Creative destruction & Privacy Whitewashing: where does risk lie?

1. CREATIVE DESTRUCTION & PRIVACY WHITEWASHING: WHERE DOES RISK LIE? Founder, Aurélie Pols & Associates January 30th 2023 aurelie.pols@protonmail.com 1

2. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Data Governance & Privacy Engineer Data is the New infrastructure – Privacy is the New Green – Trust is the New Currency Dutch nationality, French mother tongue, works in English, lives in Spain (+kids!) AURELIE POLS, DATA GOVERNANCE & PRIVACY ENGINEER • DPO for mParticle (Customer Data platform) – contractor (USA, New York) • Founder – Aurélie Pols & Associates • Group expert member for the Observatory on the Online Platform Economy (E03607) – EU Commission •Guest professor DPO certification courses Maastricht University, faculty of law (NL) & Solvay Business School Brussels (B) • Board Member European Center On Privacy and Security, Maastricht University (NL) • Ethics Advisory Group (EAG) – European Data Protection Supervisor (EDPS) Towards a digital ethics • Former Vice-chair P7002 – Data Privacy Process – IEEE • Speaker/writer/consiglieri: Mobile World Congress, SWSX, Strata (+ Hadoop World), IAPP, Piwik, AT Internet, industry associations, AdTech & MarTech vendors, … 2003: OX2 Co-founder Webanalytics.be 2008: Sold to Digitas LBi (Publicis) 2 Not former GAFAM

3. What I do for a living In case you are (still) wondering ;-) 3

4. Interlocking liabilities & obligations People Company (Telco, Bank, Insurance..) Company (Agency, consultancy, vendor, ...) Cloud provider • Aligning contract obligations • Risk • (+ Mitigation measures?) • Providing • Security + Privacy • Privacy engineering • Design & Default(s) B2C (+ B2B) B2B B2B Privacy Notices Lawful basis Data Subject Rights MSA SOW T&C 4

6. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – IAB’s CEO at Annual Leadership Meeting 1. (Privacy) extremists are political opportunists 2. Attacks to ”our” industry also from within => Apple 3. Opportunity for healthy competition: positive ∑, not zero ∑? 6 Source: https://www.dataprotection authority.be/iab-europe- held-responsible-for-a- mechanism-that-infringes- the-gdpr

7. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Rise up? For what? For who exactly? 7

8. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Is the IAB spamming now? 8 The gathering has begun? Surely this is spam… And no opt-out link? tsssss 🇨🇦

9. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Let’s blame Canada! Perro ladrador poco mordedor (bark but no teeth) Why? 9 Source: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2023/nr-c_230126/

10. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Had this been .. other than PIPEDA Let’s speculate 1. The GDPR, • A fine? • Deletion obligations? • At HomeDepot • For their processors? • (Notifications to data subjects?) 2. The US like CCPA/CPRA, Colorado, Connecticut, Virginia, Utah • Opt-out obligations? • A potential class action? 10

11. 11

12. 12

13. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Let’s go back to the story “Home Depot shared details from e-receipts with Meta without the knowledge or consent of customers” Geography: 🇨🇦 Purpose of data processing: delivering e-receipts to HomeDepot customers who purchased in store Data involved? Email Personal information? ✅ Applicable law: PIPEDA Program: Meta Platform Inc. Offline Conversions 13

14. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Taking a closer look at the data flows “Information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta’s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot” 14

15. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – In “privacy” obligations terms, the issues are: i. sending PD/I to Meta beyond the purpose for the receipt (quid purpose limitation principle?) requires some form of a lawful basis under GDPR ii. Meta then engages in another data processing operation ie does the user have a FB account? + iii. FB compares to in-store purchases. isn't that data held by HomeDepot? how does FB do that? iv. to report on ad effectiveness ie another purpose in the interest of both companies and v. cross-mingle data between customer ie FB doesn't act as a data processor or even service provider under CCPA/CPRA anymore! 15

16. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Justifications by HomeDepot “Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. ” “Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses “de- identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the Offline Conversions program” 16

17. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – On the magic of de-identification This does NOT work under the GDPR or any opt-in laws which require: 1. A lawful basis • Implied consent is not one of them • GDPR has 6, LGPD has 10, Chinese PIPL 7 2. A defined purpose Please share broadly https://edps.europa.eu/system/files/2021-04/ 21-04-27_aepd-edps_anonymisation_en_5.pdf 17

18. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – 10 misunderstandings related to anonymization 1. Pseudonimization is not anonymization 2. Encryption is not anonymization 3. Anonymization of data is always possible 4. Anonymization is forever 5. Anonymization always reduces the probability of re-identification to zero 6. Anonymization is a binary concept that can not be measured 7. Anonymization can be fully automated 8. Anonymization makes the data useless 9. Following an anonymization process used by others renders same results 10. There is no risk and no interest in finding out to whom this data refers to 18

19. The data is anonymous, privacy law doesn’t apply Privacy whitewashing #1 19

20. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Justifications by HomeDepot (II) “... Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.” ”The company said that it did not notify customers of its information sharing agreement with Meta just prior to issuing e-receipts due to the risk of “consent fatigue.”” Actually, under the GDPR, the initial data processing operation would NOT require consent: the lawful basis would be contract. For subsequent processes however, like ADM, art 22 would apply where a data subject would have the Right NOT to be subject to it 20

21. The consumer consented Privacy whitewashing #2 Follow up question is typically: to what exactly? PURPOSE 21

22. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Lessons learnt, now what? The structure of how laws are built up really varies Their consequences as well so what enforcement means How enforcement is then accepted also In the end this is all about change “Home Depot was fully cooperative throughout the investigation and has agreed to implement the OPC’s recommendations. The company stopped sharing customer information with Meta in October 2022.” 22

23. The company will not do it anymore/again Privacy whitewashing #3 Follow up question is typically: how to make sure? 23

24. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – High level: opt-in vs. opt-out laws Comparing roles in 2 major privacy laws: GDPR is a horizontal law, which took 5 years to mature, is enshrined within EU law (Charter + TFEU), enforced by supervisory authorities CCPA was originally proposed as a ballot proposition by a privacy group known as Californians for Consumer Privacy. 24 CCPA/CPRA GDPR Business Data controller Service provider Data processor 3rd party/data broker Joint controller Accountability Fundam ental right Lim ited rights Data to support growth

25. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – US privacy law is sectoral You’ve all heard of COPPA, HIPAA, VPPA, Fair Credit Act, … And boy, is this getting complicated! P = right to opt-out of processing for profiling/targeted advertising purposes 25 Source: https://iapp.org/media/pdf/resource_ce nter/State_Comp_Privacy_Law_Chart.pdf

26. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Purpose is taking center stage Even in US state laws now: what is the data used for? The scope of opt-outs vary by state: 1. VA, CO & CT enable consumers to opt-out of targeted advertising, sale and profiling 2. UT enables consumers to opt-out of targeted advertising and sale of data (but not profiling) 3. CA enables consumers to opt-out of sale & sharing + under CPRA, when a business sees an opt-out preference signal (eg. GPC), it must also opt the consumer out of from profiling 26

27. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Legislative evolutions: where is ePrivacy? 28

28. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – And yes there is more coming 29

29. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – But not just Europe and cookies: SDKs… 30

30. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Does section 230, DMA/DSA ring any bells? 31

31. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – ADM, ML & AI Start here Keep in mind 1. Lawful basis 2. Purpose (limitation) If PD/I 32

32. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – While AI brings back IP challenges 33 Source: https://www.theverg e.com/2023/1/17/23 558516/ai-art- copyright-stable- diffusion-getty- images-lawsuit

33. Provenance of digital raw material matters Risks lie in lack of explainability for all actors involved in the data ecosystem 34

34. aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Data governance, the sexiest job of 2023? 35

35. Thank you for coming to my presentation Aurelie.pols@protonmail.com 36 Life is like a plate of spaghetti, everthing is interconnected Life is like a box of chocolates, you never know what to expect!

Creative destruction & Privacy Whitewashing: where does risk lie?

Estás leyendo una previsualización.

Eche un vistazo a continuación

Creative destruction & Privacy Whitewashing: where does risk lie?

Más Contenido Relacionado

Presentaciones para usted (20)

Similares a Creative destruction & Privacy Whitewashing: where does risk lie? (20)

Más de Aurélie Pols (20)

Más reciente (20)