Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Data is the New Oil
Privacy is the new Green
November 25th 2014
Eye4Travel Amsterdam
Aurélie Pols
@aureliepols

The SUN went down on Privacy
“You have zero privacy
anyway, get over it”,
Scott McNealy, CEO of Sun
Microsystems, January 1999
At eMetrics in Boston in 2006, this turned into
“Privacy is Dead Aurélie, get over it!”
Presented by: Aurélie Pols
@AureliePols

Call me a bore,
I’ve been listening to the helicopters coming,
while humming Wagner’s Ride of the Valkyries

From the rooftops of Amsterdam
@AureliePols
Source:
http://www.tripadvisor.nl/Lo
cationPhotoDirectLink-g188590-
d1740219-
i104248061-
Wyndham_Apollo-
Amsterdam_North_Holland_
Province.html

The is one I do not Trust (my data with)
Source: http://www.cnet.com/news/ftc-sues-wyndham-hotels-over-data-breaches/
@AureliePols

The story?
Reasonably protect the security of consumers’ personal data
Source: http://www.ftc.gov/enforcement/cases-proceedings/1023142/wyndham-worldwide-corporation
@AureliePols

Outcome?
Source: http://www.phiprivacy.net/digging-in-their-heels-wyndham-and-labmd-challenge-ftcs-authority-in-data-security-cases/
Source :http://www.adweek.com/news/technology/ftcs-data-security-case-against-wyndham-worldwide-moves-forward-156847
@AureliePols

Courts writing Privacy history?
The Right to be Forgotten (RTBF)
Source: http://www.economist.com/news/leaders/21602219-right-be-forgotten-sounds-attractive-it-creates-more-problems-it-solves-being
@AureliePols
E
C
J

A Global Privacy Perspective
@AureliePols
US & UK EU ASIA
Common Law Continental Law Partially
continental
law
influenced
Class actions Fines
(by DPAs: Data Protection Agencies)
Amend
ed
New
Privacy Personal Data Protection (PDP)
Business focused Citizen focused: data belongs to the
visitor/prospect/consumer/citizen
Patchwork of sector based
legislations: HIPPA, COPPA,
VPPA, …
Over-arching EU Directives &
Regulations
PII: varies per US
state
“Personal Data” => Risk levels:
low, medium, high, extremely
high

For now, 0 €, no business
WYNDHAM LOST MY TRUST
@AureliePols

I care about my data
@AureliePols
Source:
https://twitter.com/JavZamora/status/
479233003710083072/photo/1

About my online anonymity
Recent Pew Research: US citizens care about
Privacy
Source:
http://www.pe
winternet.org/2
013/09/05/ano
nymity-privacy-and-
security-online/
@AureliePols

Defining Privacy: do you need to?
@AureliePols
Privacy & Business Ethics
vs
Data Protection & Responsible Uses of Data
Customer Trust Legal Compliance
Data
Balancing act
=
Risk Management
Exercise

Privacy is Important
BUT WHO IS RESPONSIBLE?
@AureliePols

Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
@AureliePols

Purpose, Consent & Data Uses
From:
@AureliePols
Purpose
Consent
FIPPs
Data for
approved
use
Purpose
Consent
To:
New
business
opportunity
Data analysis FIPPs
or merging
Big Data is Killing the Privacy Framework

Why is this bubbling up now?
D-I-G-I-T-A-L makes Data Global, replicable, …
The World Economic Forum – Personal Data: The
Emergence of a New Asset Class (2011)
The EU GDPR – General Data Protection Regulation
(2012- 2015?)
The OECD – Guidelines on the Protection of Privacy &
Transborder Flows of Personal Data (1980, reviewed in 2013)
The UN – The Right to Privacy in the Digital Age (2014)
@AureliePols

Total Privacy fines worldwide
@AureliePols
6 weeks into
2014, the
world total in
Privacy
damages had
reached 50%
of last year’s
record: $74
million
Source: http://www.computerworld.com/s/article/9246393/Jay_Cline_U.S._takes_the_gold_in_doling_out_privacy_fines?taxonomyId=84&pageNumber=3

And of course data breaches
@AureliePols
Target,
JPMorgan,
Home Depot,
…
But what happens
After the breach?

How many lawsuits is Target facing?
@AureliePols
140
totaling over $750 million

THE QUESTION IS NOT IF, IT’S WHEN
@AureliePols

Privacy ABC
@AureliePols
FIPPs:
Fair
Information
Privacy
Practices
Source:
https://security.berkeley.edu/sites/default/files
/uploads/FIPPSimage.jpg

If you collect PII… then
@AureliePols
US & UK EU
Common Law Continental Law
Class actions Fines
(by DPAs: Data Protection Agencies)
Privacy Personal Data Protection (PDP)
Business focused Citizen focused
Patchwork of sector
Over-arching EU Directives &
based legislations:
Regulations
HIPPA, COPPA, VPPA,
…
PII: varies per state Risk levels: low, medium, high,
extremely high

So what is considered PII?
Personal Information (based on the definition commonly used by most US states)
i Name, such as full name, maiden name, mother‘s maiden name, or alias
ii Personal identification number, such as social security number (SSN), passport
number, driver‘s license number, account and credit card number
iii Address information, such as street address or email address
iv Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)
v Telephone numbers, including mobile, business, and personal numbers.
Information identifying personally owned property, such as vehicle registration
number or title number and related information
@AureliePols
Source: information based on
current ongoing analysis (partial
results)

PII vs. Risk levels: US vs. EU
Risk
level
Low risk data type
(clickstream data)
@AureliePols
Extremely high
(profiling of sensitive data:
probability of being pregnant => Target?)
PII
High
(sensitive data: health, financial,
Medium political views, sexual orientation, …)
(profiling: typically
retargeting through
cookies)
Data type & Information Security Measures

PERSONAL DATA
@AureliePols
EU Directive 95/46/EC, Article 2ª.
Shall mean any information relating to an identified or identifiable
natural person ('data subject');
an identifiable person is one who can be identified, directly or indirectly,
in particular by reference to an identification number or to one or more
factors specific to his physical, physiological, mental, economic, cultural
or social identity;

A cat dies!
EVERY TIME YOU USE THE
ACRONYM PII
@AureliePols

Privacy Role Playing in the EU
@AureliePols

Controller vs. Processor
Web property: Big
corporation, SME
@AureliePols
Customer: visitor,
voter, citizen, …
Intermediaries: tools,
agencies, consultancies,
…
Data Flow
Responsibility
Privacy
Rights

12 Responsibilities of a Data Controller
1. Inform participants
2. Obtain informed consent
3. Ensure the data held is accurate
4. Delete personal data when it is no longer needed => delete or anonymize
5. Protect against unauthorized destruction, loss, alteration and disclosure => security
6. Contract with Data Processors responsibly
7. Take care transferring data out of Europe
8. If you collect “special” categories of data, get specialist advice
9. Deal with any data subject access requests
10. If the assessment is high stakes, ensure there is review of any automated decision making
11. Appoint a Data Protection Officer (DPO) and train staff
12. Work with supervisory authorities and respond to complaints
Source: http://blog.questionmark.com/responsibilities-of-a-data-controller-when-assessing-knowledge-skills-and-abilities
@AureliePols

Role playing example
Surveymonkey: https://www.surveymonkey.com/mp/policy/privacy-policy
@AureliePols

What about security?
@AureliePols
Data Collection
Processes
Resources
DPO

Implement Information Security Measures
Source: http://www.softbank.jp/en/corp/csr/management/info_security/efforts/
@AureliePols

@AureliePols
Entreprise goal
User goals
Privacy Policy
Requirements
Privacy
Mechanisms
Procedures
& Processes
Privacy Awareness
Training
Quality Assurance
Quality
Assurance
Feedback

Yelp said that only about 0.02 percent of users who actually completed the
registration process during the time period provided an underage birth rate, “and we
have good reason to believe that many of them were actually adults.”
The company had an average of about 138 million unique visitors in Q2 of 2014.
Cost? above 16$/monthly unique …
Source: http://www.pcworld.com/article/2684752/yelp-settles-us-ftc-charges-of-violating-child-privacy.html
@AureliePols

Data has become a valuable asset
DATA IS A RISK BECAUSE IT EXISTS
@AureliePols

What about travel?
CUSTOMER ON THE MOVE & AT
REST IS NOT EQUAL
@AureliePols

National Security vs. Privacy
@AureliePols
Data
Retention
vs.
Data
Protection
Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg
Eg. DRIP (UK,
passed), SOPA (US:
Stop Online Piracy
Act, similar to
French HADOPI) &
PIPA (US: Protect IP
Act)

Data Quality: if this is not me?
@AureliePols

If this was not me, what to do?
@AureliePols

Legislation & risk: win-win?
@AureliePols
New headache
- COPPA
- ISO 14443

Personalised pricing?
Don’t personalize on sensitive data
@AureliePols
Source:
http://privacytools.seas.harvard.edu/
files/privacytools/files/p44-
sweeney.pdf

Who owns the customer?
• Who owns the data?
– Privacy policies
– Data sharing principles (& options => choice)
• Who is responsible for the relationship?
– Who gets the money?
– How does the customer know who to contact?
@AureliePols
• Transparency & communication
• Core business & collaborative procedures with partners

Where to start?
Compliance?
Privacy?
Security?
@AureliePols
Moving targets

The “Magnum” Plan
• Document your data set-up
• Set-up a compliance check-list:
– Applicable legislations to your sector
– Territorial scope
• Evaluate your risk
• Follow-up with information security measures
(data protection)
• Adopt global & sustainable Privacy best practices
@AureliePols

@AureliePols
LOCAL HQ
SUBSIDIARY
1
Customer
Terms &
Conditions
Applicable Security Measures???
LOCAL
SUBSIDIARY
1
LOCAL
SUBSIDIARY
2
LOCAL
SUBSIDIARY
3
LOCAL
SUBSIDIARY
4
Where does it sit? Cloud/SaaS

Example of data flow issues
@AureliePols
Quantified self movement
Personal “health” data
Direction of flow is essential
Consequences on Privacy Policy

5 ONLINE MARKETING RULES TO
RESPECT CONSUMER’S PRIVACY
@AureliePols

5 Online Marketing rules to respect consumer's privacy
1. Say what you do and do what you say
2. Harness your data liability
3. Foster data frugality & documentation
Agile is the ‘mot du jour’
4. Cherish the human aspect of data protection
5. Dialogue and find common ground
@AureliePols

Limiting Risk of holding data
Data Minimization Principle
Limit the collection of personal information to what is directly
relevant and necessary to accomplish a specified purpose
Data Retention Policies
Set of guidelines that describes which data will be archived, how
long it will be kept. Permanent deletion of the retained data is
part of any effective data retention policy.
@AureliePols

Data Retention Policies
• Delete the data, everywhere!
• Anonymize or De-identify the data
@AureliePols
By Ann Cavoukian and
Khaled El Emam, June 2011,
http://www.ipc.on.ca/image
s/Resources/anonymization.
pdf

Privacy by Design (PbD)
7 Fundamental Principles
Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada
1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive
@AureliePols
events before they happen
2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by
ensuring that personal data are automatically protected in any given IT system or business
practice
3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an
essential component of the core functionality being delivered
4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies
5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of
information, end-to-end
6. Visibility and Transparency – Keep it Open: operating according to the stated promises and
objectives, subject to independent verification
7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice,
and empowering user-friendly options

Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Viewers also liked

Viewers also liked (11)

Similar to Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Similar to Data is the new oil, privacy is the new green - Eye4Travel Amsterdam (20)

More from Aurélie Pols

More from Aurélie Pols (20)

Recently uploaded

Recently uploaded (20)

Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Editor's Notes