Lee & White

Google's Eric Schmidt spoke about privacy at its annual Big Tent event in Watford, about the use and misuse of personal data gathered and kept by his company. Whilst we cannot comment whether they walk the talk, we do need to take note of some of the points he made:

We (you ed.) need to fight for privacy or we are going to lose it

Yes we are - if we haven't lost it already. Our personal data is everywhere and just about anyone knows who we are and what we do - to the smallest details. And if they don't yet, they know how to get it.

We are being observed willingly and unwillingly, and are spreading very detailed and sensitive information about ourselves. These days, anyone can pick up a name and put a face and all the trimmings, and they would identify us spot on. It's not difficult to put the pieces together - especially if it is lying about everywhere, like a cookie trail right to your doorstep.

So yes, we do need to keep striving to keep control over our personal data. This is both a task for the data subjects (i.e. you) and the data controllers (i.e. the organisations, but also you).

There's this concern that we (Google ed.) are somehow going to misuse this data and we're not telling you.

Is it only concern? Perhaps, the feelings go deeper...

• coercion - the feeling that you are forcing them to give you their personal data because your services are needed and there are really no alternatives.
• suspicion - the feeling that you are going to sell them to the highest bidder.
• distrust - the feeling that they cannot trust you,  know that you are in fact not to be trusted - but cannot do a thing about it.
• concern - yes, the overall wondering and worrying about what you are going to do with their personal data and for how long.

Do they ever have that ultimate control of their property or it is all a lie?

The solution is simple - be truthful and honest about your processing. It sounds like a lesson in ethics and morality, but yes, that is the bottom line. Say what you are doing and going to do, and do what you say. Set this out in a clear and complete privacy policy stating what you will and will not do with their personal data, how they can count on you to do so or question you if you do not.

I (Eric Schmidt ed.) can assure from a privacy perspective... we would lose you and not get you back.

That's right, you won't get them back.

Google has a "clear business incentive" to protect user's data; do it properly or lose your business. Not handling personal data properly, not keeping the relationship with your data subject (i.e. the person behind the 'customer', 'supplier' or 'prospect') will make you lose them. Perhaps not immediately, as perhaps you are delivering a service which they need and only you can supply, but certainly in the longer term, when an alternative company rises which offers the same services and which does handle personal data properly.

So, are you going to start handling the personal data under your care properly, or are you waiting for that competitor to do so first?

"Privacy law is not allowing us to do this", "We're not allowed to do that". But what can proper personal data management, protection and handling actually do for you... Create business!

On our many encounters we regularly have lively discussions with professionals of all backgrounds and all levels, not surprisingly quite often on our favourite subject, personal data protection and management.

Most feedback we receive however, is related to the repressive perception of data protection law, and how it does not align with the commercial goals and roadmap of the organisation, more likely to limit rather than to offer opportunities.

What we try to explain in such cases, is that the law on the one hand forbids and regulates, but on the other hand enables and guides.

The law forbids that you do anything illegal with the data and use it in a way that can harm the individual identified by the data. It regulates the way that the individual can keep control over his property, i.e. his personal data, and what purposes this data can be used for.

On the other hand, the law creates the framework that allows you to handle personal data and guides both yourself and the data subjects on how to interact in an official and transparent way. You stay in full control but if you mess up, the law is there to enable the individual data subject to exercise his rights.

The basis of the law is the relationship between you and the data subject.

• It needs to be a live relationship.
• Both parties need to be in control.
• New relationships with other parties only with permission and knowledge of the data subject.
• The relationship needs to be transparent.
• Once the relationship ends, the data is no longer of any use and should not be used anymore.

The benefits are many:
As a company, you have many individuals with whom you regularly interact and who support you fully. You do not waste time on stale or dead relationships and do not waste resources on it. Your investment in personal data yields the maximum return. You send out communications to people who want to hear from you and will hear what you have to say.

As an individual, you know which companies you are working with and what they are doing with your information. Once you decide to move on, you know your personal data is not retained and can never be abused.

The downsides of not following this guidance:
As a company, your databases, cupboards and backup tapes are clogged down with stale information of people whom you once worked with but might never work with again. The information of 'live' relationships is hidden and lost in the noise of 'stale' data.

As an individual, your data is lingering forever and you have no control over what will happen with it. Will it end up in the company's archive forever, or in a hacker's database, or somewhere on a hard disk on eBay?

In our personal data workshops, we help every department within organisations maximize the full potential of handling personal data, exploring new potential and advising on ways of using the personal data, within the limits and spirit of the several international data protection legislations. The combination of the detailed knowledge and experience of our team in all related disciplines (data protection law, CRM, marketing, online presence, social networking) together with the knowledge, experience and market savvy of your team, creates novel and powerful new applications with many quick wins and long term benefits.

More information on our Personal Data Workshops and other services can be found here.

It is looking good for Data Protection in Belgium and the EU as Ms. Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, Fundamental Rights and Citizenship, announced groundbreaking changes to EU Data Laws to be introduced in a Bill to the EU Parliament this week.

Speaking at the “Digital, Life, Design” conference in Munich on January 22^nd, 2012, she confirmed that personal data is indeed an asset, a  message which has already begun passing around since the UK Information Commissioner commissioned a report on privacy by design to help articulate the business case for proactive protection of privacy in 2008 and which we believe and preach with conviction. “Personal Data is the currency of today’s digital market, and like any currency, it needs stability and trust. Only if consumers can ‘trust’ that their data is well protected, will they continue to entrust businesses and authorities with it, buy online, and accept new services.”, she stated. And the amount of data, including Personal Data, is growing by a whopping 40% a year worldwide.

Given the fact that 72% of European Citizens said in a recent poll that they are concerned about how their personal data is used by companies, and given that businesses are concerned too, how can they keep control over data which races around the globe in a virtual cloud?

“Trust has to prevail”, states Ms. Reding. Rightly so. If the population is to give the current growth continued support, they need to have a good understanding of the issues and be able to trust that their data is not being abused. They entrust the EU with the task to draw up the rules and follow up on their correct implementation and execution. Trust is the key to any relationship - and how much more in the business world?

We have a unified currency in the EU, but Data Protection law is fragmented into 27 different, and sometimes conflicting, regulations. Whilst some member states are top of the class, others have watered the 1995 EU Directive down so much that it is no more than a sign on the wall showing how bad things are. A lot of burden has been added, sometimes in the form or red tape and lengthy cumbersome administrative procedures. As such, it has all been a futile exercise as it missed its economic goal.

Ms. Reding states “Privacy concerns are one of the most frequent reasons why people don’t buy goods and services online.”. She is adamant about the way forward: “This needs to be changed.”

Two legislative texts will be proposed:

“First, a Regulation to enhance opportunities for companies that want to do business in the EU's internal market, while ensuring a high level of data protection for individuals.

Second, a Directive to ensure a smoother exchange of information between Member States' police and judicial authorities in the fight against serious crime while at the same time protecting people’s fundamental right to data protection.”

The first point, legal certainty, will be achieved by one Data Protection Law in the form of a directly applicable Regulation which will apply to all Member States in the European Union, and to all organisations offering their goods and services to consumers in the EU – even if their servers are based outside the EU.

This new Regulation will unleash the potential of the Digital Single Market, and will save businesses around 2.3 billion Euros per year, removing barriers to market entry, which were especially affecting our clients, the small and medium-sized enterprises. It will simplify the regulatory environment and drastically cut red tape. Current notification requirements are replaced by a duty for companies to be responsible and accountable for the protection of Personal Data in their business field. Each company will have to appoint a Data Protection Officer.

There will be one law, applicable to all member states, and companies will only have to deal with a single Data Protection Authority linked to the country of its main establishment.

All Data Protection Authorities will have the same adequate tools and powers to enforce the EU Law.

They will:

• Deal with complaints
• Carry out investigations
• Take binding decisions
• Impose effective and dissuasive sanctions.

The rules for international data transfers will be strengthened and simplified - a necessary step in a world where data travels freely around the world and major companies have made it their specialty to circumvent the more ‘difficult’ countries by operating in or via countries with weaker Data Protection legislation.

Trust from the individuals will be earned through a few key principles, boiling down to one point: Transparency.

• Informed
  • People need to be informed in simple, clear, and unambiguous language.
• Consent
  • People need to freely give their specific and informed consent.
• Control
  • People need to have control over their own data at all time. Aside from the control we know already, it will also include portability, the possibility to take one’s data and easily move it from one provider to another, and the right, not the option, to be forgotten.
• Alert
  • Individuals need to be swiftly informed, within 24 hours, when any of their personal data is lost or stolen.
  • Companies suffering such a breach need to notify their Data Protection Authority without undue delay, i.e. ‘within 24 hours’.

Ms. Reding concludes:

"We will get a strong, consistent and future-proof framework for data protection, applied consistently across all Member States and across all European Union policies. We will make our data protection legislation fit for the digital age so it encourages innovation and development of new technologies and services.

We will adjust the rules to the reality of multinational businesses. And will adjust the rules to the reality of people's lives. Europeans live, work, shop and travel freely in the EU, so their data must travel freely as well: Freely and safely. The reform will become a golden opportunity for business: complying with the EU’s laws on data protection will lead to a competitive advantage. European data protection rules will become a trademark people recognise and trust worldwide. I would welcome if everyone here put these new rules to life."

Well said. Data Protection without a doubt enables businesses to make more and better business, leading to a competitive advantage over competitors, having a solid and healthy relationship with loyal customers. Any organisation would pay good money for this.

You can read the full text of Ms. Reding's speech here

It will take some time to bring the new law into practice, but organisations should be aware and prepared, making the necessary changes sooner rather than later.

If you need to assess your current status with relation to the new Data Protection Law or need advice on implementing or improving compliance with current or the next legislation, review our services and contact us.

Is this a typo? No, it isn't, the outlook for data protection is bleak, and no immediate improvement is to be expected.

First of all, the team at Lee & White would like to wish you a Happy New Year.

Happy because you chose to come here on your own accord and happy that we did not spam you with - probably sincere but spam wishes all the same and which are likely to be loaded with the inevitable commercial 'opportunities'.

As the new year has just started, we are hopeful that protection of personal data and control over use of your own personal data will improve significantly.

But looking back, what happened in 2011?

• A year of major privacy incidents that made it harder - but still normal to many- to ignore the importance of such incidents.
• The rise of moguls that devour personal data and any other data they can 'find', who make it difficult for you to control who is (ab)using your data, and even make you want and think it is normal to share your most personal of data with the world, but mainly the moguls themselves.
• Personal data collection devices with functions such as recording, tracking, spying, eavesdropping, ... commonly known as smartphones.
• ...

2012 will be the year of

• Street View becoming even more commonplace, exposing your most private locations.
• Spies recording your every move and thought using their personal data collection device.
• Full commercial exploitation of our most personal data of all... our face.
• Automatic identification and tracking through techniques such NFC, RFID, Bluetooth, GSM, Wifi, face and car registration recognition.
• Economic crisis... if privacy does not obviously have a positive business case (despite the fact that it actually does), then it gets deferred or cancelled.
• Basically, no place to hide or control who processes your personal data.
• ...

Technology is moving very fast, lawgivers are trying to keep up, priorities are economic and profit rules.

Well, I'm sure privacy will be top of the agenda in 2013.

Cloud computing, it is a hot topic these days. But what is it all about?

Basically, it describes technologies to deliver software as a service. The cloud provider provides processing power, software, data access, and storage in order to deliver services to the consumer of the cloud services.

How does it look from your end of the screen? Compare it to your water supplier; at the end of the day, the average user would probably require that when he turns on the tap, water comes out. The more concerned user would be a bit more interested in the quality and origin of the water coming out.

A better parallel with regard to your data however would be the attended cloakroom. You would arrive at the theatre and hand your coat to the cloakroom attendant in exchange for a numbered ticket. After the show, you would hand the ticket to the attendant in order to have your coat returned.

So as a user (the data subject), you would hand your personal data to a company (the data controller) you trust, and this company would store your data or process it in ‘the cloud’ through his cloud provider (a data processor).

If the attended cloakroom is unattended (after closing hours) or in case of an emergency, you could browse through the coat hangers in the cloak room and find your coat. What if it wasn’t there, what if the cloakroom had ‘outsourced’ storing the coats? You would appreciate a sign saying ‘We outsource our coat storage to external sites in x, y and z’. You could still go to x, y and z and retrieve your coat.

With data however, nobody is guaranteeing that the data is stored completely in one location, it might be distributed over multiple data stores. It is also not guaranteed that the data is stored only once, only that it is stored at least once. And no guarantees that if data is deleted or moved, it is physically removed or erased in the original location.

So what can we learn from this short story:
It is vital that everybody involved knows where the data resides, handles it with care and only for as long as needed and wanted, keeps it safe from abuse, and deletes it when no longer needed.

Data Controller

• Draw up and adhere to rules regarding handling personal data. (data handling procedures)
• Draw up and implement procedures to allow data subjects to execute their legal rights under the Data Protection Law.
• Ensure your subcontractors abide by the same rules you impose on yourself.
• Inform your data subjects of these rules, be transparent. (privacy statement)
• Audit yourself regularly to check adherence to your rules and the Data Protection Law.
• Audit your subcontractors to check the above.
• Be vigilant!

Data Subject

• Read the information provided by the data controller before handing over your personal data.
• Execute your legal rights under the Data Protection Law.
• Stay in control of your personal data, know who is using it and what for.
• Be vigilant!

And finally. if in doubt, do not hand over your personal data and look for another provider.

The electronic identity card or eID is the statutory or legal identity card in Belgium. Every Belgian citizen in Belgium above 12 years of age has an eID. In addition, foreigners, both within the EU and non-EU citizens residing in Belgium, having fulfilled the necessary residing requirements of the country, are also given an eID. With this eID, you are able to prove your identity and travel within the EU countries.

And it does not stop there. The eID, with a pincode, has a microchip which contains information not visible on the card itself such as one's address and electronic data (known as digital certificates). These certificates confirm your identity when you use the eID card reader. Through the eID, you can:

• prove your identity on the Internet
• place an electronic signature
• apply for official documents and fill in official forms
• and more...

Whilst anyone with an e-card reader can read the details on an eID by inserting the eID into the card reader and using the publicly available software, not everyone may - without a legitimate purpose and with the consent of the data subject. 

The presentation or submission of the eID card is not governed by the Data Protection Law. However, once the information on the identity card is read, copied or manually recorded, processing of personal data has taken place and is subject to the application of the Data Protection Law.

As such, it is of primary importance to establish that there is a legitimate purpose for the reading of the eID. Where the information is visible on the eID card to the naked eye, and sufficient to achieve the relevant purpose, the data controller should only copy/process that information and should not proceed with an electronic reading of the chip. This is because, as earlier stated, the microchip contains both information already visible on the card as well as hidden information which may not be necessary for the relevant purpose. If the data controller reads the information contained in the chip anyway, he is then processing irrelevant and excessive information unnecessary for his purpose(s) and is in breach of the Data Protection Law.

Hence, if you happen to be asked for your eID to be read by the card reader, which seems to be quite common in registering for mobile phone subscriptions and tenancy agreements, do exercise your right to know the specific purpose for reading your eID, and if the information required is visible on the card without having to read the chip, then do know that the data controller has no ground for making this request.

Despite many obvious reasons for ensuring both technical and organisational security measures within a company, many companies (don't be surprised) are yet to implement these.

Unrestricted access to server rooms (for purposes which will set you on the floor laughing, but sadly true), sharing of passwords between colleagues, unlocked cabinets, messy desks with confidential information displayed for all eyes, non-secure company websites collecting personal data, and so on. If you're nodding to all these as you read, then you've got a company who is in breach of the Data Protection Law.

Now, last week on the news, Sony Pictures was humiliated when hacking group LulzSec claimed it had accessed unencrypted personal data of SonyPictures.com and Sony BMG's Websites in Belgium and the Netherlands. According to the group, getting the information was not that complex - gaining access to SonyPictures.com with a single SQL injection.

"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," they claimed. "This is disgraceful and insecure: they were asking for it."

According to Beth Givens, director of Privacy Rights Clearinghouse, the attacks on Sony would seem to indicate lax practices on Sony's part. "These repeated Sony attacks are an object lesson for all companies," she said. "Sony has reported that it uses industry standards for security. If that's true, then perhaps it is time to re-evaluate and even go beyond such standards." (Read more: cnetNews)

It is clearly another lesson to be learnt. But, are companies learning or ignoring this important legal and moral duty to its customers? How many companies will take the appropriate security measures now, or will it depend on the budget and short term profit?

There was a recent case in the press about Google collecting and storing information broadcast over open Wi-Fi networks, attributed to the overzealous IT people who captured all data that they could technologically grab, and store it, just in case they might use it in the future.

This is a good example of what happens quite often in IT projects.

• The business owner has a great idea to use a new technology to boost sales or to develop a new product.
• The business analyst uses these ideas and draws up the business requirements and scope of a project to achieve this goal.
• The project manager executes the project and drives the IT and business teams to deliver the required code.

The whole process is monitored end to end by the data protection officer who

• Assesses the impact on personal data protection at the time the business owner intends to initiate the project
• Reviews and approves the business requirements and analysis documents, checking that personal data processing is
  • fair and lawful,
  • collected for the specific purpose of the project,
  • adequate, relevant and not excessive.
• Participates in status and scope meetings, guarding the above.
• Performs integration and user acceptance testing with a focus on personal data
• Gives the final go that a project can go live and it is not, now and in the future,
  • a risk to trust and reputation of the organisation, or
  • a violation of applicable data protection laws.

So far the theory. What happens quite often is that no dedicated data protection officer is assigned, and every party in this process, to the best of their ability and in good faith, do what they think is best.

• The business owner will want his new product to be fully compliant with best practices and data protection law, but hands it over to the project manager and fails to check these requirements at the end of the project.
• The business analyst draws up the business requirements, but limited by time and budget sometimes forgets to add the 'hidden' requirements of data protection.
• The project manager is stuck to a budget and will deliver it at any cost, dropping requirements from the scope if necessary at crunch time.
• The IT and business teams will try to get the maximum out of the new technology and add any features or use any new technology that they feel like or are intellectually challenged to use.

The solution is that the whole process of developing a project be monitored and audited end to end, and independent parties should be responsible for doing this. They should explicitely approve any step in the project, ensuring that the scope is strictly limited to what the project requires and no extra 'features' are added that can prove to be a very expensive overhead and liability further down the road, both in money and less tangible values.

Now for the case of Google, is removing the offending data the solution? No, because the offence was processing the data (gathering wifi signals) in the first place which cannot be undone.

It's almost the end of the quarter, sales numbers are nearly on target, we just need a little boost to get them higher, perhaps even above target, I need that bonus.

"You know what? Let's launch a quick campaign and mail our prospects!"

I'm sure this all sounds very familiar if you are in the marketing department of any medium to large company, and it is a great initiative of course. But who shall you email? Where do you get the addresses?

We could for example mail our prospects, people who expressed some interest in one of our products; or perhaps people who entered that competition last month; perhaps people who were submitted by someone in our friend-gets-friend referral campaign; perhaps the subscribers to our newsletter; what about ex-customers we want back; let's buy a list from a broker; ...

And this is where it gets hairy:

• Are you mailing the right people, possibly sending a super promo mail that will anger a new customer who paid so much more for the same product a few days ago?
• Do you have permission to email these prospects; did you ask them for their permission to send them this kind of promotions and did they opt-in?
• Did you exclude persons who opted out from your list?
• Is your list deduplicated? Are you not sending multiple mails to the same person through the same or different email addresses?
• Are you not publishing your list of email addresses to every recipient?

A mistake at this level can cost you dearly, in terms of losing face or upsetting client or supplier relations, and it could all be solved if you had followed proper procedures when you acquired the email addresses.

All you needed to do was:

• Ask for a prospect's email only when needed.
• If you want to use this information for other purposes, inform the prospect and ask for his explicit permission.
• Allow the prospect to review, change and delete his information at his simple request at any time.
• Check if the supplier of your mailing list or broker has obtained the permission of your prospects and has informed them of the possibility of their information going to you for marketing purposes.
• At any communication, give the prospect the opportunity to opt out of future communications of this kind or of any kind.

A Privacy Impact Assessment at the design phase of a project can detect such opportunities and a Data Protection Audit can analyse and correct the flow of information within your organisation.

It will save you in the long run!

We have all gotten so used to our gadgets that we are willing to sacrifice basic human rights to get our hands on them. People do not always know the value of their personal data, or value it so low that they are willing to give it up for peanuts (or a chocolate bar).

Often it is ignorance, and we are not aware that our gadgets or services are giving away important personal data. And then there are those of us who are aware of this fact, and are counting on our provider to treat our personal data properly, or at least according to their privacy statement, which of course we check thoroughly before buying or starting to use such gadget or service.

A few examples: