General Data Protection Regulation Top Ten Issues

The ink is barely dry on the draft, but the EU General Data Protection Regulation (GDPR) looks set to change the regulatory environment for personal information not just in the EU, but around the world. Its aim is to create a legal infrastructure for the use of personal data that is fit for purpose, both today and in the future.

The GDPR was designed to increase legal certainty with regards to information flows both within the EU’s borders and beyond. It also introduces stronger consumer protections, with requirements for greater transparency and accountability about how data is used by businesses, not-for-profits and governments alike.

This is intended to give individuals increased trust in data practices.  Consumer research in the last few years has shown consistently high levels of concern and lack of trust in this area, and this is believed to be a potential brake on the future growth of digital technologies.

However, in order to achieve these goals the GDPR does come with some stings in its tail. It places much greater requirements on businesses to communicate effectively with customers, and obtain much clearer consent for the use of their data.  Organisations also have to provide customer choice mechanisms, and there is a greater emphasis on documenting data processing activity. And then of course there are the fines.

At over 200 pages it is a very wide-ranging instrument.  However, for those who haven’t had time to read it yet, these are what we think the top 10 issues for most organisations will be.

1.  A broader definition of Personal Data

As we predicted earlier, the scope of what constitutes ‘personal data’ has explicitly been broadened to include any information ‘relating to’ an individual. This specifically includes ‘online identifiers’ so cookies and the advertising IDs seen in the mobile eco-system will be caught up, along with anything that contributes to identifying an individual, or links to such identifying information. This has some widespread implications for online tracking in particular.

2.  A higher bar for consent

Whilst the final text shied away from explicit consent as a requirement, except when special categories of (sensitive) data are concerned, there is still much emphasis on gaining consent through active user mechanisms like tick boxes.

A key part of the test of the validity of consent is whether consumers understand what they are agreeing to, and are given a meaningful choice. There is also a significant shift in the burden of proof.  You will need to be able to provide evidence that you obtained consent from specific data subjects, which is going to require much better record keeping for many organisations.

3.  Data Protection Officers

Although not a universal requirement, many organisations will be required to appoint a Data Protection Officer (DPO) to oversee data uses and ensure compliance with the law. They will be mandatory in the public sector, but for private sector organisations the key test will be whether the organisation is involved in “systematic monitoring of data subjects on a large scale”; however, it is not clear at this time how ‘large scale’ will be interpreted.

Earlier, more detailed requirements for the skills and experience of the DPO, and guarantees over their employment, have been dropped, but a key issue in the short to medium term will be a lack of the right people to fill such roles.

DPOs however can be outsourced, which may create a market for new services, especially to cater for the needs of smaller businesses.  The DPO responsibilities can also be given to someone alongside other work within the organisation, as long as this does not create a conflict of interest.  So training existing staff into the role could be a viable option for many.

4.  Transparency and Accountability

The GDPR scraps the need for controllers to register with their Data Protection Authority (DPA), but replaces this with a requirement to both better inform data subjects about practices and rights, and to keep records that can be made available on request – such as in the event of a data breach or a compliance complaint.  Such records are about demonstrating that the organisation has thought through the impact of its systems and processes, and made informed choices about how to comply with the GDPR.  The Data Protection or Privacy Impact Assessment (PIA) is one example of such documentation.  It is intended that a PIA will show that an organisation has considered the risks associated with its particular personal data practices, and taken reasonable steps to control or mitigate them.

There are also new requirements on the level of detail that organisations must provide to data subjects about their practices, as well as a need to make sure that this information is both accessible and easy to understand. In particular there is a need to explain the logic behind decisions made on the basis of analysing personal data – which may have particular significance in some sectors that have relied on such processes being largely secret. Organisations are also expected to inform subjects about their rights and how to exercise them.

5.  Data Protection by Design and Default

Although references to this have been cut back in comparison with earlier versions of the text, the GDPR requires that the design of systems and processes give consideration to compliance with the principles of data protection. Particular emphasis is placed on the ideas of only collecting data necessary to fulfil specific purposes, discarding it when it is no longer required, and protecting data subject rights.

It also sets up the possibility for the development of certifications and codes of practice that organisations can follow to help meet these requirements.  Keep an eye out for these as they develop.  In particular we expect DPAs to get involved in this area.  They will be losing their registration fees and therefore needing new sources of income.  In the UK the Information Commissioner’s Office (ICO) has already been developing this idea, so expect it to continue. Trade bodies are also likely to have a role to play here.

6.  The Right to Erasure and Data Portability

These new data subject rights are likely to pose challenges for many organisations. The right to erasure is a clarification of the much talked about ‘right to be forgotten’.   Although the circumstances when the right can be exercised have been made clearer, the balancing against other rights and obligations is still needed.

The right to have a copy of your data in a machine readable form to transfer to another provider may be difficult at first, but it could also lead to better systems interoperability in the longer term – which is already a growing technology trend.  In particular this provision may facilitate the development of the market for ‘personal data stores’, an idea that has long been talked about, but not yet fully realised as providers have struggled with sustainable and scalable business models.

7.  Removal of Subject Access Request Fees

Data subjects have a right to know whether or not an organisation is processing their personal data, what that data is and the purposes of the processing.  The GDPR removes the ability to charge an upfront fee for providing such information, and there is a risk requests will increase as a result of this, pushing up costs.  Current allowable fees don’t exactly cover the cost of a Subject Access Request (SAR), but are seen as a deterrent to time wasters.  If companies are no longer able to charge fees, it is feared this could open the floodgates to many more SARs.

Companies will be allowed to charge for subsequent copies of the same data, which may reduce the risk of this to some extent. However, it may be worth investing in making sure you can respond to such requests as efficiently as possible, which will not be easy in many cases.

8.  Reporting Data Breaches

Data controllers will be required to report data breaches to their DPA, unless the breach is unlikely to represent a risk to the rights and freedoms of the individuals concerned. However, this qualification may be difficult to judge, so in many cases it will be safer to notify. The notice must be made within 72 hours of becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified.

Where the risks to individuals are high, the data subjects themselves will also need to be notified, although a specific timescale is not specified for this.  It is also worth noting that the DPA can instruct an organisation to inform data subjects if it hasn’t already, so we can expect to see further guidance on the circumstances when it would be correct to do so.

9.  Fines

The GDPR very deliberately raises the bar in terms of the ability for DPAs to issue fines for breaches of the rules.  They can go as high as 4% of global turnover.  Not only are these designed to ensure data protection becomes a board level issue; by taking into account worldwide revenues, they also seek to sidestep attempts by multinationals to engage in fine-avoidance business structures.

It is also worth noting that fines can be levied without the necessity to demonstrate harm – although the largest ones will likely be reserved for cases where data subjects have directly suffered damages.

10.  Data Processor Responsibilities

Organisations that only process data on instructions from their client are not directly covered by the current data protection regime.  Their actions were assumed to be governed by agreement with the customer, who would be the data controller and therefore directly responsible for the actions of the processor. However, this all changes under the GDPR, and processors now have direct legal obligations and responsibilities.

In particular this means that processors can in certain circumstances be held directly liable and be required to pay compensation to a data subject. It will therefore become very important to establish the contractual relationships and liabilities of the different parties in a controller/processor relationship, and the costs of some services by processors may rise to offset additional risks and insurance costs.


We hope you find this useful.  In future posts we will look at more details of what you can do to prepare, as well as looking into each of these areas in more detail.

In the meantime, if you have any questions and would like to know more about how the GDPR might affect your business, do get in touch and we will be happy to help.


Learning From Ashley Madison


The recent theft and subsequent leaking of the personal information of users of the Ashley Madison dating site for married people, and of the other brands in its stable, is not the biggest data breach the world has seen in the last few years, but it is quite probably the most controversial.

Whatever people choose to think about the basic premise of the business, or the people that signed up to its services, the hacking and subsequent release of the data is illegal and quite likely to lead to serious harm for some of the users of the site.

It is therefore right that everybody who deals in the handling of personal data should look to see what they can learn from this event.

Context is King

The sensitivity of information, and therefore the lengths one should go to protect it, is often more reliant on context than the information itself.

Email addresses are personal information, yet they aren’t generally thought of as particularly sensitive or in need of close protection.  After all, they are about communication, so they are designed to be shared.

Stored in a database of people supposedly looking for an extra-marital fling however, is a completely different ball game.  As has been pointed out elsewhere, some of the emails leaked indicate users in Saudi Arabia, where adultery is a capital offense.  Though we don’t know it yet – the hackers may have condemned some people to death.

At the very least it seems inevitable that the marriages and careers of many people will be ruined.  It doesn’t even matter whether any wrongdoing took place: suspicion arising from the mere presence of an email address in the data will be enough to change some people’s lives forever.

Transparency, Transparency, Transparency

Amazingly enough, the privacy policy on the site is not that long or complicated.  However, it is clear that different versions are served up to different users.  On first access I noted my location was recorded as in the UK, and I got a policy from Praecellens Limited, operating out of Cyprus.  However, I could switch my location to the USA, and then be served the policy from Avid Dating Life Inc. of Canada.

What strikes me is that even a cursory reading rings huge alarm bells.  For a start the Cyprus policy, presumably for EU readers, is different, but it still uses US-style language, with lots of references to PII rather than Personal Data. So immediately it seems like a half-hearted job.

More importantly, it makes clear that although some information ‘may be considered as sensitive’ – the policy allows for any personal information to be sold to unspecified third parties for marketing purposes.  At the same time the policy also stresses how important privacy is to the business.

Of course we know that nobody reads privacy policies, and this seems to prove it.  I find it difficult to believe that anyone contemplating embarking on a clandestine affair would knowingly agree to such unspecified information sharing that could easily lead to legal disclosure of their use of the site.  All of which tells me that there needs to be clearer ways of surfacing this kind of information, and clearer indications of consent – something of course being called for under the EU Data Protection Regulation.

Beware the All Seeing Cookie

Running a very brief scan over a few of the public pages on the site we identified trackers from Google, Facebook and Twitter on the ‘Infidelity News’ blog.  These are all organisations that can tie online behaviour directly to real identities, meaning the site is directly leaking at the very least ‘interest’ data about identified individuals in a way that could immediately impact their wider social profiles unless they are extremely careful.

However, the site clearly ignores EU cookie law requirements for consent.  It doesn’t even notify visitors, let alone give them some control.  Yet this is very clearly the sort of site that users might want to keep out of their browsing history.  Not giving users the option of simple controls is not only a breach of the cookie rules, it shows either a cavalier attitude to privacy, or ignorance of the power of the cookie to identify individuals.
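The "very brief scan" for third-party trackers described above is something any site owner can run against their own pages before a regulator or a journalist does. The following is an added example, not code from the original post: an offline Python scanner that parses a page's HTML, lists every host that scripts, images, iframes and stylesheets are loaded from, and flags hosts that are not the first party. The sample page and the small vendor table are constructed for the example; a real audit would compare against a maintained blocklist and would also inspect the cookies those resources set.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed vendor table for the example. Hosts that appear in a real audit
# should be checked against a maintained tracker list rather than this table.
KNOWN_TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Facebook SDK",
    "platform.twitter.com": "Twitter widgets",
}

# Constructed sample page: one first-party script, one first-party CDN
# stylesheet, and three resources loaded from third-party hosts.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script async src="//www.google-analytics.com/analytics.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
</head><body>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<iframe src="https://platform.twitter.com/widgets/follow_button.html"></iframe>
<img src="/images/logo.png">
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collects the URLs of resources a browser would fetch when rendering the page."""
    SRC_TAGS = {"script", "img", "iframe"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag in self.SRC_TAGS and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "link" and attrs.get("href"):
            self.urls.append(attrs["href"])


def site_of(host):
    """Approximate registrable domain: the last two labels of the host.
    (Good enough for example.com; a real tool should use the public suffix list.)"""
    return ".".join(host.lower().split(".")[-2:])


def resolve_host(url, page):
    """Return the host a resource URL resolves to, given the parsed page URL."""
    if url.startswith("//"):               # protocol-relative URL
        url = f"{page.scheme}:{url}"
    parsed = urlparse(url)
    return parsed.netloc.lower() if parsed.netloc else page.netloc.lower()


def scan_third_party_resources(html, page_url):
    """Map each third-party host found in the page to its vendor label and URLs."""
    page = urlparse(page_url)
    collector = ResourceCollector()
    collector.feed(html)
    findings = {}
    for url in collector.urls:
        host = resolve_host(url, page)
        if site_of(host) == site_of(page.netloc):
            continue                        # first party (including its own CDN)
        entry = findings.setdefault(host, {
            "vendor": KNOWN_TRACKER_HOSTS.get(host, "unknown third party"),
            "urls": [],
        })
        entry["urls"].append(url)
    return findings


if __name__ == "__main__":
    for host, info in scan_third_party_resources(SAMPLE_HTML, "https://www.example.com/blog/").items():
        print(f"{host:32} {info['vendor']:24} {len(info['urls'])} resource(s)")
```

Every host this reports is one that learns the visitor's IP address and, via its own cookies, can often link the visit to an identity it already holds; that is exactly the "interest data" leak the post describes, and it happens before any consent banner is shown.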

Privacy is not Security

It also seems that, despite the promises about the importance of privacy, little thought was put into it when designing the system.

Email addresses were allowed to be on the system unverified – breaking data protection rules about accuracy of data as well as opening up non-users of the system to potential harm. Although the company claims that sensitive information is encrypted at rest on disk, as noted above, in this case even emails are sensitive, and were clearly not encrypted. Or at least not encrypted well enough to prevent their release.

Similarly, it has been widely reported that the password reset feature can be used to effectively reveal the email addresses of users registered on the site.
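The two design flaws just described, unverified email addresses and a password reset that reveals who is registered, are both cheap to avoid at design time. As an added example (not the site's code, and not from the original post), the Python below contrasts a reset handler whose reply depends on whether the address exists with a hardened one that gives the same reply either way, and only ever mails addresses whose owner has confirmed them. The in-memory store, the outbox standing in for a mail sender and the token lifetime are all constructed for the example.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # constructed lifetime for a reset link


def _digest(token: str) -> str:
    # Only a hash of each token is stored, so a leaked table cannot be redeemed directly.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """Minimal in-memory account store, constructed for this example."""

    def __init__(self):
        self.accounts = {}        # email -> {"verified": bool}
        self.pending_verify = {}  # token digest -> email awaiting confirmation
        self.reset_tokens = {}    # token digest -> (email, expiry timestamp)
        self.outbox = []          # (email, message) pairs a real system would send by mail

    def register(self, email: str) -> None:
        """Record the address but treat it as untrusted until its owner confirms it."""
        self.accounts[email] = {"verified": False}
        token = secrets.token_urlsafe(32)
        self.pending_verify[_digest(token)] = email
        self.outbox.append((email, f"verify:{token}"))

    def verify_email(self, token: str) -> bool:
        """Mark an address as owned by the registrant when the emailed token comes back."""
        email = self.pending_verify.pop(_digest(token), None)
        if email is None:
            return False
        self.accounts[email]["verified"] = True
        return True

    def issue_reset(self, email: str) -> None:
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_digest(token)] = (email, time.time() + RESET_TTL_SECONDS)
        self.outbox.append((email, f"reset:{token}"))


def request_reset_leaky(store: AccountStore, email: str) -> str:
    """Enumeration-prone pattern: the reply itself says whether the address is registered."""
    if email not in store.accounts:
        return "No account found for that email address"
    store.issue_reset(email)
    return "A password reset link has been emailed to you"


def request_reset_safe(store: AccountStore, email: str) -> str:
    """Hardened pattern: one reply for every input, so the response reveals nothing.

    Mail goes only to verified addresses, so a registration with someone else's
    email cannot be used to target them. Rate limiting per address and per client,
    which a production handler also needs, is left out to keep the example short.
    """
    account = store.accounts.get(email)
    if account is not None and account["verified"]:
        store.issue_reset(email)
    return "If an account exists for that address, a password reset link has been sent"


def redeem_reset(store: AccountStore, token: str):
    """Return the email a valid, unexpired, single-use reset token belongs to, else None."""
    entry = store.reset_tokens.pop(_digest(token), None)
    if entry is None:
        return None
    email, expiry = entry
    return email if time.time() <= expiry else None


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.com")
    print(request_reset_leaky(store, "nobody@example.com"))   # reveals the address is absent
    print(request_reset_safe(store, "nobody@example.com"))    # identical to the registered case
```

The contrast is only in the reply text and the verified-address check; what matters for the post's point is that with the hardened handler the presence of an address in the database is not observable from the outside, which is the property the site is reported to have lacked.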

Some reports have suggested that the security on the site is generally better than many others, which also manages to highlight quite well that security and privacy are two different realms. I don’t know whether or not the company carried out any kind of privacy impact or risk assessment.  However, it seems obvious now that not enough attention was paid to privacy concerns in the development of the platform and its services.

A Watershed Event?

The nature of the business makes it an obvious target for malicious attack. If more thought had been given to privacy, it would not have made a breach any less likely to happen; however, it may have reduced the impact.

The very nature of the potential damage here could in fact become a force for change in the way that the law looks at privacy harms.  Most law courts reduce harm in data breaches to financial loss.  Many actions fail because direct financial harm is very difficult to establish.

In this case, financial harm is likely to be way down the priority list of members.  It will be the harm to their personal lives – in many cases irreparable – that will almost certainly be the focus of the inevitable lawsuits.  How the courts deal with this could open the door for the wider recognition of non-financial harms in breaches of privacy – and that may make this a watershed event.

UPDATE 24 August:

Sadly, just three days after writing this post, my worst fears appear to have come true: two Ashley Madison users who had their personal details published, have reportedly taken their own lives as a direct result. My deepest sympathies go out to their loved ones.

Facebook Data Practices Breaking EU Law


With limited information and an absence of meaningful user choice, Facebook’s behavioural profiling and resulting targeted advertising practices do not meet the requirements for legally valid consent, according to a new report (PDF) from experts at the University of Leuven and Brussels Free University.

The report was commissioned by the Belgian Data Protection Authority, the CPP, and is an in-depth analysis of both data practices and the notices and policies given to users to explain them.

Some of the interesting findings of the report are:

  • Opt-out controls for advertising are not clear or comprehensive enough to meet the standard of consent under data protection law.
  • User privacy settings can lead to a false sense of control, as they do not really limit how Facebook can use data for advertising purposes, more just what other users can see.
  • Use of user generated content by Facebook for commercial purposes is particularly singled out as controls to prevent this are largely absent.
  • Many of the contract terms could be considered as unfair practices under consumer protection laws, including the licences to re-use copyright material claimed by Facebook.
  • Some adverts may be considered to be equivalent to direct marketing communications, which by law require opt-out controls, which are not provided.
  • Use of location data should be subject to opt-in rather than opt-out consent.

There was also an example of how user sentiment can be easily twisted or removed. An advert for a fitness program appeared to have been endorsed by a user who had in fact been critical of it.

The authors also highlighted a point that is often overlooked: Facebook is not so much a social network as it is a ‘vast advertising network’ – and this has become especially true as it has acquired other businesses like Instagram and WhatsApp.  These two in particular have helped it obtain more detailed information about its users.

Additionally, following the acquisition of ad platform company Atlas Solutions from Microsoft, it has created a new opportunity to advertise to people while they surf, or ‘off platform’ as it is often called.

This capability was something I have commented on elsewhere – and I understand the research team will be looking in more depth at this in the future.

It’s Not the TV that’s Smart

Samsung came under fire recently when it was revealed that the privacy policy on its latest line of Smart TVs warned anyone bothering to read it not to say anything of a sensitive nature within range, because it might just send your conversation off to some unspecified other company for analysis.

Then just a few days later it came to light the company was investigating an error that caused unexpected adverts to interrupt some programs.  One suspects the concern here is more aligned to whether or not those ads were being properly paid for, than any privacy issues it might raise.

Some people might also remember how one expert uncovered the fact that another brand of Smart TV, this time from LG, was transmitting viewing data back to corporate HQ, even after changing a setting supposedly designed to stop it.

To my mind, what these stories all really reveal is that these devices are basically mislabelled.  They are not smart at all.  And I don’t mean that in the sense of ‘a bit less clever than we have been told’ either.

Smart in this context is really just a euphemism for ‘Connected’.  All of the processing that makes the TV appear smart is being done somewhere else.  And in the case of Samsung’s voice recognition feature – by another company completely.

The same is true for almost any device being sold with a Smart label.  The smart bit happens somewhere else, so in order to be smart the device has to send out loads of data – much of which can be personal in itself, or used to infer things about us that we would rather it didn’t.  Try disconnecting your smart device from the internet, and you quickly discover that it is pretty dumb.

My guess is that a lot of people kind of realise this fact.  Of course the device manufacturers would also claim that they are being open with buyers about this, by pointing to the ubiquitous but never read privacy policy which we all dutifully agree to in order to make our devices actually work.

But here is the thing.  If they were called Connected TVs, it would be a little reminder every day of the reality – that your screen is gathering just as much, if not more input about you and your preferences, as it is providing output.  It would also tell us that the bit that we own – the bit that actually sits in our home, is in fact subservient to a data crunching server somewhere else in the world, and we have no idea what it knows, or thinks it knows about us. It would remind us that far from having bought something we value for a fixed and fair price, we have in fact signed up to give something else away, our data, that has an ever-increasing value to other people who will strive to exploit that for their own maximum gain. Where do you think the smart is in that?

A Smart TV however sounds like the bit of hardware I have is the clever thing, which of course makes me clever for buying it.

I’d like to own a Smart TV, one that can understand what I like to watch, give me suggestions for new shows, maybe record things automatically when it knows I’m going to miss them.  But my Smart TV has to work for my benefit only, and it has to be able to do it without sending loads of data off to who knows where.  I would rather expect it to collect data from the web to my advantage.  It would find ways of skipping over the ads if I wanted it to – because it was working for my interests, not those of someone else’s business model. My Smart TV would be smart enough to hold all my data locally, jealously guarding my privacy above all other interests if I wanted it to, but trading it if it was to my advantage.

My Smart TV would be both mine and smart in every sense of those words.  I’d be happy to pay a good sum of money for it.  Unfortunately it doesn’t exist.

As for the current crop of Connected TVs, you would have to pay me a princely sum to put one of those in my living room in exchange for my information. Who’d like to make the first offer?

Google Gets Sanctioned for Dutch Data Protection Law Infringements

The Dutch Data Protection Authority, the CBP, has this week issued sanctions against Google which could result in a fine of up to 15 million Euros if it doesn’t make significant changes to its privacy policy by February 2015.

Back in 2012, Google decided to combine all of its services under a single privacy policy, ostensibly for the purpose of simplification.  At the same time this enabled it to combine user data from its diverse services, some of which it acquired rather than developed, into what amounts to a single customer view, and one that is probably a more complete picture of a larger number of people than almost any other company on the planet, save perhaps for Facebook.

This change raised immediate concerns about whether the new policy was in line with EU data protection laws.  In particular the focus has been on whether the company was giving people sufficient information about its practices, and therefore whether any consent could be considered valid.

The DPAs in six EU countries (France, Germany, the UK, Italy, Spain and the Netherlands) decided to investigate further.

In November 2013, the CBP made the decision that the policy was in breach of the law, and outlined the steps needed to bring the company into line.  The new sanctions are the end result of this decision and will kick in from the end of February 2015 if Google fails to meet all demands.  The CBP has said the sanctions will be ‘incremental’. Although it fails to clarify what this means, it would seem logical to assume that the size of the fine will rise over time as long as the company remains non-compliant.

Transparency and the Privacy Policy

I don’t know you, but I do know you are a liar.  Don’t worry though, so am I.

Practically everyone online has at some point ticked the box to say they have read/understood/accepted a privacy policy without actually doing so.

Yet, in a data driven world, they are important documents, the basis on which organisations gain consent from customers/visitors to collect and manage personal data. As a result they are often written in language that most people don’t fully understand, and are longer than Shakespeare plays to make sure they cover all eventualities. No wonder very few people read them.

There have been lots of attempts to improve privacy policies of course. The Information Commissioner’s Office in the UK has published guidance and the EU Data Protection Regulation proposes a ‘layered’ pictographic model.  The idea is laudable, but they ruin it with a mandatory set of icons (PDF – go to pg.115) that are terrible in almost every single way.

However the problem is not really with the privacy policy itself as a document, it is the fact that it has been mis-sold to consumers.  They are led to believe its purpose is to inform.  However, if that were true it wouldn’t be buried in a link at the bottom of the page, and written in dense legalese.  Website designers and copywriters know how to inform people online.  The privacy policy is the document on any website least likely to inform the visitor in any meaningful way.

The reality is that the privacy policy is designed to protect the owners, especially in the case of a dispute.  There is nothing wrong with this but it doesn’t fulfil the more common need for accessible information about privacy practices at the company.

This lack of clear information is an increasingly significant problem for business.  Many surveys have shown that people don’t trust companies to keep personal information secure or not to mis-use it.

There is also significant risk when companies use data in ways that may be legitimate in terms of the privacy policy, but are unexpected by consumers.  The idea of Surprise Minimisation is gaining ground, but privacy policies do not support this kind of approach.

Rather than try to reform privacy policies, we think it is better to introduce something new, something that has the sole and clear purpose of informing the visitor about privacy and data practices, and fully supporting the concept of surprise minimisation.

That something is what we are labelling a Transparency Notice.  You will find one at the top of this page, looking like this:

transparency notice icon

Hover over the icon (the one at the top of the page, not this one) and you are presented with a short overview of our information practices.

The visual and language style is deliberately designed to engage.  It avoids legal terminology while providing enough information to create accurate consumer expectations of data practices.

For the mini bullet icons we borrowed from the traffic light labelling system being used in some supermarkets for food health messaging.  We realise, however, that no-one would be likely to want to use red, as it is too danger-oriented.

The green tick is meant to denote privacy protection practices, and the orange ‘i’ is for data collection practices you might want to learn more about.

Right now we regard this as a prototype, but are considering releasing it as a product, including perhaps a WordPress plug-in. If there is enough interest we could develop a simple service to enable customisation and integration into any site.

We welcome all comments and suggestions for improvements.