privacy regulations and your digital setup

How Will the New Privacy Regulations Affect Your Digital Setup?Thursday, 11th of February 3pm CET ・ 2pm GMT ・ 9am EST

Aurélie Pols Mind Your Privacy

Ewa Balazinska Content Manager

piwik.pro/blog

@piwikPRO /PiwikPro /piwik-pro

https://piwik.pro/blog/?pk_campaign=Privacy_Webinar_Slides&pk_medium=link&pk_source=slides

https://twitter.com/piwikpro

https://www.facebook.com/PiwikPro/

https://www.linkedin.com/company/piwik-pro

Aurélie PolsHow Will the New Privacy Regulations Affect Your Digital Setup?

Data privacy expert, entrepreneur, lecturer, and leader of Mind Your Privacy consultancy. Recognized as The Most Influential Industry Contributor of 2015 by the Digital Analytics Association, Aurélie sits on the data ethics Advisory Board of the European Data Protection Supervisor (EDPS) and is a Training Advisory Board member of the the International Association of Privacy Professionals (IAPP).

About the speakers

How Will the New Privacy Regulations Affect Your Digital Setup?

Matthias BettagIntroduction: Continuing the Safe Harbor Debate

Country Manager of the Digital Analytics Association (DAA) Germany since 2010, DAA Certified Web Analyst™ and Consultant based in Berlin. Lecturer at the University of British Columbia (UBC), Organizer of the Digital Analytics Hub Conference (DA Hub).

https://www.mindyourprivacy.com

Continuing the Safe Harbor discussion


• Webinar held in October 2015 by DAA Germany

• Also featured Aurélie Pols speaking

• on the meaning of the Safe Harbor renouncement.

• Since October 2015 new developments in the field:

• GDPR

• Privacy Shield

About DAA Germany


• Established as the first non-American regional DAA branch in April 2014

• Official status: non-profit organization (e.V)

• Close links with the Global DAA

• Education, building the digital analytics community publications, knowledge transfer and advice

• Organizing Events, such as :

• Digital Analytics Day

• DAALAs - DAA Late Afternooons - in various German cities

• Collaborating with industry leaders, co-organizing conferences and conferences

• Membership plans and opportunities

Jim Sterne, Founder of DAA, at the inauguration of DAA

Germany

http://daa-germany.org

http://daa-germany.org

Aurélie PolsHow Will the New Privacy

Regulations Affect Your Digital Setup?

Where did it come from?

• DIRECTIVE 2009/136/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2009, amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

• What you need to remember here: Telecoms package + ePrivacy Directive.


http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

Directive, but Not a Regulation

1. Transposition varies per country

2. Enforcement? Not reallyMaximum fine: €3500

Source: Technology Law Dispatch


http://www.technologylawdispatch.com/2014/02/privacy-data-protection/first-european-cookie-fine-issued-by-spanish-data-protection-authority/

Conclusion for Digital Analytics

1. Tick box projects

2. Cookie notices everywhere

3. EU decides in 2012 to go one step further…

EU Commission Vice-President, Viviane Reding

Citizens do not always feel in full control of their personal data

Source: WFA Marketers


http://www.slideshare.net/WFAMarketers/wfaeprivacymay2012

International Data Transfers

Obliterating the internal data processing framework known as SafeHarbor:

The European Court of Justice in Luxembourg declares SafeHarbor illegal in October 2015. Data of EU citizens can’t be processed by US entities on the basis of SF, more guarantees are needed.

February 2016: Announcement of PrivacyShield, new framework for transatlantic data flows between US and UE.

Source: European Commission

Edward Snowden

2013

Max Schrems

2015


https://twitter.com/EU_Commission/status/694558200360783875

SafeHarbor Renounced, What Happens Now?

• SalesForce amends it contracts to replace SH clauses the very next day - details

• Data Protection Agencies declare a moratorium until end of January to give the politicians time to find a solution: the clock is ticking!!!

• Be careful with using non-European tools


http://www.salesforce.com/company/privacy/data-processing-addendum-faq.jsp

Why should digital analytics care today?

Coordinated Fines Regarding Consent Move Up to 4% of Global Turnover, Capped at €20M ➞ Increase of Direct Privacy Risk

Other risks:

• Increased coordination of EU Data Protection Agencies

• for investigations (GPEN) & fines;

• for consumer complaints

• Responsibility for all companies addressing EU citizens

• Increased responsibility for intermediaries: processors, joint controllers

• Increased hedging by citizens (AdBlocking)


What Does Digital Analytics Need?

1. Minimum viable privacy features in tools for compliance.

2. Flexibility of those features to adapt to audience and customer segments.

Issue for consideration: How can digital analytics be compliant, or even ethical, if minimum viable compliance features do not exist?


Consumer Attitudes Towards Privacy


• Privacy as a differentiator and a growing business priority

• Certainly context driven as Pew Research showed

http://www.pewinternet.org/2016/01/14/privacy-and-information-sharing/

What Should the Digital Industry Be Aiming For?


Data Trust Through the Entire Digital Ecosystem

• As taught by social media! • For full introduction to data ecosystem

please see the FREE whitepaper on Web Analytics for Data-Sensitive Industries.

If your customers trust you, they love you

and they will be passionate about your love…

…but if you breach their trust, you will not just create Dislike

You will create hate. People don’t go from Love to Dislike

TRUSTPRIVACY

$+$-LikeDislike


Inspired by IAPP

https://piwik.pro/c/web-analytics-in-data-sensitive-industries/?pk_campaign=Privacy_Webinar_Slides&pk_medium=link&pk_source=slides

https://iapp.org/news/a/from-privacy-to-trust-professionals

Data Trust Through the Entire Digital Ecosystem

GAPP OECD Guidelines FTC FIPPS EU Directive ISO 27002 APEC

ManagementOperations

ManagementPreventing Harm

CollectionCollection Limitation

ProportionalityInformation Acquisition

Collection Limitations

Quality Data QualityIntegrity of

Personal Info

NoticeSpecification of

PurposeNotice/

AwerenessTransparency Notice

Use, Retention, Disposal

Use LimitationLegitimate

PurposeAsset

ManagementUses of Personal

Info

Security for Privacy

Security Safeguards

Integrity/Security SecuritySecurity

Safeguards

Access OpennessAccess/

ParticipationAccess Control

Access and Correction

Choice/ConsentIndividual

ParticipationChoice/Consent

Asset Management

Choice

Monitoring and Enforcement

AccountabilityEnforcement/

RedressSupervisory

authorityCompliance Accountability

Disclousure to Third Parties

Persona Data Transfer to 3rd

Parties

GAPP: Generally Accepted Privacy Principles by American Institute of Certified Public Accountants (AICPA)

OECD: Organization for Economic Cooperation and Development

FIPPS: Fair Information Practice Principles by the Federal Trade Commission

ISO Certification appeared for Google Analytics in April 2015

APEC: Asia-Pacific Economic Cooperation

Source: Privacy Engineer’s Manifesto by Michelle Finneran Dennedy, Jonathan Fox and Thomas R Finneran


https://storage.googleapis.com/support-kms-prod/8E2BD7B74E99E08E0E4F9FA870E49092BFE4

Basic Principles

1. Collection Limitation

2. Data Quality

3. Individual Participation

4. Purpose Specification

5. Use Limitation

6. Openness

7. Security Safeguards

8. Accountability


• Risk: Fines up to 4% of global turnover • Timing for all EU Countries and addressing all EU

citizens: 2018 • Obligations:

• Cyber-security and breach notification

• Cross-border data transfers => SafeHarbor

• Mandatory Data Protection Officer (DPO)

• Written documentation

• Data Processors

• Consent


About the General Data Protection Regulation

From Directive to Regulation: • From implicit and opt-out to “a statement or a clear

affirmative action”

• Recognizing “special categories of data”:

Revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person, or data concerning health or sex life and sexual orientation

• Children: Consent required up to 16 years of age!

• Right to be Forgotten: Data erasure when consent is withdrawn


Focusing on Consent

The Open-Source Opportunity

• Flexibility • Openness of code • Continuous improvement • Customizable and extensible • No data limits • Not limited to one vendor


Tuning in on Consumers’ Rights: DNT

• Universal Web Tracking Opt Out • Does your software respect the DNT

setting?


Source: DoNotTrack

http://donottrack.us

Thank You