1. Data Collection & Privacy:
Are you ready to avoid fines and build customer trust?
René Dechamps Otamendi – eMetrics Summit London - 2012
2. About me
Entrepreneur
Analytics Pioneer in Europe (Formerly OX2 in Belgium)
CEO of Mind Your Group (Spain)
Cofounded with Aurélie Pols
MYG Shareholders & Advisors:
Avinash Kaushik
Bryan Eisenberg
Jeffrey Eisenberg
Jim Sterne
More: Visit my LinkedIn Profile | Follow me: @rdo
©Mind Your Privacy, S.L. @rdo
3. What Mind Your Privacy does
• EU PRIVACY AUDIT: Compliance level assessment
• EU PRIVACY TUNING / PRIVACY BY DESIGN: EU legislation compliance (Directive and Regulation)
• FINE MAINTENANCE: Privacy by Design internal procedures & Privacy support (mainly CMO)
• EU COOKIES SPECIAL: For any Company active in Europe using cookies
Helping companies to comply with EU Privacy legislations
4. The idea?
2007
@AureliePols The West Wing
8. 2006-2008
Privacy is dead, get over it?
vs.
“Data Chernobyl”
9. 2009:
“EU Cookie law” (Directive) passes
http://web.archive.org/web/20091117195452/http://aurelie.webanalyticsdemystified.com/2009/11/10/eu-cookie-law-interpretation-is-breathtakingly-stupid/
10. 2009-2012
Countries implement the Directive
into their national legislations
Resulting ‘potentially’ in…
27 interpretations!
A mess!!!
11. 2004 - 2009
Viviane Reding EU Commissioner for Information Society
12. 2009 -
Viviane Reding EU Commissioner for Justice, Fundamental Rights and Citizenship
13. 2009 -
Neelie Kroes - EU Commissioner for Digital Agenda
14. Media is starting to talk…
http://online.wsj.com/article/SB10000872396390443389604578026473954094366.html
15. Media is starting to talk…
http://topics.nytimes.com/top/reference/timestopics/subjects/p/privacy/index.html
16. 25th January 2012
New EU Personal Data Protection Regulation announced by…
http://www.youtube.com/watch?v=uFyw_4OYWdo
17. How the EU explains the need for the new rules
http://www.youtube.com/watch?v=5ByVaZ0rg8U
18. 11th October 2012
Viviane Reding reminds everyone
that privacy is an EU fundamental right
http://europa.eu/rapid/press-release_SPEECH-12-716_en.htm
19. Why is it a fundamental right?
Let’s get back 70 years ago…
21. Back to present
A variety of commissions are set to review it
and it’s being fast-tracked
EXPECTED APPROVAL
2013
The EU PDP rules are shaping privacy policies
in other regions of the world, such as Asia
22. What’s going on with privacy?
Do we really need the new
regulation?
Why now?
23. Why and what? 1/2
Why:
• A real single digital market based on TRUST
• EU international standard setter for privacy
• The former EU PDP rules date from 1995…
• Dangers: loss of control of one’s personal data
• 72% of EU citizens are concerned that personal data are misused: companies passing data over to other companies without permission
• Businesses faced with contradictory legislation and a load of notification requirements
• Legal fragmentation is bad for business, innovation and growth
What:
• Reform eliminates unnecessary administrative burden & costs
• 1 rule for the 27 member states and 500 million people
• 1 single point of contact for PDP: the national data protection agency (DPA)
• For SMEs (less than 250 people): exemption from appointing a DPO (Data Protection Officer) + not obliged to do all the paperwork
24. Why and what? 2/2
For companies:
• Clear rules for international data transfers inside multi-national companies (1 DPA OK)
• DPA one-stop shop where the company is based and where the citizen is based
• Strong and independent DPAs (from politicians and companies)
• New sanctions
• Personal data belongs to the individual
For citizens:
• Citizens know what happens to their data
• Explicit consent
• Data portability: data belongs to them so they can move providers (can be…)
• Notification of data breaches (24 hours)
• Right to be forgotten (not always easy)
• Privacy policies must be clear and understandably written in clear language
KEY IDEA: individuals always own their personal
data; companies just manage them (trust)
25. Let’s have a closer look
at the notion of consent
PRIOR consent
26. Consent required anyway
(explicit consent)
Proposal for Data Protection Regulation requires (“consent should be given explicitly”)
BUT the European Parliament* included a line:
“the consent can be implicit only when the data subject acts in such a way that a
certain amount of personal data must necessarily be processed, for instance by asking
for particular goods or services, and in such a case the consent is referred only to the
minimum necessary”.
*Committee on the Internal Market and Consumer Protection
27. A basic rule to understand
how to manage consent
Let us imagine PERSONAL DATA as a LEGO brick
You can use it to build many different things!
The hand that handles that brick is the one deciding
how to use that brick
if (and only if)
The brick owners (individuals) agree with that specific use
SO
The hand (controller/company) will ask incremental
consent for each possible use
29. How to ask for consent!
30. How to ask for consent
31. And what about Cookies?
INFORMATION REQUIRED UNDER ALL CASES
CONSENT NOT REQUIRED:
• 1st party cookies
• Merely tech cookies
• Essential data to provide adequate service (no acceptance of collection = no service)
CONSENT REQUIRED:
• 3rd party cookies
• Tech cookies saving personal information (passwords/log-in remembered)
• Other purposes not directly related to the service to be provided (*)
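A server-side illustration of the split above, added here as an example and not part of the original slides: cookies are only emitted when the visitor has consented to their specific purpose, following the incremental-consent rule of the LEGO-brick slide. The field names (party, purpose, storesPersonalData) and the sample cookie inventory are constructed assumptions.

```javascript
// Added example (not from the original slides). Field names are assumptions.

// Consent is NOT required only for 1st-party, merely technical cookies that
// are essential to the service the visitor asked for. Everything else on the
// slide (3rd-party cookies, technical cookies that remember personal data such
// as log-ins, purposes unrelated to the service) requires prior consent.
function consentRequired(cookie) {
  const essentialFirstParty =
    cookie.party === 'first' &&
    cookie.purpose === 'service' &&
    !cookie.storesPersonalData;
  return !essentialFirstParty;
}

// Incremental consent: one flag per purpose, so a grant for 'analytics'
// says nothing about 'advertising'. Returns the Set-Cookie header values
// that may be sent and the names of cookies withheld for lack of consent.
function allowedCookies(cookies, consents) {
  const headers = [];
  const withheld = [];
  for (const c of cookies) {
    if (consentRequired(c) && consents[c.purpose] !== true) {
      withheld.push(c.name);
      continue;
    }
    headers.push(
      `${c.name}=${encodeURIComponent(c.value)}; Path=/; Secure; HttpOnly; SameSite=Lax`
    );
  }
  return { headers, withheld };
}

// Constructed sample inventory of a hypothetical shop.
const SAMPLE_COOKIES = [
  { name: 'cart', value: 'abc123', party: 'first', purpose: 'service', storesPersonalData: false },
  { name: 'remember_me', value: 'tok', party: 'first', purpose: 'remember-login', storesPersonalData: true },
  { name: '_wa', value: 'u9', party: 'third', purpose: 'analytics', storesPersonalData: false },
  { name: 'ad_id', value: 'x1', party: 'third', purpose: 'advertising', storesPersonalData: true },
];

// Visitor has so far consented to analytics only.
const result = allowedCookies(SAMPLE_COOKIES, { analytics: true });
console.log(result.headers);  // cart and _wa
console.log(result.withheld); // [ 'remember_me', 'ad_id' ]
```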
36. Current level of internet websites
Non-compliant in Spain
Over 99%
37. The Right to be Forgotten
The Directive contains the right to have personal data erased
Always? No, only where the data are no longer necessary in relation
to the purpose for which they were collected
Exceptions? Data retention for permitted reasons (historical, statistical and
scientific reasons, or reasons of public interest; a legal basis is required)
The European Parliament (Committee on the Internal Market and
Consumer Protection) amended the article regarding the Right to
be Forgotten, changing “the right to be forgotten” into “the right
to have such personal data erased”
• It seems everything will remain as usual (right to erasure)
38. The Data Portability Right
Proposal for the Data Protection Regulation (Article 18)
2. Where the data subject has provided the personal data and the processing is
based on consent or on a contract, the data subject shall have the right to
transmit those personal data and any other information provided by the data
subject and retained by an automated processing system, into another one, in
an electronic format which is commonly used, without hindrance from the
controller from whom the personal data are withdrawn.
SOME QUESTIONS IN THE AIR:
How will formats be standardized?
Will the original controller lose the data anyway? If so, will the
original controller get the right to receive from the recipient
controller any compensation for administrative costs?
It seems rather unreasonable… This Article will need some
legal development
39. Data breach notification
The Proposal for the Data Protection Regulation (Article 31) originally provides 24 hours
to notify data breaches, but an amendment by the European Parliament (Committee on
the Internal Market and Consumer Protection) erased that limit:
In the case of a personal data breach, the controller shall without undue delay
and, where feasible, not later than 24 hours after having become aware of
it, notify the personal data breach to the supervisory authority. The notification
to the supervisory authority shall be accompanied by a reasoned justification in
cases where it is not made within 24 hours.
SOME QUESTIONS IN THE AIR:
As the text is not definitive: which option will prevail?
Some concerns exist because no specific consequences
regarding applicable sanctions are spelled out
43. EU RULES WILL APPLY TO COMPANIES NOT ESTABLISHED IN THE EU, IF THEY OFFER
GOODS OR SERVICES IN THE EU OR MONITOR THE ONLINE BEHAVIOR OF CITIZENS
UNDERSTANDING EUROPEAN SCHEMAS:
WHO IS WHO?
• Labour consultants
• Analytics services
• Logistics services
• Billing services
44. EU RULES WILL APPLY TO COMPANIES NOT ESTABLISHED IN THE EU, IF THEY OFFER
GOODS OR SERVICES IN THE EU OR MONITOR THE ONLINE BEHAVIOR OF CITIZENS
A new scope (Article 3.2):
This Regulation applies to the processing of personal data of data subjects residing in the Union by a
controller not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the Union; or
(b) the monitoring of their behavior.
And (Article 25): the controller shall designate a representative in the Union.
This obligation shall not apply to:
(a) a controller established in a third country where the Commission has decided that the third
country ensures an adequate level of protection in accordance with Article 41; or (b) an enterprise
employing fewer than 250 persons; or (c) a public authority or body; or (d) a controller offering
only occasionally goods or services to data subjects residing in the Union.
The representative shall be established in one of those Member States where the data subjects
whose personal data are processed in relation to the offering of goods or services to them, or
whose behavior is monitored, reside.
The designation of a representative by the controller shall be without prejudice to legal actions
which could be initiated against the controller itself.
45. And the fines…
1.000.000 € or 2% Global Turnover
With the current Spanish legislation (not yet the Directive):
In 2011 companies paid 20.000.000 € in fines!
46. A new risk scenario…
Privacy standards expected by EU customers will increase so...
• not providing these privacy standards will
o impact on trust
o increase the risk of suffering penalties
47. …means a new opportunity scenario
Until the regulation is enforced...
• Companies can optimize privacy-by-design solutions while testing
• Users and consumers demanding privacy appreciate organizations pioneering privacy
48. Some examples
(real examples taken from the toughest legislation
in terms of enforcement and fines: SPAIN)
49. Carrefour Credit Card
50.000 €
Cortefiel video camera
2.000 € instead of 60.000 €
50. Vodafone
60.000 €
France Telecom
6.000 € instead of 40.000 €
51. A final (practical and not lawful) recap:
EU lawmakers are determined to improve the data protection and privacy
level of Europeans (the EU Regulation contains fines up to 1 000 000 EUR
or, in the case of an enterprise, up to 2 % of its annual worldwide turnover).
The online marketing industry is aware of privacy’s importance
but feels unprepared. Note that the privacy discussion is much
older than new marketing strategies.
While consumers want to be in control of their personal data,
nobody in the marketing/advertising industry (from my own
experience) seems to feel comfortable asking clearly for
consent.
52. FOOD FOR THOUGHT
Privacy:
Increases trust
Is a brand value
& a customer experience
53. Becoming compliant
It will take time as it encompasses Online and Offline
Online means: websites, mobile, applications,
cloud services/computing…
You don’t want to be in the newspapers because
you’ve done nothing about it!
54. René Dechamps Otamendi
Thank you for your attention
www.MindYourPrivacy.com
Get your free document:
rene@MindYourPrivacy.com