Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Jul 12, 2015

Aurelie Pols
Transcript
Page 1: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

November 25th 2014, Eye4Travel Amsterdam

Aurélie Pols, @aureliepols

Data is the New Oil, Privacy is the new Green

Page 2: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Presented by: Aurélie Pols

@AureliePols

The SUN went down on Privacy

“You have zero privacy anyway, get over it”, Scott McNealy, CEO of Sun Microsystems, January 1999

At eMetrics in Boston in 2006, this turned into

“Privacy is Dead Aurélie, get over it!”

Page 3: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Call me a bore, I’ve been listening to the helicopters coming, while humming Wagner’s Ride of the Valkyries

Page 4: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

From the rooftops of Amsterdam

Source: http://www.tripadvisor.nl/LocationPhotoDirectLink-g188590-d1740219-i104248061-Wyndham_Apollo-Amsterdam_North_Holland_Province.html

Page 5: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

This is one I do not trust (my data with)

Source: http://www.cnet.com/news/ftc-sues-wyndham-hotels-over-data-breaches/

Page 6: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

The story?

Source: http://www.ftc.gov/enforcement/cases-proceedings/1023142/wyndham-worldwide-corporation

Reasonably protect the security of consumers’ personal data

Page 7: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Outcome?

Source: http://www.phiprivacy.net/digging-in-their-heels-wyndham-and-labmd-challenge-ftcs-authority-in-data-security-cases/

Source: http://www.adweek.com/news/technology/ftcs-data-security-case-against-wyndham-worldwide-moves-forward-156847

Page 8: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Courts writing Privacy history?

Source: http://www.economist.com/news/leaders/21602219-right-be-forgotten-sounds-attractive-it-creates-more-problems-it-solves-being

The Right to be Forgotten (RTBF)

ECJ

Page 9: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

A Global Privacy Perspective

US & UK | EU | ASIA
Common Law | Continental Law | Partially continental law influenced
Class actions | Fines (by DPAs: Data Protection Agencies) | Amended / New
Privacy | Personal Data Protection (PDP) |
Business focused | Citizen focused: data belongs to the visitor/prospect/consumer/citizen |
Patchwork of sector-based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations |
PII: varies per US state | “Personal Data” => Risk levels: low, medium, high, extremely high |

Page 10: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

WYNDHAM LOST MY TRUST

For now, 0 €, no business

Page 11: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

I care about my data

Source: https://twitter.com/JavZamora/status/479233003710083072/photo/1

Page 12: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

About my online anonymity

Recent Pew Research: US citizens care about Privacy

Source: http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/

Page 13: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Defining Privacy: do you need to?

Privacy & Business Ethics

vs

Data Protection & Responsible Uses of Data

Data

Legal Compliance / Customer Trust

Balancing act =

Risk Management Exercise

Page 14: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

BUT WHO IS RESPONSIBLE?

Privacy is Important

Page 15: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Data lifecycles

Analytics => Follow the Money

Privacy => Follow the Data

Legal: Procedures/Processes, Compliance & Risks Assessments

Page 16: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Purpose, Consent & Data Uses

From: Purpose => Consent => FIPPs => Data for approved use

To: Purpose => Consent => FIPPs => Data analysis or merging => New business opportunity

Big Data is Killing the Privacy Framework

Page 17: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Why is this bubbling up now?

D-I-G-I-T-A-L makes Data Global, replicable, …

The World Economic Forum – Personal Data: The Emergence of a New Asset Class (2011)

The EU GDPR – General Data Protection Regulation (2012-2015?)

The OECD – Guidelines on the Protection of Privacy & Transborder Flows of Personal Data (1980, reviewed in 2013)

The UN – The Right to Privacy in the Digital Age (2014)

Page 18: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Total Privacy fines worldwide

6 weeks into 2014, the world total in Privacy damages had reached 50% of last year’s record: $74 million

Source: http://www.computerworld.com/s/article/9246393/Jay_Cline_U.S._takes_the_gold_in_doling_out_privacy_fines?taxonomyId=84&pageNumber=3

Page 19: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

And of course data breaches

Target, JPMorgan, Home Depot, … But what happens after the breach?

Page 20: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

How many lawsuits is Target facing?

140, totaling over $750 million

Page 21: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

THE QUESTION IS NOT IF, IT’S WHEN

Page 22: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Privacy ABC

Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg

FIPPs: Fair Information Privacy Practices

Page 23: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

If you collect PII… then

US & UK | EU
Common Law | Continental Law
Class actions | Fines (by DPAs: Data Protection Agencies)
Privacy | Personal Data Protection (PDP)
Business focused | Citizen focused
Patchwork of sector-based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations
PII: varies per state | Risk levels: low, medium, high, extremely high

Page 24: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

So what is considered PII?

Personal Information (based on the definition commonly used by most US states)

i. Name, such as full name, maiden name, mother’s maiden name, or alias

ii. Personal identification number, such as social security number (SSN), passport number, driver’s license number, account and credit card number

iii. Address information, such as street address or email address

iv. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address

v. Telephone numbers, including mobile, business, and personal numbers

vi. Information identifying personally owned property, such as vehicle registration number or title number and related information

Source: information based on current ongoing analysis (partial results)

Page 25: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

PII vs. Risk levels: US vs. EU

Risk level | Data type & Information Security Measures
Low | Low risk data type (clickstream data)
Medium | Profiling: typically retargeting through cookies
High | Sensitive data: health, financial, political views, sexual orientation, …
Extremely high | Profiling of sensitive data: probability of being pregnant => Target?

PII

Page 26: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

PERSONAL DATA

EU Directive 95/46/EC, Article 2(a).

Shall mean any information relating to an identified or identifiable natural person ('data subject');

an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Page 27: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

EVERY TIME YOU USE THE ACRONYM PII

A cat dies!

Page 28: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Privacy Role Playing in the EU

Page 29: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Controller vs. Processor

Web property: Big corporation, SME

Customer: visitor, voter, citizen, …

Intermediaries: tools, agencies, consultancies, …

Data Flow

Responsibility

Privacy Rights

Page 30: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

12 Responsibilities of a Data Controller

1. Inform participants

2. Obtain informed consent

3. Ensure the data held is accurate

4. Delete personal data when it is no longer needed => delete or anonymize

5. Protect against unauthorized destruction, loss, alteration and disclosure => security

6. Contract with Data Processors responsibly

7. Take care transferring data out of Europe

8. If you collect “special” categories of data, get specialist advice

9. Deal with any data subject access requests

10. If the assessment is high stakes, ensure there is review of any automated decision making

11. Appoint a Data Protection Officer (DPO) and train staff

12. Work with supervisory authorities and respond to complaints

Source: http://blog.questionmark.com/responsibilities-of-a-data-controller-when-assessing-knowledge-skills-and-abilities

Page 31: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Role playing example

Surveymonkey: https://www.surveymonkey.com/mp/policy/privacy-policy

Page 32: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

What about security?

Data Collection

Processes

Resources

DPO

Page 33: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Implement Information Security Measures

Source: http://www.softbank.jp/en/corp/csr/management/info_security/efforts/

Page 34: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Enterprise goals / User goals

Privacy Policy

Requirements

Privacy Mechanisms

Procedures & Processes

Privacy Awareness Training

Quality Assurance

Feedback

Page 35: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Yelp said that only about 0.02 percent of users who actually completed the registration process during the time period provided an underage birth date, “and we have good reason to believe that many of them were actually adults.”

The company had an average of about 138 million unique visitors in Q2 of 2014.

Cost? Above $16 per monthly unique …

Source: http://www.pcworld.com/article/2684752/yelp-settles-us-ftc-charges-of-violating-child-privacy.html

Page 36: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

DATA IS A RISK BECAUSE IT EXISTS

Data has become a valuable asset

Page 37: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

CUSTOMER ON THE MOVE & AT REST IS NOT EQUAL

What about travel?

Page 38: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

National Security vs. Privacy

Data Retention vs. Data Protection

Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg

E.g. DRIP (UK, passed), SOPA (US: Stop Online Piracy Act, similar to French HADOPI) & PIPA (US: Protect IP Act)

Page 39: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Data Quality: if this is not me?

Page 40: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

If this was not me, what to do?

Page 41: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Legislation & risk: win-win?

New headache: COPPA, ISO 14443

Page 42: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Personalised pricing?

Don’t personalize on sensitive data

Source: http://privacytools.seas.harvard.edu/files/privacytools/files/p44-sweeney.pdf

Page 43: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Who owns the customer?

• Who owns the data?

– Privacy policies

– Data sharing principles (& options => choice)

• Who is responsible for the relationship?

– Who gets the money?

– How does the customer know who to contact?

• Transparency & communication

• Core business & collaborative procedures with partners

Page 44: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Where to start?

Compliance?

Privacy?

Security?

Moving targets

Page 45: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

The “Magnum” Plan

• Document your data set-up

• Set-up a compliance check-list:

– Applicable legislations to your sector

– Territorial scope

• Evaluate your risk

• Follow-up with information security measures (data protection)

• Adopt global & sustainable Privacy best practices

Page 46: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

HQ => LOCAL SUBSIDIARY 1, LOCAL SUBSIDIARY 2, LOCAL SUBSIDIARY 3, LOCAL SUBSIDIARY 4

Customer Terms & Conditions

Applicable Security Measures???

Where does it sit? Cloud/SaaS

Page 47: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Example of data flow issues

Quantified self movement

Personal “health” data

Direction of flow is essential

Consequences on Privacy Policy

Page 48: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

5 ONLINE MARKETING RULES TO RESPECT CONSUMER’S PRIVACY

Page 49: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

5 Online Marketing rules to respect consumer's privacy

1. Say what you do and do what you say

2. Harness your data liability

3. Foster data frugality & documentation

Agile is the ‘mot du jour’

4. Cherish the human aspect of data protection

5. Dialogue and find common ground

Page 50: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Data lifecycles

Analytics => Follow the Money

Privacy => Follow the Data

Legal: Procedures/Processes, Compliance & Risks Assessments

Page 51: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Limiting Risk of holding data

Data Minimization Principle: Limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose

Data Retention Policies: Set of guidelines that describes which data will be archived and how long it will be kept. Permanent deletion of the retained data is part of any effective data retention policy.

Page 52: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Data Retention Policies

• Delete the data, everywhere!

• Anonymize or De-identify the data

By Ann Cavoukian and Khaled El Emam, June 2011, http://www.ipc.on.ca/images/Resources/anonymization.pdf
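The two bullets above (delete the data everywhere, or anonymize/de-identify it) only limit risk once something actually enforces them on a schedule. The following is an added example of such a retention job; it is not code from the talk or from the Cavoukian/El Emam paper. The retention schedule (`RULES`), the record layout, the sample rows and the pseudonymisation key are all constructed for illustration: each purpose gets a window during which direct identifiers may be kept, a longer window during which a de-identified copy may be kept for aggregate analytics, and a hard deletion point after that.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    """One line of a hypothetical retention schedule (values are assumptions):
    a record may carry direct identifiers for `days_identified` days, is kept
    in de-identified form until `days_total`, and is deleted after that."""
    purpose: str
    days_identified: int
    days_total: int


# Assumed retention schedule, keyed by the purpose the data was collected for.
RULES = {
    "booking": RetentionRule("booking", days_identified=30, days_total=365),
    "clickstream": RetentionRule("clickstream", days_identified=0, days_total=90),
}

# Assumption: a secret kept outside the data store and rotated on a schedule.
# A keyed HMAC rather than a bare hash, because an unkeyed hash of an email
# address can be reversed by hashing a list of candidate addresses.
PSEUDONYM_KEY = b"example-secret-not-for-production"

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(value: str) -> str:
    """Keyed, one-way token: rows for the same person still link together."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def coarsen_ip(ip: str) -> str:
    """Zero the last IPv4 octet so the value names a network, not a device."""
    parts = ip.split(".")
    if len(parts) != 4:
        return "0.0.0.0"  # not IPv4 (or malformed): keep nothing
    return ".".join(parts[:3] + ["0"])


def coarsen_birthdate(iso_date: str) -> str:
    """Keep the year only; enough for age-band reporting."""
    return iso_date[:4]


def de_identify(record: dict) -> dict:
    """Strip direct identifiers, coarsen quasi-identifiers, keep the rest."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "email" in record:
        out["subject_token"] = pseudonymise(record["email"].strip().lower())
    if "ip" in out:
        out["ip"] = coarsen_ip(out["ip"])
    if "birthdate" in out:
        out["birthdate"] = coarsen_birthdate(out["birthdate"])
    out["de_identified"] = True
    return out


def apply_retention(records: list[dict], today: date) -> tuple[list[dict], list[int]]:
    """Return (records to keep, ids to delete everywhere).

    Design choice: a record whose purpose has no rule is deleted, because
    data with no documented purpose has no basis for being retained.
    """
    keep, delete = [], []
    for rec in records:
        rule = RULES.get(rec["purpose"])
        age_days = (today - date.fromisoformat(rec["collected"])).days
        if rule is None or age_days >= rule.days_total:
            delete.append(rec["id"])
        elif age_days >= rule.days_identified and not rec.get("de_identified"):
            keep.append(de_identify(rec))
        else:
            keep.append(dict(rec))
    return keep, delete


# Constructed sample rows (fictional people, documentation IP ranges).
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "booking", "collected": "2014-11-20", "name": "A. Example",
     "email": "a@example.com", "ip": "203.0.113.7", "birthdate": "1980-05-02", "spend_eur": 420},
    {"id": 2, "purpose": "booking", "collected": "2014-09-01", "name": "B. Example",
     "email": "B@Example.com", "ip": "198.51.100.23", "birthdate": "1975-12-30", "spend_eur": 95},
    {"id": 3, "purpose": "booking", "collected": "2013-10-01", "name": "C. Example",
     "email": "c@example.com", "ip": "192.0.2.250", "birthdate": "1990-01-15", "spend_eur": 1200},
    {"id": 4, "purpose": "clickstream", "collected": "2014-11-24", "ip": "192.0.2.9", "page": "/rooms"},
    {"id": 5, "purpose": "marketing-test", "collected": "2014-11-24", "email": "d@example.com"},
]


def run_example(today: date = date(2014, 11, 25)) -> tuple[list[dict], list[int]]:
    """Apply the schedule to the sample rows as of the talk's date."""
    return apply_retention(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    kept, deleted = run_example()
    print("delete everywhere:", deleted)
    for row in kept:
        print(row)
```

Running this as of 25 November 2014 keeps the five-day-old booking intact, de-identifies the 85-day-old booking (name dropped, email replaced by a keyed token, IP and birth date coarsened, spend kept), de-identifies the clickstream row immediately because its identified window is zero, and marks the year-old booking and the row with an undocumented purpose for deletion. Two caveats a practitioner would want: the job is idempotent (a second run over the kept rows changes nothing), and a keyed token that still links rows of the same person is pseudonymous rather than anonymous, so the key is as sensitive as the identifiers it replaces and the de-identified set remains personal data in the sense of the Directive 95/46/EC definition quoted earlier until the hard deletion point.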

Page 53: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

Privacy by Design (PbD) 7 Fundamental Principles

Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada

1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive events before they happen

2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by ensuring that personal data are automatically protected in any given IT system or business practice

3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an essential component of the core functionality being delivered

4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies

5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of information, end-to-end

6. Visibility and Transparency – Keep it Open: operating according to the stated promises and objectives, subject to independent verification

7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice, and empowering user-friendly options

Page 54: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam
Page 55: Data is the new oil, privacy is the new green - Eye4Travel Amsterdam

THANKS for coming