All parties and stakeholders should continue to work hand in hand for high data protection’s standards all over Europe and generate the trust that is needed to reap the benefits that the digital revolution can provide.
The biggest lie on the Internet is ‘I have read and understand the Terms and Conditions’. At best one briefly scans a document that would otherwise make for a long and tedious read in legalese, especially for a non-English speaker.
In truth, no one really reads the fine print. To be perfectly blunt, who has the time – or desire – to ponder over a lengthy legal document in order to obtain access to a service or app?
Users of these services often have no other alternative. But by accepting their terms, they weaken the control they have over their own data. It is unclear whether these conditions are always lawful and proportional.
Furthermore, users are obliged to accept regular updates. Previously, one had the option of installing them or not, but not anymore.
These obligatory updates occasionally lead to critical problems and after an update, users must verify their privacy settings, as changes can be made without explicit notification. To make matters worse, public authorities sometimes ask us to use these technologies to interact with them.
Actions can and should be taken to protect European users. New ICT technologies should guarantee the privacy of potential users prior to their introduction. Effective privacy enforcement should be guaranteed by demanding privacy by design and fostered by mechanisms that prevent the unnecessary collection of data.
The handling of personal data should be more transparent. Companies should collaborate on these issues, and regulation should define what minimum level of security is reasonable.
A number of alternative approaches are possible.
Prior to the introduction of new operating systems, services and applications, a certificate of conformity as proof of compliance with the EU General Data Protection Regulation and national Data Protection Acts could be required. A permanent independent group of experts could be established to execute mandatory checks.
Service providers could adopt a more preventive approach. The existing opt-out approach could be replaced with an opt-in model, whereby the transfer of personal data is explicitly authorised by the user and default settings initially prevent such a transfer.
Service providers could clearly inform users what data is transmitted and guarantee that none will be without their explicit authorisation. They should also ensure that third parties cannot obtain this data.
The European Commission’s recent proposal to introduce new legislation to guarantee privacy in electronic communications is a step in the right direction.
But all parties and stakeholders should work hand in hand to protect consumers and companies and generate the trust that is needed to reap the benefits that the digital revolution can provide. Together let us stop the biggest lie on the Internet.
Picture credits: InsideOut Project
The Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, says Christian Wigand, EC spokesperson for Justice.
The Digital Post: Despite the reassuring statements of the European Commission, the new “Safe Harbour” does not seem out of danger. Is the Privacy Shield enough strong to resist any future attempt to challenge its legal legitimacy?
Christian Wigand: As we have said from the beginning, the Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations. We used the ECJ ruling as a “benchmark” in the final phase of the negotiations, let me explain how three key requirements have been addressed:
– The European Court of Justice required limitations for access to personal data for national security purposes and the availability of independent oversight and redress mechanisms.
The U.S. ruled out indiscriminate mass surveillance on the personal data transferred to the US under this arrangement and for the first time, has given written commitments in this respect to the EU. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be set up, independent from the intelligence services.
– The Court required a regular review of the adequacy decisions.
There will be an annual joint review to regularly review the functioning of the arrangement, which will also include the issue of national security access.
– The Court required that all individual complaints about the way U.S. companies process their personal data are investigated and resolved.
There will be a number of ways to address complaints, starting with dispute resolution by the company and free of charge alternative dispute resolution solutions. Citizens can also go to the Data protection authorities who will work together with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens’ will be handled by an Ombudsman independent from the US intelligence services
TDP: Three months ago French Interior Minister Bernard Cazeneuve and his German counterpart, Thomas de Maizière, called on the EU to adopt a law that would require apps companies to make encrypted messages available to law enforcement. What is the official position of the Commission on this particular issue? Is the Commission working on a proposal?
CW: Encryption is widely recognised as an essential tool for security and trust in open networks. It can play a crucial role, together with other measures, to protect information, including personal data, hence reducing the impact of data breaches and security incidents. However, the use of encryption should not prevent competent authorities from safeguarding important public interests in accordance with the procedures, conditions and safeguards set forth by law.
The current Data Protection Directive (which also applies to the so-called over-the-top service providers such as WhatsApp or Skype) allows Member States to restrict the scope of certain data protection rights where necessary and proportionate to, for instance, safeguard national security, and the prevention, investigation, detection and prosecution of criminal offences.
The new General Data Protection Regulation (which will apply as from 25 May 2018) maintains these restrictions.
TDP: According to a survey published recently by Dell most firms are unprepared for the EU’s General Data Protection Regulations less than 18 months before it enters into force. Are you worried about that?
CW: To make the new data protection rules work in practice is a priority for us and we work closely with all stakeholders on that. The European Commission has set out a number of measures to make sure that companies operating in the European Union as well as national regulators will be ready for the new rules. There is work ongoing on all levels, with data protection authorities, industry representatives, data protection experts from Member States and of course national governments. For example, there are monthly meetings with Member States authorities on implementation. At the same time we are setting up a network between the Commission and national authorities to exchange information on the implementation of the Regulation and to share good practices.
Picture credits: U.S. Army
It wont be long before we look back and laugh at the way we approached privacy in the happy days of the web.
If only I had a penny for every time I’ve heard this aphorism!
True, most typology studies out there as well as our own experiences verify that currently most of us act like the kids that rush to the table and grab the candy in the classic delayed gratification marshmallow experiment: convenience rules over our privacy concerns.
But nothing is written in stone about this. Given enough information and some time to digest it, even greedy kids learn. Just take a look at some other things we didn’t use to care about.
Never had the pleasure of walking directly into a plane without a security check but from what I hear there was a time that this was how it worked. You would show up at the airport with ticket at hand. The check-in assistant would verify that your name is on the list and check your id. Then you would just walk past the security officer and go directly to the boarding gate. Simple as that.
Then came hijackers and ruined everything. Between 1968 and 1972, hijackers took over a commercial aircraft every other week, on average. So long with speedy boarding and farewell to smoking on planes 20 years later. If you want to get nostalgic, here you go:
Since we are in the topic of smoking and given that lots of privacy concerns are caused by personal data collection practices in online advertising I cannot avoid thinking of Betty and Don Draper with cigarettes at hand at work, in the car, or even at home with the kids.
To be honest I don’t have to go as far as the Mad Men heroes to draw examples. I am pretty, pretty, pretty sure I’ve seen some of this in real life.
Where do I start here? I could list some of my own but they are nowhere near as fun as some that I discovered with a quick search around the web. Things like:
– Glass blowing kit
– Lead casting kit
– Working electric power tools for kids
– The kerosine train
– Magic killer guns that impress, burn, or knock down your friends.
Pictures are louder than words. Just take a look at The 8 Most Wildly Irresponsible Vintage Toys. Last in this list is the “Atomic Energy Lab” which brings us to:
Recreational uses of radio active materials
I love micro-mechanics and there’s nothing more lovable about it than mechanical watches. There is a magic in listening to the ticking sound of a mechanical movement while observing the seconds hand sweep smoothly above the dial. You can even do it the dark because modern watches use super luminova to illuminate watch dial markings and hands.
I am stretching dangerously beyond my field here but from what I gather, Tritium, a radio-active material, needs to be handled very carefully. Radium is downright dangerous. I mean “you are going to die” dangerous. Just read a bit about what happened to the “Radium Girls” who used to apply radium on watch dials in an assembly line in the ’20s.
But we are not done yet. Remember the title of the section is “Recreational uses of radio active materials”. Watch dials are just the tip of the iceberg. It’s more of a useful than a recreational thing to be able to read the time in the dark (with some exceptions). Could society stomach the dangers for workers? Who knows? It doesn’t really matter because there are these other uses, that were truly recreational (in the beginning at least) for which I hope the answer is pretty clear. Here goes the list:Here
– Radium chocolate
– Radium water
– Radium toothpaste
– Radium spa
Details and imagery at 9 Ways People Used Radium Before We Understood the Risks.
Anyhow, I can go on for hours on this, talk about car safety belts, car seat headrests, balconies, furniture design etc but I think where I am getting at is clear: Societies evolve.
It takes some time and some pain but they evolve. Especially in our time with the ease at which information spreads, they evolve fast. Mark my words, it wont be long before we look back and laugh at the way we approached privacy in the happy days of the web.
Credits: JOHN LLOYD
In the context of the 7th annual EuroCloud Forum, which takes place from 5-6 October in Bucharest, Romania, Elena Zvarici, executive board member of EuroCloud Europe, talks about how Europe can take advantage of cloud computing and the data economy.
In order for Europe to take full advantage of cloud computing and the data economy, we need to strike the right balance between regulation and innovation
In the digital world the balancing act between business and regulation is a delicate one. In the past year we have seen the adoption of the new European General Data Protection Regulation, the invalidation of the Safe Harbour agreement for transatlantic data transfers and problematic discussions around its replacement the Privacy Shield.
Setting these developments into the context of the many ongoing initiatives at EU level aimed at encouraging innovation and the data economy, it is clear that getting the balance right is no easy task.
Europe is leading the way in data privacy and advocates a high level of data protection worldwide. The newly adopted General Data Protection Regulation introduces a new concept of responsibility towards data ownership, as well as new legal obligations for businesses to comply. For cloud SMEs and start-ups, getting up to speed can be problematic and they will need help.
A coordinated approach is needed between data protection authorities, policy makers and industry, in order to help organizations in this transition, by providing adequate data breach reporting tools, compliance toolkits and publicising the key issues. Let’s make sure that European SMEs and start-ups, so often the drivers of growth in Europe, are well placed to comply.
While the GDPR provides a high level of data protection we must remember that we are ever more connected through digital means and cannot think solely in terms of Europe. We are global users and exporters of digital services and need to have a strong cloud computing and data economy to be competitive. International data flows will play a key part in this. To avoid regulation clashes and to create international data-driven markets, in the future we should strive towards the creation of uniform, accepted standards of personal data protection on a global basis.
The recent agreement on the Privacy Shield for EU-US data transfers did not come a moment too soon and will hopefully bring the much needed legal certainty for the approximately 4,000 businesses who made use of the safe harbour mechanism. This legal assurance is vital. Many of these companies will rely on global information exchanges. Let’s hope that the provisions in the Privacy Shield can provide a robust enough framework to encourage data flows while providing high standards of data protection.
Global data flows are vital to international trade and economic growth and the European Commission Initiative on the free flow of data, expected at the end of 2016, should aim to enable European companies, particularly in the growing cloud computing sector, to be in the forefront of the global innovation race.
The Initiative should aim to reinforce the European cloud sector, so that companies are encouraged to develop new innovative services in the cloud, sell their services cross-border and enter the global market as exporters of technology.
This can be done by providing clarity on issues such as data ownership, liability arising from data use and data localisation across Europe.
If we really want to position Europe as a global leader in the data economy we need to ensure that we get the balance right. This means ensuring high levels of privacy while fostering new business innovation in sectors that rely on data and developing trust and confidence among users, from the individual consumer to the public and private sector.
Now is the time to move forward and encourage Europe to reap the benefits of data and the cloud.
Picture credits: Roberto Sartori
If Standard Contractual Clauses (SCCs) suffer the same fate as Safe Harbour then transferring data to the US will in practice become almost impossible, further threatening to balkanize the Internet and to undermine international trade.
Eight months ago the Financial Times warned in an editorial that a ruling by the Court of Justice of the European Union (CJEU) to invalidate Safe Harbour, a commonly used legal mechanism for transferring data to the US, threatened to balkanize the Internet and undermine international trade.
That threat deepened sharply last week when Ireland’s top data protection authority, the Irish Data Protection Commission, announced it would refer another legal mechanism, Standard Contractual Clauses (SCCs) to the courts too.
After Safe Harbour was invalidated companies that need to transfer data as part of their day-to-day activities scrambled to find other legal methods to allow them to continue. One such method is the Standard Contractual Clause.
If SCCs suffer the same fate as Safe Harbour then transferring data to the US will in practice become almost impossible.
But it’s not just transatlantic data flows that are being called into question. Companies use SCCs to transfer data all over the world.
If Europe’s courts conclude that SCCs are no safer than Safe Harbour this could effectively cut Europe out of the emerging global data economy, and that would hurt companies from almost every corner of the economy – not just the tech sector.
Global data flows are vital to international trade. Forcing companies to store their data within Europe will have serious implications for Europe’s economic prospects.
As the European Data Protection Supervisor, Giovanni Buttarelli himself said last week, it is unreasonable to ask companies to reinvent their practises all the time.
I would urge Europe’s data protection authorities to stop shifting the legal goal posts for international data transfers and to wait until Safe Harbour’s intended replacement, the Privacy Shield, has been given a chance to work.
The Privacy Shield, with its Ombudsperson role, would address the key concerns about EU citizens’ potential exposure to unwarranted surveillance by US security agencies.
Privacy activists have dismissed the Privacy Shield before it’s even been given a chance to work. Jumping to a negative conclusion when so much is at stake seems rather reckless.
Right now we need more legal certainty, not less. Give Privacy Shield a chance. If necessary make fixes once it’s in place but don’t throw companies into a legal black hole by closing down all options for international data transfers.
Picture credits: Devin Poolman
The Digital Post speaks with FTC Commissioner Julie Brill about the new ‘Safe Harbour’, the implications of the EU privacy reform, and privacy issues arising from the boom of the Internet of Thing.
The Digital Post: The European Union and the United States of America have reached an agreement on a new Safe Harbour data treaty. What are in your view the main achievements of the deal? What would have been the concrete risks if an agreement weren’t signed?
Julie Brill: The main achievement of Privacy Shield is that it provides strong privacy protections for European consumers and creates a framework for more parties to engage in active supervision and stronger enforcement cooperation. With respect to commercial data practices, Privacy Shield will provide stronger privacy protections than Safe Harbor did – through beefed up onward transfer requirements, and in other ways.
Privacy Shield will also establish more active supervision of the program in practice, so that the Department of Commerce, the European Commission, European data protection authorities (DPAs), and the FTC can detect and address any issues that come up. Privacy Shield will also provide a well-defined process for consumers to complain about the data practices of Privacy Shield companies.
The FTC will remain committed to giving priority to complaint referrals from DPAs, and there will be a better process in place for following up on these complaints. And even in the absence of referrals from DPAs, the FTC will continue to aggressively look for violations of the Privacy Shield principles.
Finally, in the area of national security, the United States agreed to take the unprecedented step of designating an ombudsperson to take complaints about surveillance activities that relate to Privacy Shield. This is in addition to the significant reforms that Congress and President Obama have made to surveillance practices in the past few years.
The risks if Privacy Shield hadn’t been agreed upon would have been that consumers and businesses would have continued in the limbo in which we currently exist, where some mechanisms to transfer personal data from the EU to the U.S. are still allowed, but they are expensive, opaque, and much more difficult for the FTC to enforce.
Of course, Privacy Shield still has many steps to take before it receives approval. If it were not approved, then companies – particularly small and medium enterprises – would lose out because of the time and resources that they have to put into alternative arrangements for data transfers.
But consumers also would lose out because they would have far less transparency into which companies are handling their data, the rules governing data transfers, and where to go to complain if they believe their rights are not being respected.
TDP: According to some observers, the new agreement won’t be sufficient to meet the concerns of the European Court of Justice. What is your opinion?
JB: It’s important to remember that the CJEU’s Schrems decision did not address national security surveillance practices in the United States. Rather, the case was based on the court’s concern that the European Commission’s adequacy decision in the year 2000 did not address U.S. privacy protections relating to national security surveillance.
It is hard to say how the CJEU would have assessed a full, accurate record concerning surveillance practices and privacy protections in the United States, had those facts been before the court. In any event, the U.S. has enacted significant reforms since the Schrems case was referred to the CJEU, and the U.S. is making further commitments through Privacy Shield.
On the whole, I believe these protections meet the CJEU’s standard of “essential equivalence to the EU legal order”, but we will have to wait to see if Privacy Shield is challenged to know whether the CJEU agrees.
TDP: Is the GDPR going to widen the chasm between EU and US regulatory approaches to data protection? How the FTC is working on this issue?
JB: The GDPR incorporates several provisions that either appeared first in the United States or are by now very familiar to companies and enforcers in the U.S. Examples include a focus on reasonable data security through a continuing process of risk assessment and mitigation, a general security breach notification requirement, heightened protections for children, privacy by design, and a recognition that deidentification can reduce privacy and security risks.
There are some differences between the European and U.S. versions of these provisions, but overall they show how developments in the U.S. can influence the direction that Europe takes.
On the other hand, some provisions of the GDPR move further away from the U.S. approach. A prime example is the GDPR’s right to be forgotten article, which extends to all data controllers. This expansion is a sharp contrast to the very targeted and specific provisions of U.S. law that help individuals keep some information about themselves obscure.
Companies and regulators on both sides of the Atlantic need to start working out answers to the many questions that the GDPR raises. That’s one reason that I think it’s so important for us to move beyond the issues surrounding mechanisms for data transfers that have dominated the discussion for the past several months.
With the announcement of an agreement on Privacy Shield in the past several weeks, I hope we now can begin to discuss the GDPR and issues like big data and the Internet of Things in a more sustained and meaningful way.
TDP: The FTC has been focusing on privacy issues related to the booming sectors of Internet of Things and Big Data. What are the risks? How regulators should deal with this very sensitive issue?
JB: There are important roles for enforcement, policy development, and business and consumer guidance in the Internet of Things and Big Data ecosystems. On the policy and guidance front, the FTC has been taking a close look at the potential benefits and risks of the Internet of Things and big data.
We have hosted public workshops, taken public comments, and written key reports on the broad range of technical and economic concerns that arise from having many more connected devices, huge volumes of personal data, and rapidly improving analytics.
We heard a lot about the exciting possibilities to solve problems in health care, transportation, the environment, education, and other areas; but we also learned about significant risks. Security is a huge challenge with the Internet of Things.
Not only are many devices being offered by companies that do not have long track records with data security, but these devices are also being used in ways that collect highly sensitive information and create physical risks to consumers.
With respect to big data, we found that there is a potential for unfairness or discrimination to enter through biases in data collection and analysis. Some of these issues could get companies into trouble under fair lending, credit reporting, or other laws. Other issues arise in settings that these laws do not cover, but companies still need to be aware of them because they may be deceptive or unfair.
Enforcement also plays an important role in the FTC’s approach. We have already brought enforcement actions relating to privacy and security violations with IoT devices. We have the authority to stop unfair or deceptive practices – whether or not they involve new technologies and business practices – and we will use it in appropriate cases.
Picture Credits: g4ll4is
The legislation agreed in mid-December by Parliament and Council negotiators marks a crucial step forward in getting away with a calamitous patchwork of national laws on data protection. However, it contains a number of inconsistencies that could negatively affect Europe’s digital ambitions.
It took nearly 4 years of bitter negotiations for the EU to strike an agreement on a sweeping overhaul of its data protection rules. But it was worth it. The legislation agreed in mid-December by Parliament and Council negotiators marks a crucial step forward in getting away with Europe’s calamitous patchwork of national laws on data protection.
The previous EU rules dated back to 1995 and their varying interpretations by Member States have contributed to create significant regulatory uncertainty while hindering innovation in critical sectors of the economy.
However, the new General Data Protection Regulation (GDPR) is far from perfect. It still presents multiple critical aspects. For instance, it fails to create a level playing field for telecom operators.
Following its introduction, the electronic communications sector will be forced to abide by a twofold regulation, complying with both the new data protection legislation and the ePrivacy Directive.
If Europe is serious about supporting growth and innovation in its digital markets, this asymmetry should be addressed as soon as possible. Otherwise it will place yet another burden on a sector which has been hit hard in recent years by a slow economic recovery while being under pressure to invest more in digital networks in order to meet the EU broadband targets.
As many know, the on-going Internet evolution has been providing breeding grounds for several new telecom-like services (including OTT services) to grow.
The point is that, unlike traditional telecom providers, such services are not necessarily bound by the terms of the ePrivacy Directive, although they are functionally equivalent to one another.
As a consequence, different rules applying to equivalent services inevitably create unfair competition between telecom operators as well as legal uncertainty and general confusion among consumers.
In order for consumers to benefit from a consistent regulation, regardless of the service provider in question, a prompt revision of the ePrivacy Directive is thus required.
But the negative implications of the new regulation on data protection could be larger, stretching far beyond the telecoms sector.
DigitalEurope, the main association representing the digital technology industry in Europe, believes that the legislation fails to strike the proper balance between protecting citizens’ fundamental rights to privacy and the ability for businesses in Europe to become more competitive.
The text agreed upon between the European Commission, European Parliament and the Council of Ministers contains a number of stringent obligations that could be very costly for IT businesses, undermining their ability to invest, innovate and create jobs.
European businesses, traditionally less equipped to meet these obligations, could be hit hard. And, of course, this is in stark contrast with Europe’s ambitions to create a generation of home-grown global leaders in the tech sector.
Another matter of concern is the so-called is the compromise reached on the so-called “one-stop-shop”, according to which tech companies operating in different countries will deal with only one data-protection authority, namely where their European headquarter is based.
As Member states managed to weaken this principle, as recently reported by Reuters, some obervers believe that this will create more legal confusion and litiges (for instance, to determine what is the concerned national authority). Again: the bill for the companies could be very expensive.
Following the political agreement reached in trilogue, the final text of the data protection regulation will be formally adopted by the European Parliament and Council in a few weeks. Maybe there is still room to fix its inconsistencies.
Photo credit: Martin Fisch
Web firms may have an interest in pursuing the monetization of users’ data with some more moderation. If they don’t, privacy concerns as well as adoption of tracking and advertisement blocking tools could grow to a point where innovation will suffer.
As part of a recent keynote during the inaugural workshop of the Data Transparency Lab (Nov 20, 2014, Barcelona) I hinted that a Tragedy of the Commons around privacy might be the greatest challenge and danger for the future sustainability of the web, and the business models that keep it going.
With this post I would like to elaborate a bit more on what I meant and maybe explain why my slides are full of happy, innocent looking cows.
What is the Tragedy of the Commons?
According to Wikipedia:
“The tragedy of the commons is an economic theory by Garrett Hardin, which states that individuals acting independently and rationally according to each’s self-interest behave contrary to the best interests of the whole group by depleting some common resource. The term is taken from the title of an article written by Hardin in 1968, which is in turn based upon an essay by a Victorian economist on the effects of unregulated grazing on common land.”
In the classical Tragedy of the Commons, individual cattle farmers acting selfishly keep releasing more cows onto a common parcel of land despite knowing that a disproportionate number of cows will deplete the land of all grass and drive everyone out of business.
All the farmers share this common knowledge, but do nothing to avoid the impending tragedy.
Selfishness dictates that it is better for a farmer to reap the immediate benefit of having more cows, diverting the damage to others and/or pushing the consequences to the future.
The utopian outcome for each farmer is that he can keep accumulating cows without having to face the tragedy because, miraculously, others will reduce the size of their herds, saving the field from becoming barren. Unfortunately, everyone thinks alike and thus, eventually the field is overgrazed to destruction.
Are there cows on the Web?
There are several.
Not only in .jpeg, .gif or .tiff but also in other formats that, unlike the aforementioned compression standards, can lead to (non-grass related) tragedies. In my talk I am hinting on the following direct analogy between the aforementioned cow-related abstraction and the mounting concerns about privacy and the web.
Farmer: A company having a business model around the monetization of personal information of users. This includes online advertising, recommendation, e-commerce, data aggregation for market analysis, etc.
Cow: A technology for tracking users online without their explicit consent or knowledge. Tracking cookies, analytics code in websites and browsers, browser and IP fingerprinting, etc.
Grass: The trust that we as individuals have on the web, or more accurately, our hope and expectation that the web and its free services are doing “more good than bad”.
The main point here is that if the aforementioned business models (farmers) and technologies (cows) eat away user trust (grass) faster than its replenishment rate (free services that make us happy), then at some point the trust will be damaged beyond repair and users … will just abandon the web.
As extreme as the last statement may sound, the reader needs to keep in mind that other immensely popular media have been dethroned in the past. Print newspapers are nowhere near when they used to be in, say, the 30’s.
Broadcast television is nowhere near where it’s height in the 60’s (think the moon-landing, JFK’s assassination, etc.).
The signs of quickly decaying trust on the web are already here.
– More than 60% of web traffic was recently measured to be over encrypted HTTPs, and all reports agree that the trend is accelerating.
– AdBlock Plus is the #1 Firefox add-on in the Mozzilla download page with close to 20 million users. Other browser or mobile app marketplaces are heavily populated with anti-tracking add-ons and services.
– Regulators on both sides of the Atlantic are mobilizing to address privacy related challenges.
If ignored, the mounting concerns around online privacy and tracking on the web may lead to mass adoption of tracking and advertisement blocking tools. Removing advertising profits from the web probably means the end of free services that we currently take for granted.
The impact on innovation will be a second negative consequence. Last, lets not forget that advertisement and recommendation is something desired by most users, provided that certain red lines are not crossed.
What constitutes a red line may change from person to person but certain categories are safe candidates (health, sexual orientation, political beliefs).
In a recent study we have shown that it is possible to detect Interest-based Behavioral Targeting (IBT) and have delved into specific categories to measure the amount of targeting that goes on.
What can we do to avoid an online tragedy of the commons?
“Sunlight is the best disinfectant”
The famous quote of American Supreme Court litigator Louis Brandeis may have found yet another application in dealing with the privacy challenges of the web.
Despite the buzz around the topic, the average citizen is in the dark when it comes to issues relating to how his personal information is gathered and used online without his explicit authorization.
A few years ago we demonstrated that Price Discrimination seems to have already creeped into e-commerce. This means that the price that one see’s on his browser for a product or service may be different than the one observed at the same time by user in a different location.
Even at the same location, the personal traits of a user, such as his browsing history, may impact on the obtained price.
To permit users to test for themselves whether they are being subjected to price description we developed (the price) $heriff, a simple to use browser add-on that shows, in real time, how the price seen by a user compares with the prices seen by other users or fixed measurement proxies around the world.
Researchers at Columbia University and Northeastern University have, in a similar spirit, developed tools and methodologies that permit end users to test whether the advertisements or recommendations they received have been specifically targeted at them, or they are just random or location dependent.
Tools like $heriff and X-ray improve the transparency around online personal data. This has multifold benefits for all involved parties:
– End users can exercise choice and decide for themselves whether they want to use ad blocking software and when.
– Advertising and analytics companies can use the tools to self regulate and prove that they abstain from practices that most users find offending.
– Regulators and policy makers can use the tools to obtain valuable data that point to the real problems and help in drafting the right type of regulation for a very challenging problem.
Mooo, who needs more tragedy????
Photo credit: b3d_
Adam Smith said that the road to certainty passes through the valley of ambiguity – Germany’s stance on cross-border data flows is no exception.
Germany is increasingly accused of being engaged in a digital protectionism, and commandeering the rest of Europe into policies aimed at ‘information sovereignty’ and counter the threat of the data-driven ‘Industrie 4.0’.
While the politically important German telecom and publishing sector openly argue for a ‘data Schengen’ that would effectively push US competition out of Germany or Europe, the government has been more cautious, preferring to talk in ambiguous terms – not least because German exporters face such barriers overseas.
Adam Smith said that the road to certainty passes through the valley of ambiguity – Germany’s stance on cross-border data flows is no exception.
The federal government recently adopted a set of guidelines aiming to increase the ‘flexibility and security’ of its government-run IT systems.
Germany’s 200 or so different government agencies run 1,300 data services centres, causing functional overlap and economic inefficiencies.
The new proposal, drafted by Germany’s interior ministry, advocates the consolidation of government-run IT systems and IT services centres.
So far, this is in good order. Efficiency and order – sound like good governance that we come to expect.However, the proposal is accompanied by a far-reaching move towards data localisation: for external cloud and software services to be purchased by Germany’s public authorities the government’s new guidelines (Resolution 2015/5 of the federal governments IT Council) stipulate that sensitive information (including government secrets and infrastructure information) have to be stored on servers within Germany.
The last nail in the coffin
At first sight, such requirements may sound reasonable in the post-Snowden environment; NSA was after all listening into the Chancellor’s phone calls.
Also, a serious attack on the IT systems of the Bundestag caused parliamentarians to question government agencies’ cyber security competences.But such notions are built on a very common misconception that data security is a function of where the data is physically located.
In contrary, centralising data in one country increases both the potential risk, but also the scale of the damage that hackers can cause.
Rather than fighting fire with fire by prosecuting business, Germany should exercise its moral higher ground to force other governments into a system built on mutual legal assistance – where governments are held accountable for their laws, not firms who try to abide by them. But it seems as the imperative of looking tough took priority over being effective.
In the long term
Many private firms increasingly or exclusively rely on cloud-based storage and data processing. According to a recent Eurostat survey, 19 per cent of European firms used cloud computing in 2014, primarily for email hosting and storage services.
46 per cent of those companies used advanced cloud services including financial and accounting software applications, customer relationship management and other business applications.
In general, a government-imposed limitation of vendor choices artificially restricts competition, incurs higher cost and prevents innovative business models from gaining ground and scale.
Accordingly, data localisation destroys well-functioning digital business models, increases the risk of successful attacks due to data concentration, and undermines the international competitiveness of digital and traditional exporters – all of which is at the detriment of the German economy.
photo credit: Erwin Brevis
The new Safe Harbour ruling has shown the difficulties in adapting existing legal rules to the globalised, digital era. Online privacy legislation is clashing with modern business models, while European regulators are struggling to balance citizen rights with the desire to boost the competitiveness of the tech industry.
If someone were asked to guess which issue has generated the fiercest debate in Brussels in the recent months, the European Court of Justice (ECJ) Safe Harbour ruling should be the answer. Brussels has not stopped talking about it since the 6th October. Safe Harbour, which echoes a secure environment, no longer fits with the legal uncertainty and insecurity that the ruling has generated.
The ECJ ruled that the transatlantic Safe Harbour agreement, which allows American companies to use a single standard for consumer privacy and data transfer of private information between the EU and the US, is invalid.
With its ruling the ECJ has considerably challenged, if not disrupted this framework put in place to ease Trans-Atlantic information sharing, deeming it inadequate, especially in light of the surveillance allegations and scandals by USA intelligence services (including the NSA).
The upshot of the ruling is that there are now only limited pan-EU rules on data flow from Europe to the USA.
The ECJ has caused quite a stir in the tech world with its recent judgment. Tech companies, big and small, are scrambling to see what data they process and where it is transferred. Most multinationals are now legally obliged to suspend any transfer of its customers’ data to the USA and move their data storage and operations to an EU subsidiary.
Has anyone also quantified the economic implications of a real stop of data transfer between the EU and the USA? A power-generated black out is the best example I can think of.
The European Commission has therefore been put in a tough position. While it has to support the ruling by the European Court of Justice and guarantee citizens’ privacy, it had evoked the ire of the ICT industry. Trade and business associations are lobbying for a pragmatic solution namely via a transition period that would legalise the current Trans-Atlantic data flows.
The Commission has also promised guidelines for companies and data processors by early November and is working together with the national authorities to prevent fragmentation. But industry fears that this will not prevent headaches, stress and costs. A German data protection authority, for instance, has already warned it would fine non-compliant companies severely.
Meanwhile, Europe and the USA have also been negotiating a renewed Safe Harbour agreement. The ruling comes in the midst of these talks and will be an extra source of pressure. However, little can be done to accommodate the ruling unless America agrees to suspend its surveillance mechanisms on EU citizen data, which would be a very big ask.
In summary, the new Safe Harbour ruling has shown the difficulties in adapting existing legal rules to the globalised, digital era. Online privacy legislation is clashing with modern business models, while European regulators try to balance citizen rights with the desire to boost its tech industry and remain competitive. It’s a fierce storm with no lighthouse in sight.