Lee & White

  • Toothless lion grows teeth

    Thursday, October 24, 2013

    It has finally happened.

    The Belgian Privacy Commission was once regarded as a toothless lion: its role was mainly passive in nature, giving advice and recommendations. Although it had the power to send warnings and denounce violations to the public prosecutor (and only if a complaint first reached the Commission), it was unable to sanction or do much else. The result has been nationwide violations of the Data Protection Law, with companies and organisations fearlessly processing personal data according to their whims and fancies. The Privacy Commission has finally realised its inability to bite and is doing something about it.

    On October 21, 2013, the Belgian Privacy Commission announced in De Standaard its intention to set up a special investigation team which would actively seek out breaches of privacy. The Commission wants to play a more active role in checking whether companies or organisations are breaching privacy. By policing, it would be able to better protect the privacy of the individual and maintain law and order.

    The initiative is said to have stemmed from recent data breaches:
    • The National Railway Company of Belgium (NMBS/SNCB) stored the personal data of 1.46 million customers on a non-secure server, which resulted in the leak of these data (first and last names, gender, date of birth, email addresses, phone numbers and, in some cases, home addresses): the data could be reached by a simple online search engine query.
    • Belgacom's (Belgium's largest telecoms company) internal IT systems had been breached and compromised with malware by a third party, which enabled hackers to access telephone and online information.
    Although this realisation has come much later than it should have, compared with the ICO, its UK counterpart, it is a move that must be applauded.

    The current situation, in which the protection of personal data is in shambles, has reached its limit, and more than ever the Privacy Commission needs stronger powers to tackle these breaches and safeguard the privacy of the individual. The Commission stated that the investigation team will, in the first instance, look into companies and organisations which handle sensitive personal data, such as insurance companies and hospitals, and will focus on a particular sector each year.

    The Commission is also seeking to obtain the power to sanction non-compliant companies and organisations: at present the Commission can only refer violations to the courts, which is regarded as overkill. With such a power, the Commission would be able to take decisions such as no longer allowing an offender access to a particular database, rendering their operations and business more difficult, or revoking permission to build a database.

    With this development, companies and organisations which are still relaxed in their attitude towards the protection of personal data, and regard such protection as non-profitable, should re-think the business case for protecting personal data and make it a priority in their next budget before it is too late.

    Posted by: Lee & White

    Tags: Data Breach, Personal Data, Government, Organisations

  • Shadow Profiles

    Monday, July 8, 2013

    Facebook, as reported in detail in the news, was exposed for keeping shadow profiles on users and non-users.

    Through an incident (which should have been classified as a bug, as it had been present for months) it was revealed that Facebook is keeping so-called shadow profiles of its users as well as of data subjects who do not use its services.

    A shadow profile is information about a certain data subject which that data subject did not give to the data processor. Such a profile is created without the consent of the data subject and possibly without his knowledge. This means the data processor gathered the information by combining other sources: other data subjects, or sources such as other web sites, chat sessions, search history, phone conversations…

    European Data Protection law forbids this kind of ‘data brokerage’, the gathering, combining and reprocessing of data from different sources to build a file of personal data, for these reasons:
    • Data processors can only process your data with your explicit consent.
    • Data processors can only process such personal data as is relevant to the services they provide to you.
    Your personal data has become a commodity which data brokers use for their own profit and without any relationship with you, the data subject. Quite a number of companies, small and large, have made it their business to gather everybody’s personal data and sell it on to the highest bidder. Recent times have made it very easy for such companies to gather all this information in an automated way and from the comfort of their own office. Nor are they bothered by the fact that they are serving stale information which is no longer, or never was, correct, but which can have very deep implications for your personal life.

    European Data Protection Law has several safeguards:
    • If a data subject suspects a data processor has such a shadow profile, the law provides a means to officially request a complete list of data kept by the data processor concerning the data subject.
    • If a data subject objects to the data processor’s use of the data subject’s data, the data subject can submit a request to cease processing such data.
    • The new EU Data Protection proposal mentions the right to be forgotten, but lobbying by major data processors will probably water this down.
    The lessons for our clients are clear:
    • Be transparent: only gather personal data from your data subjects through informed and explicit consent.
    • Do not process information other than that given by the data subject, and only if it is relevant to the purpose of your relationship with the data subject.
    • Keep it alive: keep data up to date, and do not keep data of data subjects beyond the duration of the relationship with them.
    • Protect the personal data entrusted to you.

    Posted by: Lee & White

    Tags: Best Practices, EU, Data Breach, Private Persons, Personal Data, Organisations, Internet

  • EU Data Protection Law getting more bite

    Tuesday, January 24, 2012

    It is looking good for Data Protection in Belgium and the EU, as Ms. Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, Fundamental Rights and Citizenship, announced groundbreaking changes to EU Data Laws, to be introduced in a Bill to the EU Parliament this week.

    Speaking at the “Digital, Life, Design” conference in Munich on January 22nd, 2012, she confirmed that personal data is indeed an asset, a message which has been circulating since the UK Information Commissioner commissioned a report on privacy by design in 2008 to help articulate the business case for proactive protection of privacy, and which we believe and preach with conviction. “Personal Data is the currency of today’s digital market, and like any currency, it needs stability and trust. Only if consumers can ‘trust’ that their data is well protected, will they continue to entrust businesses and authorities with it, buy online, and accept new services”, she stated. And the amount of data, including Personal Data, is growing by a whopping 40% a year worldwide.

    Given the fact that 72% of European Citizens said in a recent poll that they are concerned about how their personal data is used by companies, and given that businesses are concerned too, how can they keep control over data which races around the globe in a virtual cloud?

    “Trust has to prevail”, states Ms. Reding. Rightly so. If the population is to keep supporting the current growth, people need to have a good understanding of the issues and be able to trust that their data is not being abused. They entrust the EU with the task of drawing up the rules and following up on their correct implementation and execution. Trust is the key to any relationship, and how much more so in the business world?

    We have a unified currency in the EU, but Data Protection law is fragmented into 27 different, and sometimes conflicting, regulations. Whilst some member states are top of the class, others have watered the 1995 EU Directive down so much that it is no more than a sign on the wall showing how bad things are. A lot of burden has been added, sometimes in the form of red tape and lengthy, cumbersome administrative procedures. As such, it has all been a futile exercise, as it missed its economic goal.

    Ms. Reding states: “Privacy concerns are one of the most frequent reasons why people don’t buy goods and services online.” She is adamant about the way forward: “This needs to be changed.”

    Two legislative texts will be proposed:

    “First, a Regulation to enhance opportunities for companies that want to do business in the EU's internal market, while ensuring a high level of data protection for individuals.

    Second, a Directive to ensure a smoother exchange of information between Member States' police and judicial authorities in the fight against serious crime while at the same time protecting people’s fundamental right to data protection.”

    The first point, legal certainty, will be achieved by one Data Protection Law in the form of a directly applicable Regulation which will apply to all Member States in the European Union, and to all organisations offering their goods and services to consumers in the EU – even if their servers are based outside the EU.

    This new Regulation will unleash the potential of the Digital Single Market and will save businesses around 2.3 billion Euros per year by removing barriers to market entry, which were especially affecting our clients, the small and medium-sized enterprises. It will simplify the regulatory environment and drastically cut red tape. Current notification requirements are replaced by a duty for companies to be responsible and accountable for the protection of Personal Data in their business field. Each company will have to appoint a Data Protection Officer.

    There will be one law, applicable to all member states, and companies will only have to deal with a single Data Protection Authority, linked to the country of their main establishment.

    All Data Protection Authorities will have the same adequate tools and powers to enforce the EU Law.

    They will:
    • Deal with complaints
    • Carry out investigations
    • Take binding decisions
    • Impose effective and dissuasive sanctions.
    The rules for international data transfers will be strengthened and simplified: a necessary step in a world where data travels freely around the globe and major companies have made it their specialty to circumvent the more ‘difficult’ countries by operating in or via countries with weaker Data Protection legislation.

    Trust from the individuals will be earned through a few key principles, boiling down to one point: Transparency.
    • Informed
      • People need to be informed in simple, clear, and unambiguous language.
    • Consent
      • People need to freely give their specific and informed consent.
    • Control
      • People need to have control over their own data at all times. Aside from the controls we already know, this will also include portability, the possibility to take one’s data and easily move it from one provider to another, and the right, not the option, to be forgotten.
    • Alert
      • Individuals need to be swiftly informed, within 24 hours, when any of their personal data is lost or stolen.
      • Companies suffering such a breach need to notify their Data Protection Authority without undue delay, i.e. ‘within 24 hours’.

    Ms. Reding concludes:

    "We will get a strong, consistent and future-proof framework for data protection, applied consistently across all Member States and across all European Union policies. We will make our data protection legislation fit for the digital age so it encourages innovation and development of new technologies and services.

    We will adjust the rules to the reality of multinational businesses. And will adjust the rules to the reality of people's lives. Europeans live, work, shop and travel freely in the EU, so their data must travel freely as well: Freely and safely. The reform will become a golden opportunity for business: complying with the EU’s laws on data protection will lead to a competitive advantage. European data protection rules will become a trademark people recognise and trust worldwide. I would welcome if everyone here put these new rules to life."

    Well said. Data Protection without a doubt enables businesses to do more and better business, leading to a competitive advantage over competitors and a solid, healthy relationship with loyal customers. Any organisation would pay good money for this.

    You can read the full text of Ms. Reding's speech here

    It will take some time to bring the new law into practice, but organisations should be aware and prepared, making the necessary changes sooner rather than later.

    If you need to assess your current status in relation to the new Data Protection Law, or need advice on implementing or improving compliance with the current or the next legislation, review our services and contact us.

    Posted by: Lee & White

    Tags: Best Practices, EU, Data Protection Officer, Data Breach, Personal Data, Government, Organisations, Internet, IT

  • The Year of Privacy: 2013

    Wednesday, January 4, 2012

    Is this a typo? No, it isn't, the outlook for data protection is bleak, and no immediate improvement is to be expected.

    First of all, the team at Lee & White would like to wish you a Happy New Year.

    Happy because you chose to come here of your own accord, and happy that we did not spam you with new year wishes, probably sincere but spam all the same, and likely to be loaded with the inevitable commercial 'opportunities'.

    As the new year has just started, we are hopeful that protection of personal data and control over use of your own personal data will improve significantly.

    But looking back, what happened in 2011?

    • A year of major privacy incidents that made it harder (but still normal to many) to ignore the importance of such incidents.
    • The rise of moguls that devour personal data and any other data they can 'find', who make it difficult for you to control who is (ab)using your data, and who even make you want, and think it normal, to share your most personal data with the world, but mainly with the moguls themselves.
    • Personal data collection devices with functions such as recording, tracking, spying, eavesdropping, ... commonly known as smartphones.
    • ...

    2012 will be the year of:
    • Street View becoming even more commonplace, exposing your most private locations.
    • Spies recording your every move and thought using their personal data collection device.
    • Full commercial exploitation of our most personal data of all... our face.
    • Automatic identification and tracking through techniques such as NFC, RFID, Bluetooth, GSM, Wifi, face and car registration recognition.
    • Economic crisis... if privacy does not obviously have a positive business case (despite the fact that it actually does), then it gets deferred or cancelled.
    • Basically, no place to hide, and no control over who processes your personal data.
    • ...
    Technology is moving very fast, lawgivers are trying to keep up, priorities are economic and profit rules.

    Well, I'm sure privacy will be top of the agenda in 2013.

    Posted by: Lee & White

    Tags: Data Breach, Private Persons, Personal Data, Spam, Government, Organisations, Internet, IT

  • Protecting Them is protecting You

    Wednesday, June 15, 2011

    Despite many obvious reasons for ensuring both technical and organisational security measures within a company, many companies (don't be surprised) have yet to implement these.

    Unrestricted access to server rooms (for purposes which will set you on the floor laughing, but sadly true), sharing of passwords between colleagues, unlocked cabinets, messy desks with confidential information displayed for all eyes, non-secure company websites collecting personal data, and so on. If you're nodding to all these as you read, then you've got a company which is in breach of the Data Protection Law.

    Now, last week on the news, Sony Pictures was humiliated when hacking group LulzSec claimed it had accessed unencrypted personal data from the SonyPictures.com and Sony BMG websites in Belgium and the Netherlands. According to the group, getting the information was not that complex: gaining access to SonyPictures.com with a single SQL injection.

    "What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," they claimed. "This is disgraceful and insecure: they were asking for it."

    According to Beth Givens, director of Privacy Rights Clearinghouse, the attacks on Sony would seem to indicate lax practices on Sony's part. "These repeated Sony attacks are an object lesson for all companies," she said. "Sony has reported that it uses industry standards for security. If that's true, then perhaps it is time to re-evaluate and even go beyond such standards." (Read more: cnetNews)

    It is clearly another lesson to be learnt. But are companies learning, or ignoring this important legal and moral duty to their customers? How many companies will take the appropriate security measures now, or will it depend on the budget and short-term profit?

    Posted by: Lee & White

    Tags: Best Practices, Data Breach, Personal Data, Organisations, IT

  • The Grand Data Heist - Millions Affected

    Monday, April 4, 2011

    Epsilon, the largest global online marketing company, which manages communications for a number of the biggest international firms in the world, announced that it suffered a breach of its e-mail system on March 30th, resulting in the theft of millions of customer records. It is said to be the largest data theft in history.

    "On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system," Epsilon said.

    Epsilon sends out an estimated 40 billion permission-based emails yearly on behalf of its 2,500 clients and brands, which include some prominent names such as Citi, JPMorgan Chase, Capital One, Marriott Rewards, TiVo, Walgreens, McKinsey and Kroger. It was initially believed that the breach had only affected customers of Kroger, but it is likely that more companies are affected, as more of them confirm that their data was stolen as well. Clients of Epsilon have already begun to take steps to protect their customers by warning them of potential fraudulent emails.

    "The information that was obtained was limited to email addresses and/or customer names only," claims Epsilon, and though this may be true, it is all the information a hacker needs to obtain more sensitive information by sending phishing emails to subscribed customers. Scams such as this have high success rates, as they prey on gullible and uninformed users.

    How does it work? Simple.

    Take this scenario as an example. SJ, a customer of company XYZ, subscribes to receive email notifications of their promotions. She receives an email with the latest products available and clicks on a link, assuming it will take her to the information page for a product she is interested in. What she is unaware of is this: it is a fraudulent email, and clicking on that link takes her to a hoax page where she is prompted to enter her personal information. Oblivious to the deception, she submits her details, falling into the scammer's trap.

    There are other, simpler ways too. Such emails could be embedded with a virus that infects a user's computer by the simple act of opening the email.

    It is highly important that you are cautious and wary of whom, and where, you give your personal information to; of how your personal information is handled; and of what security is in place to protect it. A reputable company, and one that values its customers' privacy, will inform you of its data processing practices. It is their legal duty. You will find this in their Privacy Statement; if they do not have one, be wary. You are, by law, empowered to query such companies, and their third parties, on the type and purpose of the information kept about you. You have the right to access your information, and to request that this information be deleted where necessary.

    Posted by: Lee & White

    Tags: Data Breach, Personal Data, Organisations

  • Protecting People's Data

    Friday, August 29, 2008

    One of the duties of being a data controller is to adequately protect the personal data entrusted to you by your data subjects. The law remains pretty vague and does not specify how much 'adequately' is.

    Amongst other things, it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

    Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

    Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and, to do so, need access to code and data. Often this means that they have access not only to test data on test servers but also to real data on production servers.

    They set up easy-to-remember user accounts, so-called super users, which give them access to every part of the applications and databases, even the most confidential. These passwords are rarely changed and are known to the complete development team, not to one specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and the developer could still have access to sensitive personal data entrusted to the company.

    According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists of 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty-handed, leaving all company confidential data behind.

    Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing strong security measures to secure personal and sensitive data is not sufficient in itself, as disgruntled staff will find a way to bypass them.

    Posted by: Lee & White

    Tags: Data Breach, Personal Data, Organisations, IT

  • What's the big deal anyway?

    Thursday, May 1, 2008

    "What's the big deal anyway?" A remark we hear very often when discussing personal data issues. "Nothing to be concerned about, who would be interested in my personal data, and what can they do with it anyway?"

    Everyone agrees that a credit card number or bank account number is not something you should share (even Jeremy Clarkson eventually). But what can people do with my name and address, social security number or date of birth?

    Personal data can be used for identity theft: impersonating someone by using as much as you know about that person to obtain financial or other benefits in that person's name. For example, someone could go to a bank and request, and receive, a new credit card in the name of the person they are impersonating, with the bills of course being sent to the original person.

    How do criminals get their hands on your data? Everybody knows about skimming, a technique where a debit or credit card gets copied by attaching a small device to an ATM. Another well-known technique is to steal files from people's computers, by hacking them or by installing viruses or Trojan horses. And of course there is social hacking: asking seemingly harmless questions of a person, online or in person, and using that information to build a complete profile.

    And criminals move with the times. A BBC team exposed, in a proof of concept, how easy it is to socially hack Facebook and harvest information on other users, including names, passwords and other information.

    How do criminals use this data? It seems that data thieves set up data supermarkets to sell stolen personal data to whoever might be interested. Yes, you can get a working credit card number for a few euro, or even buy complete corporate log files (containing names and passwords, server locations, numbers and confidential information) for as little as 200 euro. When closed down, they simply reopen at another location.

    Stuff to think about. Perhaps you will consider this the next time before revealing some of your personal data to anyone.

    Posted by: Lee & White

    Tags: Data Breach, Private Persons, Personal Data, Organisations, Internet, IT
