Protection of personal data in a business context

1,858 views

Published on

Slides of the course on big data by Clement Levallois from EMLYON Business School.
For business students. Check the online video connected with these slides.
-> Basic concepts relating to the protection of personal data in the EU and in China, USA, India and Russia: what are the legal frameworks and what is expected from businesses.

Published in: Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,858
On SlideShare
0
From Embeds
0
Number of Embeds
304
Actions
Shares
0
Downloads
122
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Protection of personal data in a business context

  1. 1. MK99 – Big Data 1 Big data & cross-platform analytics MOOC lectures Pr. Clement Levallois
  2. 2. MK99 – Big Data 2 Protection of Personal Data in a Business Context
  3. 3. MK99 – Big Data 3 Preliminary distinctions to be made (1) Recognized as a creation of the mind? This piece of data in my organization (2) Recognized as personal data Neither (1) nor (2) Intellectual property rights apply Personal data protection applies Open data is possible TOPIC FOR TODAY (3) In all cases: concern for cyber security applies
  4. 4. MK99 – Big Data 4 What is “the data” we talk about? •Information to be processed automatically –Hint: data on computers, not unstructured written notes •Or intended to be processed automatically –Hint: paper records to be fed in a computer, not any pile of paper •Or structured information that can be used to facilitate the retrieval of specific information on specific individuals –Hint: paper records, filing systems
  5. 5. MK99 – Big Data 5 What can go wrong? •Users can be stripped of their right to privacy •Companies big and small can be prosecuted –February 2014: Google condemned to 150,000 euros fine by CNIL and to 900,000 euros fine by the Spanish Data Protection Authority –https://gigaom.com/2014/02/07/google-must-post-news-of-privacy-fine-after-french-court-refuses-to- suspend-order/ –15 July 2014: The owner of a marketing company trading as Vintels has been prosecuted for failing to notify the ICO of changes to his notification at Willesden Magistrates Court today. Jayesh Shah was fined £4000, ordered to pay costs of £2703 and a £400 victim surcharge. –http://ico.org.uk/enforcement/prosecutions (but the amounts are not powerful deterrents?)
  6. 6. MK99 – Big Data 6 EU: the most restrictive legal framework •Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data •To guarantee and facilitate the free movement of personal data across EU States. •No right to export personal to a non EU-country with a lower level of personal data protection.
  7. 7. MK99 – Big Data 7 Who is in charge of data protection? •EU Directive of 1995 distinguishes between –Data controller •The one in charge of setting up the data protection policy. •Ex: in the UK, the DC is in charge of declaring the personal data being processed to the ICO register. •See for instance: http://ico.org.uk/ESDWebPages/DoSearch?reg=498470 –Data processor •The one in charge of implementing the policy
  8. 8. MK99 – Big Data 8 What is personal data •Personal data relates to a living individual who can be identified: •(a) from those data, or •(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, •and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
  9. 9. MK99 – Big Data 9 What is personal data •France – National Commission on Informatics and Liberties (CNIL) –Data which relates directly or indirectly to an individual who is or can be identified from this data –To know if a person can be identified from the data, one should consider all means available to the agents holding the data, or to anyone else. –Datasets must be declared to the CNIL, by law.
  10. 10. MK99 – Big Data 10 U.S.A. •Framework on data protection for data collected / held by the Federal government •But no general framework on data protection outside the Fed. gov •Safe Harbor Act –Managed by the Federal Trade Commission –Reason: EU orgs can’t transfer EU data to the US because US is less protective than the EU –US companies joining the SH Act voluntarily comply to the spirit of the EU directive
  11. 11. MK99 – Big Data 11 India •IT Act of 2000 + IT Rules 2011 •Focus on sensitive personal information –Passwords –Financial information –Health condition –Sexual orientation –Biometric information •No need to declare data processing activities to an authority
  12. 12. MK99 – Big Data 12 China •Not enacted a single piece of legislation for the protection of data –Except for general laws: National People’s Congress Standing Committee Decision concerning Strengthening Network Information Protection (http://tinyurl.com/npcdecision) •Rather, sector based pieces of legislation –Such as: Regulation on Personal Information Protection of Telecom and Internet Users (MIIT Regulation) (http://tinyurl.com/miitdecision)
  13. 13. MK99 – Big Data 13 Brazil •Data privacy regulations –Made of the Brazilian constitution, the civil code, the Brazilian consumer protection and defense code •Notion of “Habeas data”, in reference to the Habeas Corpus. –The right for individual to access and edit their personal information in public and consumer databases, even after their consent has been granted •No privacy regulation authority
  14. 14. MK99 – Big Data 14 Russia •Sensitive data (relating to race, politics, etc.) requires consent in written form before processing •A processor of personal data must notify the Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor) before it begins to process personal data •No specific regulations on cookies
  15. 15. MK99 – Big Data 15 Basic principles 1.Consent: users must give their approval on sharing their data 2.Adequacy: data is collected for the purposes stated, not more, not for a longer duration 3.Transparency: under the control of the user (view / edit / delete) 4.Safety: reasonable procedures should be in place to insure points 1 to 3 are applied, and to make sure the data is secure.
  16. 16. MK99 – Big Data 16 Consent •Prior consent is required before collecting personal data in view of processing it –Data collection policy should be made clearly available to users –Opt out should be possible –Consent should be presented clearly (as in the new EU regulation) •Some exemptions: cookies used to deliver the core service delivered to the user (session cookies, purchase basket cookies…) •Bear in mind that cookies are just one kind of many tracers to identify users
  17. 17. MK99 – Big Data 17 Adequacy •Websites, mobile apps and social media logins should ask for permissions exactly necessary to run the service, not more •Time out: information should be deleted when service stops –in France, there is a 13 month limit after which consent must be renewed
  18. 18. MK99 – Big Data 18 Transparency •Information should be available on request –In 2011, an Austrian student requested all his Facebook data. He got 1,200 pages of it. –As of 2014, you can download all your FB data in one click. •Users should be able to edit, update, delete their information -> See European ruling on “Right to be forgotten”
  19. 19. MK99 – Big Data 19 Safety •All reasonable precautions should be taken against data breaches. •Precautions taken should be scaled to the damage which would result from a breach in security •Basics: define and manage access rights to each relevant aspects of the data. •Users should be told about security breaches potentially affecting their data
  20. 20. MK99 – Big Data 20 Where big data changes the deal •One dataset in itself does not always reveal personal information. However: several datasets combined, + use of data mining techniques, + knowledge of the domain, + hacker approach (clever guesses etc.) = identification often possible Big data
  21. 21. MK99 – Big Data 21 Harvard Researchers Accused of Breaching Students' Privacy •1.2 million Facebook accounts from 4 different Universities collected by a Harvard research team •Little info on each account (age, gender…), all anonymized •But… tracing who befriends whom + demographics info can de-anonymize the dataset Source: http://chronicle.com/article/Harvards-Privacy-Meltdown/128166/ “One issue, Mr. Zimmer says, is that someone might be able to figure out individual students' identities. People with unique characteristics could be discovered on the basis of what the Harvard group published about them. (For example, the original code book lists just three students from Utah.) “He's right about how easy it is to identify people who are presumably part of the data set. By searching a Facebook group of Harvard's Class of 2009, a Chronicle reporter quickly tracked down one of those three Utah students. Her name is Sarah M. Ashburn. The 24-year-old is in Haiti working for a foundation that helps AIDS victims.”
  22. 22. MK99 – Big Data 22 London’s bike-share program unwittingly revealed its cyclists’ movements for the world to see “Those are journeys made between 4am and 10am [by a single bike-share user]. They head in one direction: towards King’s Cross (in fact, to the only cycle docking station near the Guardian’s headquarters). And they come from two places, suggesting this person spends the night at a location that is not home.” Source: http://qz.com/199209/londons-bike-share-program-unwittingly-revealed-its-cyclists-movements-for-the-world-to-see/
  23. 23. MK99 – Big Data 23 Riding with the Stars: Passenger Privacy in the NYC Taxicab Dataset Source: http://research.neustar.biz/2014/09/15/riding-with-the-stars-passenger-privacy-in-the-nyc- taxicab-dataset/ Bradley Cooper Jessica Alba “In Brad Cooper’s case, we now know that his cab took him to Greenwich Village, possibly to have dinner at Melibea, and that he paid $10.50, with no recorded tip.”
  24. 24. MK99 – Big Data 24 Best practices for data protection in a big data world •Basic rule: this is not because users granted access to different pieces of data that they granted rights to access / dissemination to all the personal information that can be reconstructed from it. •Beware access rights to geolocalized, network, timestamped and textual data –All are very informative even when anonymized, especially when crossed together. •Beware the long tail –While very common profiles (“average joe”) might be hard to identify in a dataset, odd profiles stand out easily and might be put at risk of being de- anonymized.
  25. 25. MK99 – Big Data 25 Last note: data protection in a post-Snowden world •Assumption: your national state and surely others have access to the servers and communications of organizations. •If not, states can issue legal injunctions to organizations to deliver private information. •This means that data protection for individuals, by companies, has limits: it is not free from state surveillance. •Except… for companies that put personal data protection at the heart of their business model? Snowden cites https://spideroak.com/ as an example. July 2014: Snowden on data privacy, technology, cloud companies and more.
  26. 26. MK99 – Big Data 26 This slide presentation is part of a course offered by EMLYON Business School (www.em-lyon.com) Contact Clement Levallois (levallois [at] em-lyon.com) for more information.

×