Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Interoperability in Digital will take a Global Village

819 views

Published on

It's a never ending game of whack-a-mole, where Peter Swire already talked about technological escalation wars back in 2012 when chairing the W3C DNT efforts.

It used to be "it's not PII hence privacy legislation doesn't apply". The scope of action with respect to data privacy legislation has broadened, on both sides of the Atlantic.

Yet similar dodging techniques are now also being applied to actual existing and enforced legislation. Under the CCPA, the California Consumer Privacy Act, it's about not going beyond 25 million $ a year in revenue, avoiding employee data and this US based legislation not being applicable to governmental institutions (hail to surveillance capitalism fed by public authorities!).

We've long talked about ePrivacy being unclear while the legislator does move towards applying the GDPR also to digital data.

Those are the legislative loopholes but then also come the technical techniques Simo is going to talk about as we both come to the same conclusion: players are influencing the data, possibly seeing a way to compete not on analytics but on privacy?

As companies, even US based ones such as Apple and Microsoft, recognise privacy to be a fundamental right, let's explore which risks companies are facing and what some of the emerging best practices could look like.

Published in: Data & Analytics
  • Be the first to comment

Interoperability in Digital will take a Global Village

  1. 1. It takes a global village Superweek January 29th 2020 Aurélie Pols – DPO CDP mParticle 1
  2. 2. @aureliepols Data Governance & Privacy Engineer Data is the New infrastructure – Privacy is the New Green – Trust is the New Currency Dutch nationality, French mother tongue, works in English, lives in Spain AURELIE POLS, DATA GOVERNANCE & PRIVACY ENGINEER • DPO for mParticle (Customer Data platform) – contractor (USA, New York) • Chief Visionary Officer – Competing on Privacy; Founder – Aurélie Pols and Associates • Professor of Ethics & Privacy in Big Data & Business Analytics Master – Instituto de Empresa (IE), Madrid (ES); visiting fellow DPO certification courses Maastricht University, faculty of law (NL) & Solvay Business School Brussels (B) • Board Member European Center On Privacy and Security, Maastricht University (NL) • Ethics Advisory Group (EAG) – European Data Protection Supervisor (EDPS) Towards a digital ethics • Former Vice-chair P7002 – Data Privacy Process – IEEE • Speaker/writer/consiglieri: Mobile World Congress, SWSX, Strata (+ Hadoop World), IAPP, Piwik, AT Internet, industry associations, AdTech & MarTech vendors, … 2003: OX2 Co-founder Webanalytics.be 2008: Sold to Digitas LBi (Publicis) 2
  3. 3. @aureliepols Let me start with some questions & data • How many of you play Xbox, PlayStation, …? Asking for my son • Talking of bringing your children as a working mother... An outlier looking for role models for the next generation Worried about data “leaching” since 2008 5 female speakers out of 36? • Nothing is perfect! 3
  4. 4. @aureliepols From log files to seamless data sharing My 1st (web) analytics experience? • webtrends log analyzer 6 landed on my desk • adservers • CMS: Spectra from Allaire Issues: • Flash! Remember? • Flash cookies, zombie cookies (Verizon) • No real time 4
  5. 5. @aureliepols My first privacy worries? • Cross-domain tracking (early 2000s) • cookies of NY times that could synch with people’s preferences around sports (that was the example at the time) • Legal: the biggest blunder in legal history in the US “cookies are not PII” • Acquisition of DoubleClick by Google (2007) • FTC dissenting opinion because of competition worries (ie marketshare) => asymmetric power relationships 5 Source: https://www.ftc.gov/public- statements/2007/12/dissenting-statement-commissioner- harbour-matter-googledoubleclick
  6. 6. @aureliepols Happy (belated) Data Protection/Privacy Day! 6 Margrethe Vestager: A Europe Fit for the Digital Age https://ec.europa.eu/commission/commissioners/2019-2024/vestager_en
  7. 7. @aureliepols Data leakage = data breach? 7 https://brave.com/RTB-updates/ https://www.slideshare.net/JohnnyRyan/presentation-at-cpdp
  8. 8. @aureliepols The other geeks in my world 8Source: https://twitter.com/johnnyryan/status/1220798819354533889
  9. 9. @aureliepols The 2 objectives of the GDPR From recital 6 & 1: 1. “Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations,…” 2. “The protection of natural persons in relation to the processing of personal data is a fundamental right.” 9 Sources: • GDPR https://eur-lex.europa.eu/eli/reg/2016/679/oj • Tim Cook, October 2018, Debating Ethics: Dignity and Respect in Data Driven Life
  10. 10. ePrivacy Where are we now? • No where? • Cf. Thierry Breton.. • Off the table or further amended? • Stuck in council • January 21 update from Croatia: on the roadmap https://iapp.org/news/a/croati an-presidency-tempers- expectations-on-eprivacy- progress/
  11. 11. @aureliepols Autonomy, beyond Dignity 11 Charter of Fundamental Rights of the European Union Article 1: “Human dignity is inviolable. It must be respected and protected”. Charter articles Charter text GDPR Art. 8: Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority. ePrivacy Art. 7: Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications.
  12. 12. @aureliepols So Johnny helped explain RTB Today DMPs – Data Management Platforms - want to become CDPs – Customer Data Platforms?
  13. 13. @aureliepols From DMP to CDP: from acronyms to subtle legal differences!
  14. 14. Interlocking liabilities & obligations People Company (Telco, Bank, Insurance..) Company (Agency, consultancy, vendor, ...) Cloud provider• Aligning contract obligations • (+ enforcement?) • Providing • Security • Privacy features • Privacy engineering B2C B2B B2B Privacy policies Consent MSA SOW T&C 14
  15. 15. Preparing for the future: Role Playing under the GDPR (and now CCPA) 15
  16. 16. Source: https://noyb.eu/three-gdpr-complaints-filed-against-grindr-twitter-and-the-adtech-companies-smaato-openx-adcolony-and-atts-appnexus/ 16
  17. 17. @aureliepols 17
  18. 18. @aureliepols Data Subject Data Controller (first / initial) Data Processor Data Controller (receiving) Consent? Purpose? The challenge is interoperability! Notice obligations for (behind the scenes) service provider(s) 18 How to provide notice?
  19. 19. @aureliepols Call to Google: Customer Match legal notice pretty please? 19 • https://support.google.com/google- ads/answer/7361372?hl=en&ref_topic=6296507
  20. 20. @aureliepols 20
  21. 21. @aureliepols
  22. 22. @aureliepols Step 1 Consumer mindset 22 How do we aim to improve the consumer experience, from awareness and consideration to initial product trial and repeat purchase? What data do we have or need to collect to improve the consumer experience at each of these steps? In what situations (e.g., for what types of data or what types of analyses) should we seek consumer consent or allow them to opt-in, as opposed to defaulting to collecting/using their data? How do we avoid collecting or storing “excess” consumer data that we do not use or do not need? If we have excess data that could be harmful to consumers if breached, what do we do about it? Which of our attempts to improve the consumer experience could be viewed as “creepy” or intrusive instead of helpful? How transparent, timely, coordinated, and comprehensive are we if or when there is a breach? Source: Deloitte, Building Consumer Trust
  23. 23. @aureliepols Step 2 Develop privacy policies as if they were a marketing tool rather than only a legal disclosure. 23 What personal data does the company collect? How does the company use the data? How does the company protect the data? How do consumers opt in and opt out of the collection or use of their data? How do consumers benefit from the collection and analysis of their data?
  24. 24. @aureliepols Steps 3 to 5 24 Expand Expand risk management around data privacy and security to guard against not just external malicious breaches, but also inadvertent internal breaches and thirdparty partner breaches. •Pre-ventive risk management for certain clients such as dating apps Deploy Deploy supporting processes and systems consistently across the enterprise to reduce exposure and mitigate threats •Sensitive vs. special categories of data explicit training at mParticle (Cambridge Analytica) Elevate Elevate the seniority of the executive with ultimate responsibility for data privacy and security •At mParticle, DPO reports to the COO who is also the Chief Privacy Officer
  25. 25. @aureliepols About step IV: Mind the Pond gap (US vs. EEA) 25 What is our legal strategy going to be? And how will this affect your data operations? Source: Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies, W. Gregory Voss and Kimberly A. Houser
  26. 26. @aureliepols Privacy laws strategies 1. Avoidance Eg. Newspapers “no access” policy under the GDPR 2. Compliance “strategic opportunities do not exist unless executives make a deliberate decision to engage in noncompliance activities after taking into account the consequences and costs of doing so. Indeed, some managers might appreciate the legal duties imposed on their business but choose noncompliance after a careful cost-benefit analysis.” 3. Prevention DPIAs, balancing tests, audit logs, … 4. Advantage No data forking: one baseline law? Convention 108+ 5. Transformation New business strategy? * COPRA = Consumer Online Privacy Rights Act; CDPA = Consumer Data Privacy Act Source: https://iapp.org/media/pdf/resource_center/COPRA_CDPA_Comparison_WP.pdf * 26
  27. 27. Data Subject Request (DSRs) flows/ data subject angle Data Subject Entity (company or public service) Data Subject Request Answer 1 month? Answer acceptable?Supervisory authority NO YES NO YES Back to entity? Templates Some form of structure & workflow for reception and communication. Actors exist in the market STOP NO YES Time management? Reminders + communication received by entity 27
  28. 28. Ideal Data Subject Request flows: OpenDSR Data subject Data controller Data processor Data processor or sub-processor Request Request Request Reception confirmation Data trail Reception confirmation Data trail Reception confirmation Data trail mParticle OpenDSRfor CDPs OpenDSR.org 28 Call for interoperability and standards!!! See https://github.com/opengdpr/OpenDSR
  29. 29. Use the power of Big Data to support DPOs? It’s there, it’s just about surfacing to support accountability! 29
  30. 30. Templates to empower data subjects? Source: https://www.aepd.es/reglamento/derechos/index.html#section1 30
  31. 31. Or the tribe? To regain balance 31 #superweektribe
  32. 32. Data is the new infrastructure Privacy is the new green Trust is the new currency Welcoming pull requests on https://github.com/opengdpr/OpenDSR

×