Tag Archives: GDPR

Birgit Sippel makes first public statement on ePrivacy – and why it shouldn’t stifle innovation

The European Parliament’s new Special Rapporteur for the proposed ePrivacy Regulation, German MEP Birgit Sippel, has made her first public statement setting out her beliefs – and she didn’t mince her words.

Speaking at the IAPP Europe Data Protection Congress, she told a sold-out event that online and offline privacy should be afforded the same status:

“Would you allow a stranger to go into your bedroom or look through your drawers without your permission?” she asked. “No, you probably wouldn’t.”

Sippel also called for over the top (OTT) providers, including services such as messaging and dating apps, to be covered by the ePrivacy Regulation, arguing: “Some of us may send an SMS text, while others may use a service like WhatsApp. One is covered by the current ePrivacy Directive, while the other is not. Consumers need the same protections for both.”

She also called for an abolition of surveillance-driven advertising – and the need for implemented legislation to make good on universally-agreed freedoms such the right to personal privacy.

One key theme from her speech was that businesses have the answers to innovating with privacy – and that compliance with privacy regulation need not stifle new ideas.

She said that businesses are innovative and should be able to create ways of obtaining meaningful consent without causing consumer fatigue.

Here at digi.me, where we have built a bespoke Consent Access platform so our users – and those who want consented access to their data – can do just that, we couldn’t agree more.

New legislation will always bring challenges, but in rising to meet those we create superior products that exceed consumer expectations while being compliant.

And that’s certainly a win-win situation for everyone. So here’s to innovation!

10 key things you need to know about the EU GDPR and personal data

The General Data Protection Regulation (GDPR) becomes law across Europe in May 2018, replacing a patchwork of data protection laws across the various member states and essentially making privacy the new norm.

Wide-ranging in its scope, a key theme is returning a lot more power over personal data to individuals, who will have new and increased rights over what personal data is collected, what it can be used for and what happens when they want to remove consent.

The GDPR also includes a ‘right to be forgotten’ as well as the right to know when your personal data has been hacked and replaces rules dating back to 1995 when the internet was in its infancy.

Completely in tune with digi.me’s vision to unlock the power of personal data by returning control and ownership to those who create it in the first place, the new law will apply to all businesses not just based in the EU, but also those dealing with EU citizens.

Here’s a quick guide to the main features:

  1. Privacy by design means that when you download an app or sign up for a service, you should not be asked for data that is not directly needed or relevant for the purposes of interacting with that app or service. Services should no longer be asking for capabilities they don’t actually need, which will immediately restrict data leakage.
  2. Explicit permission means just that – when you give permission to an app or website to have or use your details in a specific way, they can’t use it for any other purpose or, crucially, sell it on to third parties.
  3. Data portability gives you the right to ask for any data that a company has about you, which should be returned in a machine-readable form so that you can reuse it, for example to give it to another service provider.
  4. Giving someone your data doesn’t mean they will always have access to it – under the GDPR you have a right to be forgotten and will be able to ask companies or platforms to delete your data if you no longer want them to have it. The two caveats to this are a) that this won’t apply to some information that there is a legal requirement to keep, for example medical records and b) that it is also a personal right to forget, distinct from the 3rd party Right to be Forgotten, where individuals can request that outdated or undesirable information about them be removed from search engines. (read more about the difference here)
  5. Clear and affirmative consent will be needed before private data is processed and this will require an “active step” such as ticking a box. The Parliament is clear that “silence, pre-ticked boxes or inactivity will thus not constitute consent. In future, it should also be as easy for a person to withdraw consent as to give it.”
  6. Right to be informed in plain and clear language – MEPs have insisted that the new rules will put an end to “small print” privacy policies and that information should be given in clear and plain language before any data is collected.
  7. Clear limits on the use of profiling – new limits where automated processing of personal data is used to “analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour”, including creditworthiness. Under the new regulation, profiling would generally only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract and should comprise a human element, including an expectation of the decision to be reached. MEPs also insisted that profiling should not lead to discrimination or be based solely on sensitive data, such as ethnic origin, political opinions, religion or sexual orientation.
  8. One law for the whole continent – one of the biggest attractions is that Europe will now be covered by one law, applied in the same way everywhere, instead of a patchwork of national ones. Eliminating the need to consult local lawyers in each country a business has dealings or premises will see direct cost savings as well as legal certainty. Savings from dealing with one pan-European law rather than 28 are estimated at €2.3bn per year.
  9. Regulatory one-stop shop – businesses will only have to deal with one regulatory body rather than 28, making it simpler and cheaper for companies to do business in the EU.
  10. The new rules promote techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorised can read it) to protect personal data.

Overall, the new data protection rules give businesses opportunities to remove the lack of trust that can affect people’s engagement through innovative uses of personal data, while giving individuals clear, effective information about what their data is being used for will help build trust in analytics and innovation for the benefit of all.

The new rules will be backed up by harsh sanctions including fines of up to 4pc of a company’s global turnover if they don’t comply.

UK’s data protection body issues GDPR guidance on consent

The Information Commissioner in the UK has drafted guidelines for what businesses and organisations handling personal data will need to do to comply with the new GDPR out for consultation.

In the draft guidance, the ICO notes that: “The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data.

“When consent is used properly, it helps you build trust and enhance your reputation.”

The draft guidance’s key points include:

• Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.

• Consent means offering individuals genuine choice and control.

• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.

• Explicit consent requires a very clear and specific statement of consent.

• Keep your consent requests separate from other terms and conditions.

• Be specific and granular. Vague or blanket consent is not enough.

• Be clear and concise.

• Name any third parties who will rely on the consent.

• Make it easy for people to withdraw consent and tell them how.

• Keep evidence of consent – who, when, how, and what you told people.

• Keep consent under review, and refresh it if anything changes.

• Avoid making consent a precondition of a service.

Overall, the draft guidance sets out how the ICO interprets the GDPR, key changes from existing data protection regulation, and its general recommended approach to compliance and good practice.

But it is also clear that the guidance will need to evolve both to take account of future guidelines issued by relevant European authorities, and according to experience once the law is in place from May of next year.

EU GDPR: full details of what it means for personal data and your business

Data is the currency of today’s digital economy – and the new GDPR will not only protect this valuable resource for both individuals and companies when it becomes law in 2018 but increase innovation and cut costs as well.

According to estimates, the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020 – and business opportunities will only be increased by strengthening and unifying Europe’s already high standard of data protection.

Jan Philipp Albrecht (Greens, DE), who steered the GDPR legislation through Parliament, said: “The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition.” But what are the key things businesses need to know?

  • One law for the whole continent – one of the biggest attractions is that Europe will now be covered by one law, applied in the same way everywhere, instead of a patchwork of national ones. Eliminating the need to consult local lawyers in each country a business has dealings or premises will see direct cost savings as well as legal certainty. Savings from dealing with one pan-European law rather than 28 are estimated at €2.3bn per year.
  • Regulatory one-stop shop – businesses will only have to deal with one regulatory body rather than 28, making it simpler and cheaper for companies to do business in the EU. They will also profit from faster decisions, one single contact point and less red tape as well as consistency of decisions where the same processing activity takes place in several member states.
  • The same rules for all companies – all companies, whether or not they are based in the EU, will have to adher to the same rules when doing business with its citizens, creating a level playing field that does not exist at the moment where European companies are governed by stricter standards.
  • Technological neutrality – innovation will continue to thrive under the new rules.

There are also new rights aimed primarily at giving individuals more control over their personal data that will additionally benefit business. For example, the new right to data portability, which allows individuals to move their personal data between service providers without losing, for eg contacts and emails, will take away disincentives to switch which often mean building up again from scratch, meaning start-ups and small companies can compete on equal terms in markets previously dominated by industry giants. This will make the European economy more competitive. New privacy-friendly solutions are also likely to fare well in this climate.

SMEs will also benefit from a data protection reform aimed at stimulating economic growth and allowing them to access new markets by cutting costs and red tape for European business. As well as the measures outlined above, such as one law instead of 28, the obligations on data controllers and processors are adjusted based on the size of the business and/or the the nature of the data being processed, so as to avoid creating unnecessary red tape and a disproportionate regulatory burden for smaller firms. So, for example:

  • SMEs need not appoint a data protection officer, unlike larger companies, unless their core activities require regular, systematic and large scale monitoring of data subjects. or they process sensitive areas of personal data such as that revealing racial or ethnic origin or religious beliefs.
  • They also do not need to keep records of any processing activities that are occasional or are unlikely to result in a risk to the rights of the data subject
  • They will also not be obliged to report all data breaches to individuals, unless these represent a “high risk for their rights and freedoms.”

An essential principle of the new system will be that data protection is private both by design and by default, which will incentivise businesses to innovate and “develop new ideas, methods, and technologies for security and protection of personal data.”

The new rules promote techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorised can read it) to protect personal data.

The use of “big data” analytics, such as driverless cars, which can done using anonymised or pseudonymised data, will be actively encouraged under the new regulation, showing it goes hand in hand with innovative and progressive solutions.

Overall, the new data protection rules give businesses opportunities to remove the lack of trust that can affect people’s engagement through innovative uses of personal data.

Giving individuals clear, effective information about what their data is being used for will help build trust in analytics and innovation for the benefit of all.

EU GDPR – full details of what it means for you and your personal data

Stricter data privacy rules will come in across the EU in 2018 after MEPs finally agreed them – but what does that mean exactly for you and your private information?

The GDPR, which will apply across the EU and is aimed at creating a high, uniform level of data protection fit for the digital age, includes a ‘right to be forgotten’ as well as the right to know when your personal data has been hacked and replaces rules dating back to 1995 when the internet was still in its infancy.

The new rules are backed up by harsh sanctions including fines of a up to 4pc of a company’s global turnover if they don’t comply. So what are the key elements to be aware of?

  • A right to be forgotten – an individual right to have data deleted from companies when you no longer want them to have it, or because consent was given for something that no longer applies. This is distinct from the 3rd party Right to be Forgotten, where individuals can request that outdated or undesirable information about them be removed from search engines, (read more about the difference here) and the provisions are clear that this is about improving personal privacy, not restricting the freedom of the press or erasing past events. Historical and scientific research are also safeguarded. The only caveat is that where “the retention of the data is necessary for the performance of a contract or for compliance with a legal obligation”, such as on medical records, for eg, it can be kept for as long as necessary.
  • Clear and affirmative consent will be needed before private data is processed and this will require an “active step” such as ticking a box. The Parliament is clear that “silence, pre-ticked boxes or inactivity will thus not constitute consent. In future, it should also be as easy for a person to withdraw consent as to give it.”
  • Right to be informed in plain and clear language – MEPs have insisted that the new rules will put an end to “small print” privacy policies and that information should be given in clear and plain language before any data is collected.
  • Right to know if your data has been hacked – companies and organisations will have to notify their national data authority as soon as possible so that users can take appropriate measures to protect themselves and their data.
  • A right to data portability will make it easier for individuals to transmit personal data between service providers, such as to a new email provider without losing contacts and emails, and this information must be provided in a way that is easy to reuse.
  • Clear limits on the use of profiling – new limits where automated processing of personal data is used to “analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour”, including creditworthiness. Under the new regulation, profiling would generally only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract and should comprise a human element, including an expectation of the decision to be reached. MEPs also insisted that profiling should not lead to discrimination or be based solely on sensitive data, such as  ethnic origin, political opinions, religion or sexual orientation.
  • Easier access to personal data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way.
  • Special protection for children – Children below a certain age (for member states to each define between 13 and 16) will need parental consent to open an account on social media sites such as Facebook, Instagram or Snapchat. (This is already the case in most EU countries). They will also have a “clearer right to be forgotten” in case they are put under pressure to share their personal data without fully realising the consequences.
  • Privacy as the new norm –  data privacy by design and default are now essential elements of the EU data protection rules, and data protection safeguards will be built into products and services from the earliest stage of development, while privacy-friendly default settings will be the norm on social networks or mobile apps. In future, companies will have to design defaults and products so that as little personal data as possible is collected and processed.

    The new laws have been four years in the making and received the highest number of amendments (3,999) ever tabled in the European Parliament.

    Due to UK and Ireland’s special status regarding justice and home affairs legislation, the directive’s provisions will only apply in these countries to a limited extent, while Denmark will be able to decide within six months after the final adoption of the directive whether it wants to implement it in its national law.

Right to be forgotten: When should free speech trump privacy?

We live in interesting and largely online times, when significant amounts of personal information about each and every one of us can be found with a quick internet search or two.

But the online us, our web doppelgänger, is not one whose slate can ever be wiped clean – the internet never forgets what we say, what we do and notable things that happen to us, good and bad, continue to live on in perpetuity.

Or it least they did until the right to be forgotten sprung into being two years ago.

That judgement, handed down in Spain to a man unhappy that reports of his years-old bankruptcy were still the top results for a search of his name in Google, allows people within the EU linked to stories or actions they find outdated or undesirable to apply to have them de-listed from the search engine’s results. So not taken down, not removed from the web entirely – but a lot harder to find as they won’t appear in searches on that person’s name.

Crucially, this did not initially apply to Google indexes worldwide – so a search result de-listed in the UK, for example, would still be visible to users searching on google.com and google.fr – a loophole many exploited, and one essentially encouraged by the search giant.

But that has now come to a grinding halt after the French data protection authority fined Google €100,000 and ordered it to go even further, and block results for French people given the right to be forgotten from every domain, not just the French one.

In America, by contrast, what appears online is generally regarded as being free speech as protected by the First Amendment, and there are also statutes of limitation in US law, although these are extremely difficult to enforce online. The net result is that right to be forgotten has not gained traction there.

And this is where the arguments about free speech vs privacy smash into each other, with different but very similar parts of the same world held to differing accounts, and a verbal war being waged about what ultimately is more important – information that was once in the public domain staying there, or the rights of all of us to make mistakes and not be constantly reminded of them in the future?

Many, such as David Aaronovitch in the Times this week (£), claim that “Privacy rulings are striking at the heart of what we can find online” and “To me First Amendment rights should trump others,such as those to privacy, in almost every case because they alone make other rights possible. Freedom of speech and freedom of expression are the primary safeguards against secrecy, abuse of power and tyranny.”

The case in Europe is confused slightly, by those not fully across the legislation, with the new GDPR rules set to come in in 2018, which allow a personal right to forget as one of the core tenets. This allows anyone who has shared information with a company in the past to revoke permission to them to keep it, and to instruct the company to forget it. This, of course, with the other key elements (which you can read about in our blog) is a good thing for greater personal data control, which we fully support and which our app and platform will be compliant with from the outset.

But what of the European right to be forgotten, or more accurately de-listed, how do we square that with the immense opportunities that freedom to search and know have brought to each of us as well as the wider world?

Not to mention that limits on what individuals are allowed to be aware of in the world around them are more commonly associated with repressive regimes such as North Korea and China, rather than Western democracies?

It is easy to have sympathy for a young or foolish person, destined to have a moment of folly uncharacteristic of their general lifestyle haunt them around the web for decades to come, potentially costing them jobs and relationships (because nobody does anything significant any more without Googling, right?)

But it is that very power of Google in our lives that means we should be extremely wary of any increased algorithmic attempt to influence and shape our surroundings. Today it is a benign force used by sheepish individuals who want to re-craft their online persona – but can we guarantee results manipulation will only ever be at the behest of individuals, not governments? Of course we can’t.

As Aaronovitch notes, US companies such as Google are unaccountable over here, create their own rules and are big enough not to be intimidated by the rest of the world. Great when you’re on their side, not so great if you – or your country – fall foul.

So a Spanish decision kick-started right to be forgotten, and now France’s desire to protect its citizens is extending it. They’re countries broadly in line with Western thinking on human rights and other key issues – but would we be so blasé if one of those countries was Iran or Russia, whose views do not chime so well with ours?

This is why we should see this slow creep for what it is – an encroachment on our privacy rights, and one we should resist where we can.

It’s hard to summarise better than Aaronovitch does, as he concludes: “In the matter of the US domination of the internet, be very, very careful what you wish for.

“For one reason or another the Yanks have done a pretty good job of opening up the world of information and free expression. Is your plan really any better?”

As France jumps early, clarity that the GDPR will wait for no-one

France has once again taken a proactive approach towards personal data, passing a new bill that will adopt several of the provisions in the GDPR ahead of it coming in Europe-wide in 2018.

A new bill for a ‘digital republic’ was passed by the French National Assembly in January and is expected to be adopted later this year.

The bill, which will amend parts of the French Data Protection Act and the Consumers Code, includes the general right for consumers to retrieve their data partially or entirely and rights over that data, as well as the right to be forgotten.

Aside from demonstrating an enlightened view about the importance of personal data privacy and protection, the sanction powers given to the French Data Protection Authority (CNIL) give it significant teeth to punish breaches.

In a significant hike to its current punitive powers, the CNIL will be able to authorise fines up to EUR 20,000,000 or 4% of a company’s global turnover (whichever is higher) if a data controller fails to comply with the Data Protection Act.

So what does this mean for businesses based elsewhere in Europe, or simply dealing with European clients? Quite simply that they can’t assume they have the two-year grace period many had expected before the GDPR becomes law, and need to start becoming compliant asap.

This is especially relevant for businesses, international or otherwise, that rely heavily on the sale or trade of third party data as they are going to see their current business model destroyed under the new legislation, which provides a range of measures giving individuals greater control over the sharing of their personal data.

And France’s move – which other countries may well follow – is proof once again that innovation never stands still, and those who wait to act face being caught out and penalised heavily for not being at the vanguard of change.

New EU GDPR regulations: the four key things you need to know

Sweeping new data protection rules will be approved for the EU soon – but what does it actually mean for you and me?

The General Data Protection Regulation (GDPR), which is expected to be ratified by the EU within weeks, replaces a patchwork of data protection laws across the various member states, and is expected to become law within two years.

It is wide-ranging and thorough, returning a lot more power back to individuals over what personal data is collected, what it can be used for and what happens when an individual wants to remove consent, and will apply to all businesses not just based in the EU, but also those dealing with EU citizens.

Very much in tune with digi.me’s vision to unlock the power of personal data by returning control and ownership to those who create that data in the first place, the four main strands that affect individuals are privacy by design, explicit permission, data portability and the right to forget – here’s a quick guide to each:

  1. Privacy by design means that when you download an app or sign up for a service, you should not be asked for data that is not directly needed for the purposes of interacting with that app or service. We should no longer have services asking for capabilities they don’t need, which will immediately restrict data leakage.
  2. Explicit permission means just that – when you give permission to an app or website to have or use your details in one specific way, they can’t use it for any other purpose or, crucially, sell it on to third parties.
  3. Data portability means you will have the right to ask for any data that a company has about you, which should be returned in a machine-readable form so that you can reuse it. This could be through the site’s API, although some may make try to make this tricky for users. One of digi.me’s key differentiators is accessing all these APIs and other interfaces and normalising data from a variety of sources, and we will continue to make life easier for all in this way
  4. Giving someone your data doesn’t mean they will always have access to it – under the GDPR you will be able to revoke permissions and ask companies or platforms to forget it. The two caveats to this are a) that this won’t apply to some information that there is a legal requirement to keep, for example medical records on which a medical decision has been made and b) that it is also a personal right to forget, and not to be confused with the controversy around Google and third parties being told not to link to stories and information about individuals that still exist online.

digi.me founder and chairman Julian Ranger said that the first two measures alone will put each and every individual in a much stronger position, with companies only able to ask for relevant data and then use that information for a specific purpose.

He added that businesses that rely heavily on the sale or trade of third party data are going to see their current business model destroyed and will have to abide by the new rules to get the data they need or want – but crucially directly, not around the side of individuals as now.

He said: “Apps and platforms such as digi.me, which put individuals back in control of their collected data but allow businesses to approach them for permission to use it, will become the new gold standard, as the rights of EU citizens over their data trump the desire of businesses to gather as much as they can.

“Each and every individual will be in a stronger position, while the data businesses do get will be richer and deeper in every way, and thus more useful, although there is no doubt this will be a sea change for many.

“With digi.me, if you own and control your own data, then businesses that request it in an exchange for an offer or service will be fully compliant with all these best practices.

“Fundamentally, with this new legislation, everyone is treating everyone else like proper grown-up adults and it stimulates innovation – good for individuals and businesses alike.”

Oversight of the new legislation, when passed, will be by the existing channels at country and EU level, including the Information Commissioner in the UK, with significant fines for companies found not to be complying.