If Google cares about cookie consent, so should you.

Posted on April 16th, 2013 by Phil Lee

Over the weekend, Google made a subtle – but significant – modification to its online search service in the EU: nearly two years after Europe’s deadline for EU Member States to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.

If you’re a visitor from the US, you may have missed it: the banner shows only if you visit Google sites from within the EU. However, EU visitors will clearly see Google’s consent banner placed at the bottom of its main search page and at the top of subsequent search results. As well as informing visitors that “By using our services, you agree to our use of cookies”, the banner provides a “Learn more” link that visitors can click on to watch a video about Google’s cookie use and to see disclosures about the cookies it serves.

This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon (another implied consent solution for targeted adverts) on ads served through its FBX exchange, the implications become huge for the following reasons:

* CPOs will find selling cookie consent adoption much easier now. Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain, and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators there’s been no “real” enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost / benefit analysis and chosen inaction over compliance. But when two of the Internet’s most heavily scrutinised businesses actively engage with cookie consent, they clearly think it’s an issue worth caring about – and that means it’s an issue YOU need to care about too. The “Google does it” argument is a powerful tool to persuade the business it needs to re-think its strategy and adopt a cookie consent solution.

* Regulatory enforcement just got easier. Rightly or wrongly, a perceived challenge for regulators wanting to enforce against non-compliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry “What about them?”, immediately presenting regulators with a challenge: do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it’s not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.

* Implied consent IS the accepted market standard. When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent pop-up windows every time we logged online. Whizz forward a few years, and thankfully this hasn’t happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we’ve seen Member States and – perhaps more importantly – the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lends significant credibility to implied consent, and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.

This post first appeared in the IAPP’s Privacy Perspectives blog, available here.

.............................................................................................................................................

In defence of the privacy policy

Posted on March 29th, 2013 by Phil Lee

Speaking at the Games Developers’ Conference in San Francisco yesterday on the panel “Privacy by [Game] Design”, I was thrown an interesting question: Does the privacy policy have any place in the forward-thinking privacy era?

To be sure, privacy policy bashing has become populist stuff in recent years, and the role of the privacy policy is a topic I’ve heard debated many, many times. The normal conclusion to any discussion around this point is that privacy policies are too long, too complex and simply too unengaging for any individual to want to read them. Originally intended as a fair processing disclosure about what businesses do with individuals’ data, critics complain that they have over time become excessively lengthy, defensive, legalistic documents aimed purely at protecting businesses from liability. Just-in-time notices, contextual notices, privacy icons, traffic lights, nutrition labels and gamification are the way forward. See, for example, this recent post by Peter Fleischer, Google’s Global Privacy Counsel.

This is all fair criticism. But that doesn’t mean it’s time to write off privacy policies – we’re not talking an either/or situation here. They continue to serve an important role in ensuring organisational accountability. Committing a business to put down, in a single, documented place, precisely what data it collects, what it does with that data, who it shares it with, and what rights individuals have, helps keep it honest. More and more, I find that clients put considerable effort into getting their privacy policies right, carefully checking that the disclosures they make actually map to what they do with data – stimulating conversations with other business stakeholders across product development, marketing, analytics and customer relations functions. The days when lawyers were told “just draft something” are long gone, at least in my experience.

This internal dialogue keeps interested stakeholders informed about one another’s data uses and facilitates discussions about good practice that might otherwise be overlooked. If you’re going to disclose what you do in an all-encompassing, public-facing document – one that may, at some point, be pored over by disgruntled customers, journalists, lawyers and regulators – then you want to make sure that what you do is legit in the first place. And, of course, while individuals seldom read privacy policies in practice, if they do have a question or a complaint they want to raise, then a well-crafted privacy policy serves (or, at least, should serve) as a comprehensive resource for finding the information they need.

Is a privacy policy the only way to communicate with your consumers what you do with their data? No, of course not. Is it the best way? Absolutely not: in an age of device and platform fragmentation, the most meaningful way is through creative Privacy by Design processes that build a compelling privacy narrative into your products and services. But is the privacy policy still relevant and important? Yes, and long may this remain the case.

.............................................................................................................................................

ICO audits of the NHS – new powers coming

Posted on March 27th, 2013 by Stewart Room

The UK Ministry of Justice opened a public consultation yesterday on the expansion of the Information Commissioner’s compulsory audit power to the NHS. The NHS, which is one of the UK’s biggest employers and controllers of sensitive personal data, has been firmly in ICO’s sights for over a year now, as back in January 2012 the Commissioner identified “health” as his number one priority for regulatory action (see the “Information Rights Strategy”), which led to a series of high profile fines being imposed on NHS bodies for various data breaches (after Local Authorities, the NHS was the sector that received the most fines in 2012). ICO has long been arguing for the extension of its compulsory audit power to the NHS and it’s clear from the consultation document that the Government is supportive.

These audits, or “Assessment Notices” as the statutory language prefers, were introduced into ICO’s regulatory toolkit by the Coroners and Justice Act 2009, but while the legislation envisaged the possibility of ICO being able to audit any part of the economy, at the moment the audit power is restricted to Government departments. Many commentators regard this as odd and out of kilter with both the Parliamentary intent and the overall trajectory of data protection law. For instance, under the E-Privacy Regulations ICO has a related compulsory audit power which it can use in the electronic communications sector (principally telecoms companies and ISPs). Likewise the draft Data Protection Regulation includes a proposed wide-ranging audit power for national regulators in the EU. Similarly, the draft Cybersecurity Directive published in 2013 proposes a regulatory audit power for “Market Operators” who underpin the Internet, Cloud Computing services, health, transport, financial services and energy. In other words, compulsory regulatory audit powers are considered to be a fundamental component of mature regulation, albeit, of course, these powers should be exercised sparingly, proportionately and in a non-discriminatory manner.

The current proposal is a welcome opportunity for Government, ICO and the NHS to sort out the mess that is data protection regulation in the NHS. Currently, the “assessment” regime leads to very unfair results, in the sense that a data controller who undergoes a compulsory audit or assessment of legal compliance receives much more favourable treatment through immunity from fines than one who voluntarily reports a data handling problem to ICO for investigation. The recent pattern of fining in the NHS has not been universally welcomed, but these developments may reduce their frequency in a sector that feels harshly treated.

However, NHS bodies should not think that compulsory audits or assessments leave them free of enforcement measures. While ICO cannot fine after exercising an Assessment Notice, they can still impose Enforcement Notices, which are backed up by criminal sanctions for those controllers who do not comply with their terms. Yet, at least Enforcement Notices keep the money in the NHS, which means that the NHS can dedicate what would have been fine money to data protection improvements.

It will be very interesting to see how the NHS responds, but many bodies will be thinking about how they can avail themselves of ICO audits in the meantime to remove the spectre of fines. This is because voluntary audits and assessments carry the same immunity from fines as compulsory ones. Indeed, one might think that it will be a very unfortunate NHS body that is fined, because there is a pathway here to fine neutrality. So, will we see a rush of requests for voluntary audits and assessments? Clever NHS bodies must be thinking about this.

The Consultation closes on 17 May. If you would like to know more about Assessment Notices and how they operate, or if you would like a copy of my firm’s research into ICO enforcement actions in 2012, please contact me.

.............................................................................................................................................

The familiar perils of the mobile ecosystem

Posted on March 18th, 2013 by Eduardo Ustaran

I had not heard the word ‘ecosystem’ since school biology lessons.  But all of a sudden, someone at a networking event dropped the ‘e’ word and these days, no discussion about mobile communications takes place without the word ‘ecosystem’ being uttered in almost every sentence.  An ecosystem is normally defined as a community of living things helping each other out (some more willingly than others) in a relatively contained environment.  The point of an ecosystem is that completely different organisms – each with different purposes and priorities – are able to co-exist in a more or less harmonious but eclectic way.  The parallel between that description and what is happening in the mobile space is evident.  Mobile communications have evolved around us to take on a life of their own, separate from traditional desktop-based computing and web browsing.  Through the interaction of very different players, our experience of communications on the go via smart devices has become an intrinsic part of our everyday lives.

Mobile apps in particular have penetrated our devices and lifestyles in the most natural of ways.  Studies suggest that an average smartphone user downloads 37 apps.  The fact that the term ‘app’ was listed as Word of the Year in 2010 by the American Dialect Society is quite telling.  Originally conceived to provide practical functions like calendars, calculators and ring tones, mobile apps bring us anything that can be digitised and has a role to play in our lives.  In other words, our use of technology has never been as close and personal.  Our mobile devices are an extension of ourselves and mobile apps are an accurate tool to record our every move (in some cases, literally!).  As a result, the way in which we use mobile devices tells a very accurate story of who we are, what we do and what we are about.  Conspiracy theories aside, it is a fact that smartphones are the perfect surveillance device and most of us don’t even know it!

Policy makers and regulators throughout the world are quickly becoming very sensitive to the privacy risks of mobile apps.  Enforcement is the loudest mechanism to show that nervousness but the proliferation of guidance around compliance with the law in relation to the development, provision and operation of apps has been a clear sign of the level of concern.  Regulators in Canada, the USA and more recently in Europe have voiced sombre concerns about such risks.  The close and intimate relationship between the (almost always on) devices and their users is widely seen as an aggravating factor of the potential for snooping, data collection and profiling.  Canadian regulators are particularly concerned about the seeming lightning speed of the app development cycle and the ability to reach hundreds of thousands of users within a very short period of time.  Another generally shared concern is the fragmentation between the many players in the mobile ecosystem – telcos, handset manufacturers, operating system providers, app stores, app developers, app operators and of course anybody else who wants a piece of the rich mobile cake – and the complexity that this adds to it.

All of that appears to compromise undisputed traditional principles of privacy and data protection: transparency, individuals’ control over their data and purpose limitation.  It is easy to see why that is the case.  How can we even attempt to understand – let alone control – all of the ways in which the information generated by our non-stop use of apps may potentially be used when all such uses are not yet known, the communication device is undersized and our eagerness to start using the app acts as a blindfold?  No matter how well intended the regulators’ guidance may be, it is always going to be a tall order to follow, particularly when the expectations of those regulators in terms of the quality of the notice and consent are understandably high.  In addition, the bulk of the guidance has been targeted at app developers, a key but in many cases minor player in the whole ecosystem.  Why is the enthusiastic but humble app developer the focus of the compliance guidelines when some of the other parties – led by the operator of the app, which is probably the most visible party to the user – play a much greater role in determining which data will be used and by whom?

Thanks to their ubiquity, physical proximity to the user and personal nature, mobile communications and apps pose a massive regulatory challenge to those who make and interpret privacy rules, and an even harder compliance conundrum to those who have to observe them.  That is obviously not a reason to give up and efforts must be made by anyone who plays a part to contribute to the solution.  People are entitled to use mobile technology in a private, productive and safe way.  But we must acknowledge that this new ecosystem is so complex that granting people full control of the data generated by such use is unlikely to be viable.  As with any other rapidly evolving technology, the privacy perils are genuine but attention must be given to all players and, more importantly, to any mechanisms that allow us to distinguish between legitimate and inappropriate uses of data.  Compliance with data protection in relation to apps should be about giving people what they want whilst avoiding what they would not want.

This article was first published in Data Protection Law & Policy in March 2013.

.............................................................................................................................................

Designing privacy for mobile apps

Posted on March 16th, 2013 by Phil Lee

My phone is my best friend.  I carry it everywhere with me, and entrust it with vast amounts of my personal information, for the most part with little idea about who has access to that information, what they use it for, or where it goes.  And what’s more, I’m not alone.  There are some 6 billion mobile phone subscribers out there, and I’m willing to bet that most – if not all of them – are every bit as unaware of their mobile data uses as me.

So it’s hardly surprising that the Article 29 Working Party has weighed in on the issue with an “opinion on apps on smart devices” (available here).  The Working Party splits its recommendations across the four key players in the mobile ecosystem (app developers, OS and device manufacturers, app stores and third parties such as ad networks and analytics providers), with app developers receiving the bulk of the attention.

Working Party recommendations

Much of the Working Party’s recommendations don’t come as a great surprise: provide mobile users with meaningful transparency, avoid data usage creep (data collected for one purpose shouldn’t be used for other purposes), minimise the data collected, and provide robust security.  But other recommendations will raise eyebrows, including that:

(*)  the Working Party doesn’t meaningfully distinguish between the roles of an app publisher and an app developer – mostly treating them as one and the same.  So, the ten man design agency engaged by Global Brand plc to build it a whizzy new mobile app is effectively treated as having the same compliance responsibilities as Global Brand, even though it will ultimately be Global Brand who publicly releases the app and exploits the data collected through it;

(*)  the Working Party considers EU data protection law to apply whenever a data collecting app is released into the European market, regardless of where the app developer itself is located globally.  So developers who are based outside of Europe but who enjoy global release of their app on Apple’s App Store or Google Play may unwittingly find themselves subjected to EU data protection requirements;

(*)  the Working Party takes the view that device identifiers like UDID, IMEI and IMSI numbers all qualify as personal data, and so should be afforded the full protection of European data protection law.  This has a particular impact on the mobile ad industry, who typically collect these numbers for ad serving and ad tracking purposes, but aim to mitigate regulatory exposure by carefully avoiding collection of “real world” identifiers;

(*)  the Working Party places a heavy emphasis on the need for user opt-in consent, and does not address situations where the very nature of the app may make it so obvious to the user what information the app will collect as to make consent unnecessary (or implied through user download); and

(*)  the Working Party does not address the issue of data exports.  Most apps are powered by cloud-based functionality and supported by global service providers meaning that, perhaps more than in any other context, the shortfalls of common data export solutions like model clauses and safe harbor become very apparent.

Designing for privacy

Mobile privacy is hard.  In her guidance on mobile apps, the California Attorney-General rightly acknowledged that: “Protecting consumer privacy is a team sport. The decisions and actions of many players, operating individually and jointly, determine privacy outcomes for users. Hardware manufacturers, operating system developers, mobile telecommunications carriers, advertising networks, and mobile app developers all play a part, and their collaboration is crucial to enabling consumers to enjoy mobile apps without having to sacrifice their privacy.”

Building mobile apps that are truly privacy compliant requires a privacy by design approach from the outset.  But, for any mobile app build, there are some top tips that developers should be aware of:
  1. Always, always have a privacy policy.  The poor privacy policy has been much maligned in recent years but, whether or not it’s the best way to tell people what you do with their information (it’s not), it still remains an expected standard.  App developers need to make sure they have a privacy policy that accurately reflects how they will use and protect individuals’ personal information and make this available both prior to download (e.g. published on the app store download page) and in-app.  Not having this is a sure-fire way to fall foul of privacy authorities – as evidenced in the ongoing Delta Airlines case.
  2. Surprise minimisation.  The Working Party emphasises the need for user consents and, in certain contexts, consent will of course be appropriate (e.g. when accessing real-time GPS data).  But, to my mind, the better standard is that proposed by the California Attorney-General of “surprise minimisation”, which she explains as the use of “enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.” Just-in-time privacy notices combined with meaningful user controls are the way forward.
  3. Release “free” and “premium” versions.  The Working Party says that individuals must have real choice over whether or not apps collect personal information about them.  However, developers will commonly complain that real choice simply isn’t an option – if they’re going to provide an app for free, then they need to collect and monetise data through it (e.g. through in-app targeted advertising).  An obvious solution is to release two versions of the app – one for “free” that is funded by exploiting user data and one that is paid for, but which only collects user data necessary to operate the app.  That way, users that don’t want to have their data monetised can choose to download the paid-for “premium” version instead – in other words, they have choice;
  4. Provide privacy menu settings.   It’s surprising how relatively few apps offer this, but privacy settings should be built into app menus as a matter of course – for example, offering users the ability to delete app usage histories, turn off social networking integration, restrict location data use etc.  Empowered users are happy users, and happy users means happy regulators; and
  5. Know Your Service Providers.  Apps serve as a gateway to user data for a wide variety of mobile ecosystem operators – and any one of those operators might, potentially, misuse the data it accesses.  Developers need to be particularly careful when integrating third party APIs into their apps, making sure that they properly understand their service providers’ data practices.  Failure to do proper due diligence will leave the developer exposed.

Any developer will tell you that you don’t build great products by designing to achieve compliance; instead, you build great products by designing a great user experience.  Fortunately, in privacy, both goals are aligned.  A great privacy experience is necessarily part and parcel of a great user experience, and developers need to address users’ privacy needs at the earliest stages of development, through to release and beyond.

.............................................................................................................................................

The Internet of Things and a balanced approach to regulatory intervention

Posted on March 14th, 2013 by Eduardo Ustaran

To say that the Internet has changed and penetrated our lives is without doubt an understatement.  As cliché as it may sound, Internet technology has already had an effect of historic proportions for humanity.  What is even more amazing is the fact that the real impact is yet to be seen and is only a few years away.  Today, using and benefiting from the wonders of the Internet typically involves a communication device – like a PC, a tablet or a mobile phone – that serves as an interface mechanism for the user.  Browsing the web, shopping online and communicating by e-mail have become second nature to anyone with access to a device connected to the Internet, and the fact that this can happen on the move in all but the most remote places on the planet only makes the whole experience more ordinary.  But the truth is that we have seen nothing yet!  A few glimpses of our current technological development show what is likely to happen next and the potential reach of the next stage in the evolution of the Internet.

The idea that things we do in the offline real world – like making breakfast, going to school, commuting to work, buying groceries, watching the telly and so on – could somehow be interconnected with each other through Internet technology in a sort of automatic way has the flavour of a 1960s science fiction cartoon.  However, that was precisely the kind of thing that a group of visionary engineers had in mind when in the late nineties – as the Internet was starting to catch on – they came up with the concept of the ‘Internet of Things’.  Their vision was that rather than having to rely on constant human intervention for feeding the Internet with instructions and information, everyday items – coffee machines, cars, fridges, central heating systems, TVs, tooth brushes…, you name it – could rely on the power of the Internet to provide even greater value and more convenient uses to their users.  Before we start thinking of this as a prequel for Terminator, this vision was not about machines running wild and taking over our lives, but about exploiting relatively straightforward and widespread technology to make our lives… easier, more pleasant, more productive, lazier???

It is early days for some of the immediately graspable applications of the Internet of Things to become the norm.  I still text my neighbour on my last day of holiday asking him to pop into my house and turn on the heating rather than log onto my gas company smart console device to do it remotely.  We still rely on weekly shopping lists rather than ask our fridges what we have run out of.  Our everyday offline life is basically still pretty offline.  On the other hand, data from trains, crops, water pipes, smart meters and even running shoes is now being digitally collected for our efficiency and enjoyment.  As technology evolves, every object on the planet could end up being a node in a truly ubiquitous network of networks.  Not even the sky is the limit.  The possibilities are as wide as our imagination and for the more sombre thinkers, so are the risks.  Privacy and security are at the top of the risk list and that has not gone unnoticed by policy makers.

In 2012, the European Commission carried out a public consultation which sought views on an appropriate policy approach to foster a dynamic development of the Internet of Things.  The Commission has recently published its report on the consultation and the findings reflect an unfortunately common polarisation of views.  The Commission’s report shows that, far from there being consensus as to the need for and scope of public intervention in connection with the Internet of Things, there are two clearly distinguishable factions: the so-called industry camp and the interested citizens, civil society and consumer organisations camp.  The industry argued strongly against any kind of intervention in a sector which is still in its infancy and claimed that Internet technology should develop further before appropriate policy measures can be devised.  The other side claimed that a new and stronger data protection framework was needed so that people can be fully in control of their data.

According to the civil society group of respondents to the Commission’s consultation, the required new framework needs to incorporate elements such as consent, purpose limitation, data anonymisation, transparency, privacy by default and by design, system security, data deletion, accountability and regulatory audits.  A real mouthful of measures which according to this group must override any economic considerations, given that fundamental rights like privacy, security and other ethical issues are at stake.  As is often the case, each side will see the other’s views as antagonistic and, worst of all, this could have the regrettable effect of drowning out the debate and preventing a balanced approach to regulatory intervention.  We cannot afford that to be the case.  Not just because of its potentially unreasonable effect on economic prosperity, but because there is a correct level of intervention that must be found and applied for everyone’s benefit.  As the Internet evolves, so does the need for privacy and security public policy.  The most appropriate outcome may be debatable but one thing is clear: responsible policies and norms must take into account real and likely opportunities as well as threats, not greedy dreams or extreme conspiracy theories.

This article was first published in Privacy Perspectives in March 2013.

.............................................................................................................................................

How to solve BCR conflicts with local law

Posted on March 13th, 2013 by Phil Lee

A frequently asked question by many clients considering BCR is “How can we apply BCR on a global basis?  What if non-EU laws conflict with our BCR requirements?”  Normally, this question is raised during an early-stage stakeholder review – typically, by local in-house counsel or a country manager who points out, quite reasonably, that BCR are designed to meet EU data protection standards, not their own local laws.

It’s a very good, and perfectly valid, question to ask – but one that can very quickly be laid to rest.  BCR are a voluntary set of self-regulatory standards that can readily be designed to flex to non-EU local law requirements.  Global businesses necessarily have to comply with the myriad different laws applicable to them, and the BCR policy can address this need in the following way:

(*)  where local law standards are lower than those in the BCR, then the BCR policy should specify that its standards will apply.  In this way, the local controller not only achieves, but exceeds, local law requirements and continues to meet its commitments under its BCR; and

(*)  where local law standards are higher than those in the BCR, then the BCR policy should specify that the local law standards will apply.  In this way, the local controller achieves local law compliance and exceeds its commitments under the BCR.

In both cases, the controller manages to fulfil its responsibilities under both applicable local law and the BCR, so a head-on collision between the two almost never arises.  But for those very exceptional circumstances where mandatory local laws do prohibit the controller from complying with the BCR, the group’s EU headquarters or privacy function is simply required to take a “responsible decision” on what action to take and to consult with EU data protection authorities if in doubt.

The net result?  Carefully designed BCR provide a globally consistent data management framework that sets an expected baseline level of compliance throughout the organisation – exceeded only if and when required by local law.

.............................................................................................................................................

Cabinet Office consults on cyber security standards – expression of interest by 8 April 2013

Posted on March 8th, 2013 by Dominika Kupczyk

As part of its Cyber Security Strategy, the Cabinet Office recently published a call for evidence on an organisational standard that best meets the requirements for effective cyber risk management. The aim of the consultation is to research and pick one preferred organisational standard for the private sector to protect against:

“low-end methods of compromise such as phishing and social engineering, malware and viruses.”

The Government is aware that it cannot protect against all risks and aims for a code of standards that would apply to all businesses alike, helping them to protect themselves from cyber security threats. The Government will endorse the selected standard as a “best practice” standard.

The consultation document provides that the standard sought should encompass an independent audit and assurance framework and be (or have the potential to be) recognised or aligned internationally. The Cabinet Office specifically wants to hear about suggested auditable requirements for the following technical and non-technical controls:

a. The governance of cyber security across the legal entity including dependencies upon other organisations.

b. The understanding of cyber security risks based upon the likelihood of the low-end methods of compromise exploiting vulnerabilities and causing business impacts.

c. The selection of controls to mitigate cyber security risks using an appropriate mix of awareness, preventative, detective and recovery controls across the physical, personnel and technical security functions.

d. The selection of controls should cover at least the following areas as described at reference b:

    i. Network security

    ii. Malware prevention

    iii. Secure configuration of information systems

    iv. Monitoring

    v. Removable media

    vi. Home and mobile working

    vii. Managing user privileges

    viii. User education and awareness

    ix. Incident management

e. Monitoring of the threat landscape and the effectiveness of the controls against that landscape.

f. The ability to react to changes in understanding of cyber security risks.

g. Reporting cyber security performance and incidents to the organisation’s owners, customers, information owners and regulatory authorities, in a structured manner that enables monitoring of cyber security trends across industry and identification of root causes of incidents.

Organisations that are interested in contributing should express their interest by Monday 8 April 2013, with the final date for submitting the evidence being 14 October 2013.  Guidance regarding submissions will be published by Tuesday 30 April 2013.

If you intend to participate in the consultation and would like to have a discussion with a member of our Data Security team, please email antonis.patrikios@ffw.com

 

Published by Dominika Kupczyk and Antonis Patrikios

.............................................................................................................................................

Bring Your Own Device – Information Commissioner’s Office issues new guidance

Posted on March 7th, 2013 by Leonie Power

The Information Commissioner’s Office (ICO) has today published its guidance on Bring Your Own Device (BYOD) – the term used to describe the trend whereby personal devices are used to access and store corporate information.

Unsurprisingly, a key focus of the guidance is on the need to take appropriate technical and organisational measures to protect the personal data held on the device, in particular having a BYOD policy that clearly sets out the responsibilities of device owners and ensuring that compliance with the policy is monitored on an ongoing basis.

In order to determine what security measures are appropriate, data controllers will need to determine the risks posed by BYOD. In this regard, the guidance sets out the factors that need to be taken into consideration when undertaking a risk assessment, for example: what type of data is held; where it may be stored; how it is transferred; how it may be used (i.e. the potential for a blurring of business and personal use); and how the device can be controlled and secured.

A large part of the guidance is dedicated to discussing the technical and organisational measures that should be considered in a BYOD context, with many of the suggestions being made in the form of practical “top tips”. Examples of top tips include using a strong password to secure devices, ensuring that any data stored on the device itself is encrypted and maintaining a clear separation between personal data processed on behalf of the data controller and personal data processed for the device owner’s own purposes. In this regard, the guidance suggests that data controllers should consider “sand-boxing” or ring-fencing personal data within certain apps.

As well as technical measures, the guidance supports the implementation of an appropriate policy framework, e.g. a clear BYOD policy, an Acceptable Use Policy and a Social Media Policy (if BYOD leads to an increased use of social media), and points to the need to ensure that there is a process in place for quickly and effectively revoking device or user access in the event of a reported loss or theft. It suggests by way of a top tip that data controllers should register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.

In addition, the guidance makes clear that a BYOD policy should facilitate compliance with all aspects of the Data Protection Act, not just security. For example, it suggests that using devices to connect to a single central repository of data (rather than allowing copies of data to be stored on many different devices) can help mitigate the risk of data being inaccurate, out-of-date or retained longer than is necessary, and makes it easier to respond to a data subject access request.

As well as risks to the personal data for which the data controller is responsible, the ICO also considers the potential privacy risks to the owner of the device. The guidance makes clear that any technical and organisational measures used to protect personal data must be proportionate to and justified by the real benefits that will be delivered.  The ICO points out that device owners should be told about any device tracking and the consequences of such tracking for them. They should also know exactly which data might be automatically or remotely deleted and under which circumstances. The ICO refers to its existing guidance on the topic of monitoring at work and suggests that employers should be mindful of any internet monitoring software in place, especially during periods of personal use.

The ICO guidance on BYOD can be found at http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online/byod.aspx

.............................................................................................................................................

Position of Spain on the General Data Protection Regulation: flexibility, common sense and self-regulation

Posted on March 7th, 2013 by Nuria Pastor

As expectations and concerns rise while we wait for the final position of the LIBE committee and the European Parliament on the General Data Protection Regulation (the “Regulation”), the report issued by the Spanish Ministry of Justice on the Regulation (the “Report”) and the recent statements of the Spanish Minister of Justice are music to our ears.

A few weeks ago the Spanish Minister of Justice expressed concern that SMEs could be ‘suffocated’ by the new data protection framework. This concern seems to have inspired some of the amendments suggested in the Report which are designed to make the Regulation more flexible. These include substantive changes to reduce the administrative burdens for organisations with a DPO or for those that have adhered to a certification scheme, and the calculation of fines on profits rather than turnover.

Spain favours a Regulation that relies on self-regulation and accountability, clearly steering away from a restrictive ‘one size fits all’ approach which establishes an onerous (and expensive to comply with) framework. The underlying objective of these proposals seems to be the protection of the SMEs at the core of the Spanish economy. A summary of the Spanish position is provided below:

- Regulation v Directive: there is agreement that a Regulation is the best instrument to standardise data protection within the EU. This is despite the fact that this will cause complications under Spanish Constitutional law.

- Data protection principles: the Report favours the language of the Data Protection Directive (which uses the expression “adequate, relevant and not excessive”) as it allows more flexibility than the language of the Regulation which refers to personal data being “limited to the minimum necessary”. In updating personal data, the Report suggests that this should only be required “whenever necessary” and depending upon its expected use as opposed to the general obligation currently set out by the Regulation.

- Information: the requirement to inform individuals about the period during which personal data will be kept is considered excessive and very difficult to comply with. The Report suggests that this should only be required “whenever it is possible”.

- Consent: the requirement of express consent is seen as too onerous in practice and “properly informed consent” is favoured, the focus being on whether individuals understand the meaning of their actions. The adoption of sector by sector solutions in this context is not ruled out.

- Right to be forgotten: this right is considered paramount but the point is made that a balance has to be found between “theoretical technological possibilities” and “real limitations”. Making an organisation solely responsible for the erasure of personal data which has been disseminated to third parties is regarded as excessive.

- Security incidents: various amendments to the articles that regulate breach notifications are suggested to introduce less stringent requirements to the proposed regime. The suggested amendments remove the duty to notify the controller within 24 hours and also limit the obligation to notify for serious breaches only. Notifications to data subjects are also limited to those that would not have a negative impact on the investigations.

- DPOs: it is proposed that the appointment of DPOs should not be compulsory but should be encouraged by incentives such as the suppression of certain administrative burdens (as referred to below). Organisations without the resources to appoint a DPO may also be encouraged to adopt a “flexible and rigorous” certification policy or scheme. Such certifications would be by sector, revocable and renewable.

- Documentation, impact assessments and prior authorisation: the suggested amendments propose a solution whereby organisations which hold a valid certificate or which have appointed a DPO would not have to maintain documentation, carry out PIAs or request authorisation from data protection authorities as provided for by Articles 28.2, 33 and 34 of the Regulation respectively.

- International transfers: Spain favours the current system but suggests that this could be made more flexible by only requiring the authorisation of the data protection authority for contractual clauses (which have not been adopted by the Commission or an authority) when the organisation does not have a DPO or a certificate.

- One-stop-shop: this concept is endorsed in general but the Report proposes that where a corporation is established in more than one Member State, the DPA established in the country of residence of an individual complainant should have jurisdiction to deal with the matter. The consistency mechanism would be used to ensure a coherent decision where there were several similar complaints in different countries.

- Sanctions and alternatives: Spain considers that the current system could be improved by providing less stringent alternatives to the imposition of fines. Furthermore, it is proposed that the way in which sanctions are calculated is reviewed on the basis that annual turnover does not equal benefits obtained. This is to avoid the imposition of disproportionate sanctions.

- Technological neutrality: technological neutrality is supported although the Report expresses concerns that such neutrality does not provide for adequate solutions for particular challenges, such as those presented by cloud computing or the transfer of personal data over the Internet.

- Cloud computing: the Report suggests that the Regulation should take this “new reality” into account and proposes the adoption of some measures, for example, those aimed at (1) finding a balance between the roles of controllers and processors in order to avoid cloud service providers becoming solely responsible for the processing of personal data; and (2) simplifying the rules on international transfers of personal data, for example by extending binding corporate rules to the network of sub-processors.

.............................................................................................................................................