Data Privacy & Protection Conference - Unlocking the Value of Digital Ethics
Boussias communication presentation, Athens June 23rd 2016 http://dataprivacy.boussiasconferences.gr/default.asp?pid=12&la=1&SpeakerId=1
2. @aureliepols
About me: MAD / BRU / SFO
1. Data Governance & Privacy Advocate for Krux Digital
2. EAG: Ethics Advisory Group for the European Data Protection
Supervisor (EDPS)
3. Chief Visionary Officer for Mind Your Privacy
• Training Advisory Board, International Association of Privacy Professionals (IAPP)
• Ethics & Privacy professor in Big Data & Analytics Master, Instituto de Empresa (IE)
• [Entrepreneur / Data Scientist? / Privacy Engineer? / Mother]
• (Dutch nationality, French mother tongue, work mostly in English, live in Spain)
2
3. @aureliepols
The European Data Protection
Supervisor:
an independent institution
responsible for ensuring the
protection of personal data by the
EU institutions and bodies
The EDPS
Giovanni Buttarelli
EDPS
Wojciech Wiewiórowski
Assistant EDPS
3
6. @aureliepols
Digital Ads & Targeting
Online Advertising surpasses TV to record annual
spend of €36.2bn
DATA load
2.5 quintillion bytes of data
are created everyday
Perpetually connected consumer
} 3 connected devices used per person in 2014
} 9h53m is the average time spent by US adult
on connected screens every day
Sources : IAB (2016), IBM (2014), Statistica (US, 2014), eMarketer (US, 2015)
DATA PRIVACY
THE NEW ERA
7. @aureliepols
DATA PRIVACY
THE PARADOX
65% of consumers do not have
confidence in the security of their personal
data.
67% are willing to share personal
data in exchange for additional services.
Source: Accenture
9. @aureliepols
Privacy actors within the data ecosystem
9
DATA
ECOSYSTEM
Citizens
Consumers
Voters
Authorities
law +
enforcement
Companies
Businesses
DATA QUALITY CLASS ACTIONS
AdBlocking
COMPLIANCE
GDPR Fines:
4% of Global Turn-
Over
10. @aureliepols
Framing digital data accountability
10
OUR
CLIENTS
DATA FLOW
RESPONSIBLITY
DATA
CONTROLLER
DATA
PROCESSOR
THEIR
CUSTOMERS
PRIVACY
RIGHTS
DATA PROTECTION / SECURITY
PRIVACY BY DESIGN (PbD)
DATA ETHICS
12. @aureliepols
One legal concept to rule them all
FTCs Fair Information Practice Principles (FIPPs)
Transparency
Choice
Information
review &
correction
Information
protection
Accountability
12
14. @aureliepols
Purpose, Consent & Data Uses evolution
Purpose
Consent
FIPPs
Data for
approved use
Before Big Data:
Purpose
Consent
FIPPsData analysis or
merging
New business
opportunity
Today’s challenge:
15. @aureliepols
The devil in the details, for our clients
Purpose = Reason for data collection, usually broad
• Website improvement, better UX
• Marketing communication
• Sharing data with 3rd parties
Consent
• Types
• Implicit: Opt-in? Double opt-in?; Explicit: Opt-out?
• Depends upon
• Type of data: PII, sensitive data, …
• Type of sector: financial, health, …
• Geography: US vs. EU, Singapore, …
15
17. @aureliepols
General Data
Protection Regulation
(GPDR) - May 25 2018
GDPR Fines: 4% of
Global Turn-Over !!!
Which variables or combination exactly?
Data types & the law: obligations vary
Hashing & encryption (by default)
17
18. @aureliepols
Tension between US PII & EU Personal Data
Personally Identifiable Information (PII) Personal Data
1. Name, such as full names, maiden name, mother’s
maiden name, or alias;
2. Personal identification #: social security # (SSN),
passport #, driver’s license #, account and credit card
#;
3. Address information: street address or email;
4. Asset information: Internet Protocol (IP) or Media
Access Control (MAC);
5. Phone #, including mobile, business and personal.
Information identifying personally owned property
such as vehicle registration # or title # and related
information.
“Personal data shall mean any information relating
to an individual or identifiable natural person (“data
subject”); an identifiable person is one who can be
identified, directly or indirectly, in particular or by
reference to an identification number or to one or
more factors specific to his physical, mental,
economic, cultural or social identity”
Based on the definition commonly used by most US States Directive 95/46/EC, the Data Protection Directive
19. @aureliepols
De-identification is a compliance exercise
From Shades of Grey: Seeing the full spectrum of Practical Data De-Identification by Jules Polonetsky, Omer Tene & Kelsey Finch,
April 1st 2016, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2757709
19
20. @aureliepols
Identification capabilities is a TRUST issue
From Data Privacy: Understanding Privacy principles and ensuring compliance of your digital activities
by Aurélie Pols for AT Internet, May 2016
20
21. @aureliepols
Moving beyond the divide: Digital Ethics
• Layer approach for data driven companies:
Privacy Engineering by Krux
• Promise to our clients’ clients: TRUST
• Bare minimum: Compliance!
VALUE / ETHICS
Respect individuals
Corporate Social
Responsibility
RISK
Do not harm
Standard Operating
Procedure
COMPLIANCE
Don’t hit people! Legislation
ETHICS
PROCESS
LAW
22. @aureliepols
For Krux, this means
22
ü Assuring compliance & limiting risk for Krux
ü Assuring our clients’ data uses are compliant with
legislations they address + global platform !!!
ü Leveraging the data to allow our clients to make
ethical decisions about their data uses
24. @aureliepols
Old and new EU Privacy rules
STABLE EU PRIVACY LEGISLATION
SafeHarbor
for international transfers
of personal data
EU Data Protection Directive (95/46/EC)
regulates personal data within the EU
EU ePrivacy Directive* on Privacy &
Electronic Communication – think cookies!
* (2002/58/EC amended 2006/24/EC & 2009/136/EC)
FUTURE EU PRIVACY
LEGISLATION
PrivacyShield
strong enough?
EU General Data Protection
Regulation (GDPR) strengthens &
unifies data protection for EU citizens
Revision of the ePrivacy Directive à
Regulation? Confidentiality for all
communications (Skype, WhatsApp, …) +
strengthen consent rules?
May 25 2018
Draft December
2016: EU DNT?
25. @aureliepols
Data Privacy laws globally?
Blue = Strong Privacy legislation - Green = Moderate - Orange = Limited ??
25
Data Balkanization vs. UN Globalization effort
Joe Cannataci
UN Special Rapporteur
Privacy in the Digital Age
27. @aureliepols
Competing on Privacy?
• Increased non compliance
risk for the data industry
• Clients will require:
ü Guidance
ü Documentation
ü Features
Privacy Engineering by Krux
27
28. @aureliepols
For Krux, this means
28
ü Assuring compliance & limiting risk for Krux
ü Assuring our clients’ data uses are compliant with
legislations they address + global platform !!!
ü Leveraging the data to allow our clients to make
ethical decisions about their data uses
30. @aureliepols
DOs
1. Define your role with the Data Ecosystem
2. Keep metadata on Purpose and Consent*
3. Undergo Privacy Impact/Risk Assessments (PIAs) for
§ Product Launches
§ (new) Data Uses
4. Document Data Flows
5. Keep data clean & to a minimum: data retention & breach
notifications
* Unless anonymization today, not tomorrow!!!
30
31. @aureliepols
DON’Ts*
1. Break the Consent chain
2. Disrespect Customer Expectations
3. Sell personal data without Consent
4. Buy data without understanding Purpose
5. Enrich data without understanding previous rules
• Unless anonymization today, not tomorrow
31
32. @aureliepols
Ethics of the data analyst
32
I shall remember data are not only numbers but actual people, that could be harmed by my work;
I shall treat data that might identify individuals with the utmost care, which includes respect for their dignity, avoiding discrimination, as
well as security best practices;
I will not do to personal data what I wouldn’t find acceptable for data related to my family, friends, loved ones or myself;
I understand personal data, PII &/or sensitive data is context based and often difficult to identify. In case of doubt, I will ask for
help or escalate in order to take the appropriate measures;
I understand data about individuals needs to travel with initial purpose of the data – the reason why it exists - & their respective
consent mechanisms;
a) I will never use data without knowing where it comes from, it’s purpose and consent mechanisms (see Quién es la Última Principle);
b) I will never sell non consented data about individuals;
c) If I sell consented data, it will be accompanied by purpose. Up to the buyer to define whether subsequent data uses are aligned.
I understand consent might be revoked and a Right to be Forgotten – i.e. deletion – could be requested, that might need to be applied;
I shall align security protocols with how personal &/or sensitive the data is;
I will keep trace and document the data used in order to minimize risk related to data uses.