Privacy in Europe eMetrics Summit London2012

Data Collection & Privacy:
Are you ready to avoid fines and build customer trust?
René Dechamps Otamendi – eMetrics Summit London - 2012

About me

Entrepreneur
Analytics Pioneer in Europe (Formerly OX2 in Belgium)
CEO of Mind Your Group (Spain)
Cofounded with Aurélie Pols

MYG Shareholders & Advisors:
Avinash Kaushik
Bryan Eisenberg
Jeffrey Eisenberg
Jim Sterne

More: Visit my LinkedIn Profile | Follow me: @rdo

©Mind Your Privacy, S.L. @rdo

What Mind Your Privacy does

EU PRIVACY AUDIT EU PRIVACY FINE MAINTENANCE EU COOKIES
TUNING / PRIVACY BY DESIGN SPECIAL

Compliance level EU legislation Privacy by Design internal For any Company active
assessment compliance (Directive procedures & Privacy in Europe using cookies
and Regulation) support (mainly CMO)

Helping companies to comply with EU Privacy legislations


The idea?

2007

@AureliePols The West Wing

http://www.youtube.com/watch?v=pj4PwyfDNuI


Let’s talk about Privacy


Let’s do some history


2006-2008

Privacy is dead, get over it?
vs.
“Data Chernobyl”


2009:
“EU Cookie law” (Directive) passes

http://web.archive.org/web/2
0091117195452/http://aurelie
.webanalyticsdemystified.com/
2009/11/10/eu-cookie-law-
interpretation-is-
breathtakingly-stupid/


2009-2012
Countries implement the Directive
into their national legislations

Resulting ‘potentially’ in…
27 interpretations!
A mess!!!

2004 - 2009

Viviane Reding EU Commissioner for Information Society


2009 -

Viviane Reding EU Commissioner for Justice, Fundamental Rights and Citizenship


2009 -

Neelie Kroes - EU Commissioner for Digital Agenda


Media is starting to talk…

http://online.wsj.com/article/SB10000872396390443389604578026473954094366.html


Media is starting to talk…

http://topics.nytimes.com/top/reference/timestopics/subjects/p/privacy/index.html


25 th January 2012
New EU Personal Data Protection Regulation announced by…

http://www.youtube.com/watch?v=uFyw_4OYWdo


How the EU explains the need
of the new rules

http://www.youtube.com/watch?v=5ByVaZ0rg8U


11th October 2012
Viviane Reding reminds everyone
That Privacy is a EU fundamental right

http://europa.eu/
rapid/press-
release_SPEECH-
12-716_en.htm


Why is it a fundamental right?
Let’s get back 70 years ago…


The Netherlands during WWII…


Back to present
A variety of commissions are set to review
and it’s being fast tracked

EXPECTED APPROVAL
2013

The EU PDP rules are shaping Privacy policies
in other regions of the world as Asia

What´s going on with privacy?
Do we really need the new
regulation?
Why now?


Why and what? 1/2
A real single digital market based Reform eliminates unnecessary
on TRUST administrative burden & costs
EU international standard setter 1 rule for the 27 member states
for privacy and 500 million people
The former EU PDP rules date 1 single point of contact for PDP:
from 1995… The national data protection
agency (DPA)
Dangers: loss of control of one’s
personal data For SMEs (less than 250 people)
exemption of appointing a DPO
72% of EU citizens are concerned
(Data Protection Officer) + not
that personal data are misused:
obliged to do all paperwork
companies passing data over to
other companies without
permission
Businesses faced with
contradictory legislation and load
of notification requirements 
legal fragmentation is bad for
business, innovation and growth


Why and what? 2/2
Clear rules for international data Citizens know what happens
transfers inside multi-national to their data
companies (1 DPA OK)
Explicit consent
DPA 1 stop shop where the
Data portability: data belongs
company is based and where the
to them so they can move
citizen is based
providers (can be…)
Strong and independent DPAs
Notification of data breaches
(from politicians and companies)
(24hours)
New sanctions
Right to be forgotten (not
Personal data belongs to the always easy)
individual
Privacy policies must be clear and
understandably written in clear
language

KEY IDEA: individuals always own their personal
data; companies just manage them (trust)

Let’s have a closer look
at the notion of consent
PRIOR consent


Consent required anyway
(explicit consent)
Proposal for Data Protection Regulation requires (“consent should be given explicitly”)
BUT the European Parliament* included a line:
“the consent can be implicit only when the data subject acts in such a way that a
certain amount of personal data must necessarily be processed, for instance by asking
for particular goods or services, and in such a case the consent is referred only to the
minimum necessary”.

*Committee on the
Internal Market
and Consumer
Protection

@rdo

A basic rule to understand
how to manage consent
Let us imagine PERSONAL DATA as a LEGO brick

You can use it to build many different things!
The hand that handles that brick is the one deciding
how to use that brick
if (and only if)
The brick owners (individuals) agree with that specific use
SO
The hand (controller/company) will ask incremental
consent for each possible use


Asking for consent?


How to ask for consent!


How to ask for consent 


And what about Cookies?
I N F O R M A T I O N R E Q U I R E D U N D E R A L L C A S E S

CONSENT NOT REQUIRED CONSENT REQUIRED

1st party cookies 3rd party cookies

Merely tech cookies Tech cookies saving personal information
(passwords/log-in remembered)

Essential data to provide adequate service (no Others purposes not directly related to the
acceptance of collection = no service) service to be provided (*)


With the current Directive it depends


What we implemented in June


Current level of internet websites
Non compliant in Spain

Over 99%


The Right to be Forgotten
The Directive contains the Right to have personal data erased

 always? No, just in case this data is no longer necessary in relationship
with the purpose for which the data were collected

 exceptions? Data retention for allowed reasons (historical, statistics, and
scientific reasons or for reasons of public interest – law habilitation required)

The European Parliament (Committee on the Internal Market and
Consumer Protection) amended the article regarding the Right to
be Forgotten modifying “the right to be forgotten” into “the right
to have such personal data erased”

• It seems everything will remain as usual (erase right)


The Data Portability Right
Proposal for the Data Protection Regulation (Article 18)

2. Where the data subject has provided the personal data and the processing is
based on consent or on a contract, the data subject shall have the right to
transmit those personal data and any other information provided by the data
subject and retained by an automated processing system, into another one, in
an electronic format which is commonly used, without hindrance from the
controller from whom the personal data are withdrawn.

SOME QUESTIONS IN THE AIR:

How will formats be standardized?
Will the original controller lose data anyway? If so, will the
original controller get the right to received from the recipient
controller any compensation for administrative cost?
Its seems rather unreasonable… This Article will need some
legal development


Data Breaches notification
Proposal for Data Protection Regulation (Article 31) originally provides 24 hours
to notify data breaches but amendment by European Parliament (Committee on
the Internal Market and Consumer Protection) erased that limit:

In the case of a personal data breach, the controller shall without undue delay
and, where feasible, not later than 24 hours after having become aware of
it, notify the personal data breach to the supervisory authority. The notification
to the supervisory authority shall be accompanied by a reasoned justification in
cases where it is not made within 24 hours.

SOME QUESTIONS IN THE AIR:
As the text is not definitive: which option will prevail?
Some concerns exist due to no specific consequences
regarding applicable sanctions, or not


Blackmailing as the main risk


Non EU Company based?


EU RULES WILL APPLY TO COMPANIES NOT ESTABLISHED IN THE EU, IF THEY OFFER
GOODS OR SERVICES IN THE EU OR MONITOR THE ONLINE BEHAVIOR OF CITIZENS

UNDERSTANDING EUROPEAN SCHEMAS:
WHO IS WHO?

• Labour
consultants
• Analytics
services
• Logistics services
• Billing services


EU RULES WILL APPLY TO COMPANIES NOT ESTABLISHED IN THE EU, IF THEY OFFER
GOODS OR SERVICES IN THE EU OR MONITOR THE ONLINE BEHAVIOR OF CITIZENS

A new scope (Article 3.2):

This Regulation applies to the processing of personal data of data subjects residing in the Union by a
controller not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the Union; or
(b) the monitoring of their behavior.

And (Article 25): the controller shall designate a representative in the Union.

This obligation shall not apply to:

(a) a controller established in a third country where the Commission has decided that the third
country ensures an adequate level of protection in accordance with Article 41; or (b) an enterprise
employing fewer than 250 persons; or (c) a public authority or body; or (d) a controller offering
only occasionally goods or services to data subjects residing in the Union.

The representative shall be established in one of those Member States where the data subjects
whose personal data are processed in relation to the offering of goods or services to them, or
whose behavior is monitored, reside.

The designation of a representative by the controller shall be without prejudice to legal actions
which could be initiated against the controller itself.


And the fines…

1.000.000 € or 2% Global Turnover

With the current Spanish legislation (not yet the Directive):

In 2011 companies have paid 20.000.000 € in fines!


A new risk scenario…
Privacy standards expected by EU customers will increase so...

• not providing these privacy standards will
o impact on trust
o increase the risk of suffering penalties


…means a new opportunities scenario

Until regulation is enforced...

• Companies can optimize privacy by
design solutions while testing

• Users and consumers demanding
privacy appreciate organizations
pioneering privacy


Some examples
(real examples taken from the toughest legislation
in terms if enforcement and fines: SPAIN)


Carrefour Credit Card
50.000 €

Cortefiel video camera
2.000 € instead of 60.000 €


Vodafone
60.000 €

France Telecom
6.000 € instead of 40.000 €


A final (practical and not lawful) recap:

EU lawmakers are decided to improve data protection and privacy
level of Europeans (EU Regulation contains fines up to 1 000 000 EUR
or, in case of an enterprise up to 2 % of its annual worldwide turnover).

Online Marketing Industry is aware about privacy’s importance
while feel unprepared. Note that privacy discussions is much
older than new marketing strategies.

While consumers want to be in control of their personal data
none in marketing/advertisement industry (from my own
experience) seem to feel comfortable by asking clearly for
consent.


FOOD FOR THOUGH
Privacy is:

Increases trust
A brand value
& customer experience


Becoming compliant
It will take time as it encompasses Online and Offline

Online means: websites, mobile, applications,
cloud services/computing…

You don’t want to be in the newspapers because
you’ve done nothing about it!


René Dechamps Otamendi

Thank you for your attention

www.MindYourPrivacy.com

Get your free document:
rene@MindYourPrivacy.com


Privacy in Europe eMetrics Summit London2012

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (18)

Similar a Privacy in Europe eMetrics Summit London2012

Similar a Privacy in Europe eMetrics Summit London2012 (20)

Más de FLUZO

Más de FLUZO (15)

Privacy in Europe eMetrics Summit London2012