Lee & White

Facebook, as mentioned in detail in the news, was exposed for keeping shadow profiles on users and non-users.

Through an incident (which should have been classified as a bug as it had been available for months) it was revealed that Facebook is keeping so-called shadow profiles of its users as well as data subjects who do not use their services.

A shadow profile is information about a certain data subject which the data subject in question did not give to the data processor. This profile is created without consent of the data subject and possibly without his knowledge. This means the data processor gathered this information through or by combining other sources, either through other data subjects or from other sources such as other web sites, chat sessions, search history, phone conversations…

European Data Protection law forbids this kind of ‘data brokerage’, gathering, combining and reprocessing data from different sources to build a file with personal data for these reasons:

• Data processors can only process your data with your explicit consent.
• Data processors can only process such personal data which is relevant to their services to you.

Your personal data has become a commodity which they use for their own profit and without a relationship with you, the data subject. Quite a number of companies, small and large, have made it their business to gather everybody’s personal data and sell it on to the highest bidder. Recent times have made it very easy for such companies to gather all information in an automated way and from the comfort of their own office. They are also not bothered by the fact that they are serving stale information which is no longer or never was correct, but can have very deep implications on your personal life.

European Data Protection Law has several safeguards:

• If a data subject suspects a data processor has such a shadow profile, the law provides a means to officially request a complete list of data kept by the data processor concerning the data subject.
• If a data subject objects to the data processor’s use of the data subject’s data, the data subject can submit a request to cease processing such data.
• The new EU Data Protection proposal mentions the right to be forgotten, but lobbying by major data processors is probably going to water this down.

The lessons for our clients are clear:

• Be transparent, only gather personal data from your data subjects through informed and explicit consent.
• Do not process other information than that given by the data subject and only if it is relevant to the purpose of your relationship with the data subject.
• Keep it alive, keep data up to date and do not keep data of data subjects beyond the duration of the relationship with your data subject.
• Protect the personal data entrusted to you.

Google's Eric Schmidt spoke about privacy at its annual Big Tent event in Watford, about the use and misuse of personal data gathered and kept by his company. Whilst we cannot comment whether they walk the talk, we do need to take note of some of the points he made:

We (you ed.) need to fight for privacy or we are going to lose it

Yes we are - if we haven't lost it already. Our personal data is everywhere and just about anyone knows who we are and what we do - to the smallest details. And if they don't yet, they know how to get it.

We are being observed willingly and unwillingly, and are spreading very detailed and sensitive information about ourselves. These days, anyone can pick up a name and put a face and all the trimmings, and they would identify us spot on. It's not difficult to put the pieces together - especially if it is lying about everywhere, like a cookie trail right to your doorstep.

So yes, we do need to keep striving to keep control over our personal data. This is both a task for the data subjects (i.e. you) and the data controllers (i.e. the organisations, but also you).

There's this concern that we (Google ed.) are somehow going to misuse this data and we're not telling you.

Is it only concern? Perhaps, the feelings go deeper...

• coercion - the feeling that you are forcing them to give you their personal data because your services are needed and there are really no alternatives.
• suspicion - the feeling that you are going to sell them to the highest bidder.
• distrust - the feeling that they cannot trust you,  know that you are in fact not to be trusted - but cannot do a thing about it.
• concern - yes, the overall wondering and worrying about what you are going to do with their personal data and for how long.

Do they ever have that ultimate control of their property or it is all a lie?

The solution is simple - be truthful and honest about your processing. It sounds like a lesson in ethics and morality, but yes, that is the bottom line. Say what you are doing and going to do, and do what you say. Set this out in a clear and complete privacy policy stating what you will and will not do with their personal data, how they can count on you to do so or question you if you do not.

I (Eric Schmidt ed.) can assure from a privacy perspective... we would lose you and not get you back.

That's right, you won't get them back.

Google has a "clear business incentive" to protect user's data; do it properly or lose your business. Not handling personal data properly, not keeping the relationship with your data subject (i.e. the person behind the 'customer', 'supplier' or 'prospect') will make you lose them. Perhaps not immediately, as perhaps you are delivering a service which they need and only you can supply, but certainly in the longer term, when an alternative company rises which offers the same services and which does handle personal data properly.

So, are you going to start handling the personal data under your care properly, or are you waiting for that competitor to do so first?

And if privacy threatening technologies, human error and malicious predatory individuals (all of which are usually beyond our control) are not enough to strip us of who we are, let us give strangers the freedom to roam in our houses whilst we are abroad - roaming in their homes, exploring around their things and learning a thing or two (maybe more) about their lives, as they simultaneously learn about ours.

Perhaps our one safe place, where we are who we truly are, where our core identities hover, where children once looked upon as their own, is given away practically for "free" for a budget vacation - home exchange.

So what is home exchange? It is a fashionable and cheap way of holidaying where you exchange your home with another from a different area and agree to live in each other's homes during the period of your holiday. The database of available homes for exchange can be found on the website of a home exchange company.

Websites offering such services are filled with happy stories and wonderful testimonials of cheap holidays and free accomodation practically anywhere in the world. And another absolutely important reason for taking up this opportunity is the fact that you are immersed in the culture and lifestyle of your exchange partner.

All you need to do for this exchange:

• make contact,
• share enough about who you are and your family (including photos of your home),
• have a mutual agreement,
• cover your property with the necessary insurances,
• provide sufficient information about things to do/places to visit in your area,
• prepare your house (cleaning, tidying, preparing sheets, preparing your computer - perhaps changing your log in information and password?, cleaning up those cookies in your browser - all of which actually leads to giving someone a very good story about YOU)
• hide as much of your confidential and personal information such as bills, letters, ...)
• ... 
• Oh yes, and pay a very small membership fee to the home exchange company who is doing you the favour.

So how can one say no to such an offer with all the numerous benefits?

Well, apart from the time and expense actually spent (if you include spending your free/not so free-time on all the above before the trip and perhaps even getting an insurance coverage for something you would not have done if this did not come up), this is a chance of a lifetime.

Afterall, what is so bad about them knowing all about you and your family? The risk is minimal if you will know just as much about them right? There is no trump card held. It's all in good faith. A bond of trust formed between you and your exchange partner.

And any processing done purely in the course of personal or household activity is exempted from the law - hence, your exchange partner could say that whatever processing he did is within this exception. In addition, the Belgian data protection law acknowledges the data subject's free and informed consent to the processing of his personal information, which is the case before us isn't it?

All very good  - except when it comes to confidentiality and private life, even with the best of friends, and the closest of family, some things are better left guarded and unsaid. Food for thought?

Do you want to tell a seller that you want to pay more?

Picture this, you’re in your favourite shop and you spot this dress... you want it!

You look at the price tag, is this a good price for this dress, is it an item that will be marked down in the next sales, do they have something similar in your other favourite shops, would your friends think you look gorgeous in this dress?

And then you decide, buy now, buy later, leave it.

Moving to the digital world: You browse on your favourite shop's eCommerce site and you spot this dress... you want it!

You look at the ‘price tag’, is this a good price for this dress, etc, etc?

Now know that the price of this item can be changed at the flick of a switch, based on supply and demand, or even calculated on the fly.

A few factors can be taken into account for this calculation:

• You came to see this dress for the 5th time in just as many days... you really want it, perhaps a small downwards nudge on the price would convince you
• You really ‘like’ this dress (on Facebook) – perhaps you want to pay just a little bit more
• You’re the right gender, age, build and style
• You’re married/engaged/befriended to someone with those properties and their birthday is coming up/tomorrow/today/yesterday...
• Your ‘friends’ really ‘like’ this dress, some of your ‘friends’ came back several times to look at it, and perhaps some even purchased it. – perhaps you don’t mind paying a bit more
• You looked at similar – more pricy – items at other stores, perhaps already adding it to your basket, without checking them out

From the point of view of the seller, how much can they ask for this dress? The answer? As much as they can get (from you), or in other words, as much as you would be willing to pay.

In French, the expression ‘A la tête du client’ is used, the best English translation being a price based on the customer’s appearances. In tech/marketing it is called ‘Behavioural Pricing’.

Behavioural pricing consists of calculating the asking price on the fly based on your personal data. This can include any of the following personal data, some of which are sensitive data and not allowed to be used for this purpose:

• Your age, gender, build, style, address, job, job level, medical history, tastes and dislikes
• Your browsing and purchase history
• Your travel history and plans
• Your friends and the above properties thereof

Farfetched? Possibly. Feasible? Certainly. Applied? Who knows?

In any case, the lesson to be learnt here is to not spread your personal data around unless absolutely necessary and justified, for the purpose only for which you are giving it, and only as long as they need it and you want them to have it.

Organisations know an awful lot about you and are starting to deduce and predict your every move, and you are giving them the means to do so, willingly, knowingly.

Getting to know you, getting to know all about you... sounds familiar, but unfortunately, it has nothing to do with Rodgers and Hammerstein's musical The King and I, nor is there an ounce of good, wholesome fondness to that phrase.

Rather, the phrase is cloaked with an ulterior motive - Money, Money, Money (and this is not with reference to ABBA's song).

What's wrong with that? Everyone is entitled to pursue that ultimate goal, and surely everyone does - or at least tries to make more money.

True. Perhaps it is safe to say that every business is set up for the purpose of making money, and more money if possible. The question in any business case for an expense is whether there will be a profit to gain - apart from ensuring the customers' happiness and satisfaction, of course.

Alright, enough about the musical influences, and down to more serious business.

Businesses are trying to get to know you. They want to get to know you better. The better they know you, the better they can get more out of you. To do just that, they need your personal information - from your name to how you spend your leisure time, every bit counts. This desire to obtain personal information is not new of course. But how far is that desire corresponding with the individual's best interest? The privacy right?

By researching and analysing an individual's browsing habits on its e-commerce site, coupled with his/her personal information already obtained, an online retailer is able to advertise products/services which are most relevant to that individual.

It is also the case for those companies/retailers which seek to match the type of products/services/brands to the individual customer's taste. Shops with their own payment cards to facilitate quicker payments at the till (to obtain a card, just fill in your personal information in the given form) analyse the information obtained at every purchase (of the type and quantity of things bought...) to send catalogues relevant to the individual customer/household. If toys/stationery items are the most frequent products purchased, the customer finds a catalogue filled with the latest promotions on toys/stationery items in his/her mailbox.

To an extent, it does seem quite harmless as the individual gets what he is interested in and it does save his time and effort in looking for the 'right' or 'most suitable' product/service/brand. And better yet, businesses carrying out these forms of advertising are actually saving cost. No more unwanted, wasted printing materials. No more spending a fortune on advertising products which a particular individual will never take a second glance at.

A very recent report in the New York Times showed that companies can even make predictions about their customers.

Companies can learn your secrets. 

A statistician from Target, a large retailer from the US, divulged that two colleagues from Target's marketing department popped the odd question, "If we want to figure out if a customer is pregnant, even if she didn't want us to know, can you do that?"

Timing is essential in this case. As most new parents are almost immediately bombarded with offers and advertisements on baby products from the moment the birth records are made public, the key is to get this group before any other retailer knows that a baby is on the way. By being able to identify these mothers-to-be as early as their second trimester (the time when most of these women are changing their lives and buying pre-natal vitamins, maternity clothing and baby stuff) the chances of keeping them for years to come are great. These women are then likely to buy diapers from Target, pass by the baby food aisle and grab a box or two, and on the way to the till, add a few more items to the cart. Once the customers get comfortable with the offered products, they will keep coming back - and for more.

The questions for the businesses are:

• Did you tell the individuals clearly that you were doing/are doing/will do this?
• Did you give them a chance to opt out?
• Did you ensure that the individuals can always exercise their rights under the data protection law any time?
• Are you ensuring the security of their personal information both organisationally and technically?
• Can you ensure that if there is a transfer/sharing of their personal information to third parties, that these third parties will ensure an adequate level of protection of their personal information too?

Answer all these with a YES, and you're likely to be a trusted organisation and you understand the business case for privacy. Privacy is profitable. Personal information is an asset. You protect that asset and you will gain trust, the customers that go with it and the profit that comes from doing business with them.

The questions for the individual are:

• Did you ask for any of this?
• Did you ask for your shopping behaviour to be scrutinised? checked? spied on?
• Are you aware of all that they know about you?
• Do you mind that they can build your profile almost spot on?
  For example, Spying On You Mart knows that Mr.Joe Customer who lives at 123 No Privacy Lane and shops at Spying On You Mart, has an estimated salary of $$$. He has at least one son and one daughter (judging from purchases of boys and girls toys) of the ages between 5-8 years of age (judging from the age group of the toys purchased) and potentially has a wife/female partner who is a size 38 (EU) (again judging from the several pieces of female clothing purchased) and they like barbecuing in the summer and eat Activia yoghurts.
• And with this information that they have about you, do they share it with third parties?
• And if they do, what are those third parties going to do with it?
• Will they protect that information from getting into the wrong hands?
• Did you opt in without realising?
• Can you ever stop them if you wanted/needed to?

Answer all these with a YES, and you've consented with full knowledge and with full trust in that organisation. If you can truly exercise your rights as a data subject, and know that that organisation is protecting and will continue to protect your personal information,  then the protection of your personal information is upheld and the duty of that organisation to you is fulfilled.

But in all cases, think very carefully, read the fine print, and do not give your personal information out unless you know what you're in for, your rights and how to get out. Otherwise, it's Hush Little Baby, Don't Say A Word.

"Privacy law is not allowing us to do this", "We're not allowed to do that". But what can proper personal data management, protection and handling actually do for you... Create business!

On our many encounters we regularly have lively discussions with professionals of all backgrounds and all levels, not surprisingly quite often on our favourite subject, personal data protection and management.

Most feedback we receive however, is related to the repressive perception of data protection law, and how it does not align with the commercial goals and roadmap of the organisation, more likely to limit rather than to offer opportunities.

What we try to explain in such cases, is that the law on the one hand forbids and regulates, but on the other hand enables and guides.

The law forbids that you do anything illegal with the data and use it in a way that can harm the individual identified by the data. It regulates the way that the individual can keep control over his property, i.e. his personal data, and what purposes this data can be used for.

On the other hand, the law creates the framework that allows you to handle personal data and guides both yourself and the data subjects on how to interact in an official and transparent way. You stay in full control but if you mess up, the law is there to enable the individual data subject to exercise his rights.

The basis of the law is the relationship between you and the data subject.

• It needs to be a live relationship.
• Both parties need to be in control.
• New relationships with other parties only with permission and knowledge of the data subject.
• The relationship needs to be transparent.
• Once the relationship ends, the data is no longer of any use and should not be used anymore.

The benefits are many:
As a company, you have many individuals with whom you regularly interact and who support you fully. You do not waste time on stale or dead relationships and do not waste resources on it. Your investment in personal data yields the maximum return. You send out communications to people who want to hear from you and will hear what you have to say.

As an individual, you know which companies you are working with and what they are doing with your information. Once you decide to move on, you know your personal data is not retained and can never be abused.

The downsides of not following this guidance:
As a company, your databases, cupboards and backup tapes are clogged down with stale information of people whom you once worked with but might never work with again. The information of 'live' relationships is hidden and lost in the noise of 'stale' data.

As an individual, your data is lingering forever and you have no control over what will happen with it. Will it end up in the company's archive forever, or in a hacker's database, or somewhere on a hard disk on eBay?

In our personal data workshops, we help every department within organisations maximize the full potential of handling personal data, exploring new potential and advising on ways of using the personal data, within the limits and spirit of the several international data protection legislations. The combination of the detailed knowledge and experience of our team in all related disciplines (data protection law, CRM, marketing, online presence, social networking) together with the knowledge, experience and market savvy of your team, creates novel and powerful new applications with many quick wins and long term benefits.

More information on our Personal Data Workshops and other services can be found here.

Is this a typo? No, it isn't, the outlook for data protection is bleak, and no immediate improvement is to be expected.

First of all, the team at Lee & White would like to wish you a Happy New Year.

Happy because you chose to come here on your own accord and happy that we did not spam you with - probably sincere but spam wishes all the same and which are likely to be loaded with the inevitable commercial 'opportunities'.

As the new year has just started, we are hopeful that protection of personal data and control over use of your own personal data will improve significantly.

But looking back, what happened in 2011?

• A year of major privacy incidents that made it harder - but still normal to many- to ignore the importance of such incidents.
• The rise of moguls that devour personal data and any other data they can 'find', who make it difficult for you to control who is (ab)using your data, and even make you want and think it is normal to share your most personal of data with the world, but mainly the moguls themselves.
• Personal data collection devices with functions such as recording, tracking, spying, eavesdropping, ... commonly known as smartphones.
• ...

2012 will be the year of

• Street View becoming even more commonplace, exposing your most private locations.
• Spies recording your every move and thought using their personal data collection device.
• Full commercial exploitation of our most personal data of all... our face.
• Automatic identification and tracking through techniques such NFC, RFID, Bluetooth, GSM, Wifi, face and car registration recognition.
• Economic crisis... if privacy does not obviously have a positive business case (despite the fact that it actually does), then it gets deferred or cancelled.
• Basically, no place to hide or control who processes your personal data.
• ...

Technology is moving very fast, lawgivers are trying to keep up, priorities are economic and profit rules.

Well, I'm sure privacy will be top of the agenda in 2013.

The electronic identity card or eID is the statutory or legal identity card in Belgium. Every Belgian citizen in Belgium above 12 years of age has an eID. In addition, foreigners, both within the EU and non-EU citizens residing in Belgium, having fulfilled the necessary residing requirements of the country, are also given an eID. With this eID, you are able to prove your identity and travel within the EU countries.

And it does not stop there. The eID, with a pincode, has a microchip which contains information not visible on the card itself such as one's address and electronic data (known as digital certificates). These certificates confirm your identity when you use the eID card reader. Through the eID, you can:

• prove your identity on the Internet
• place an electronic signature
• apply for official documents and fill in official forms
• and more...

Whilst anyone with an e-card reader can read the details on an eID by inserting the eID into the card reader and using the publicly available software, not everyone may - without a legitimate purpose and with the consent of the data subject. 

The presentation or submission of the eID card is not governed by the Data Protection Law. However, once the information on the identity card is read, copied or manually recorded, processing of personal data has taken place and is subject to the application of the Data Protection Law.

As such, it is of primary importance to establish that there is a legitimate purpose for the reading of the eID. Where the information is visible on the eID card to the naked eye, and sufficient to achieve the relevant purpose, the data controller should only copy/process that information and should not proceed with an electronic reading of the chip. This is because, as earlier stated, the microchip contains both information already visible on the card as well as hidden information which may not be necessary for the relevant purpose. If the data controller reads the information contained in the chip anyway, he is then processing irrelevant and excessive information unnecessary for his purpose(s) and is in breach of the Data Protection Law.

Hence, if you happen to be asked for your eID to be read by the card reader, which seems to be quite common in registering for mobile phone subscriptions and tenancy agreements, do exercise your right to know the specific purpose for reading your eID, and if the information required is visible on the card without having to read the chip, then do know that the data controller has no ground for making this request.

It would seem strange, and even overbold to admit that there are times when sharing is not an action deserving praise, but such situations do arise - particularly on the Internet. 

Let us use the most popular social network of our time as an example - Facebook. Facebook is all about sharing. One of the main reasons for its use is to share content with others such as pictures, videos, comments, sharing links and so on. In most instances, we share such content with the people we know on Facebook. We let our friends and family know what we're thinking about, what we ate, our current location (via Blackberry etc)...   

And then there are those who add strangers to their list by the dozen. You should see the amount of friends on the list of some of these people - running up to a thousand!  And how well do they know the people they 'friend' on their list? There are many who do not even consider the profile of their requestors before adding them to build up their list of friends. A social experiment conducted recently affirms the problems with sharing on the social network. Indeed, we would never share our personal information with strangers, so why do we do this on a social network?  

Sharing our personal information (even with friends) should be carefully considered. For example, sharing your location so that people know exactly where you are at a particular time leaves you quite vulnerable. There are users who boldly upload pictures of their passports and airline tickets with every bit of confidential information visible for all to see. Caution is certainly thrown to the wind in these cases. It is indeed a pity when people think that crimes such as identity theft and the likes are far-fetched and "only happen to others". 

Whilst it can be argued that, we were all once strangers to the other before friendship develops, the fact still remains that what one sees on the social network may not always be the truth. And be it with friends or strangers, danger lurks. For example, there have been several cases where teenagers befriend strangers through Facebook and the likes, and end up being raped. The cases come from all around the world - stretching from Malaysia, Indonesia, India and the UK.  

In fact, as Facebook admits in its Privacy Policy, even after one removes information from his/her profile, or deletes his/her account, copies of that information may remain viewable elsewhere to the extent that it has been shared with others (such as friends downloading and storing the pictures you have uploaded) and that the information might be reshared by others. So, are you still the master of your life or are you cheating yourself out? 

Undoubtedly, social networks such as Facebook have their good use - reconnecting with old friends, keeping in touch etc. However, with everything in life, caution is necessary. Use these tools wisely. 

And let us not forget about bloggers - especially mothers who blog about - every - single - thing. Yes, children's names, ages, birthdays, likes, dislikes, outings, things planned - e.v.e.r.y.t.h.i.n.g. They do not realise how much they have exposed their families and themselves to danger and abuse. Writing a blog may seem like a private journal - a personal diary, but it is in fact far from p.r.i.v.a.t.e. It is a publication on the Internet - visible to a few or to all (whichever is opted for) and remains on servers which the blogger does not have control over. 

Therefore, although sharing is one of life's basic skills, sharing yourself away in these instances is at a very heavy cost and hardly deserving of praise.

You can approach sharing your personal data in two ways:

Some people absolutely refuse to use applications such as Facebook, Twitter and LinkedIn.

Others simply register with these sites in order to stop others from stealing their identity and using it to impersonate them. Other people go all out and share their whole life, successes and woes, likes and dislikes, and publish it for everyone to see.

The same goes for user profiling. Some people do not mind that their every move is being traced and companies build extended profiles on their habits, likes and dislikes whilst others have a high Big Brother feeling and absolutely avoid using most, or even any of the electronic tools we have at our disposal these days.

It is quite impossible to avoid being tracked, as every move you make on the Internet, using your fixed or mobile phone, credit and debit cards, bank transfers, purchases, driving on the highway and walking in public places, is monitored, registered, analysed, mashed up, stored and used for a multitude of purposes. Even if you do not use electronic tools yourself, the movements of your car are still registered by the numerous intelligent camera's, even your face gets recognized by surveillance cameras. Tourists take geotagged snapshots with you as accidental passerby, and Facebook puts your name to your face.

In fact, it is actually quite undesirable to have people move 'under the radar' so to speak as it opens the door to illegal, antisocial and unwanted activities and removes the feeling of social control.

The data protection law empowers us to retain control on who handles our personal data and what they can use it for. It also allows us to stop people or entities from processing our personal data if we have good reason to do so.

The benefits of user profiling are many. Instead of having to actively search for information and goods that interest us, companies can present us with relevant and interesting information and goods and not bother us with information that does not interest us. It is like the baker who knows which kind of bread you like and the tailor who knows your size and taste and helps you find the perfect garment in no time at all.

Of course, there are also possible abuses with user profiling - such as criminals knowing when people are not at home.

In conclusion, user profiling has many advantages and disadvantages, but it is here to stay and cannot be avoided.

It is up to us, the general public or data subjects as we are called in data protection law, to keep a grip on our information, to exercise our rights and to keep arming ourselves with the necessary legal arms to keep abuse at bay.

The data protection law must not be seen as restricting the use of personal data, but as a means to install trust and order between the data controller and the data subject. It leaves us with many ways to help us use personal data correctly for a long term relationship between customer and supplier.