Category: Information Quality

  • Calling The Tweet Police

    [updated 2012-12-27@17:11 to reflect comments from TJ McIntyre] [edited introductory paragraphs at 20:34 2012-12-27 reflecting feedback from Aoife below, fair comment made and responded to] [Note: This has been posted today because RTE are doing a thing about “social media regulation” which means that levers are being pulled that need to be red flagged]

    I drafted this post on Christmas Eve morning 2012. The original post had the introduction below. One person (out of the 600+ who have read this post by now, a few hours after I posted it) felt that the opening was too hyperbolic. Perhaps it was, so I decided to tweak it. I did hope I wouldn’t have to publish the piece I’d drafted. But the fact that the opening item on the 6pm news on the 27th of December 2012 was a piece about the Chairman of the Dáil communications committee announcing that the committee would meet in the New Year to discuss regulating ‘Social Media’ meant that my misgivings about the approach of the Irish political classes to the use of Social Media were not entirely misplaced.

    I’m writing this on Christmas Eve morning 2012. I dearly hope I never have to publish it. If I do it will be because the Government I helped elect will have abandoned any pretence of being a constitutional democracy and will have instead revealed its true insular, isolated, clientelist nature in a manner that will disgust and appal people. And this will be all the more disturbing as the Government will have used real personal tragedies to justify this abandonment of principles. But I am not hopeful. If this post sees the light of day something will have gone horribly wrong with the Irish Body Politick.

    That the content of the media coverage today echoed the expectation I set out in the paragraphs below for the rationale of any review of regulation (“cyber bullying” and other misuses/abuses of social media) suggests that, perhaps, this post might contribute a useful counterpoint to a perspective that appears to dominate the mainstream.

    The Issue

    I fully expect within the early weeks of 2013 for the Irish Government to propose regulations requiring that users of social media be required to tweet or blog in an identifiable way. No more anonymous tweets, no more anonymous blogs. The stated reason will be to “combat cyber bullying”. Sean Sherlock TD is quoted in today’s Irish Times (2012/12/24) calling for action on anonymous posting. This is ominous. Others quoted in that article are calling for “support systems” to help TDs deal with the “venom” being targeted at them via social media. While the support systems suggested are to be welcomed, the categorisation of expressions of opinion by citizens as “venom” is, at best, unhelpful and, at worst, disingenuous. What seems to be in the pipeline to be proposed to stem this tide is almost inevitably going to be some form of requirement that people verify their identity in some way in blog posts or tweets. Remove the veil of anonymity, the reasoning will go, and this venom will go away. The “keyboard warriors” will put their weapons beyond use and step in line with the process of government and being governed. The fact that politicians are lumping Facebook in with these other platforms illustrates the tenuous grasp many have on the facts – Facebook already has a “real identity” policy, which raises problems about what your real identity is and has been flagged as potentially in breach of EU law by at least one German Data Protection Authority.

    Why this is a bad idea

    In Orwell’s 1984 a shadowy figure of the State ultimately breaks the protagonist Smith, requiring him to give up on love and private intimacy and resubmit to a surveillance culture in which the Thought Police monitor the populace and the media tells everyone it is necessary to protect against the “enemy”. That shadowy figure is called O’Brien. My passion for data privacy is a reaction to my namesake, and from that perspective I can see three reasons why this is A VERY BAD IDEA.

    Bad Idea Reason #1  – What is Identity?

    Requiring people to post comments, write blogs, or tweet under their own identity creates a clear and public link between the public persona and the private individual. The supporters of any such proposal will argue that this is a deterrent to people making harsh or abusive comments. However, in a fair society that respects fundamental rights, it is important to think through who else might be impacted by a “real names” policy. There are quite a number of examples of this, the most famous recent example being Salman Rushdie having his Facebook account suspended because Facebook didn’t think he was him. Identity is a complex and multifaceted thing. We all, to borrow a phrase from T.S. Eliot, “prepare a face to meet the faces that we meet”. The GeekFeminism Wiki has an excellent list of scenarios where your “real name” might not be the name you are really known by. In Ireland, people who would be affected by a “real names” policy in social comment would include:

    • Public servants who cannot comment publicly on government policy but may be affected by it
    • Survivors of abuse
    • People with mental health concerns or problems
    • Whistleblowers
    • Celebrities.

    A real names policy would require that every time Bono tweets or blogs about Ireland, Irishness, or Irish Government policies he would have to do it under the name Paul David Hewson. And who the heck would be interested in an opinion expressed by Paul Crossan about epilepsy?

    Bad Idea Reason #2 – How will it work exactly?

    It is one thing to say that you want people to post comments using their identity, but it is another thing entirely to get a system in place that actually works. Identity is a “flexible” thing, as outlined above. Facebook require evidence of your identity in the form of personal ID (passport/driver’s licence). They have the resources to process that data securely. But they still get it wrong (see the Salman Rushdie example cited above). If verifiable identities are required for comment, then how exactly would a small personal blog that is used to exercise my mental muscles outside of my work persona (domestic use) be expected to handle the overhead of verifying the identity of commenters in a verifiable way? Would I be expected to get people to register with the blog and provide evidence of ID? Would I be able to get a grant to help implement secure processes to obtain and process copies of passports and driver’s licences? Or will the State just require that I shut up shop? Would the State indemnify me if this blog was compromised and data held on it about the identity of others was stolen? Every few years we used to hear similar calls about the registration of mobile phones. The argument in favour of registration usually goes: “If they have to register, bad people won’t use these phones”. That argument is bunkum. I’ve written about it at length here, but the short form:

    1. If people have to register and provide ID for verification, they will use fake ID (as is happening in China with their mobile phone registration requirement).
    2. If the law requires registration, it is, strangely enough, unlikely to bother criminals: by definition they find the law an inconvenience rather than a barrier.
    3. If people are required to register without some form of identity verification then you’ll wind up with Mr D. Duck of The Pond owning a lot of phones. A pseudonym, so no more identifiable than a picture of an egg.

    Apply this to a proposal for a “real names” policy for tweets, blogs, comments and other social media discourse and we wind up with a situation where achieving the objective that the proposers of non-anonymised comment seem to be seeking would place a disproportionate burden on those of us who engage in debate on-line. Even then it would not be foolproof. And a non-verified identity is nothing more than another pseudonym. I could, for example, use the name of another person when “registering” to comment. Or a fictional duck. It is worth noting that South Korea is abandoning its “Real Names” policy for social media for a variety of reasons.

    Bad Idea Reason #3 – The logical principle must be technology neutral

    Blogging, tweeting, social media… these are all technologies for self-expression and social interaction that barely existed five years ago and were unheard of in the mainstream a decade ago. Therefore any regulation that requires identification of commenters must be framed in such a way as to anticipate new technologies or new applications of existing technology, or risk near-instant obsolescence. Therefore the regulation would need to be technology neutral. Which means that, in order to avoid it being discriminatory and to ensure it has the fullest possible effect, it would need to be applicable to other forms of technology.

    When debating this on Twitter with Harry McGee on the 22nd December I asked him if he saw a difference between Twitter and a malicious phone call or an anonymous pamphlet. His response was that they were, in his opinion, the same. So, if tweets are the same as anonymous pamphlets, the logical extension of needing to be able to identify the tweeter is a need to be able to identify the pamphleteer. The State would want to be able to identify the author of a published thought. We have seen this before. In fact, the seeing of it before is one of the reasons that the EU has a right to personal Data Privacy (introduced in the Lisbon Treaty) and why the strictest interpretations of Data Protection laws in Europe tend to be in Germany and former Soviet bloc countries. Have we managed to forget that, within the lifetime of people now in their mid-thirties, governments in Eastern Europe required people to register their typewriters with the State so the State could identify the writers of letters, plays, pamphlets and other communications? As Mikko Hypponen of F-Secure (one of the world’s leading experts on information security) says in one of his many presentations:

    In the 1980s in the communist Eastern Germany, if you owned a typewriter, you had to register it with the government. You had to register a sample sheet of text out of the typewriter. And this was done so the government could track where text was coming from. If they found a paper which had the wrong kind of thought, they could track down who created that thought. And we in the West couldn’t understand how anybody could do this, how much this would restrict freedom of speech. We would never do that in our own countries. But today in 2011, if you go and buy a color laser printer from any major laser printer manufacturer and print a page, that page will end up having slight yellow dots printed on every single page in a pattern which makes the page unique to you and to your printer. This is happening to us today. And nobody seems to be making a fuss about it. And this is an example of the ways that our own governments are using technology against us, the citizens.

    So, if we can uniquely identify the typewriter or the printer, shouldn’t we take the logical step and have the owner register it, just like in communist East Germany in the 1980s? So that when a pamphlet or letter is sent that has the wrong kind of thought the relevant authorities can take action and immediately stop that kind of thing. But sure, we’d never do that in our own country. We’d just ask everyone to register their identity before blogging or tweeting. Totally different. The Government would never propose the creation of a register of printer owners. Would they? {update: here’s an article from EFF.org outlining their take (from the US) on why “real name” policies and regulation are a bad idea}

    Use the laws we have, don’t create crazy new ones

    But something must be done!! This is an intolerable thing, this “cyberbullying”. And indeed it is. But let’s not get hung up on the label. It is not “cyberbullying”. That is bullying by a fictional race from the TV show Dr. Who.

    What this is is inappropriate and/or malicious use of communications networks and technologies. It is no different from a smear poster campaign, a co-ordinated letter writing campaign, or a malicious calling campaign. And there are already laws a-plenty to combat this in a manner that is proportionate with the curtailment of freedoms of speech and rights to privacy. Bluntly: if your conduct on-line amounts to a criminal act or defamation it is almost inevitable that your illusion of privacy will evaporate once the blow-torch of appropriate and existing laws is applied.

    The power to pierce privacy in this case comes from the pursuit of a criminal investigation of what are deemed under the Communications (Retention of Data) Act 2011 to be serious offences. Any social media provider will provide information about users where a serious offence is being investigated. It’s in their terms and conditions (see Twitter’s here – Section 8). This would allow the identification of the IP address used at a date and time for transmitting a message via Twitter and could be used to compel a telecommunications provider to provide the name of the account holder and/or the location of the device at the time and at present. But it is done under a clear system of checks and balances. And it would be focussed just on the people who had done a bold thing that was complained about, not placing a burden on society as a whole just in case someone might do something naughty. I would ask the Government to use the laws we already have. Update them. Join them up. Standardise and future-proof their application. But do so in a technology neutral way that isn’t swiping at flies while ignoring larger concerns. And please don’t mandate non-anonymised comment – it simply doesn’t work.

    The Risk

    When proposing any course of action it is advisable to prepare for the unintended consequence. With this chatter of requiring comment to be identifiable comes the risk that, should it happen, the social media data of Irish citizens will become either more valuable (because marketers will be able to mine the “big data” more efficiently) or less valuable (because we switch off and there is less data to meaningfully mine). There is also the risk that our Government will, yet again, send a signal to the world that it just doesn’t understand On-Line, for all its bleating about a “Knowledge Economy”. And at that point we may become less attractive to the foreign new media firms who are setting up base here. Like Twitter, LinkedIn, Facebook, etc.

    Conclusion

    Requiring identifiable comment is a dumb move and a silly non-solution to a non-problem. The problem is not anonymity. The problem is actually how we evolve our laws and culture to embrace new communication channels. We have always had anonymous comment or pseudonymous dispute. Satire thrives on it, art embraces it, and literature often lives through it. Just because every genius, wit, and idiot now has a printing press with a global reach does not mean we need to lock down the printing presses. It didn’t work in Stasi East Germany or other Soviet Bloc dictatorships. Other solutions, such as working the laws we already have, are preferable and are more likely to work. Educating users of social media that there are still social standards of acceptable behaviour is also a key part of the solution.

    Tagging the typewriters is NEVER the answer in a democracy. This O’Brien stands firmly against this particular Thought Crime.

  • Europe v Facebook–a lesson in clarity

    I was on the news this afternoon. The radio. So the world was spared my visage. My words were quick in response to rapid fire questions about why Europe v Facebook had announced they were suing Facebook in Ireland and their comments about the Irish Data Protection Commissioner.

    To put some clarity on my comments (which I believe were reasonably balanced) I thought I’d write a short post here in my personal rant zone. Note I am not a lawyer but am renowned for my Matlock impressions.

    Europe v Facebook are suing?

    That’s nice. Who are they suing? Why?

    Well, it would seem they want to sue Facebook in Irish Courts for breaches of the Data Protection Acts. That’s nice. Section 7 of the Data Protection Acts allows for the Data Subject to sue for specific breaches of the Acts – the Duty of Care is contained in Section 7 and the Standard of Care is effectively Section 2 (and, given the level of specificity with which Accuracy as a test is defined in the recent Dublin Bus v DPC case, a strict interpretation would likely be applied by the Courts as to what the standard would be).

    But that is not Europe v Facebook suing. That’s a single punter. Or a series of single punters. Individually. Because we (as Europe v Facebook acknowledge) don’t have Class Actions here in Ireland. So each person rolls the dice and takes their chances in an area of law with little jurisprudence or precedent behind it in Ireland. Oh. And it would likely be a case taken at Circuit Court level unless the individuals wanted to risk large costs if they lost.

    Of course, Europe v Facebook could take a case against the State to the ECJ on the basis that the State hasn’t properly implemented the Directive. But as we basically photocopied it in a hurry that might be a long shot. The ECJ tends not to get directly involved in telling Member States how to spend money, particularly when the rest of the EU machinery is trying to get us to spend less money. But it is an option.

    Europe v Facebook itself can’t sue under Section 7. No duty of care is owed under the Data Protection Acts to a body corporate.

    What it could do is appeal a decision taken by the Data Protection Commissioner on foot of one of the 22 complaints the organisation has submitted. But apparently Europe v Facebook won’t state clearly what the specific complaint is so that a decision can be taken or what specific complaints they require decisions to be taken on, ergo there can be no decision from the DPC and ergo there is nothing to appeal against.

    But suing under Section 7 is entirely separate to any DPC investigation (just as suing someone for personal injuries arising from an assault is separate to a criminal investigation of assault). Just as the DPC Audit is a separate process from any investigation of a complaint.

    Why the focus on Ireland and the Irish DPC?

    Well, Facebook have decided, for a variety of reasons, to set up shop in Ireland. (Europe v Facebook seem obsessed with tax breaks but there are other reasons multinationals come to Ireland. The scenery. The nice people. The multilingual skill sets, the cluster effect of other companies.)

    In setting up Facebook Ireland Ltd Facebook also decided that, for any Facebook User outside of the US and Canada, Ireland would be the country and legislative framework and enforcement framework they would comply with.

    So the Irish DPC became responsible for policing the activities of Facebook globally.

    Hence Europe v Facebook are dealing with them.

    Dealing with the DPC

    Europe v Facebook are making some odd demands. They want the evidence from the investigation of their complaints before they will decide to proceed with their complaints. Nuts.

    That’s like asking the gardaí for the Book of Evidence before deciding if you will press charges against a thief. Let’s ignore the fact that the ‘evidence’ might contain personal data of other individuals or may include commercially sensitive information or other confidential information. If Europe v Facebook believe they have valid complaints they should specify which ones they want to move to a decision on and then take the process on.

    Personally and commercially I have found the DPC to be both a pleasure and a frustration to engage with. But the process is straightforward. Pissing around like a spoiled teenager is frankly, in my opinion, just a waste of the limited time and resources of the DPC.

    Europe v Facebook have highlighted that they have the support of German Data Protection Authorities. For balance it is worth pointing out that they have the public support of one of FIFTEEN German Data Protection Authorities, not counting the Federal Data Protection Authority for Germany.

    It’s a bit like having the backing of Carlow County Council on a matter of Foreign Affairs policy. Great to have it but not conclusive until the Feds (who represent Germany at the A29 Working Group) back the position. Yes it is important and needs to be noted and considered, but it is not in and of itself decisive.

    Time and Resources

    The audit of Facebook and subsequent reviews have taken up over 25% of the resources of the Office of the DPC. External technical support was resourced from a UCD campus company pro bono. Europe v Facebook’s press release says they couldn’t find the company. They didn’t look very hard. All the details about the company and the qualifications of the person doing the work were in the first Audit Report.

    Europe v Facebook does have a point though: the DPC has no “legally qualified” people. Now, that’s an interesting phrase. Do they mean a qualified solicitor or barrister entered on the Roll of the relevant professional society here, or do they mean someone with a legal qualification (such as a BBLS degree) who has not gone on to qualify? Frankly, if it is the latter I’m quids in… I’ve a legal qualification and I’m a recognised expert internationally on Data Governance practices.

    They point out that the DPC is faced with armies of lawyers when dealing with companies. No shit. A policeman. Having to deal with lawyers. Who’d a thought it? The implication is that they are outclassed in the legal skillz department. And guess what… they are. And they will be forever. For the simple reason that the salary scale of a civil servant wouldn’t match that of the hired guns on retainer. The smarter people go where the money is. Just as the Attorney General and the DPP and Revenue and other high-skill arms of Government lose skilled resources to the private sector, so too would the DPC. I would be surprised if they haven’t already lost members of staff to law firms.

    And frankly the focus on a tick-box skill set is narrow-minded in my view. Hiring people who understand how businesses use data, the kinds of technology that are there, the actual best practices in Governance etc. is equally if not more important to driving compliance.

    The Upshot

    Max Schrems, the law student behind Europe v Facebook, will likely sue Facebook in Ireland. Likely at the Circuit Court level. The DPC will likely be called to give evidence, and they will submit the Audit Report. Facebook will probably be asked in discovery to provide information about their communications with the DPC.

    Europe v Facebook will do diddly squat, given they have no standing in the case. They might float a case up to the European Court re the effectiveness of the implementation of the Directive and the adequacy of resourcing and skills of the DPC. But the Directive is largely silent on those questions (as is the Regulation). Beyond that they can and will do nothing until they piss or get off the pot and tell the DPC what complaints they want decisions on. Then they are free to appeal the decisions.

    The real upshot is that this kerfuffle and the commentary surrounding it should focus attention on the resourcing, training, skills, qualifications, and competence of the Data Protection Commissioner’s office. They are diligent hard working servants of the public who could probably benefit from upskilling in a variety of areas either through hiring or training. They could also do with more resources, but the focus needs to be on brains not bodies.

    The continuing failure of the Courts to properly apply the criminal sanctions in the Acts should also be looked at. Having cases struck out as it is a “first offence” is feck all use when the DPC engagement model is to only prosecute after a second or third occurrence of an offence. I would consider the need for written judgements in DP cases to be important. I would also consider the need for a published archive of Enforcement notices and penalties, similar to the publications from the ICO in the UK, to be a useful step forward.

    I wish Europe v Facebook luck in their endeavours. A binding precedent on Data Protection compliance would be nice. But they would do well to remember that the Audit and the investigation of their complaints are two different processes and they need to engage with their process to bring the investigation leg to a close.

    Only by specifying the complaints they require a decision on can Europe v Facebook conclude the criminal investigation, either through findings they agree with or an appeal that is upheld.

    The potential for legal action by a Data Subject under Section 7 is interesting and has already led to a number of key cases moving their way through the Irish Courts System at the moment. It would be a valuable contribution to Data Protection law here and elsewhere in Europe. But I can’t help but feel that the better approach would have been to engage positively with the Irish DPC and work towards clarity rather than calling the independence of the DPC into question and being confrontational.

    But maybe we are all just pixie heads.

  • The Anti-Choice Robodialler–some thoughts

    The Intro

    Robodialling, autodialling, power dialling. Call it what you will. It is the use of computers and computer telephony integration to save the tired fingers of call centre workers and turn the job into a battery farm of talk… pause… talk.

    I know. I’ve worked with them. Heck, I designed the backend data management and reporting processes for one of the first big installations of one in Ireland back in the late 1990s. It was fun.

    I also learned a lot about how they work and some of the technical limitations and capabilities of them. Such as the lag that can happen when there is no agent available to take a call so the person dialled hears noise and static. Or the fact that you can trigger the dump of a recorded message either as a broadcast or based on the machine’s interpretation of whether it’s hit an answering machine or not (at least on the snazzy RoboDial9000 we were putting in).

    And I also remember the grizzled CRM and Direct Marketing consultant who was helping advise on best practice for using it telling the management team:

    “Don’t. For the love of all that is sacred don’t. Doing that shit just gets our industry a really bad name because it freaks people out.”

    Today – Fallout and penalties

    Today I’m trying to reengage brain after a night on twitter helping to advise people how to register their complaints about the use of a Robodialler to push anti-choice messages to unsuspecting households. The DPC is now getting up to 3 complaints every 5 minutes on this.

    Each complaint could carry a €5000 penalty on summary conviction. That is the tricky bit as this requires evidence gathering etc. This could take time. But the DPC has time available to them to conduct investigations and bring prosecutions. And if it is a case that this is an individual acting on their own behalf, the DPC has the powers to enter domestic premises to conduct searches and can levy a significant personal penalty of up to €50,000.

    Oh… and if the dialler is in the UK the maximum penalty per offence is £500k, and the DPC and ICO do talk to each other. A lot. They’re co-hosting an event in Newry at the end of the month.

    The unintended consequences

    My thoughts now turn to the unexpected consequences this robodialling will have.

    1. All future market research or polling that may be done on this topic by phone is borked and broken. People will be suspicious, even when the nice man from the polling agency ticks all the boxes and explains who they are etc.
    2. There will be a wave of “false positive” complaints to the DPC arising from any phone polling on this topic (for the reason outlined above). This will tax the resources of the DPC, and will tax the resources of market research and polling organisations as they work to deal with complaints and investigations etc.

    The impact of this on debate is that the published results of any polling will be distorted and will be potentially unreliable as barometers of public opinion. Face to face field work results will likely be less tainted by the robodialler experience but will be a LOT more expensive and time consuming for media and other organisations to run. So there may be less of them.

    The dialler incident will tie up resources in the ODPC that would otherwise be spent dealing with the wide range of complaints they get every day, driving investigations, conducting audits, and managing the large number of existing open cases they are working through.

    22 staff. In total. 25% of their staff regularly being tied up dealing with Facebook alone. With a mandate that covers ANY non-domestic processing of personal data. (By comparison the Financial Services Regulatory Authority has three times the number of staff at Director level alone.)

    Another consequence of this is that we might get a little debate about how this is no different from the placard waving and leaflet shoving of the Anti-choice camp historically. But it is different. Disturbingly different. If I am walking on the street with my daughter and a leaflet or picture is thrust in her face, I can turn away, walk another route, or some other strategy to help shield my daughter from disturbing imagery.

    Last night I read of parents whose small children or young tweenagers answered the call and listened and have been upset by the calls.

    The wrap up

    I worked in a telemarketing business early in my career. Even then (nearly 2 decades ago) we were cautious about ringing people in the evenings. It is an invasion of the private family time of individuals, an abrupt interruption of what Louis Brandeis called “the right to be left alone”. No recorded messages were left. Human interaction was key to ensuring we only continued to encroach where welcomed, and requests to be removed from lists were treated respectfully. “Do Not Call in Evenings” was a call outcome code in the robodialler that prevented that number ever being called again (at least in theory when the software worked correctly and the teams did their jobs right).

    To tread on that right to be left alone to ram a pre-recorded message into the ears of an unsuspecting and unidentified audience belies an arrogance and ignorance on the part of those who thought it would be a good idea to choose to commit a criminal offence to push their message, ignoring both the law and the choices people had made with respect to their own personal data privacy (a fundamental right of all EU citizens).

    _____

    If you have received a call from a robodialler with an automated message, or where the caller did not identify themselves to you, you should register a complaint with the Data Protection Commissioner.

    Investigations can be complex and it may be impossible to verify who to prosecute, but by registering the complaint you can help build the case against people who are acting illegally.

    Try to find the number that called you (in your phone’s call log). Note the date and time of the call. If the number is blocked, include that fact in your complaint. While numbers are blocked from being presented to you, the phone network will still know who called you and having the date and time you received the call will potentially enable ComReg and the Data Protection Commissioner to request data from the telecommunications companies to trace calling numbers. They may subsequently require you to give consent to accessing your phone records as part of their investigation but only to identify the number that phoned you on that date/time from the network call logs that are generated.

  • Triskaidekaphobia Cars and Information Economics

    So, the Irish Government has decided – based, it would seem, solely on the analysis and advice of the Society for the Irish Motor Industry (SIMI) – to introduce a revised licence plate system for Irish cars starting from January of next year.

    The reasoning put forward is that fear of the number 13 will hamper car sales (superstition) and people don’t like the current system because they don’t know for certain when a car was manufactured (snobbery).

    Snobbery

    To address the snobbery element first, according to comments from SIMI quoted in the Irish Independent:

    Even though 70pc of new cars are bought during the first four months of the year, some consumers believe that it doesn’t accurately reflect the real age of a new car since cars bought in January are obviously manufactured the previous year while those bought later in the year are actually made in the same year

    So. 70% of all new cars are purchased in the first four months of the year. That’s a good statistic. It means that, on average, 3.75% of all new cars are sold in each of the remaining 8 months of the year. From that a reasonable guesstimate of the value at risk in each month can be worked out.

    What is not a good statistic is “some consumers”. Is that one consumer, one consumer and their friend from the gym, 1000 consumers, or every consumer who buys a car in the first 4 months of the year? If it is the latter, it obviously doesn’t bother them that much or they wouldn’t buy until later in the year.

    Surely a better and more cost effective approach would be for the SIMI to educate purchasers about the manufacture and supply chain processes that apply to vehicles. Bluntly – car manufacturers don’t build cars in the hope they will sell them. That’s too expensive. They apply logistics principles to build enough to just about meet forecast demand. And no more. So a car purchased in January will not have been sitting in a storage facility for a dozen months. It will be relatively recent.

    And does the fact that it was manufactured in the previous calendar year actually matter if features, specifications, and price are the same in December 2012 versus January 2013? I know from experience that the announcement of a new model of a car affects book value, but, excluding the change of model for a moment, logistics need to be considered when we think about the idea of the year of manufacture being a real decision point for people. After all, a car manufactured in January 2013 will be using parts that were on-hand at end December 2012, that were probably ordered at the start of December 2012, and were probably being manufactured by the downstream supplier from October 2012 in anticipation of a glut of orders from car manufacturers in December/January 2012.

    The new iPhone isn’t due out for a while yet, but already there are rumours of supply chains having been ramping up for months… that’s how logistics works.

    And as the supply chain for vehicles is largely a pull supply chain (building to respond to demand), the easiest way to avoid having a car that was assembled in 2012 delivered to you as a new car in 2013 is to order it in Month 2 or 3 of 2013.

    But even then it doesn’t matter, as the actual age of components going into the car will depend on the vagaries of supply chain management down the line from the dealership to the nice man in Shenzhen whose company makes the screws that hold your sun visor in place.

    I can remember a few years ago looking to buy a particular model of car. The dealership didn’t have any in stock and when they (and this is the CSI moment) looked at the logistics system from the manufacturer they were able to tell me when the next one of the model I wanted would be manufactured. There was no great holding pen of stocks waiting for me to turn up and buy.

    So… I would really like to see some objective evidence that people actually give a rat’s ass about when their car is assembled, given that the majority of new cars are purchased in a time period when it would be logical that the supply chain inputs to the delivery of that car would have taken place in the previous year. The data does not correlate.

    Superstition

    It’s a number. Currently there are vehicles on the roads in Ireland with the number 13 in their license plate. Not in the year, but in the other element of the license plate.

    Surely insurance companies can provide data on the number of claims involving vehicles registered within the past 10 years with the number 13 in their license plate, against which we can determine if superstition is borne out by evidence. If it is… brilliant, we can establish an economic value case for changing an otherwise logical and straightforward system.

    The National Vehicle database (where registration numbers come from) would likewise have data on how many cars currently have a 13 in their license plate. If people are already avoiding it then the data will be there… lots of 12s, lots of 14s, no 13s.

    If not, then there’s no actual reason to change other than a vague (and unquantified) assertion that people won’t buy new cars because they have a 13 in the license plate.

    Reality

    This sounds like a simple change. But it isn’t. Many of the systems that your licence plate goes into are old and could require systems changes to accommodate the new format. Many of these are government departments. For example:

    • National Vehicle Driver File (Dept of Transport) – reg number and registered owner
    • VRT tax systems (Revenue Commissioners)
    • Gardaí (PULSE system, asset registers for garda vehicles)
    • Insurers
    • Car park ticketing systems such as the Pay-by-SMS service in Dublin (Local Authorities)
    • Car clamping operator systems
    • CIE (they need to log buses)
    • Car Rental operators

    It would be interesting to know if the Government commissioned any form of economic impact assessment to off-set the cost of catering to one industry lobby group for a problem that would exist in one year against the costs to the State and other private sector organisations of making systems changes to support the new format.

    Particularly given that the changes would need to be implemented before mid December to allow for them to be in place for cars being registered in January.

    The reality is that life is not like Star Trek and data is not well managed. I would doubt if there is the required metadata available to do a quick Impact Assessment on the change. At a minimum you would need to know the maximum field lengths for reg numbers in key systems. Other data required would be information on data transfers, batch processing functionality, or edit checking that might be applied to make sure that the full extent of the changes is understood and addressed to avoid any systems or process failures.

    I was involved in a lot of that kind of activity in Call Centre systems for Y2K in a former life. It is not easy if things aren’t documented. And they are never documented.

    My prediction: if this suggestion goes ahead without any rigorous impact assessment, there will be at least one major process failure in January/February 2013 arising from it. It is an idea that, while it may have merits, risks being rushed in without proper impact assessment being performed or any examination of the costs of implementation across the public sector or other private sector users of this information.

    In reality there has been a tentative Value case put forward with no corresponding assessment of the costs associated with delivering that value. And a horrendously ambitious time scale to make what is actually a deceptively complicated change.

  • Daisy (chain) cutters needed

    Brian Honan (@brianhonan on twitter) has been keeping me (and the omniverse) updated via Twitter about the trials and tribulations of Wired.com columnist Matt Honan who was the subject of a Social Engineering attack on his Amazon, Apple, Gmail, and ultimately twitter accounts which resulted in every photograph he had of his young daughter being deleted, along with a whole host of other problems.

    Matt writes about his experience in Wired.com today.

    Apart from the salutary lesson about Cloud-based back-up services (putting your eggs in their basket leaves you at the mercy of their ability to recover your data if something goes wrong), Matt’s story also raises some key points about Information Quality and Data Governance and the need to consider Privacy as a Quality Characteristic of data.

    Part of the success of the attack on Matt’s accounts hinged on the use of his Credit Card number for identity verification:

    …the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

    So Amazon views the last four digits as useful to the customer (a quality characteristic: they let you tell the different cards on your account apart), so those digits are displayed in the clear. But Apple considers that same short string of data sufficient to validate a person’s identity.

    This is a good example of what I call “Purpose Shift” in Information Use. Amazon uses the credit card for processing payments, and need to provide information to customers to help them select the right card. However, in Apple-land, the same string of data (the credit card number) is used both as a means of payment (for iTunes, iCloud etc.) and for verifying your identity when you ring Apple Customer Support.

    This shift in purpose changes the sensitivity of the data and either

    • The quality of its display in Amazon (it creates a security risk for other purposes) or
    • The risk of its being relied on by Apple as an identifier (there is no guarantee it has not been swiped, cloned, stolen, or socially engineered from Amazon)

    Of course, the same is true of the age old “Security Questions”, which a colleague of mine increasingly calls INsecurity questions.

    • Where were you born?
    • What was your first pet’s name?
    • Who was your favourite teacher?
    • What is your favourite book?
    • What is your favourite sport?
    • Last four digits of your contact phone number?

    In the past there would have been a reasonable degree of effort required to gather this kind of information about a person. But with the advent of social media it becomes easier to develop profiles of people and gather key facts about them from their interactions on Facebook, Twitter, etc. The very facts that were “secure” because only the person or their close friends would know it (reducing the risk of unauthorised disclosure) are now widely broadcast – often to the same audience, but increasingly in a manner less like quiet whispers in confidence and more like shouting across a crowded room.

    [update: Brian Honan has a great presentation where he shows how (with permission) he managed to steal someone’s identity. The same sources he went to would provide the data to answer or guess “security” questions even if you didn’t want to steal the identity. http://www.slideshare.net/brianhonan/knowing-me-knowing-you]

    The use of and nature of the data has changed (which Tom Redman highlights in Data Driven as being one of the Special Characteristics of Information as an Asset). Therefore the quality of that data for the purpose of being secure is not what it once may have been. Social media and social networking have enabled us to connect with friends and acquaintances and random cat photographers in new and compelling ways, but we risk people putting pieces of our identity together like Verbal Kint creating the myth of Keyser Söze in The Usual Suspects.
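    Here is an added example (my own sketch, not code from the original post or from Amazon or Apple) of how a data controller could check for this kind of purpose shift across systems: a small registry records every use of a data element and the exposure that use creates, and any element relied on as an authenticator somewhere while being displayed or broadcast elsewhere is flagged. The systems, elements and exposure levels are constructed to mirror the last-four-digits case and the “security questions” listed above.

```python
from dataclasses import dataclass
from enum import IntEnum


class Exposure(IntEnum):
    """How widely a data element is visible, least to most exposed."""
    SECRET = 0       # known only to the data subject and the controller
    CONFIDANTS = 1   # close friends or family would know it
    DISPLAYED = 2    # shown in clear in an account UI or on a receipt
    BROADCAST = 3    # posted publicly, e.g. on a social media profile


@dataclass(frozen=True)
class Usage:
    system: str          # organisation or system that uses the element
    purpose: str         # "display", "payment", "authentication", ...
    exposure: Exposure   # exposure that this particular use creates


def leak_sources(usages):
    """Every non-authentication use of an element; these are where it can leak from."""
    return [u for u in usages if u.purpose != "authentication"]


def purpose_shift_findings(registry, tolerated=Exposure.SECRET):
    """Flag each authentication use of an element whose exposure through other
    uses exceeds `tolerated`.  Most severe findings come first."""
    findings = []
    for element, usages in registry.items():
        auth_uses = [u for u in usages if u.purpose == "authentication"]
        sources = leak_sources(usages)
        if not auth_uses or not sources:
            continue
        worst = max(sources, key=lambda u: u.exposure)
        if worst.exposure <= tolerated:
            continue
        # Visible in clear somewhere -> unfit as an authenticator; known to a
        # circle of confidants -> merely weak (guessable with some effort).
        severity = "unfit" if worst.exposure >= Exposure.DISPLAYED else "weak"
        for auth in auth_uses:
            findings.append({
                "element": element,
                "relied_on_by": auth.system,
                "exposed_by": worst.system,
                "exposure": worst.exposure.name,
                "severity": severity,
            })
    findings.sort(key=lambda f: (f["severity"] != "unfit", f["element"]))
    return findings


# Constructed registry mirroring the scenarios in the post; not real policy data.
REGISTRY = {
    "card last four digits": [
        Usage("Amazon", "payment", Exposure.SECRET),
        Usage("Amazon", "display", Exposure.DISPLAYED),      # lets customers pick a card
        Usage("Apple", "payment", Exposure.SECRET),
        Usage("Apple", "authentication", Exposure.SECRET),   # phone-support identity check
    ],
    "place of birth": [
        Usage("Facebook profile", "display", Exposure.BROADCAST),
        Usage("Bank", "authentication", Exposure.SECRET),    # a "security question"
    ],
    "first pet's name": [
        Usage("Family and friends", "conversation", Exposure.CONFIDANTS),
        Usage("Webmail", "authentication", Exposure.SECRET),
    ],
    "account password": [
        Usage("Webmail", "authentication", Exposure.SECRET),
    ],
}


if __name__ == "__main__":
    for f in purpose_shift_findings(REGISTRY):
        print(f"{f['severity']:5} {f['element']!r}: relied on by {f['relied_on_by']}, "
              f"{f['exposure'].lower()} by {f['exposed_by']}")
```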

    Building Keyser Söze

    Big Data is the current hype cycle in data management because the volumes of data we have available to process are getting bigger, faster, more full of variety. And it is touted as being a potential panacea for all things. Add to that the fact that most of the tools are Open Source and it sounds like a silver bullet. But it is worth remembering that it is not just “the good guys” who take advantage of “Big Data”. The Bad Guys also have access to the same tools and (whether by fair means or foul) often have access to the same data. So while they might not be able to get the exact answer to your “favourite book” they might be able to place you in a statistical population that likes “1984 by George Orwell” and make a guess.

    Yes, it appears that some processes may not have been followed correctly by Apple staff (according to Apple), but ‘defence in depth’ thinking applied to security checks would help provide controls and mitigation from process ‘variation’. Ultimately, during my entire time working with Call Centre staff (as an agent, Team Leader, Trainer, and ultimately as an Information Quality consultant) no staff member wanted to do a bad job… but they did want to do the quickest job (call centre metrics) or the ‘best job they thought they should be doing’ (poorly defined processes/poor training).

    Ultimately the nature of key data we use to describe ourselves is changing as services and platforms evolve, which means that, from a Privacy and Security perspective, the quality of that information and associated processes may no longer be “fit for purpose”.

    As Matt Honan says in his Wired.com article:

    I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on.

    And that can result in poor quality outcomes for customers, and (in Matt’s case) the loss of the record of a year of his child’s life (which as a father myself would count as possibly the lowest quality outcome of all).

  • Olympic betting scandal and Data Protection

    An Irish athlete is under investigation less than 24 hours into the Olympics arising from allegations that they, in effect, bet against themselves.

    An anonymous source became aware of the pattern of betting and notified the authorities.

    This blog post is being written to help media commentators avoid either putting their feet in it or wasting the scarce time of the Data Protection Commissioner raising spurious enquiries about whether the disclosure of the data in this case was legal.

    Bluntly – you don’t want to come out swinging against the bookies if they were acting correctly as you’ll look like a fool. And, if they were in the wrong, you don’t want to throw the Data Protection Act around like snuff at a wake as there’s enough bullshit out there about what it is and what it does to fertilise the Rose Gardens in St Anne’s Park until doomsday.

    First things first: we need to bone up on some of the law governing gambling, specifically section 11 of the Gaming and Lotteries Act 1956. That legislation makes it an offence to cheat.

    11.—Every person who by any fraud or cheat in promoting or operating or assisting in promoting or operating or in providing facilities for any game or in acting as banker for those who play or in playing at, or in wagering on the event of, any game, sport, pastime or exercise wins from any other person or causes or procures any person to win from another anything capable of being stolen shall be deemed guilty of obtaining such thing from such other person by a false pretence, with intent to defraud, within the meaning of section 10 of the Criminal Justice Act, 1951 (No. 2 of 1951), and on conviction shall be punished accordingly.

    That is important as Section 8 of the Data Protection Acts permits the disclosure of personal data where necessary to allow the prevention, detection, or investigation of a crime. In this case cheating.

    Note: I’m not saying that any cheating actually took place here, just that circumstances appear to exist which seem to require investigation of the possibility of such cheating.

    As winning bets were drawn down that might fit the bill under the Gaming Acts.

    I always advise clients to have at least two lawful processing conditions to rely on. In this case the bookmakers could probably argue the “Legitimate Interest” grounds… It is in their interest to red flag potential cheating in the placing of bets or rigging of events. And the remedy to that would be to alert the appropriate body who would in turn have a legitimate interest in ensuring the propriety of the Games.

    Of course, the complicating factor is that the information was sent to the OCI from an “anonymous email”. If the sender was an employee of the bookmakers and had permission from their employer to alert the OCI, then that might be an allowable disclosure. But if they aren’t an employee (for example if they work with the police and came into possession of information relating to an investigation), or didn’t have permission to disclose the details of the athlete, then that could be a breach of the Data Protection Acts.

    So. Before we start chasing hares that aren’t there, let’s all step back and remember what the law actually is here. Far more important to focus on Google and their ‘factual inexactitude’ on Street View and the paltry resources of our DPC.

    Thus endeth the rant

  • Describe what you do in one word…

    This is a challenge an old boss of mine used to set. He was an alpha male. The answer he was looking for was usually a variant of “lead” like “inspire”, “command” or “drink”.

    But it is a good exercise to set yourself.

    This evening I was responding to a retweet of an article I published on my company website last year. Vish Agashe retweeted this post about data modelling and Data Protection. In response I asked him if he was still finding the ramblings of a legodatapsychoeconotechnoqualitatrian interesting.

    Then it hit me. That’s a word. A bloody good word. A “kicking my dad’s arse in scrabble” kind of word. Because it almost perfectly describes me.

    Lego

    No. I am not made of plastic and if you separate my legs from my body you will find it very difficult to reattach them.

    But I spent four years half a life time ago studying law and business in UCD. From that study I developed a love of law and all things legal. In particular I developed the skills of legal interpretation and research that all lawyers need to possess.

    And, just as (if not more) importantly I developed a network of friends who are lawyers. Yes. Some of my best friends are lawyers. Who’d a thunk it?

    Data

    No. I am not an android with a positronic brain and the strength of 10 men (I wish). And if you poke me in the back between the shoulder blades I’m more likely to turn around and put you in a painful joint lock or punch you in the face than calmly power down and go lifeless (hint: if you want that, a few bottles of good wine is the best option).

    But I am obsessed with data. The capturing and creation of it, the analysis of it, the value of it. It’s what I do. I’m a Data Scientist, but in the “lives in a castle in the mountains and don’t ask about the missing corpses” sense of “scientist” (at least at times).

    Psycho

    No. I don’t own a run down motel and I haven’t hacked a young lady to death in the shower. At least not since the dried frog pills kicked in.

    However I have been a closet psychologist for years. And once I realised that closets had very few hidden secrets (if you discount fantastical lands ruled by big lions) I turned my attention to the Human Equation in the context of change management and how we perceive and value information.

    So, BF Skinner was a lovely man who experimented on pigeons to see just how far he would go to have them support his flawed hypothesis that extrinsic reward/punishment is a key motivator of behaviour. At least that’s my opinion.

    Econo

    Last time I checked I’m not a gas guzzling American mini-van that is anything but economical to run. But, linked to my love of data and the interfaculty degree I did in law and business, I am a fan of economics and economic theory and practice. In particular I’m an advocate of the branch of economics that applies economic principles to the study of law and legal principles, and the application of economic principles to the valuation of and management of data.

    What is the value at risk?

    Where is the economic equilibrium of risk and reward/supply and demand?

    Is the economic deal fair when Entity A gives data to Entity B… what is the valuable consideration given for the exchange of assets?

    Techno

    No. I don’t play annoying 9000 beats per minute europop techno. Except for Saturdays. And even then only when there is a total eclipse of the moon.

    But I do enjoy my technology and my tools. I was the first customer in the world for Informatica’s Data Quality offering (back before it was Informatica). And I’ve coded countless Visual Basic skunkworks to do data reformatting, consolidation, reporting etc. And I do like Sharepoint and Drupal and WordPress and Unix and Linux and…..

    … I think you get the picture. I know a few things about databases and database technology. But unfortunately not with a parchment attached to it (yet).

    Qualitarian

    It’s all about quality. Quality of outcomes for the end customer in a value chain. And quality of outcomes for the data controller, or the regulator, or society. Everything comes down to this.

    • Laws exist to regulate outcomes. Often badly
    • How we internalise and conceptualise the customer and the outcome are key to achieving the right balance.
    • Technology is a tool to getting us there but is not a destination.
    • The economic value is the point at which things are good enough to achieve the outcome that is required… and no more… anything beyond that is a value-add luxury that we can charge premium price for.

    Now. Where’s my scrabble board?

  • Why Apple’s iOS6 changes mean increased work for Irish Data Protection Commissioner

    At Apple’s WWDC conference this week nerds, fanbois and developers were greeted by the news that Apple will be shipping iOS6 later in the autumn (or “fall” for non-European readers). Among the features that Apple is touting are:

    1. Ditching Google Maps for its own mapping product and GPS tools
    2. More deeply integrating Facebook with iOS, similar to the deep integration with twitter that emerged in iOS5.

    I personally have some privacy concerns about this level of integration and the potential for Apple to become even more the “Big Brother” they so eloquently mocked in their 1984 TV advert.

    Maps

    By ‘baking in’ an application (Apple Maps) that will likely require me to disclose my location to Apple in order to work (and which at first glance appears to be less useful than Google Maps), I’m getting a less good deal on which to base the sharing of my personal data. And Apple aren’t giving me a map for the good of my health or because they want me to know where I am.

    Location data is part of the “Big Data” gold rush. Traditionally it has been mobile telcos who have access to this data and can analyse it to determine a variety of offerings for customers (next time you get a “pleasantly surprising” SMS message telling you about a special offer in the coffee shop you just happen to be near, congratulations, you’ll have walked within range of a ‘geo-fence’ that will have triggered the SMS. Assuming of course you opted-in to that kind of thing. Like that voucher service you signed up to).

    Google tracks you as well when you use Google Maps on your iPhone. But, in the absence of a Google login, that tracking is relatively anonymous, going down at most to being able to identify that a particular device was in a particular location (unless you’re logged into a Google service on your device, in which case rest assured Google is probably making associations on the fly).

    Apple on the other hand can also link your location to your phone. And your phone is registered to you. Through iTunes. So Apple will potentially have access to a more granular level of data about who is where, when, who is near them, who they are contacting (iMessage makes your SMS free to another iPhone user… congratulations, Apple now knows who you are messaging). Apple knows what kind of music you like, what movies you rent, your demographic segment… (it’s the iTunes platform!)

    By adding maps to the mix in the iOS/iTunes platform, Apple can also tap information about you in motion – where you are travelling from, to, how fast and can probably make assumptions about your mode of transport (moving fast, not on a road, in a relatively straight line… means you’re probably on a train. Well done, Apple now knows you are probably a user of public transport).

    As CNET reporter Rafe Needleman writes:

    …the more users you have running your geolocation software, the more data you have about how fast people are moving. Apple’s adoption of its own mapping platform means it will now get access to that data from its iPhone users, assuming (and it’s a big assumption) that Apple can hurdle the privacy issues over gathering that data.

    And as Apple’s European HQ is based in Cork, it will be the Irish Data Protection Commissioner who will be in the vanguard of haggling with Apple with regard to the nature of the terms and conditions and controls that will be placed on the processing of the valuable and very identifiable personal data in question.

    Facebook

    I use Facebook. I have a Facebook profile. I am a believer in Sun Tzu’s mantra that one must know your enemy.

    By tightly integrating Facebook with iOS6 Apple potentially gets access to a valuable array of data about who you know, your interests, etc. Facebook get an easier to manage interface and a more ‘baked in’ and reflexive sharing of content and information by Facebook users.

    And the individual gets another avenue by which personal data by and about them may wind up in places they were not expecting or being used in ways they didn’t anticipate.

    Later this month Facebook will be facing into the return visit of the Irish Data Protection Commissioner who made relatively negative findings in their audit report earlier this year (but not as negative as many may have hoped). As the integration with iOS was not in the scope of their original review, I suspect it will not be on the table for discussion (at least not formally).

    But again it is the Irish Data Protection Commissioner who is in the vanguard of protecting the fundamental rights to Data Privacy which are enshrined in EU law and which Facebook, through its terms and conditions, extends to Facebook users everywhere outside of the US and Canada.

    And it means Apple don’t have to waste any more time and effort trying to put the bounce into Ping. They will have effectively outsourced that to Facebook. So Apple wins something. Facebook wins something. Where is the consumer’s win (and is it big enough to balance the impact on privacy)?

    Evolving the Platform

    Any minute now I expect my friend Phil Simon to fire out a blog post about how Apple’s ditching of Google and locking in and locking down of Facebook represents a platform strategy play in The Age of the Platform. Apple is simply adding more “planks” to its platform, pushing out a competitor platform and reducing the incentive for another platform to start competing in devices (or at least minimising the impact of any such competition by leveraging the critical mass of the iOS/iTunes platform).

    But to stretch and mangle Phil’s Platform analogy to the nth degree, any form of large scale construction requires permits and clearance and needs to balance the utility and convenience of what is being built (whether it is a shopping mall or a social media data sucking behemoth) with the impediments it may cause to the rights and enjoyments of individuals.

    And the “Building Control Inspector” in this case will more than likely be the Irish Data Protection Commissioner.

    • With less than 22 full time staff
    • A budget of less than €1.5million

    I fear that the back-end complexity of Apple’s move to front-end simplicity may be a killer blow to the efficiency and effectiveness of the Office of the Data Protection Commissioner, which is already creaking under the strain.

    Given the influx of DataSuck Platform companies into Ireland (LinkedIn, Facebook, Twitter, Google, Apple – admittedly here for years – Zynga etc.) the Irish Data Protection Commissioner is rapidly becoming the “Local Sheriff” in the Wild West of ‘Big Data’ exploitation for more than just the 4.5 Million people living on our little island.

    #SupportyourLocalSheriff

  • An Enforcement Reality supporting my “Penalty Points” idea

    Over my morning coffee this morning I read this story from eConsultancy.com about the UK ICO beginning ‘soft enforcement’ of the ePrivacy regulations around cookies.

    Good news: They are starting to enforce the law. They will be taking a balanced approach. I assume that the letters will take the form of Information Notices and possibly Enforcement Notices.

    Bad news: The level of breach that not complying with the Cookie provisions of the ePrivacy Directive constitutes is not likely to meet the standard of severity required for the ICO to levy a fine.

    So businesses will receive a letter. But we can be assured it will be a strongly worded one. But, given the mental discounting that management do in compliance situations, this is inevitably going to lead to precisely no change in compliance behaviour. When faced with the question “So, what’s the worst that is likely to happen?” Data Protection Officers or advisors will have nowhere to go in their persuasion. It is all carrot and no stick. And CxO level managers are pure carnivores, so carrots are not that enticing on their own.

    • There will be no financial penalty for the Cookie breach
    • Any penalty that might arise will be for failing to comply with an Enforcement notice or provide information requested under an Information Notice. But that would require another cycle or three of communication between the ICO and the infringing company.

    There is no sting in the tail. The arc that must be travelled between Breach and Penalty is too long. And as every parent of a toddler knows, there is no point putting them on the naughty step days or weeks after their valiant but doomed attempt to juggle with kittens.

    Hence the need, in my view, to have something else that allows a sting to be put in the tail, that wraps the polite letter from the ICO (or the Irish DPC for that matter) in a small brick that will get attention. In my opinion, if the EU is serious about changing attitudes to Data Protection amongst businesses it needs to ensure that the laws that are passed can be enforced with both carrot and stick so that culture and values in business will change.

    Breaches of the Cookies rules fit the bill nicely for a structured penalty system that allows for cumulative penalties to build towards a more serious fine or enforcement action. Assume, for argument, that writing a non-essential cookie without notice and consent was a 1 point offence carrying a fixed penalty notice of €120/£100 for first offence (with higher penalties for subsequent offences). Audit tools such as those developed by CookieQ.com could be used to audit the site, tot up the number of cookies, an investigator could make a judgement as to the essentialness and generate a fixed penalty notice attached to the letter.

    Perhaps the 1st offence would be a “freebie”, with a second failure leading to a penalty (after all, we want this to be fair and graduated). At some threshold (let’s say 20 points) more serious penalties would kick in (perhaps the €2million outlined in the proposed Regulation, or mandatory multi-year privacy audits such as being imposed on firms in the US by the FTC). As this is an evolving thought doodle I won’t waste time mapping specifics here.

    If the penalty points for the Cookie infringement formed part of the overall “scorecard” that a company accumulates, they would add to the risk of a more severe penalty (and make one inevitable for hard core recidivists). If, as with parking tickets and speeding fines, the Data Controller had the right to appeal the fixed penalty to the Courts (at the risk of a greater penalty and increased publicity), the “mental discounting” would need to change. This would change the conversation for Data Protection Officers and advisors when the letter comes.

    Boss: “What is the worst that they can do?”

    DP Team: “Well, 50 cookies being written has already cost you €5000 in fixed price penalties. You can appeal them to Court, but that carries a risk of the penalty being increased further and a conviction being recorded against you.”

    Boss: “OK, so pay the fine and then we keep going.”

    Boss: “Oh shit. Let’s fix this then.”

    Just as cumulative breaches of Road safety lead to serious penalties, cumulative breaches of Data Protection rules could lead to more serious penalties.

    The benefit of this approach is it would encourage and incentivise organisations to focus on the small stuff. And as repeated studies in risk management and accident investigation have shown, the major disasters are usually a result of an accumulation of small things.

    According to econsultancy, the ICO is considering applying penalties based on a scale. It is not a significant jump from a scale for a specific penalty to a framework for levying administrative sanctions in a structured and transparent manner.

  • An open letter to Viviane Reding

    Dear Commissioner Reding,

    I’m writing to you as an EU Citizen who is passionate about data, its use, its quality, and its protection. I’m not writing to you as the Managing Director of a company that offers Data Protection training and consulting services, but in the interests of transparency I think it best to disclose that that is my day job.

    I am writing to you about the new Data Protection Regulation. In particular I’m writing to you about the penalties contained in the current draft proposal. Frankly I think they suck. I don’t think they’ll have the effect that you think they will have. I’m basing my opinion on a number of grounds:

    1. I have worked in Regulatory Operations in a Regulated industry that you are familiar with, telecommunications.
    2. I’m a keen student of human psychology and economics, particularly the psychology and economics of risk and reward. Understanding this “theory of psychology” is important in the world of Information Quality.
    3. I like to observe and learn from other industries and areas of life to see what can be applied to improving quality systems for and the governance of information.
    4. I’m the parent of a toddler. This might not appear immediately relevant but, in the context of Data Protection, my immediate experiences dealing with a stubborn personality in development who is programmed to push boundaries and infuriate me with apparent disregard for the standard of behaviour expected of her all too often find their parallels in the management teams and staff of organisations I’ve worked with.

    Taking these elements together I am afraid that 5% of Global turnover will not work as a penalty. It’s a great soundbite but will, in practical terms, amount to little more. There are a few reasons for this.
