Slides on Privacy by Design connecting legal and regulation with practic implementation

1. Privacy by Design (PbD)
Connecting the dots between legal and technology
by Advocate Alon Saposhnik and Initech Software Services Ltd,
January, 2017

2. Main players
● “Data Subject” -An Individual who is the subject of personal data.
● “Personal data” - any information relating to an identified or identifiable natural person
● “Sensitive data” (according to the Israeli Privacy Laws) - includes “details concerning an
individual’s personality, intimate relations, health condition, financial condition, opinions
and religious belief”.
● “Controller” - is the one that is responsible for the compliance with the data protection
regulations.
● “Processor” - is the one that is only responsible for processing personal data and is
acting on behalf of the controller and according to its instructors.
● “Regulator” - Data Protection Authority (e.g, ILITA, information commissioner office
etc.)

3. Guiding principles of PBD (Privacy by Design)
1. Proactive not reactive ; Preventative not remedial
2. Privacy as the Default
3. Privacy Embedded into Design.
4. Full Functionality; Positive-Sum not Zero-Sum.
5. End-to-End Lifecycle Protection.
6. Visibility and Transparency.
7. Respect for User Privacy

4. Who’s affected?
● Developers
● Companies using third party apps / software / hosting as a part of their
product / service
● Data Controllers
● Data Processors
● Others?

5. Implementation - legal considerations
1. Infrastructure providers located outside of the EU territory - do they comply
with privacy regulations or do they offer to sign on Model Clause (or Data
Processing Addendum)?
2. Service providers located outside of the EU (Marketing, R&D) - sign on Model
Clause when transferring data abroad
3. NDA agreements with workers and service providers to assure privacy
compliance.
4. Information security - get ISO certificate for working with global companies

6. Case studies of privacy lawsuits - in Israel
● Local Israeli App (Sync.Me): was ordered by the regulator to erase all
personal data that were illegally collected on users. Activity in Israel has been
stopped.
● Data Rings (seller of databases): was ordered by court to erase all personal
data that was collected on individuals. Clients of the company who gained
access to the data were ordered to do the same.
● Israeli company (undisclosed) was fined 177,000 NIS for illegal commercial
use of personal data that as collected on individuals.

7. Case studies of privacy lawsuits - abroad
● The Hamburg regulator has ordered Facebook to halt its unlawful collection and storage of data belonging to 35
million German WhatsApp users. The Commissioner has also ordered that Facebook delete any data that they have
already collected from WhatsApp.
● £40,000 fine for healthcare organization that failed to protect patient's personal data: a general practitioner clinic that
revealed confidential details about a woman and her family to her estranged ex-partner was fined £40,000 by the
Information Commissioner.
● An EU lawmaker is calling for the European Commission to investigate dating app Tinder for potential breaches of
European data protection rules, because it uses personal data without explicit consent.
● The CNIL has issued an order giving Microsoft three months to make changes to its operating system in line with
French data protection law. According to the CNIL, Windows Store collects user data on all downloaded applications
without user consent or even awareness, monitoring the time spent on each app. Windows 10 also automatically
installs an advertising identifier, enabling Microsoft to monitor users' browsing to offer targeted ads. The CNIL will
only consider fining the company if it fails to make changes.
● Intelligent Lending, trading as Ocean Finance, was fined by the UK regulator after it sent seven million texts offering
a new credit card powered by a major lender.

8. Implementation - applicative considerations
1. Privacy Policies - Organizational practices and procedures
2. Israeli Privacy Law requires registration of certain databases with the Database
Registrar
3. Data Protection Certification - for demonstrating compliance with Data Protection
Regulation by controllers and processors
4. Conduct Privacy Impact Assessment
5. Internal Training Programs
6. Presence of Privacy Specialist in early stages of product development

9. Typical privacy issues in mobile / web applications
Collecting unnecessary sensitive data during sign-up
Failure to get approval for TOS / receiving emails during sign-up (Privacy and
Anti-Spam Laws)
Blind selection of data center in USA
Unintentional exposure of sensitive data when using 3rd party integrations (i.e.,
using Messenger to collect personal data exposes it to Facebook)

10. Typical privacy issues in mobile / web applications
Unintentional exposure of sensitive data belonging to other users due to bugs in
code
Development / testing environments are replicated from production data without
obfuscating personal data
Access of personnel to the sensitive data through direct access to database
Production data compromised through unrestricted access to backups

11. ● Privacy policy + confirmation for designated actions (account creation, etc.)
● Newsletters / promotion correspondence establishes an opt-in mechanism according to
Privacy law and the Anti-Spam Law requirements
● Infrastructure for personal data retrieval and erasure (blacklisting erased data to be
filtered out during recovery from backups)
● Back office with multiple levels of access to Personal data of Users (each role has
Implementation - examples

12. Implementation - examples
● Hosting location selection - EU or approved location by EU (Israel is approved)
● Managing the list of 3rd parties that receive access to User’s personal data (including
appropriate permissions model)
● Implement contractual mechanisms with 3rd parties (e.g., Data Processing agreement)
● Data Access Layer middleware should restrict selection of data to session / user
context

13. Implementation - takeouts and challenges for PBD
Big advantage for EU / Israel-based providers
High risk of working with providers based outside of the EU and in such places
as East-Europe / Asia (Belarus, Ukraine, India, China, Russia) where EU
privacy regulations does not apply and thus impossible to enforce
Questions to answer when starting a project:
Which criteria should we implement as a minimum default privacy by design?
At what stage should we involve a privacy specialist?

14. Thank you for listening!
For technical questions: contact@initech.co.il
For legal questions: alon.saposhnik@sr-lawoffice.co.il