Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Privacy in Europe eMetrics Summit London2012


Published on

  • Be the first to comment

Privacy in Europe eMetrics Summit London2012

  1. 1. Data Collection & Privacy:Are you ready to avoid fines and build customer trust? René Dechamps Otamendi – eMetrics Summit London - 2012
  2. 2. About me Entrepreneur Analytics Pioneer in Europe (Formerly OX2 in Belgium) CEO of Mind Your Group (Spain) Cofounded with Aurélie Pols MYG Shareholders & Advisors: Avinash Kaushik Bryan Eisenberg Jeffrey Eisenberg Jim Sterne More: Visit my LinkedIn Profile | Follow me: @rdo©Mind Your Privacy, S.L. @rdo
  3. 3. What Mind Your Privacy does EU PRIVACY AUDIT EU PRIVACY FINE MAINTENANCE EU COOKIES TUNING / PRIVACY BY DESIGN SPECIAL Compliance level EU legislation Privacy by Design internal For any Company active assessment compliance (Directive procedures & Privacy in Europe using cookies and Regulation) support (mainly CMO) Helping companies to comply with EU Privacy legislations©Mind Your Privacy, S.L. @rdo
  4. 4. The idea? 2007 @AureliePols The West Wing©Mind Your Privacy, S.L. @rdo
  5. 5.©Mind Your Privacy, S.L. @rdo
  6. 6. Let’s talk about Privacy©Mind Your Privacy, S.L. @rdo
  7. 7. Let’s do some history©Mind Your Privacy, S.L. @rdo
  8. 8. 2006-2008 Privacy is dead, get over it? vs. “Data Chernobyl”©Mind Your Privacy, S.L. @rdo
  9. 9. 2009: “EU Cookie law” (Directive) passes 0091117195452/http://aurelie 2009/11/10/eu-cookie-law- interpretation-is- breathtakingly-stupid/©Mind Your Privacy, S.L. @rdo
  10. 10. 2009-2012 Countries implement the Directive into their national legislations Resulting ‘potentially’ in… 27 interpretations! A mess!!!©Mind Your Privacy, S.L. @rdo
  11. 11. 2004 - 2009 Viviane Reding EU Commissioner for Information Society©Mind Your Privacy, S.L. @rdo
  12. 12. 2009 - Viviane Reding EU Commissioner for Justice, Fundamental Rights and Citizenship©Mind Your Privacy, S.L. @rdo
  13. 13. 2009 - Neelie Kroes - EU Commissioner for Digital Agenda©Mind Your Privacy, S.L. @rdo
  14. 14. Media is starting to talk…©Mind Your Privacy, S.L. @rdo
  15. 15. Media is starting to talk…©Mind Your Privacy, S.L. @rdo
  16. 16. 25 th January 2012 New EU Personal Data Protection Regulation announced by…©Mind Your Privacy, S.L. @rdo
  17. 17. How the EU explains the need of the new rules©Mind Your Privacy, S.L. @rdo
  18. 18. 11th October 2012 Viviane Reding reminds everyone That Privacy is a EU fundamental right rapid/press- release_SPEECH- 12-716_en.htm©Mind Your Privacy, S.L. @rdo
  19. 19. Why is it a fundamental right? Let’s get back 70 years ago…©Mind Your Privacy, S.L. @rdo
  20. 20. The Netherlands during WWII…©Mind Your Privacy, S.L. @rdo
  21. 21. Back to present A variety of commissions are set to review and it’s being fast tracked EXPECTED APPROVAL 2013 The EU PDP rules are shaping Privacy policies in other regions of the world as Asia©Mind Your Privacy, S.L. @rdo
  22. 22. What´s going on with privacy? Do we really need the new regulation? Why now?©Mind Your Privacy, S.L. @rdo
  23. 23. Why and what? 1/2 A real single digital market based Reform eliminates unnecessary on TRUST administrative burden & costs EU international standard setter 1 rule for the 27 member states for privacy and 500 million people The former EU PDP rules date 1 single point of contact for PDP: from 1995… The national data protection agency (DPA) Dangers: loss of control of one’s personal data For SMEs (less than 250 people) exemption of appointing a DPO 72% of EU citizens are concerned (Data Protection Officer) + not that personal data are misused: obliged to do all paperwork companies passing data over to other companies without permission Businesses faced with contradictory legislation and load of notification requirements  legal fragmentation is bad for business, innovation and growth©Mind Your Privacy, S.L. @rdo
  24. 24. Why and what? 2/2 Clear rules for international data Citizens know what happens transfers inside multi-national to their data companies (1 DPA OK) Explicit consent DPA 1 stop shop where the Data portability: data belongs company is based and where the to them so they can move citizen is based providers (can be…) Strong and independent DPAs Notification of data breaches (from politicians and companies) (24hours) New sanctions Right to be forgotten (not Personal data belongs to the always easy) individual Privacy policies must be clear and understandably written in clear language KEY IDEA: individuals always own their personal data; companies just manage them (trust)©Mind Your Privacy, S.L. @rdo
  25. 25. Let’s have a closer look at the notion of consent PRIOR consent©Mind Your Privacy, S.L. @rdo
  26. 26. Consent required anyway (explicit consent)Proposal for Data Protection Regulation requires (“consent should be given explicitly”)BUT the European Parliament* included a line:“the consent can be implicit only when the data subject acts in such a way that acertain amount of personal data must necessarily be processed, for instance by askingfor particular goods or services, and in such a case the consent is referred only to theminimum necessary”. *Committee on the Internal Market and Consumer Protection @rdo
  27. 27. A basic rule to understand how to manage consent Let us imagine PERSONAL DATA as a LEGO brick You can use it to build many different things! The hand that handles that brick is the one deciding how to use that brick if (and only if) The brick owners (individuals) agree with that specific use SO The hand (controller/company) will ask incremental consent for each possible use©Mind Your Privacy, S.L. @rdo
  28. 28. Asking for consent?©Mind Your Privacy, S.L. @rdo
  29. 29. How to ask for consent!©Mind Your Privacy, S.L. @rdo
  30. 30. How to ask for consent ©Mind Your Privacy, S.L. @rdo
  31. 31. And what about Cookies? I N F O R M A T I O N R E Q U I R E D U N D E R A L L C A S E S CONSENT NOT REQUIRED CONSENT REQUIRED 1st party cookies 3rd party cookies Merely tech cookies Tech cookies saving personal information (passwords/log-in remembered) Essential data to provide adequate service (no Others purposes not directly related to the acceptance of collection = no service) service to be provided (*)©Mind Your Privacy, S.L. @rdo
  32. 32. With the current Directive it depends©Mind Your Privacy, S.L. @rdo
  33. 33. With the current Directive it depends©Mind Your Privacy, S.L. @rdo
  34. 34. With the current Directive it depends©Mind Your Privacy, S.L. @rdo
  35. 35. What we implemented in June©Mind Your Privacy, S.L. @rdo
  36. 36. Current level of internet websites Non compliant in Spain Over 99%©Mind Your Privacy, S.L. @rdo
  37. 37. The Right to be Forgotten The Directive contains the Right to have personal data erased  always? No, just in case this data is no longer necessary in relationship with the purpose for which the data were collected  exceptions? Data retention for allowed reasons (historical, statistics, and scientific reasons or for reasons of public interest – law habilitation required) The European Parliament (Committee on the Internal Market and Consumer Protection) amended the article regarding the Right to be Forgotten modifying “the right to be forgotten” into “the right to have such personal data erased” • It seems everything will remain as usual (erase right)©Mind Your Privacy, S.L. @rdo
  38. 38. The Data Portability Right Proposal for the Data Protection Regulation (Article 18) 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn. SOME QUESTIONS IN THE AIR: How will formats be standardized? Will the original controller lose data anyway? If so, will the original controller get the right to received from the recipient controller any compensation for administrative cost? Its seems rather unreasonable… This Article will need some legal development©Mind Your Privacy, S.L. @rdo
  39. 39. Data Breaches notification Proposal for Data Protection Regulation (Article 31) originally provides 24 hours to notify data breaches but amendment by European Parliament (Committee on the Internal Market and Consumer Protection) erased that limit: In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours. SOME QUESTIONS IN THE AIR: As the text is not definitive: which option will prevail? Some concerns exist due to no specific consequences regarding applicable sanctions, or not©Mind Your Privacy, S.L. @rdo
  40. 40. Blackmailing as the main risk©Mind Your Privacy, S.L. @rdo
  41. 41. Blackmailing as the main risk©Mind Your Privacy, S.L. @rdo
  42. 42. Non EU Company based?©Mind Your Privacy, S.L. @rdo
  44. 44. EU RULES WILL APPLY TO COMPANIES NOT ESTABLISHED IN THE EU, IF THEY OFFER GOODS OR SERVICES IN THE EU OR MONITOR THE ONLINE BEHAVIOR OF CITIZENS A new scope (Article 3.2): This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behavior. And (Article 25): the controller shall designate a representative in the Union. This obligation shall not apply to: (a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or (b) an enterprise employing fewer than 250 persons; or (c) a public authority or body; or (d) a controller offering only occasionally goods or services to data subjects residing in the Union. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, reside. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.©Mind Your Privacy, S.L. @rdo
  45. 45. And the fines… 1.000.000 € or 2% Global Turnover With the current Spanish legislation (not yet the Directive): In 2011 companies have paid 20.000.000 € in fines!©Mind Your Privacy, S.L. @rdo
  46. 46. A new risk scenario… Privacy standards expected by EU customers will increase so... • not providing these privacy standards will o impact on trust o increase the risk of suffering penalties©Mind Your Privacy, S.L. @rdo
  47. 47. …means a new opportunities scenario Until regulation is enforced... • Companies can optimize privacy by design solutions while testing • Users and consumers demanding privacy appreciate organizations pioneering privacy©Mind Your Privacy, S.L. @rdo
  48. 48. Some examples (real examples taken from the toughest legislation in terms if enforcement and fines: SPAIN)©Mind Your Privacy, S.L. @rdo
  49. 49. Carrefour Credit Card 50.000 € Cortefiel video camera 2.000 € instead of 60.000 €©Mind Your Privacy, S.L. @rdo
  50. 50. Vodafone 60.000 € France Telecom 6.000 € instead of 40.000 €©Mind Your Privacy, S.L. @rdo
  51. 51. A final (practical and not lawful) recap: EU lawmakers are decided to improve data protection and privacy level of Europeans (EU Regulation contains fines up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover). Online Marketing Industry is aware about privacy’s importance while feel unprepared. Note that privacy discussions is much older than new marketing strategies. While consumers want to be in control of their personal data none in marketing/advertisement industry (from my own experience) seem to feel comfortable by asking clearly for consent.©Mind Your Privacy, S.L. @rdo
  52. 52. FOOD FOR THOUGH Privacy is: Increases trust A brand value & customer experience©Mind Your Privacy, S.L. @rdo
  53. 53. Becoming compliant It will take time as it encompasses Online and Offline Online means: websites, mobile, applications, cloud services/computing… You don’t want to be in the newspapers because you’ve done nothing about it!©Mind Your Privacy, S.L. @rdo
  54. 54. René Dechamps Otamendi Thank you for your attention Get your free document:©Mind Your Privacy, S.L. @rdo