in the early days of the web, search engines were more passive things.  Publishers had to submit content to them, and more actively explain what it was about.  It would then more or less be added to their index automatically.  Now, although you can tell Google your content exists (such as through a site map), their algorithm decides whether or not to index it, how it will index it, and what value will be assigned to it.  This decision is also regularly re-evaluated.  Like a referee at a football match, although there are ways to influence it, Google’s decision is final.

So one solution to Google’s problem with this ECJ ruling is for the company to remove itself from the role of data controller.  This is not going to happen entirely of course, but it could potentially do so in respect of personal data.

Given its position in the EU market, it could actually do this relatively easily.  It could instruct publishers that it would not index content that it believed to contain personal data, unless specific conditions were met.

One of those conditions might be to tell Google when content contains personal data, and what the retention period of that data would be.  Given this information, which would be in the form of tags to the content, it could re-write the algorithm to take account of the publisher’s instruction.  In doing so, it becomes a data processor in respect of that data, and frees itself from responsibility.

It would of course be a massive change in its role, and a reduction in its market power.  And it would require publishers to change too.  However, it would resolve the problem.

Many commentators have said the ECJ decision is wrong because it puts the responsibility on the search engine, not the publisher.  I think it was absolutely right because search engines are relatively few in number, and they have the power to influence publishers on a large scale that regulators cannot.

In effect the ECJ has said there is a market problem with the publication of personal data. By making it the responsibility of the market’s biggest controllers, it can now sit back and watch the market take care of itself.

From the point of view of trying to find a way to tip the balance towards greater protection of personal data, it’s actually a pretty smart move.

What does the ECJ decision on Google mean for your business?

The decision by Europe’s highest court to require Google to remove links to out of date personal information from its search results has brought privacy into the headlines in a way that even the Snowden revelations fell short of at their height.  This is not really surprising because it is an issue that touches everyone in a much more obvious way.

Depending on who you listen to, the decision itself is a blow to free speech, a slippery slope to mass censorship, or a triumph for consumer privacy controls. It is difficult to say yet which of these will prove correct, if any, but one thing that almost everyone agrees on is, this could have far reaching consequences, and not just for Google.

So are there any broader implications for businesses other than Google and search engines?  I think the answer to that is yes.

First, it establishes that activity outside the EU can be subject to EU law if there is a local subsidiary that benefits from that activity.  This is big news for any data controller that sets up an EU sales office, even if the product/services being sold are themselves outside the EU.

Secondly it establishes that data aggregation or re-publishing can be seen as a separate processing activity that needs its own legal justification.  This could cause problems for social media services in particular – many of which rely on such activities.

Thirdly, it establishes that an individual has a right to prevent further use of information about them, even if it is already in the public domain.  This right is balanced with other interests, but it is still there.

It also seems that once an individual has made a request for a take down, it is up to the data controller to justify refusal.  The individual does not have to give their own reason.  So unless a company is prepared to spend time and money in making its case, the easiest solution will be to comply with the request.

It is perhaps telling on the last point that it appears from news stories that Google will soon be ready to unveil a tool to enable people to make requests.  Other companies will probably need to review if they need similar mechanisms.

These are some of the more obvious and immediate impacts; I am sure there will be many more.

ECJ Rules that Search Engines are Data Controllers

The European Court of Justice, the highest court in the EU, has made a decision against Google this week that may well prove to be a turning point for data protection rights in Europe, and provide a mechanism for individuals to exercise the Right to be Forgotten which is provided for in the draft Data Protection Regulation.

It has caused quite a stir, with many arguing that it marks a blow for freedom of expression.  However, as much as anything it has also highlighted the cultural differences between the USA and Europe.  In Europe the right of free expression is more balanced against the right to privacy.

However, the overlooked factor in most of the stories on this issue is that the ruling presents a fundamentally different view of the role of search engines as cataloguers of the web from the one most people have, and from how the search engines themselves would like to be seen.

Google argued that it is not in control of the content of pages it indexes.  As a Data Processor it could not be held responsible for the personal data on the pages it indexes, and therefore would have no liability under EU data protection law.

The court by contrast ruled that in creating its index and generating a link as a result of the search, Google is re-using the data for a different purpose. It also spelled out that the purpose was in no small part to create a market for its advertising which also appears in the search results.

The change in purpose, together with the fact that Google is in control of how the index is formed, means that it has to be seen as a Data Controller when it displays search results.  That in turn automatically means that it is responsible for the protection of the personal data, and for upholding the rights of the individual.

This is really the game changer here, and what may change the very nature of search in the future.  Or will it?

There has been an assumption that the court ruling means that Google must remove the page in question from its index. This is what has got people agitated and talking about censorship.  However, I don’t think the ruling suggests this.

Another point that is missed in a lot of commentary is that this all stems from a search based on the person’s name.  It is the appearance of the page in the search result against the name that is problematic according to the court.

Google therefore may not need to remove the page itself from its index, only the link between the name and the page.  This would enable the page itself to continue to appear in other search results that did not make use of the person’s name.

It would limit the ability to search for information about people directly, but it wouldn’t restrict the ability to find the same content on a different basis.

Of course, we are yet to see if such an interpretation is acceptable, but it would be a lot less radical than a requirement to remove the link to the content entirely.

Data Portability

Data Portability has become a major topic of interest since the EU proposed the Data Protection Regulation in 2012; however, it has been a topic of interest for quite a few years now. Most notable is the 2007 founding of the DataPortability Project. But what exactly is data portability? How does it work? Is anyone currently offering it? Why is it important?

The idea of data portability is to support the principal concepts of consumer access and control over personal data. It is essentially about giving the individual the ability to ask for and to receive their data in a re-usable format; however, an important facet of data portability is a push toward an open standard for data storage and transfer. These protocols would be shared by many large organizations. Examples include being able to get copies of bank and credit card transactions in a spreadsheet format, so that you can pass it to someone who can use the data to help with budgeting advice. Or, being able to download your Facebook profile, photos and data, so you can easily move it over to Google+.

Data portability is still in its infancy, so there are many ways that it currently works, but regardless of the methodology used, data portability is actually just one piece of the software coders know as an API. An API is an application programming interface: it’s the piece of the software that tells it how to interact with other pieces of software. So, data portability can be thought of as a large scale API.

Currently, data portability works in very simple ways. First, embed codes and links for videos give anyone the ability to post videos on another site. Pictures and blog posts can also be easily shared, particularly via special buttons on sites that allow automatic reposting on Facebook, Twitter, Digg, Reddit, Stumbleupon, etc. There’s also dynamic posting, which means that when content is posted on one social media site, it’s automatically posted to another social media account. But dynamic posting can also be the automatic posting of a link and description to a social media account (e.g. Twitter) when you post content on a site like However, probably the most exciting and interesting facet of data portability currently is OpenID. OpenID allows you to log in to one site using the information already given to the first site. So, no longer do you need multiple accounts for each site across the internet; you can just sign in with one of your already existing logins.

Some sites have taken this further than others. For instance, Twitter offers little other than dynamic posting.

Google, on the other hand, offers OpenID access and the ability to download about two-thirds of the data they have collected about you. (You can do this by going to Google Takeout, where you can download an archive of +1s, Blogger Posts, Buzz, Contact Lists, Google Drive, Google+ Circles, Google+ Pages, Google+ Photos, Google+ Stream, Hangouts, Profile, Voice, and YouTube.)

Facebook also offers OpenID, but has a larger set of uses for it than Google currently because of their connection with online games and applications like Words With Friends. These games and applications use a specific user’s Facebook data to link them to their friends, keep track of their scores, and to automatically post on their Facebook wall on the end user’s behalf. Because of this, the dynamic posting options on Facebook are much greater than those available on Twitter. And just like Google, you can download your personal data; however, Facebook offers a larger data set than Google–they even offer you a list of keywords and interests they send you targeted ads for! You can download this information in your settings under the general tab (it’s on the bottom of the page in a small blue hyperlink).

Microsoft offers varied data portability across their software. One major area they offer data portability in is their Office 365 product. In Office 365, you can import or export your data very easily using a very simple automated process built into the software itself. You have 90 days after the end of your Office 365 subscription to export this data.

So, why is data portability seen as something important? Well, first, data sharing allows for simplicity: you can use many applications with the same pictures, login, password, profile, friends, etc. with the click of a button. On a more serious level, data portability allows people to have control over their data, although at this current moment few providers make it simple to delete all of your information. Most portability currently is based on being able to export data and to use that data on other sites without harming the data already stored on the first site; however, this will soon change–at least for EU citizens–because of the new Data Protection Regulations that will be in full effect sometime in 2016. Even so, the current level of data portability keeps companies in check to a certain extent because end users are allowed to see the data being collected and therefore to make wiser decisions about what to share.

EU Data Protection Directive Safe Harbor

It is intriguing that, with all the recent discussion of reforming the EU Data Protection Directive, Safe Harbor, the US framework to comply with Directive 95/46/EC, has not been discussed very often, particularly when the necessity for US-based businesses to comply with the new EU Data Protection Regulation is such a hotly debated subject. So, let’s delve in and learn a bit about the EU Data Protection Directive and Safe Harbor.

The EU Data Protection Directive, Directive 95/46/EC, was finalized in 1995. As part of the larger framework of policies about privacy and human rights, the directive regulates the sharing of personal data between citizens of the EU and others. In a nutshell, it demands that personal data only be shared if it is processed transparently (the individual knows and consented to sharing that data); it is only taken for an explicit, legitimate purpose that is clearly defined; and it is only processed in accordance with its original purpose for being collected.

The EU Data Protection Directive also mandates that personal data only be shared with countries that have similar data protection regulations; however, this was not a very big concern until after the Internet became more prevalent. But by 2000, there were already over 360 million people online worldwide and the number of users was increasing every day. Because of this, concern arose about what this meant for EU citizens and the private data they share with US-based organizations. So, the European Commission and the US Department of Commerce produced a framework for how US-based companies could comply with these regulations.

US-based companies who wish to comply with the US version of the EU Data Protection Directive, Safe Harbor, must uphold seven principles–notice, choice, onward transfer, access, security, data integrity, and enforcement. Notice and choice are connected: people must be informed about the data collection, its uses, transfers to third parties, and how to opt out of data collection.

Onward transfer is the policy that one entity may only pass data on to a third party if they are both already following all of these principles (and of course the original collector gave notice and got consent)–unless that third party is contracted by the data collector to process data solely for the data collector. Security means that the company must take reasonable measures to secure private data. Data integrity means that the data must be relevant to the purpose it was taken for. Access means that people must have access to their data and easily be able to correct incorrect personal data. Finally, enforcement is the policy that these principles must be enforced by a third party.

After this legislation passed in the US, the EU issued a final commission decision, 2000/520/EC, declaring “the adequacy of the protection provided by the safe harbour privacy principles”.* However, since then, the Safe Harbor framework has been heavily criticized. This leaves one to wonder whether, after the reform of the EU Data Protection Directive, Safe Harbor will be reformed or completely replaced with a new framework or…?

EU Data Protection Regulation

The EU Data Protection Regulation is a proposed new set of legislation that would replace the outdated Directive 95/46/EC, passed in 1995 before the Internet became commonplace. This new regulation, once in effect, would limit the non-consensual sharing of personal data between individual citizens of the EU and third parties, with limited exceptions for governmental investigations. Its purpose is to keep the personal data the property of the person who the data is about, which is why a major part of the reform is “the right to be forgotten”. This right would not only allow any EU citizen access to their personal data at any time, but would allow them to request that the collector of the data delete it at any time; however, some MEPs think this “right to be forgotten” is too difficult to actually implement.

Some countries within the EU already have passed data protection regulations to fill in for the gaps left by Directive 95/46/EC. In fact, Viviane Reding noted in her speech about the regulation that in many ways this new policy is bringing the German policies to the whole of the European Union.* Currently, however, because of the divergence of laws that organizations must meet, running a business or conducting a police investigation all across the EU can be frustrating, time-consuming, and expensive. Having a unified European Union Data Protection Regulation will end these issues, and is a major reason for the new legislation.

However, the major reason for updating the 1995 Directive is focused on the citizens and their sense of trust online. The EU Legislators recognize the growing role of technology and EU citizens using that technology in the future development of their economic growth; therefore, they wish to implement proactive measures to make people able to safely and securely use that technology. Or as they write in the 25th January 2012 proposal, “Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe, and more generally in the Europe 2020 Strategy.”

The EU Data Protection Regulation is currently being debated and amended. It is expected to go into effect sometime in 2014, with full compliance being mandated by 2016. Entities found breaking these new mandates could incur fines of up to 1 000 000 EUR depending on the severity of the infraction.

EU Data Protection Reform

The EU Data Protection Regulation is a proposed reform to Directive 95/46/EC. Originally passed in 1995, Directive 95/46/EC, or the EU Data Protection Directive, is a European Union law focused “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”

In a nutshell, it prevents the personal data of anyone in the European Union from being shared with anyone else without the express consent of the person the data is about. It should be mentioned, though, that this legislation was passed before the advent of the Internet, so there is little to no way to regulate the sharing of personal data on the Internet at this moment all throughout the Union. However, some of the member states have their own data sharing regulations, which companies must follow if they do business in each of the individual states, something that is currently both a tedious and expensive process. For this and many other reasons, on the 25th of January 2012 the European Commission stated their desire to ameliorate Directive 95/46/EC.

The original legislation, Directive 95/46/EC, went into effect on the 24th of October 1995. However, it too is actually a continuation of Convention 108, which focused on protecting individuals in relation to “automatic processing of personal data” and passed on the 28th of January 1981. The proposal to reform the Data Protection Directive was submitted on the 25th of January 2012. The data protection reform should be done by 2014, and should go into effect sometime in 2016.

The EU Data Protection Regulation’s main purpose is to extend the EU Data Protection Directive 95/46/EC to cover the massive changes in technology and the increase in globalization that have happened since 1995. Due to these changes, some of the countries in the EU have added individual personal data sharing regulations to their own laws. The new EU data protection reform will make the laws consistent across the Union–as well as have provisions for outside countries who wish to do business within the Union. Those who disobey the laws may incur hefty fines of up to 1 000 000 EUR.

And it will update the complementary Framework Decision 2008/977/JHA, which regulates the protection and interoffice sharing of personal data in police matters. In other words, this privacy regulation would not interfere with the government’s right to supersede these policies if it is reasonably justified and in the best interest of the state as a whole, such as to stop a terrorist attack.

However, the major concern of the EU is about individual security and safety while using online commerce. The policy aims to make data sharing simpler, more transparent, optional, and safer so that more consumers feel safe in the digital market. Which is why they write in the proposal for the Data Protection Reform, “Building trust in the online environment is key to economic development. Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe, and more generally in the Europe 2020 Strategy.”

Some people, though, including certain US-based companies, feel that these regulations go too far. Two major issues are that any data breaches must be reported within 24 hours and “the right to be forgotten”. The former is an issue because many companies do not like to divulge that their security systems have failed because they see it as a brand malfunction. And the latter is problematic to many companies because it means that the consumer will now have access to their “profile”, be able to delete or move it to a competitor at any time, and be able to completely opt out of that sort of data collection altogether, which they see as a potential threat to internet direct marketing.

Data Protection Officer

What is an EU Data Protection Officer?
A data protection officer is a designated person, within an organization that collects the personal data of Union citizens, who is responsible for making sure that the organization follows the new regulations. They are appointed for two year periods and can only be terminated if they fail to fulfill their duty; however, they can be reappointed indefinitely. Like the rest of this legislation, the DPO would be mandated sometime in 2016 pending the finalization of the reforms in 2014.

While all people who collect personal data in the Union will be accountable to the law, Article 35 of the proposal says that only certain data collecting entities must have a designated data protection officer. These entities are “a public authority or body”, “an enterprise employing 250 or more persons”, or someone whose “core activities… require regular and systematic monitoring of data subjects.”*

The DPO has several duties that are spelt out in Article 37 of the proposal. First, they must “inform and advise the controller or the processor of their obligations… and to document this activity and the responses received.”* Next, they are to monitor the “implementation and application”* of the organization’s policies and training on data management as well as monitoring the application of these policies. They must also keep documentation on (according to Article 28) at least the name of the data collecting entity, contact details of their DPO, purpose of the data processing, types of subjects and data, “recipients of the personal data”, whether or not data is transferred outside the EU, and the time limits for data erasure. Likewise, they must monitor personal data breaches and “the response to requests from the supervisory authority”*. And they have a variety of roles in relation to the supervisory authority, including cooperating with the supervisory authority if requested and being the supervisory authority’s contact person in the organization.

The Data Protection Officer is one of the areas of the EU data protection reforms that’s being heavily debated, however. The major areas of contention are on the importance of the DPO, how much work this actually is, and the criteria for deciding who does and does not need a DPO.

The general assumption is that the legislation means that the data protection officer is someone’s full-time position. But some of the MEPs working on the reform suggest that a full-time DPO is unnecessary because they could do the work part-time while performing other duties. And there are some who think that the DPO is superfluous.

The Union originally adopted the German model wherein any company with over 250 employees would have to appoint a data protection officer. This requirement, Viviane Reding argues**, will help small businesses to avoid getting overly burdened by administrative costs and work. However, Jan Philipp Albrecht–the regulation’s rapporteur–has suggested revisions that alter this model to focus not on employees, but on how many people’s data is collected. His model states that any company collecting data on 500 or more EU citizens must have a DPO.

Data Protection Act

The Data Protection Act is a 1998 United Kingdom Act of Parliament that makes the United Kingdom compliant with the EU Data Protection Directive which passed in 1995. It’s a very large and complex act that has unfortunately confused some people; however, it has eight principles, which are rather simple to understand.

The first data protection act principle is that “Personal data shall be processed fairly and lawfully”*. To clarify that, it states that “fairly and lawfully” more specifically means meeting the following two principles.

The second data protection act principle is that data can only be collected for specific, lawful purposes and cannot be used for anything that is contradictory to that purpose. The third principle is related: the data collected must be relevant to the original purpose and no more or less ought to be taken.

Data protection act principle four is that data must be accurate and up to date. Principle five is that the personal data must be deleted after the initial purpose is complete. The sixth states that data collection must account for all of the rights in the Data Protection Act.

Principle seven makes entities accountable for data loss by mandating that they have security protocol in place on any device that has personal data on it. And principle eight declares that no data should be transferred to a country “unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”*

There are some exceptions to this act. The most notable is that the rights of the individual can be superseded if it is a matter of national security. Likewise, data collected in order to prevent or stop crime is exempt from the data protection act. But there are also certain exceptions for handling your own personal data because it is assumed that you will adopt the level of data protection that you already feel most secure with.

While the Data Protection Act has been in effect, however, there have been major technological advances. For instance, the Internet has become an everyday phenomenon and many companies collect extensive personal data and make individual profiles about each person. With that and the horizon of amazing technological advances ahead of us, many people feel that this act no longer goes far enough. However, the outdated Data Protection Act will be replaced by the larger scale EU Data Protection reforms that should be finalized by 2014 and mandated by 2016.