EU to Google: We Really Mean it About Data Retention Limits

April 22, 2013

“Are these data and privacy protection regulations serious, or are they just for show?” I’ve been hearing that question lately from the tech reporters and journalists who’ve been contacting me. Even after pointing them to extensive case files and other documented incidents on government and legal sites, I’m still left with the feeling that it’s just not proof enough.

Fate has finally intervened.

With the EU Commission’s complaint against Google’s privacy policies reaching a conclusion, I now have a teachable moment to convince the naysayers that this stuff is serious business.

When Google changed its privacy terms in early 2012, the fine print was also being looked at by EU regulators. Google may have thought it was making it easier for consumers with a single policy covering all its web services, but others felt a bit differently. The Article 29 Working Party is in charge of advising the EU Commission on its data security and privacy rules, which are contained in the Data Protection Directive, or DPD. In late 2012, they filed a complaint against Google and addressed a letter to Mr. Page.

In so many words, the Article 29 folks said the search engine company had not done enough to follow DPD rules on consumer privacy.

Security experts, compliance gurus, CIOs, and other interested players would normally have to get the real story about this intersection of legal and tech in niche publications or in the back pages of certain business sections, or perhaps in a blog of a major data governance player. Since this is Google, and it appears that the EU is willing to go to the mat on this one—in other words, there will be fines—the story is now moving up in importance and appearing more prominently in business sections of main-stream publications.

You can read from the regulator’s report to learn about the long list of Google’s privacy shortcomings, which are conveniently bold-faced. I offer a few of their choice phrases: “no valid consent”, “incomplete or approximate information”, and “retention periods must be appropriate in regards to the purpose.”

Whoa! The EU (technically the individual national data protection authorities, led by France’s CNIL) will fine a major American online service provider over their … data retention policy?

Of course, having data retention policies and procedures —what to keep, what to archive—in place is just IT common sense. But you’re probably thinking that just because an organization doesn’t have explicit data retention or migration plans doesn’t mean it has broken the law.

Actually, it’s not only the EU that takes this IT procedure seriously. Data retention limits also show up in the US’s HIPAA rules for personal health data and in some financial data security regulations. But usually the limits—measured in years—are the amount of time an electronic document must be kept.

The EU, though, views data collection and retention with a goal of “data minimization” in mind: companies should store the minimum amount of personal data and limit the duration to what “must be appropriate in regards to the purpose”. That’s essentially the language of the DPD law. In other words, you just can’t keep personal consumer data unless there’s a legitimate business reason, you have to say what that reason is, and you have to say how long you’re going to keep it.
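The principle in the paragraph above (keep personal data only for a declared purpose, for a declared period) is straightforward to turn into a control that runs against a data inventory. The following is an added example, not code from the original post or from any regulator: the purposes, retention periods and records are constructed assumptions, and the function names (`retain_until`, `review`) are hypothetical. Every record must carry the reason it is held; the reviewer flags records whose reason was never declared or approved separately from records whose declared period has simply run out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed policy: each purpose for which personal data is held, mapped to
# the maximum retention period declared for that purpose. The purposes and
# durations are illustrative assumptions, not values from any regulation.
RETENTION_POLICY: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=365),
    "fraud_prevention": timedelta(days=180),
    "newsletter": timedelta(days=730),
}

# Date used for the worked run below (constructed).
DEMO_TODAY = date(2013, 4, 22)


@dataclass(frozen=True)
class PersonalRecord:
    subject_id: str          # pseudonymous key for the data subject
    purpose: Optional[str]   # declared purpose; None = collected with no stated reason
    collected_on: date


def retain_until(record: PersonalRecord, policy: Dict[str, timedelta]) -> Optional[date]:
    """Last day the record may be kept under the policy, or None if no
    declared, approved purpose justifies holding it at all."""
    if record.purpose is None or record.purpose not in policy:
        return None
    return record.collected_on + policy[record.purpose]


def review(records: List[PersonalRecord], policy: Dict[str, timedelta],
           today: date) -> Dict[str, List[str]]:
    """Sort records into three buckets:
       keep        - a declared purpose exists and its retention limit has not passed
       expired     - the purpose's retention limit has passed; schedule for erasure
       unjustified - no declared purpose, or a purpose the policy never approved
    """
    report: Dict[str, List[str]] = {"keep": [], "expired": [], "unjustified": []}
    for rec in records:
        deadline = retain_until(rec, policy)
        if deadline is None:
            report["unjustified"].append(rec.subject_id)
        elif deadline < today:
            report["expired"].append(rec.subject_id)
        else:
            report["keep"].append(rec.subject_id)
    return report


# Constructed sample inventory of personal records held by a hypothetical retailer.
SAMPLE_RECORDS = [
    PersonalRecord("u1", "order_fulfilment", date(2012, 6, 1)),
    PersonalRecord("u2", "order_fulfilment", date(2012, 3, 1)),
    PersonalRecord("u3", "fraud_prevention", date(2013, 1, 15)),
    PersonalRecord("u4", None, date(2013, 1, 1)),          # no reason recorded
    PersonalRecord("u5", "analytics", date(2013, 2, 1)),   # purpose never approved
    PersonalRecord("u6", "newsletter", date(2011, 1, 1)),
]

if __name__ == "__main__":
    for bucket, ids in review(SAMPLE_RECORDS, RETENTION_POLICY, DEMO_TODAY).items():
        print(f"{bucket:12s} {ids}")
```

The split between `expired` and `unjustified` matters in practice: an expired record is a housekeeping failure, while an unjustified one means data was collected without a purpose anyone signed off on, which is the gap the regulator’s “no valid consent” and “retention periods must be appropriate” findings point at.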

According to France’s CNIL, Google has to this date refused to provide any information about its data retention policies after being requested to do so.

And the EU Commission has been very clear that there will be consequences for not following its rules. How bad could the fines be for violating the DPD, whether willfully or negligently? The head of the Commission is suggesting they could run as high as 2% of global sales.

Last year Google earned revenues of over $45 billion. You do the math on what it means for not taking data compliance regulations seriously.


Clash of Compliance Cultures: Old vs. New World

February 11, 2013

In the last few years, US companies have not been shy about expressing their feelings on the EU’s Data Protection Directive (DPD). There’s a major social media player, for example, with a European HQ in Ireland that’s been publicly critical of a proposed “right to be forgotten” rule for letting consumers delete their online data. There’s also a search engine service that, while not openly objecting, is instead suggesting it’s already doing a darn good job of meeting the DPD’s rules.

US companies have begun to learn that the data privacy rules and expectations they’re accustomed to in the US are viewed differently on the other side of the Atlantic. The EU Charter (the European constitution) explicitly lists data protection as a fundamental right. That’s roughly like having a US constitutional amendment devoted to encryption, which, at this time, there isn’t.

This is not to say there’s a complete privacy compliance chasm between the US and EU.

Healthcare companies have long had extensive regulatory obligations under HIPAA for securing health information, alerting consumers about breaches, and gaining consent on information transfers. US companies in the banking and credit sectors could point to parallels in Gramm-Leach-Bliley and the Fair Credit Reporting Act.

While US medical and financial companies have had to deal with privacy and security legal burdens, that’s not been the case with the social media players. Because the Data Protection Directive covers all companies collecting data—not just ones in select, albeit important, industries—and through its Safe Harbor treaty it snags US firms as well, it’s not surprising that US Internet-based companies face the most culture shock when conducting business in the EU.

The ultimate issue is that in the new information economy data is revenue, and so deleting it is like, well, burning legacy paper currency.

Besides the right to data erasure differences, another sticking point between US social media companies and the EU is on rules for reasonable data retention limits. But this again reflects mostly differences between old and new economies. After all, outside the social media world, it’s generally considered good security policy (limiting data breach liabilities) to keep PII data to a minimum and erase it when it’s no longer necessary. For example, the credit card vendors, through their PCI industry standard, emphatically remind corporations with regard to credit card numbers that “if you don’t need it, don’t store it!”

But new regulatory forces along with changes in consumer attitudes may tilt social media companies towards a European view.

The FTC’s new privacy framework that was published earlier last year (and that I always come back to) calls for minimizing collection of consumer data and sensible retention limits. There’s a (stalled) bill in the Senate, revealingly entitled “The Commercial Bill of Rights”, which would implement some EU-style data and privacy protections. The bill’s scope, by the way, covers any company that “collects, uses, transfers, or stores covered information concerning more than 5,000 individuals.”

Good data protection and privacy best practices may one day become as American as espressos and lattes.


The New Privacy Environment: European Union Leads the Way on Personal Data Protection

October 24, 2012

We all understand the risks in accidentally revealing a social security number. But are there other pieces of less identifying or even anonymous information that taken together act like a social security number? The European Union is breaking new ground on consumer privacy as it begins to reform its own regulations. The EU’s broader ideas on personal identity have even made their way across the pond into proposed new US regulations.

The history of the European Union’s consumer privacy and data security regulations begins with its 1995 Data Protection Directive (or EU 96/46EC for security wonks). EU directives provide guidance to its member nations’ legislatures, who then are free to craft their own specific laws. The DPD has been influential in shaping the vocabulary and, less charitably, the jargon of the consumer privacy discussion on both sides of the Atlantic.

In the US, the starting point for discussion on data security is Sarbanes-Oxley, which became law in 2002. In comparing and contrasting the two, it’s fair to say the DPD was more focused on securing consumer information, but more inclusive (unlike SOX) in covering both public and private companies. To this day there’s no single comprehensive US law on consumer privacy.

The EU’s original directive is significant because it defined personal data as “information relating to an identified or identifiable natural person”. For example, by EU rules, street address, name, and phone number are personal data; height, eye color, and the model of car you drive are not. This notion of personal data as a type of key is part of the definition used in privacy laws outside the EU, including the US. In North America, though, we’ve come up with our own term for personal data, calling it instead “personally identifiable information” or PII.

By the way, the EU regulators intentionally created a less explicit definition of personal data so that it would encompass new technologies. In 2012, data related to an identifiable person could now be an email address, IP address, and for some EU nations, even a photo image.

To bring the story up to date, security experts began to realize that along with personal data there was other data (let’s call it quasi-personal) that, if released, could also be used to relate back to an individual. The data magic to accomplish identification typically requires matching a collection of anonymous data points (birth dates or years, zip codes, ethnicity, and perhaps car model driven) against publicly available databases.

For example, there are well documented cases involving anonymized hospital discharge records subsequently used to re-identify the original patients!

With Facebook now up to 1 billion active users, it’s fair to say that the Web is overflowing with personal data at all levels of detail. Essentially, social networks have provided hackers (the new ominous player on the scene) with a huge public repository to match against (cf. Matt Honan).

To get a better understanding of how it’s possible to re-identify an individual, let’s review a variation on the aforementioned case. While the technique is not always guaranteed to uniquely identify a person (this depends on the available related information), it can often produce a narrowed down list of highly likely subjects.

Suppose, for argument’s sake, a European mortgage company analyzes a health report from a large public hospital. The records show that five individuals were being treated for a rare disease. Their ages were also published. Assuming the patients live near the hospital, the mortgage lender then simply filters its database on zip code and birth year. Working with a smaller set of records, it then scans social media sites or other online forums, filtering on the retrieved names and other data, all the while looking, for say, “get well” messages. If it finds a few matches, and with the additional new data points from the social site … I think you see where this is leading.
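What makes the scenario above work is that the “anonymous” hospital extract still carries quasi-identifiers (zip code, birth year) whose combinations are nearly unique, so the question a data holder should answer before publishing such a report is how many people share each combination. The following is an added example, not code from the original post or from any hospital or regulator: it computes k-anonymity (the size of the smallest group of records that agree on all quasi-identifiers) over a constructed discharge extract, reports the under-populated groups, and shows the standard mitigation of generalising the quasi-identifiers and suppressing rows that still fall below the chosen threshold. The records, the 5-digit zip codes and the threshold of five are constructed assumptions, and the function names are hypothetical.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed de-identified discharge extract: names removed, but two
# quasi-identifiers (zip code, birth year) and a sensitive diagnosis remain.
RECORDS: List[Dict[str, object]] = [
    {"zip": "10001", "birth_year": 1961, "diagnosis": "rare-X"},
    {"zip": "10001", "birth_year": 1962, "diagnosis": "rare-X"},
    {"zip": "10002", "birth_year": 1961, "diagnosis": "flu"},
    {"zip": "10001", "birth_year": 1961, "diagnosis": "flu"},
    {"zip": "10451", "birth_year": 1975, "diagnosis": "rare-X"},
    {"zip": "10001", "birth_year": 1968, "diagnosis": "flu"},
    {"zip": "10002", "birth_year": 1969, "diagnosis": "flu"},
    {"zip": "10002", "birth_year": 1961, "diagnosis": "flu"},
    {"zip": "10002", "birth_year": 1963, "diagnosis": "rare-X"},
    {"zip": "10451", "birth_year": 1971, "diagnosis": "flu"},
    {"zip": "10451", "birth_year": 1978, "diagnosis": "flu"},
]
QUASI_IDENTIFIERS: Tuple[str, ...] = ("zip", "birth_year")

Key = Tuple[object, ...]


def equivalence_classes(records: Sequence[Dict[str, object]],
                        quasi_ids: Sequence[str]) -> "Counter[Key]":
    """Group records by their quasi-identifier tuple; each count is the number
    of people who are indistinguishable on those attributes."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: Sequence[Dict[str, object]], quasi_ids: Sequence[str]) -> int:
    """The dataset's k: size of its smallest equivalence class (0 for no records)."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def risky_classes(records: Sequence[Dict[str, object]], quasi_ids: Sequence[str],
                  k_min: int) -> Dict[Key, int]:
    """Quasi-identifier combinations shared by fewer than k_min records:
    these are the rows a linkage against an outside database would single out."""
    return {key: n for key, n in equivalence_classes(records, quasi_ids).items()
            if n < k_min}


def generalize(record: Dict[str, object]) -> Dict[str, object]:
    """Coarsen the quasi-identifiers: zip to its 3-digit prefix, birth year to decade.
    The sensitive attribute (diagnosis) is left untouched."""
    out = dict(record)
    out["zip"] = str(record["zip"])[:3] + "**"
    out["birth_year"] = (int(record["birth_year"]) // 10) * 10
    return out


def release(records: Sequence[Dict[str, object]], quasi_ids: Sequence[str],
            k_min: int) -> List[Dict[str, object]]:
    """Generalise every record, then suppress any row whose equivalence class
    is still smaller than k_min. The result is k_min-anonymous by construction."""
    generalised = [generalize(r) for r in records]
    classes = equivalence_classes(generalised, quasi_ids)
    return [r for r in generalised
            if classes[tuple(r[q] for q in quasi_ids)] >= k_min]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("groups below 5:", risky_classes(RECORDS, QUASI_IDENTIFIERS, 5))
    safe = release(RECORDS, QUASI_IDENTIFIERS, 5)
    print("released rows =", len(safe), "k =", k_anonymity(safe, QUASI_IDENTIFIERS))
```

On the constructed extract the raw data has k = 1 (every zip/birth-year pair but two is held by a single patient, exactly the situation the mortgage lender exploits), generalising lifts it to 3, and suppressing the one remaining small group yields an 8-row release with k = 8. One caveat a practitioner should keep in mind: k only bounds re-identification, not disclosure. If everyone in an equivalence class shared the same diagnosis, knowing someone is in that class would reveal it even without picking out the row, which is the gap the l-diversity refinement addresses.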

The good news is that the EU countries have long recognized that their laws have not kept pace. And the EU governing body is currently in the process of reforming the 1995 directive, taking into account the new realities of public data on the Web and the blurring of personal and anonymous data. To get a sense of the EU’s new thinking on personal data, refer to this work-in-progress paper.

And there are also rumblings of change in the US along the same lines as the EU reforms.


European Data Protection Reform Update: Summary of the 25 January 2012 Announcement

May 30, 2012

I know we are a few months out, but we spotted this reference on European Data Protection Reform that is really interesting:

Summary of the Changes

The following key areas of the reform will impact on privacy and data protection compliance for organisations:

  • A Single Set of Rules: The Proposed Regulation provides for a single set of rules for all organisations processing personal data in the European Union. It will replace the first Data Protection Directive (published in 1995), which will be repealed. This Proposed Regulation will have direct effect in all Member States and, as a result, will achieve greater harmonisation than if the reform was made by a revised Directive, which carries with it a risk of inconsistent implementation by Member States, as witnessed with the implementation of the Data Protection Directive. In addition to the Proposed Regulation, there will be a new Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
  • Fines: National data protection authorities will be allowed to impose fines of up to 2% of the worldwide gross revenue of an organisation. The 2011 proposal had set this amount at 5% of worldwide gross revenue.
  • “One-Stop Shop”: The Proposed Regulation implements a “one-stop shop” approach to data protection compliance in the European Union, meaning that an organisation only needs to comply with the data protection laws in place in the jurisdiction in which it has its main establishment. This is similar to the passporting system and principle of home state supervision, which is already reflected in European financial services regulation. In addition, the Proposed Regulation will have extra-territorial effect. This means it will apply to organisations (such as many U.S. businesses) that are not established in the European Union, but are active in the European Union market and offer their services to European Union citizens.
  • Data Breach Notification: The Proposed Regulation imposes a general requirement on all businesses to notify data protection authorities and data subjects in the event of a data breach. Notice of data breaches must be provided to the data protection authority “where feasible” within 24 hours, and to affected data subjects “without undue delay.” While breach notification has recently become a requirement for telecommunications and internet service providers, the Proposed Regulation extends this requirement to all organisations. Given the increase in global cyber risks and the reputational impact and associated costs of data losses and breaches, this aspect of the reform is likely to have a significant impact on organisations.
  • Consent: Where consent is to be used as a justification for processing personal data, the Proposed Regulation requires that it must be given explicitly, rather than assumed. This will cause particular concern for e-commerce organisations worried about how to obtain consent without detrimentally affecting the user experience.
  • Data Portability: The Proposed Regulation also introduces a new individual right of data portability, which is designed to facilitate an individual’s access to personal data. This requires organisations to permit customers to move their data to new organisations offering similar products or services. This is also intended to improve competition among services. While this may sound relatively straightforward, in practice the costs of migrating data from one system to another can vary significantly, and may be particularly burdensome for cloud providers and social networks.
  • The “Right to be Forgotten”: The Proposed Regulation also adds a new “right to be forgotten” which allows an individual to require an organisation to delete personal data where there is no longer any legitimate reason for keeping it. This new right is more stringent in nature than the existing obligation for data controllers not to keep data for longer than is necessary.
  • International Transfer of Data: The Proposed Regulation provides for a shift in the rules to reflect the way that data is currently transferred internationally. They seek to address the problem that current data protection laws function only within a given territory, usually defined along national borders, and do not reflect the reality of international business. In particular, organisations making use of the cloud will be collecting data in one territory and subsequently processing it in numerous other territories. The Proposed Regulation will simplify the requirements for organisations seeking to do this. In addition, it also aims to improve the current system of “binding corporate rules” to make compliance less burdensome – “binding corporate rules” are typically a set of intra-corporate global privacy policies that satisfy the European Union standard of adequacy when organisations are seeking to transfer the data outside of the EEA. The Proposed Regulation would require all data protection authorities to recognise “binding corporate rules” approved by an individual data protection authority.
  • Data protection by design and by default: The Proposed Regulation requires data controllers to only collect and retain personal data to the minimum extent necessary in relation to the purposes for which they are intended by design to be processed. This will be particularly controversial for organisations seeking to undertake data analytics of their mass repositories of data.
  • Accountability and Data Protection Officers: The Proposed Regulation seeks to increase the accountability of data controllers and data processors, including by requiring that they carry out data protection impact assessments prior to risky data processing activities. In addition, organisations with over 250 full time employees will be required to have a Data Protection Officer.

 

