Tag: data protection penalties

  • My personal thoughts on the Facebook Audit

    This post was originally published on the Irish Computer Society Data Protection blog. I am republishing it here as it is my original work and I am moving my Data Protection musings into one place.

    Over on my personal blog [this one] I’ve written a short piece about my thoughts re: the Facebook Audit by the DPC.

    All in all I welcome the findings (and at 40 or so discrete findings it is not a clean bill of health by any stretch of the imagination regardless of spin and positioning) but feel that, given the breadth of potential scope for any audit and the limited resources and time available to the DPC’s office, it was inevitable that some issues could be missed.

    I am personally dismayed that the DPC did not prosecute some or all of the offences that they identified, particularly those in relation to breaches of the ePrivacy directives (where clear penalties and court precedents exist). A high profile prosecution would have made it a lot easier dealing with clients and prospective clients as it would have focussed the attention on issues.

Also a number of unasked questions remain unanswered. For example, what is the position of Apps which process data outside the EEA? Does Facebook as a Data Controller not need to ensure that these apps (processors) are undertaking their activities in “safe countries” or under terms consistent with the Model Contracts approved by the European Commission?

    I’d like to think that this is part of a long term strategy by the DPC to develop a “poster child” for compliance (“hey, look… if Facebook can do it so can you”), whittling down issues and changing the Facebook mindset over time.

    But I am fearful that proper regulation and enforcement of Data Protection rules may be seen by the Irish Government as a barrier to enticing foreign investment in the data storage and services sectors and as such the independence of the DPC’s office may be threatened and its ability to effectively carry out its duties may be weakened.

The Office of the Data Protection Commissioner does a sterling job with a small cohort of staff, a massive remit and scope of responsibility, and a budget that, in their 2010 Annual Report, was less than €1.5 million. My instinct is that they opted not to blow that budget on prosecutions and instead elected to work the network of international authorities (Canada’s OPC, various German authorities, the FTC) to keep the pressure on to drive change rather than levy penalties.

    After all, any visit to Courts with a prosecution is a roll of the dice as to whether the judge accepts the full weight of the offences and agrees the penalties requested. The DPC could have spent quite a lot to achieve, in effect, the same result.

    However, I await with interest the findings of the rematch in July 2012. Will Facebook win gold for privacy then? Or will we see the true stamina of the Data Protection Commissioner in a legal tussle? All we can hope for is either an Olympic performance from the “New Facebook” or a Herculean stand by the DPC in defence of individual privacy.

  • New Rules, Old Principles

    This was first posted on the Irish Computer Society Data Protection Blog. I am republishing it here as it is my original work and I am putting all my Data Protection musings in one place.

    So, the revised e-Privacy Directive has been given legal effect as of 1st July (only a little over a month late). The Data Protection Commissioner has issued revised guidance on the processing of personal data in the context of electronic communications. Some of what is contained in this legislation is new. However, even the new stuff is merely an incremental evolution of the underlying principles of Data Protection to address the privacy concerns presented by new technologies, the maturing of existing technologies, and the emergence of new ways of processing personal data.

The key to ensuring compliance with these revised rules is to ensure that you have a solid understanding of the underlying principles of Data Protection and the role of information in your organisation (its meaning and purpose) so that you can better understand how the actions of your staff and the systems you use to interact with your customers might affect your ability to work within the regulations.

An earlier post discussed the likely impact on Cookies from the regulations. In short, you need to understand when, where, how, and why your websites and mobile device apps are writing data to your customer’s “subscriber equipment” [aka the device that is at the end of the telecommunications service connection, be that a physical phone line, wifi, 3G, GPRS, HSDPA etc.]. Once you know that information you can figure out what data storage requires consent and what data storage is essential to the delivery of the information society service.

    Another interesting and subtle change is that the Commissioner has removed the ‘grey area’ around collecting email addresses in business networking or similar activities. Before there was an assumption of “one bite free” where you could contact people once but give them the option to opt out of future contact. This is now very categorically an opt-in thing where you are sending emails to an identifiable natural person, particularly where that person is not party to a customer relationship.

You can still avail of the “free bite of the apple” when dealing with non-individually identifiable business entities, and with individuals in organisations who might reasonably be interested in the product, service, or subject matter of the message.

    A worked example might help explain this better.

• Frank is a salesman for BloggoTech. At a trade fair he meets Jerry, who is a purchasing manager from ClientCo, with whom BloggoTech have an existing relationship.
• Frank also meets Mary, a marketing manager from ProspectCo. Neither Mary nor ProspectCo are clients of BloggoTech.
    • Jerry gives Frank an email address to contact him at: Jerry.Client@ClientCo.ie
    • Frank also has ClientCo’s general contact email address: info@clientco.ie
    • Mary gives Frank her business card with email, phone, SMS etc.
    • The business card also has “info@prospectco.com” as a general contact email address.

Frank can contact Jerry by any contact point he has for him (subject to Jerry making his preferences known) because ClientCo are an existing client who have purchased within the last 12 months. As soon as Jerry asks Frank to stop contacting him by whatever contact mechanisms or for whatever purposes, Frank must do so.

Mary, however, poses a problem in light of the revised guidance. If Frank has not gotten her permission to do a follow-up contact with her then the only email address he can use is the “info@prospectco.com” email, unless he is communicating with Mary about something that he knows will be of interest to her. Of course, he has the option of sending a fax for her attention (which the company can opt out of), or posting her materials by snail mail (which she can opt out of).

    This relates to the fundamental principle that personal data must be obtained fairly, for a specified and lawful purpose.

Many people might protest that requiring people at conferences to get consent before doing a follow-up contact is unduly burdensome, but it is actually quite simple. When handing over your business cards, simply ask “Is it OK if I drop you an email later in the week with some information about [insert subject matter here] and a link to our newsletter sign up?”. This simple conversation point clarifies that you will be contacting the person, and clarifies the context in which you will be communicating with them.

There… consent obtained.

    The real challenge is presented to event organisers who might share lists of delegates at an event with other attendees. Care must be taken to remove any means of electronic contact. But most large data management events I attend provide heavily redacted delegate lists that identify the person and the company, and perhaps their country, but not enough that you could contact them directly from it. So, event organisers need to start thinking about contact information as valuable data which should not be shared.

    I’ve had experience with a business networking event sharing my details willy-nilly in an attachment sent to the other 100+ people who had registered for the event (which would be a notifiable disclosure under the Data Breach Code of Practice). The problem could have been prevented by simply having an opt-in box telling me that my details could be shared if I wanted them to be.

    In short… designing privacy into the process, not inspecting breaches out.

    Companies exhibiting at events need to up their game away from the “business card fishbowl” with a spurious raffle to collate contact details. Again, a little thought can help design a safer and more compliant process (a tick box for consent to further contact for purposes not related to the raffle for example, or clarification that anyone entering the raffle will receive one marketing email). After all, if the guidance from the DPC is that the communication needs to be relevant to the interests of the Data Subject, I might only want to receive communications from the company about the iPad I’ve won.

    The new rules are built on old principles. If you understand the principles and take them to heart you can begin to develop strategies for using the new rules to your advantage.

  • The Cookie Monster Cometh

    First published on the Irish Computer Society Data Protection Blog. Republished here as it is my original work and I’m putting all my Data Protection musings in one place.

    So, this day next week (26th May) will see the introduction into Irish Law of Directive 2009/136/EC. It’s a tweak to the existing electronic privacy regulations. The ones that relate to spamming by fax, email and SMS and carry penalties of up to €5000 per breach.

    [update: Well the deadline came and went without the Irish Government enacting the legislation. We await further developments]

    [Update 2: Legislation in effect from 1st July 2011. See Data Protection Commissioner website for Guidance Note]

These new regulations relate to Cookies, those little text files which are written to your computer by websites. Of course, it’s not just text files. Flash also has a version of ‘cookies’ to help track your interactions with flash movies or activities (so if you go away you can restart where you left off rather than having to go back to the beginning – for example in an e-learning package). The intention of the Directive is (amongst other things) to improve the personal privacy of internet users by controlling the use of cookies.

    While the intent of the Directive (to come into effect in a Statutory Instrument next Thursday) is relatively straightforward, the practicalities of implementing it may be challenging for organisations. Added to that there is a level of unawareness about the issue in Ireland, particularly on the business side of organisations. This will actually be the biggest challenge to Compliance.

Organisations now need to step back and stop thinking of cookies and web development as a techie issue. Cookies are a data asset of the organisation which you use to achieve certain goals and purposes. The key issues that need to be considered are:

    • What are your processes and their objectives?
    • How do cookies help you achieve those goals?
    • What information do you need to be writing to cookies to achieve your goals?
    • What things/services that people want to use on your site won’t work without cookies?

    The Regulations set out two sets of conditions where the use of the cookies is permitted. Either:

    1. You have gotten informed consent from the Data Subject by way of providing prominent and accessible information about your use of cookies and providing some means of recording the consent to those purposes (fyi: this cannot be a ‘passive’ process) OR
    2. Being able to identify that the use of the Cookies is strictly necessary for the delivery of services explicitly requested by the subscriber

Being a little bit blunt about this, the first condition is only slightly more onerous than the existing requirements on websites that process personal data about individuals, which have to provide a coherent statement of what they are going to use the personal data for (most don’t in my experience – the standards of some that I have looked at over the past few years often leave a lot to be desired and are indicative of a ‘tick the box’ approach to Compliance).

The second condition however gives a conditional pass, similar to the Lawful Processing condition of ‘Necessary to complete a contract’ under section 2 of the Data Protection Acts 1988 and 2003. Basically, it applies if you can demonstrate that the thing that the customer wants to do (and has asked to do) can’t be done without having a cookie to temporarily store some data on the subscriber’s ‘terminal equipment’.

    So. How do you do that? And how do you identify which of the cookies your site and processes are writing fall into the camp of needing to be flagged and consented to and which ones fall into the ‘doable because we can’t deliver without it’?

    By stepping back and looking at the MEANING and PURPOSE of the information you are writing to the devices of people who are visiting your site you can start to make informed business driven choices about what needs to be changed and why in terms of how your websites work. This means having to look at the process flow and information flow underpinning your website and informing yourself about what is being done where, why, how, and by whom.
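    As an added illustration (not code from the original post) of the two conditions described above, the following script keeps an inventory that records each cookie’s purpose and classification, and only permits a non-essential cookie where an affirmative consent record covers its purpose; a missing or default (“passive”) consent record never unlocks anything. The cookie names, purposes and the shape of the consent record are assumptions made for the example.

```javascript
// Added example, not the original post's code. Cookie names, purposes and the
// consent record format below are constructed assumptions.
const cookieInventory = [
  { name: "sessionid", purpose: "keeps the user logged in during the checkout they requested",
    category: "essential", strictlyNecessary: true },
  { name: "basket", purpose: "holds the items the user has asked to buy",
    category: "essential", strictlyNecessary: true },
  { name: "analytics_id", purpose: "tracks pages viewed across visits",
    category: "analytics", strictlyNecessary: false },
  { name: "ad_profile", purpose: "builds an interest profile for third-party adverts",
    category: "advertising", strictlyNecessary: false },
];

// A consent record only counts when it was created by an affirmative act and lists
// the categories it covers. No record, or one created by default, is not consent.
function hasValidConsent(record, category) {
  if (!record || record.method !== "affirmative") return false;
  return Array.isArray(record.categories) && record.categories.includes(category);
}

// Names of the cookies the site may write for this visitor: strictly necessary
// cookies always, every other cookie only with matching affirmative consent.
function permittedCookies(inventory, consentRecord) {
  return inventory
    .filter(c => c.strictlyNecessary || hasValidConsent(consentRecord, c.category))
    .map(c => c.name);
}

// Cookies that must not be written (or must be cleared) for this visitor.
function cookiesToDrop(inventory, consentRecord) {
  const allowed = new Set(permittedCookies(inventory, consentRecord));
  return inventory.map(c => c.name).filter(n => !allowed.has(n));
}

// Stand-alone demonstration: a visitor who has consented to analytics only.
console.log(permittedCookies(cookieInventory, { method: "affirmative", categories: ["analytics"] }));
console.log(cookiesToDrop(cookieInventory, null));
```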

I can’t upload graphics to this blog, but over the next few weeks I’ll post some articles over on my company website that will examine some of the approaches to doing that kind of analysis as part of an Information Governance framework that will support Data Protection goals. However, it is important to note that this is not a job (just) for techies because you need to be very clear on the “Just because you can doesn’t mean you should” aspects of Data Protection. This must be led by the Business leadership of the organisation because, ultimately, they are the people who will have to explain to the Data Protection Commissioner, the Courts, and Joe Duffy what the cookies on the website were doing.

    When you write a cookie to someone’s device (pc, phone etc.) you are essentially renting space from them to store information about them or their behaviour or what their interactions might be. Individuals can limit your ability to rent that space using browser settings to block cookies, but at the current state of the art these are somewhat crude tools and, in the case of Flash, are not actually a complete set of tools (you need to do different things to block Flash Cookies).

    The forthcoming regulations seek to introduce a rebalancing of the rights and duties relating to the information stored by and represented in cookies in line with the spirit and practice of Data Protection law and Privacy rights. It will take time for that balance to settle, but those who take the time now to understand the meaning and purpose of cookies they are using and their role in the processes running on their websites will be in a much stronger position to meet future Compliance standards under these regulations.