General Data Protection Regulation
Auto Added by WPeMatico
Auto Added by WPeMatico
Data is the most valuable asset for any business in 2021. If your business is online and collecting customer personal information, your business is dealing in data, which means data privacy compliance regulations will apply to everyone — no matter the company’s size.
Small startups might not think the world’s strictest data privacy laws — the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) — apply to them, but it’s important to enact best data management practices before a legal situation arises.
Data compliance is not only critical to a company’s daily functions; if done wrong or not done at all, it can be quite costly for companies of all sizes.
For example, failing to comply with the GDPR can result in legal fines of €20 million or 4% of annual revenue. Under the CCPA, fines can also escalate quickly, to the tune of $2,500 to $7,500 per person whose data is exposed during a data breach.
If the data of 1,000 customers is compromised in a cybersecurity incident, that would add up to $7.5 million. The company can also be sued in class action claims or suffer reputational damage, resulting in lost business costs.
It is also important to recognize some benefits of good data management. If a company takes a proactive approach to data privacy, it may mitigate the impact of a data breach, which the government can take into consideration when assessing legal fines. In addition, companies can benefit from business insights, reduced storage costs and increased employee productivity, which can all make a big impact on the company’s bottom line.
Data compliance is not only critical to a company’s daily functions; if done wrong or not done at all, it can be quite costly for companies of all sizes. For example, Vodafone Spain was recently fined $9.72 million under GDPR data protection failures, and enforcement trackers show schools, associations, municipalities, homeowners associations and more are also receiving fines.
GDPR regulators have issued $332.4 million in fines since the law was enacted almost two years ago and are being more aggressive with enforcement. While California’s attorney general started CCPA enforcement on July 1, 2020, the newly passed California Privacy Rights Act (CPRA) only recently created a state agency to more effectively enforce compliance for any company storing information of residents in California, a major hub of U.S. startups.
That is why in this age, data privacy compliance is key to a successful business. Unfortunately, many startups are at a disadvantage for many reasons, including:
Powered by WPeMatico
As businesses gather, store and analyze an ever-increasing amount of data, tools for helping them discover, catalog, track and manage how that data is shared are also becoming increasingly important. With Azure Purview, Microsoft is launching a new data governance service into public preview today that brings together all of these capabilities in a new data catalog with discovery and data governance features.
As Rohan Kumar, Microsoft’s corporate VP for Azure Data, told me, this has become a major pain point for enterprises. While they may be very excited about getting started with data-heavy technologies like predictive analytics, those companies’ data and privacy-focused executives are very concerned to make sure that the way the data is used is compliant or that the company has received the right permissions to use its customers’ data, for example.
In addition, companies also want to make sure that they can trust their data and know who has access to it and who made changes to it.
“[Purview] is a unified data governance platform which automates the discovery of data, cataloging of data, mapping of data, lineage tracking — with the intention of giving our customers a very good understanding of the breadth of the data estate that exists to begin with, and also to ensure that all these regulations that are there for compliance, like GDPR, CCPA, etc, are managed across an entire data estate in ways which enable you to make sure that they don’t violate any regulation,” Kumar explained.
At the core of Purview is its catalog that can pull in data from the usual suspects, like Azure’s various data and storage services, but also third-party data stores, including Amazon’s S3 storage service and on-premises SQL Server. Over time, the company will add support for more data sources.
Kumar described this process as a “multi-semester investment,” so the capabilities the company is rolling out today are only a small part of what’s on the overall road map already. With this first release today, the focus is on mapping a company’s data estate.
“Next [on the road map] is more of the governance policies,” Kumar said. “Imagine if you want to set things like ‘if there’s any PII data across any of my data stores, only this group of users has access to it.’ Today, setting up something like that is extremely complex and most likely you’ll get it wrong. That’ll be as simple as setting a policy inside of Purview.”
In addition to launching Purview, the Azure team also today launched into general availability Azure Synapse, Microsoft’s next-generation data warehousing and analytics service. The idea behind Synapse is to give enterprises — and their engineers and data scientists — a single platform that brings together data integration, warehousing and big data analytics.
“With Synapse, we have this one product that gives a completely no-code experience for data engineers, as an example, to build out these [data] pipelines and collaborate very seamlessly with the data scientists who are building out machine learning models, or the business analysts who build out reports for things like Power BI.”
Among Microsoft’s marquee customers for the service, which Kumar described as one of the fastest-growing Azure services right now, are FedEx, Walgreens, Myntra and P&G.
“The insights we gain from continuous analysis help us optimize our network,” said Sriram Krishnasamy, senior vice president, strategic programs at FedEx Services. “So as FedEx moves critical high-value shipments across the globe, we can often predict whether that delivery will be disrupted by weather or traffic and remediate that disruption by routing the delivery from another location.”
Powered by WPeMatico
Capcom, the Japanese game maker behind the “Resident Evil” and “Street Fighter” franchises, has confirmed that hackers stole customer data and files from its internal network following a ransomware attack earlier in the month.
That’s an about-turn from the days immediately following the cyberattack, in which Capcom said it had no evidence that customer data had been accessed.
In a statement, the company said data on as many as 350,000 customers may have been stolen, including names, addresses, phone numbers and, in some cases, dates of birth. Capcom said the hackers also stole its own internal financial data and human resources files on current and former employees, which included names, addresses, dates of birth and photos. The attackers also took “confidential corporate information,” the company said, including documents on business partners, sales and development.
Capcom said that no credit card information was taken, as payments are handled by a third-party company.
But the company warned that the overall amount of data stolen “cannot specifically be ascertained” due to losing its own internal logs in the cyberattack.
Capcom apologized for the breach. “Capcom offers its sincerest apologies for any complications and concerns that this may bring to its potentially impacted customers as well as to its many stakeholders,” the statement read.
The video games maker was hit by the Ragnar Locker ransomware on November 2, prompting the company to shut down its network. Ragnar Locker is a data-stealing ransomware, which exfiltrates data from a victim before encrypting its network, and then threatens to publish the stolen files unless a ransom is paid. In doing so, ransomware groups can still demand a company pays the ransom even if the victim restores their files and systems from backups.
Ragnar Locker’s website now lists data allegedly stolen from Capcom, with a message implying that the company did not pay the ransom.
Capcom said it had informed data protection regulators in Japan and the United Kingdom, as required under European GDPR data breach notification rules. Companies can be fined up to 4% of their annual revenue for falling foul of GDPR rules.
Powered by WPeMatico
Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.
Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.
Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.
A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:
Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.
Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.
Powered by WPeMatico
New vehicles today can produce a treasure trove of data. Without the proper tools, that data will sit undisturbed, rendering it worthless.
A number of companies have sprung up to help automakers manage and use data generated from connected cars. Israeli startup Otonomo is one such player that jumped on the scene in 2015 with a cloud-based software platform that captures and anonymizes vehicle data so it can then be used to create apps to provide services such as electric vehicle management, subscription-based fueling, parking, mapping, usage-based insurance and emergency service.
The startup announced this week it has raised $46 million to take its automotive data platform further. The capital was raised in a Series C funding round that included investments from SK Holdings, Avis Budget Group and Alliance Ventures. Existing investors Bessemer Venture Partners also participated. Otonomo has raised $82 million, to date.
The funds will be used to help Otonomo scale its business, improve its products and help it remain competitive, according to the company. Otonomo is also aiming to expand into new markets, particularly South Korea and Japan.
“We now have the expanded resources needed to deliver on our vision of making car data as valuable as possible for the entire transportation ecosystem, while adhering to the strictest privacy and security standards,” Otonomo CEO and founder Ben Volkow said in a statement.
Otonomo’s pitch focuses on creating opportunities to monetize connected car data while keeping it safe from the moment it is captured. Once the data is securely collected, the platform modifies it so companies can use it to develop apps and services for fleets, smart cities and individual customers. The platform also enables GDPR, CCPA and other privacy regulation-compliant solutions using both personal and aggregate data.
Today, Otonomo’s platform takes in 2.6 billion data points a day from more than 20 million vehicles through partnerships with more than automakers, fleets and farm and construction manufacturers. Otonomo has more than 25 partnerships, a list that includes Daimler, BMW, Mitsubishi Motor Company and Avis Budget Group. The company said it’s preparing to bring on seven more customers.
That opportunity for Otonomo is growing based on forecasts, including one from SBD Automotive that predicts connected cars will account for more than 70% of cars sold in North American and European markets in 2020.
Powered by WPeMatico
A European coalition of techies and scientists drawn from at least eight countries, and led by Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI), is working on contacts-tracing proximity technology for COVID-19 that’s designed to comply with the region’s strict privacy rules — officially unveiling the effort today.
China-style individual-level location-tracking of people by states via their smartphones even for a public health purpose is hard to imagine in Europe — which has a long history of legal protection for individual privacy. However the coronavirus pandemic is applying pressure to the region’s data protection model, as governments turn to data and mobile technologies to seek help with tracking the spread of the virus, supporting their public health response and mitigating wider social and economic impacts.
Scores of apps are popping up across Europe aimed at attacking coronavirus from different angles. European privacy not-for-profit, noyb, is keeping an updated list of approaches, both led by governments and private sector projects, to use personal data to combat SARS-CoV-2 — with examples so far including contacts tracing, lockdown or quarantine enforcement and COVID-19 self-assessment.
The efficacy of such apps is unclear — but the demand for tech and data to fuel such efforts is coming from all over the place.
In the UK the government has been quick to call in tech giants, including Google, Microsoft and Palantir, to help the National Health Service determine where resources need to be sent during the pandemic. While the European Commission has been leaning on regional telcos to hand over user location data to carry out coronavirus tracking — albeit in aggregated and anonymized form.
The newly unveiled Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project is a response to the coronavirus pandemic generating a huge spike in demand for citizens’ data that’s intended to offer not just an another app — but what’s described as “a fully privacy-preserving approach” to COVID-19 contacts tracing.
The core idea is to leverage smartphone technology to help disrupt the next wave of infections by notifying individuals who have come into close contact with an infected person — via the proxy of their smartphones having been near enough to carry out a Bluetooth handshake. So far so standard. But the coalition behind the effort wants to steer developments in such a way that the EU response to COVID-19 doesn’t drift towards China-style state surveillance of citizens.
While, for the moment, strict quarantine measures remain in place across much of Europe there may be less imperative for governments to rip up the best practice rulebook to intrude on citizens’ privacy, given the majority of people are locked down at home. But the looming question is what happens when restrictions on daily life are lifted?
Contacts tracing — as a way to offer a chance for interventions that can break any new infection chains — is being touted as a key component of preventing a second wave of coronavirus infections by some, with examples such as Singapore’s TraceTogether app being eyed up by regional lawmakers.
Singapore does appear to have had some success in keeping a second wave of infections from turning into a major outbreak, via an aggressive testing and contacts-tracing regime. But what a small island city-state with a population of less than 6M can do vs a trading bloc of 27 different nations whose collective population exceeds 500M doesn’t necessarily seem immediately comparable.
Europe isn’t going to have a single coronavirus tracing app. It’s already got a patchwork. Hence the people behind PEPP-PT offering a set of “standards, technology, and services” to countries and developers to plug into to get a standardized COVID-19 contacts-tracing approach up and running across the bloc.
The other very European flavored piece here is privacy — and privacy law. “Enforcement of data protection, anonymization, GDPR [the EU’s General Data Protection Regulation] compliance, and security” are baked in, is the top-line claim.
“PEPP-PR was explicitly created to adhere to strong European privacy and data protection laws and principles,” the group writes in an online manifesto. “The idea is to make the technology available to as many countries, managers of infectious disease responses, and developers as quickly and as easily as possible.
“The technical mechanisms and standards provided by PEPP-PT fully protect privacy and leverage the possibilities and features of digital technology to maximize speed and real-time capability of any national pandemic response.”
Hans-Christian Boos, one of the project’s co-initiators — and the founder of an AI company called Arago –discussed the initiative with German newspaper Der Spiegel, telling it: “We collect no location data, no movement profiles, no contact information and no identifiable features of the end devices.”
The newspaper reports PEPP-PT’s approach means apps aligning to this standard would generate only temporary IDs — to avoid individuals being identified. Two or more smartphones running an app that uses the tech and has Bluetooth enabled when they come into proximity would exchange their respective IDs — saving them locally on the device in an encrypted form, according to the report.
Der Spiegel writes that should a user of the app subsequently be diagnosed with coronavirus their doctor would be able to ask them to transfer the contact list to a central server. The doctor would then be able to use the system to warn affected IDs they have had contact with a person who has since been diagnosed with the virus — meaning those at risk individuals could be proactively tested and/or self-isolate.
On its website PEPP-PT explains the approach thus:
Mode 1
If a user is not tested or has tested negative, the anonymous proximity history remains encrypted on the user’s phone and cannot be viewed or transmitted by anybody. At any point in time, only the proximity history that could be relevant for virus transmission is saved, and earlier history is continuously deleted.Mode 2
If the user of phone A has been confirmed to be SARS-CoV-2 positive, the health authorities will contact user A and provide a TAN code to the user that ensures potential malware cannot inject incorrect infection information into the PEPP-PT system. The user uses this TAN code to voluntarily provide information to the national trust service that permits the notification of PEPP-PT apps recorded in the proximity history and hence potentially infected. Since this history contains anonymous identifiers, neither person can be aware of the other’s identity.
Providing further detail of what it envisages as “Country-dependent trust service operation”, it writes: “The anonymous IDs contain encrypted mechanisms to identify the country of each app that uses PEPP-PT. Using that information, anonymous IDs are handled in a country-specific manner.”
While on healthcare processing is suggests: “A process for how to inform and manage exposed contacts can be defined on a country by country basis.”
Among the other features of PEPP-PT’s mechanisms the group lists in its manifesto are:
Having a standardized approach that could be plugged into a variety of apps would allow for contacts tracing to work across borders — i.e. even if different apps are popular in different EU countries — an important consideration for the bloc, which has 27 Member States.
However there may be questions about the robustness of the privacy protection designed into the approach — if, for example, pseudonymized data is centralized on a server that doctors can access there could be a risk of it leaking and being re-identified. And identification of individual device holders would be legally risky.
Europe’s lead data regulator, the EDPS, recently made a point of tweeting to warn an MEP (and former EC digital commissioner) against the legality of applying Singapore-style Bluetooth-powered contacts tracing in the EU — writing: “Please be cautious comparing Singapore examples with European situation. Remember Singapore has a very specific legal regime on identification of device holder.”
Dear Mr. Commissioner, please be cautious comparing Singapoore examples with European situation. Remember Singapore has a very specific legal regime on identification of device holder.
— Wojtek Wiewiorowski (@W_Wiewiorowski) March 27, 2020
A spokesman for the EDPS told us it’s in contact with data protection agencies of the Member States involved in the PEPP-PT project to collect “relevant information”.
“The general principles presented by EDPB on 20 March, and by EDPS on 24 March are still relevant in that context,” the spokesman added — referring to guidance issued by the privacy regulators last month in which they encouraged anonymization and aggregation should Member States want to use mobile location data for monitoring, containing or mitigating the spread of COVID-19. At least in the first instance.
“When it is not possible to only process anonymous data, the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security (Art. 15),” the EDPB further noted.
“If measures allowing for the processing of non-anonymised location data are introduced, a Member State is obliged to put in place adequate safeguards, such as providing individuals of electronic communication services the right to a judicial remedy.”
We reached out to the HHI with questions about the PEPP-PT project and were referred to Boos — but at the time of writing had been unable to speak to him.
“The PEPP-PT system is being created by a multi-national European team,” the HHI writes in a press release about the effort. “It is an anonymous and privacy-preserving digital contact tracing approach, which is in full compliance with GDPR and can also be used when traveling between countries through an anonymous multi-country exchange mechanism. No personal data, no location, no Mac-Id of any user is stored or transmitted. PEPP-PT is designed to be incorporated in national corona mobile phone apps as a contact tracing functionality and allows for the integration into the processes of national health services. The solution is offered to be shared openly with any country, given the commitment to achieve interoperability so that the anonymous multi-country exchange mechanism remains functional.”
“PEPP-PT’s international team consists of more than 130 members working across more than seven European countries and includes scientists, technologists, and experts from well-known research institutions and companies,” it adds.
“The result of the team’s work will be owned by a non-profit organization so that the technology and standards are available to all. Our priorities are the well being of world citizens today and the development of tools to limit the impact of future pandemics — all while conforming to European norms and standards.”
The PEPP-PT says its technology-focused efforts are being financed through donations. Per its website, it says it’s adopted the WHO standards for such financing — to “avoid any external influence”.
Of course for the effort to be useful it relies on EU citizens voluntarily downloading one of the aligned contacts tracing apps — and carrying their smartphone everywhere they go, with Bluetooth enabled.
Without substantial penetration of regional smartphones it’s questionable how much of an impact this initiative, or any contacts tracing technology, could have. Although if such tech were able to break even some infection chains people might argue it’s not wasted effort.
Notably, there are signs Europeans are willing to contribute to a public healthcare cause by doing their bit digitally — such as a self-reporting COVID-19 tracking app which last week racked up 750,000 downloads in the UK in 24 hours.
But, at the same time, contacts tracing apps are facing scepticism over their ability to contribute to the fight against COVID-19. Not everyone carries a smartphone, nor knows how to download an app, for instance. There’s plenty of people who would fall outside such a digital net.
Meanwhile, while there’s clearly been a big scramble across the region, at both government and grassroots level, to mobilize digital technology for a public health emergency cause there’s arguably greater imperative to direct effort and resources at scaling up coronavirus testing programs — an area where most European countries continue to lag.
Germany — where some of the key backers of the PEPP-PT are from — being the most notable exception.
Powered by WPeMatico
As part of its response to the public health emergency triggered by the COVID-19 pandemic, the European Commission has been leaning on Europe’s telcos to share aggregate location data on their users.
“The Commission kick-started a discussion with mobile phone operators about the provision of aggregated and anonymised mobile phone location data,” it said today.
“The idea is to analyse mobility patterns including the impact of confinement measures on the intensity of contacts, and hence the risks of contamination. This would be an important — and proportionate — input for tools that are modelling the spread of the virus, and would also allow to assess the current measures adopted to contain the pandemic.”
“We want to work with one operator per Member State to have a representative sample,” it added. “Having one operator per Member State also means the aggregated and anonymised data could not be used to track individual citizens, that is also not at all the intention. Simply because not all have the same operator.
“The data will only be kept as long as the crisis is ongoing. We will of course ensure the respect of the ePrivacy Directive and the GDPR.”
Earlier this week Politico reported that commissioner Thierry Breton held a conference with carriers, including Deutsche Telekom and Orange, asking for them to share data to help predict the spread of the novel coronavirus.
Europe has become a secondary hub for the disease, with high rates of infection in countries including Italy and Spain — where there have been thousands of deaths apiece.
The European Union’s executive is understandably keen to bolster national efforts to combat the virus. Although, it’s less clear exactly how aggregated mobile location data can help — especially as more EU citizens are confined to their homes under national quarantine orders. (While police patrols and CCTV offer an existing means of confirming whether or not people are generally moving around.)
Nonetheless, EU telcos have already been sharing aggregate data with national governments.
Orange in France is sharing “aggregated and anonymized” mobile phone geolocation data with Inserm, a local health-focused research institute — to enable them to “better anticipate and better manage the spread of the epidemic,” as a spokeswoman put it.
“The idea is simply to identify where the populations are concentrated and how they move before and after the confinement in order to be able to verify that the emergency services and the health system are as well armed as possible, where necessary,” she added. “For instance, at the time of confinement, more than 1 million people left the Paris region and at the same time the population of Ile de Ré increased by 30%.
“Other uses of this data are possible and we are currently in discussions with the State on all of these points. But, it must be clear, we are extremely vigilant with regards to concerns and respect for privacy. Moreover, we are in contact with the CNIL [France’s data protection watchdog]… to verify that all of these points are addressed.”
Germany’s Deutsche Telekom is also providing to national health authorities what a spokesperson dubbed “anonymized swarm data” to combat the corona virus.
“European mobile operators are also to make such anonymized mass data available to the EU Commission at its request,” the spokesperson told us. “In fact, we will first provide the EU Commission with a description of data we have sent to German health authorities.”
It’s not entirely clear whether the Commission’s intention is to pool data from such existing local efforts — or whether it’s asking EU carriers for a different, universal data-set to be shared with it during the COVID-19 emergency.
When we asked about this it did not provide an answer. Although we understand discussions are ongoing with operators — and that it’s the Commission’s aim to work with one operator per Member State.
The Commission has said the metadata will be used for modelling the spread of the virus and for looking at mobility patterns to analyze and assess the impact of quarantine measures.
A spokesman emphasized that individual-level tracking of EU citizens is not on the cards.
“The Commission is in discussions with mobile operators’ associations about the provision of aggregated and anonymised mobile phone location data,” the spokesman for Breton told us.
“These data permit to analyse mobility patterns including the impact of confinement measures on the intensity of contacts and hence the risks of contamination. They are therefore an important and proportionate tool to feed modelling tools for the spread of the virus and also assess the current measures adopted to contain the Coronavrius pandemic are effective.”
“These data do not enable tracking of individual users,” he added. “The Commission is in close contact with the European Data Protection Supervisor (EDPS) to ensure the respect of the ePrivacy Directive and the GDPR.”
At this point there’s no set date for the system to be up and running — although we understand the aim is to get data flowing asap. The intention is also to use data sets that go back to the start of the epidemic, with data-sharing ongoing until the pandemic is over — at which point we’re told the data will be deleted.
Breton hasn’t had to lean very hard on EU telcos to share data for a crisis cause.
Earlier this week Mats Granryd, director general of operator association the GSMA, tweeted that its members are “committed to working with the European Commission, national authorities and international groups to use data in the fight against COVID-19 crisis.”
Although, he added an important qualifier: “while complying with European privacy standards.”
The @GSMA and our members are committed to working with the @EU_Commission, national authorities and international groups to use data in the fight against COVID-19 crisis, while complying with European privacy standards. https://t.co/f1hBYT5Lqx
— Mats Granryd (@MatsGranryd) March 24, 2020
Europe’s data protection framework means there are limits on how people’s personal data can be used — even during a public health emergency. And while the legal frameworks do quite rightly bake in flexibility for a pressing public purpose, like the COVID-19 pandemic, it does not mean individuals’ privacy rights automatically go out the window.
Individual tracking of mobile users for contact tracing — such as Israel’s government is doing — is unimaginable at the pan-EU level. Certainly unless the regional situation deteriorates drastically.
One privacy lawyer we spoke to last week suggested such a level of tracking and monitoring across Europe would be akin to a “last resort.” Though individual EU countries are choosing to respond differently to the crisis — such as, for example, Poland giving quarantined people a choice between regular police check ups or uploading geotagged selfies to prove they’re not breaking lockdown.
While former EU Member the U.K. has reportedly chosen to invite in the controversial U.S. surveillance-as-a-service tech firm Palantir to carry out resource tracking for its National Health Service during the coronavirus crisis.
Under pan-EU law (which the U.K. remains subject to, until the end of the Brexit transition period), the rule of thumb is that extraordinary data-sharing — such as the Commission asking telcos to share user location data during a pandemic — must be “temporary, necessary and proportionate,” as digital rights group Privacy International recently noted.
This explains why Breton’s request is for “anonymous and aggregated” location data. And why, in background comments to reporters, the claim is that any shared data sets will be deleted at the end of the pandemic.
Not every EU lawmaker appears entirely aware of all the legal limits, however.
Today the bloc’s lead privacy regulator, data protection supervisor (EDPS) Wojciech Wiewiórowski, could be seen tweeting cautionary advice at one former commissioner, Andrus Ansip (now an MEP) — after the latter publicly eyed up a Bluetooth-powered contacts tracing app deployed in Singapore.
“Please be cautious comparing Singapore examples with European situation. Remember Singapore has a very specific legal regime on identification of device holder,” wrote Wiewiórowski.
So it remains to be seen whether pressure will mount for more privacy-intrusive surveillance of EU citizens if regional rates of infection continue to grow.
Dear Mr. Commissioner, please be cautious comparing Singapoore examples with European situation. Remember Singapore has a very specific legal regime on identification of device holder.
— Wojtek Wiewiorowski (@W_Wiewiorowski) March 27, 2020
As we reported earlier this week, governments or EU institutions seeking to make use of mobile phone data to help with the response to the coronavirus must comply with the EU’s ePrivacy Directive — which covers the processing of mobile location data.
The ePrivacy Directive allows for Member States to restrict the scope of the rights and obligations related to location metadata privacy, and retain such data for a limited time — when such restriction constitutes “a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system” — and a pandemic seems a clear example of a public security issue.
Thing is, the ePrivacy Directive is an old framework. The previous college of commissioners had intended to replace it alongside an update to the EU’s broader personal data protection framework — the General Data Protection Regulation (GDPR) — but failed to reach agreement.
This means there’s some potential mismatch. For example the ePrivacy Directive does not include the same level of transparency requirements as the GDPR.
Perhaps understandably, then, since news of the Commission’s call for carrier metadata emerged concerns have been raised about the scope and limits of the data sharing. Earlier this week, for example, MEP Sophie in’t Veld wrote to Breton asking for more information on the data grab — including querying exactly how the data will be anonymized.
Fighting the #coronavirus with technology: sure! But always with protection of our privacy. Read my letter to @ThierryBreton
about @EU_Commission’s plans to call on telecoms to hand over data from people’s mobile phones in order to track&trace how the virus is spreading. pic.twitter.com/55kZo9bMhN
— Sophie in ‘t Veld (@SophieintVeld) March 25, 2020
The EDPS confirmed to us that the Commission consulted it on the proposed use of telco metadata.
A spokesman for the regulator pointed to a letter sent by Wiewiórowski to the Commission, following the latter’s request for guidance on monitoring the “spread” of COVID-19.
In the letter the EDPS impresses on the Commission the importance of “effective” data anonymization — which means it’s in effect saying a technique that does genuinely block re-identification of the data must be used. (There are plenty of examples of “anonymized” data being shown by researchers to be trivially easy to reidentify; while location data typically includes many easily identified individual tells, such as a home address and workplace address.)
“Effective anonymisation requires more than simply removing obvious identifiers such as phone numbers and IMEI numbers,” warns the EDPS, adding too that aggregated data “can provide an additional safeguard.”
We also asked the Commission for more details on how the data will be anonymized and the level of aggregation that would be used — but it told us it could not provide further information at this stage.
So far we understand that the anonymization and aggregation process will be undertaken before data is transferred by operators to a Commission science and research advisory body, called the Joint Research Centre (JRC) — which will perform the data analytics and modelling.
The results — in the form of predictions of propagation and so on — will then be shared by the Commission with EU Member States authorities. The datasets feeding the models will be stored on secure JRC servers.
The EDPS is equally clear on the Commission’s commitments vis-a-vis securing the data.
“Information security obligations under Commission Decision 2017/464 still apply [to anonymized data], as do confidentiality obligations under the Staff Regulations for any Commission staff processing the information. Should the Commission rely on third parties to process the information, these third parties have to apply equivalent security measures and be bound by strict confidentiality obligations and prohibitions on further use as well,” writes Wiewiórowski.
“I would also like to stress the importance of applying adequate measures to ensure the secure transmission of data from the telecom providers. It would also be preferable to limit access to the data to authorised experts in spatial epidemiology, data protection and data science.”
Data retention — or rather the need for prompt destruction of data sets after the emergency is over — is another key piece of the guidance.
“I also welcome that the data obtained from mobile operators would be deleted as soon as the current emergency comes to an end,” writes Wiewiórowski. “It should be also clear that these special services are deployed because of this specific crisis and are of temporary character. The EDPS often stresses that such developments usually do not contain the possibility to step back when the emergency is gone. I would like to stress that such solution should be still recognised as extraordinary.”
teresting to note the EDPS is very clear on “full transparency” also being a requirement, both of purpose and “procedure.” So we should expect more details to be released about how the data is being effectively rendered unidentifiable.
“Allow me to recall the importance of full transparency to the public on the purpose and procedure of the measures to be enacted,” writes Wiewiórowski. “I would also encourage you to keep your Data Protection Officer involved throughout the entire process to provide assurance that the data processed had indeed been effectively anonymised.”
The EDPS has also requested to see a copy of the data model. At the time of writing the spokesman told us it’s still waiting to receive that.
“The Commission should clearly define the dataset it wants to obtain and ensure transparency towards the public, to avoid any possible misunderstandings,” Wiewiórowski added in the letter.
Powered by WPeMatico
The maker of Magic: The Gathering has confirmed that a security lapse exposed the data on hundreds of thousands of game players.
The game’s developer, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. The database file contained user account information for the game’s online arena. But there was no password on the storage bucket, allowing anyone to access the files inside.
The bucket is not believed to have been exposed for long — since around early-September — but it was long enough for U.K. cybersecurity firm Fidus Information Security to find the database.
A review of the database file showed there were 452,634 players’ information, including about 470 email addresses associated with Wizards’ staff. The database included player names and usernames, email addresses, and the date and time of the account’s creation. The database also had user passwords, which were hashed and salted, making it difficult but not impossible to unscramble.
None of the data was encrypted. The accounts date back to at least 2012, according to our review of the data, but some of the more recent entries date back to mid-2018.
A formatted version of the database backup file, redacted, containing 452,000 user records. (Image: TechCrunch)
Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.
Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.”
“We removed the database file from our server and commenced an investigation to determine the scope of the incident,” he said. “We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” but the spokesperson did not provide any evidence for this claim.
“However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system,” he said.
Harriet Lester, Fidus’ director of research and development, said it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”
“Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It’s our small way of helping make the internet a safer place,” she told TechCrunch.
The game maker said it informed the U.K. data protection authorities about the exposure, in line with breach notification rules under Europe’s GDPR regulations. The U.K.’s Information Commissioner’s Office did not immediately return an email to confirm the disclosure.
Companies can be fined up to 4% of their annual turnover for GDPR violations.
Powered by WPeMatico
Europe’s competition commissioner Margrethe Vestager, set for a dual role in the next Commission, faced three hours of questions from members of four committees in the European Parliament this afternoon, as MEPs got their chance to interrogate her priorities for a broader legislative role that will shape pan-EU digital strategy for the next five years.
As we reported last month, Vestager is headed for an expanded role in the incoming European Commission with president-elect Ursula von der Leyen picking her as an executive VP overseeing a new portfolio called “Europe fit for the digital age.”
She is also set to retain her current job as competition commissioner. And a question she faced more than once during today’s hearing in front of MEPs, who have a confirming vote on her appointment, was whether the combined portfolio wasn’t at risk of a conflict of interest?
Or whether she “recognized the tension between objective competition enforcement and industrial policy interests in your portfolio,” as one MEP put it, before asking whether she would “build Chinese walls” within it to avoid crossing the streams of enforcement and policymaking.
Vestager responded by saying it was the first question she’d asked herself on being offered the role — before laying out flat reasoning that “the independence in law enforcement is non-negotiable.”
“It has always been true that the commissioner for competition has been part of the College. And every decision we take also in competition is a collegial decision,” she said. “What justifies that is of course that every decision is subject to not one but 2x legal scrutiny if need be. And the latest confirmation of this set up was two judgments in 2011 — where it was looked into whether this set up… is in accordance with our human rights and that has been found to be so. So the set up, as such, is as it should be.”
The commissioner and commissioner-designate responded capably to a wide range of questions reflecting the broad span of her new responsibilities — fielding questions on areas including digital taxation; platform power and regulation; a green new deal; AI and data ethics; digital skills and research; and small business regulation and funding, as well as queries around specific pieces of legislation (such as ePrivacy and Copyright Reform).
Climate change and digital transformation were singled out in her opening remarks as two of Europe’s biggest challenges — ones she said will require both joint working and a focus on fairness.
“Europe is filled with highly skilled people, we have excellent infrastructure, fair and effective laws. Our Single Market gives European businesses the room to grow and innovate, and be the best in the world at what they do,” she said at the top of her pitch to MEPs. “So my pledge is not to make Europe more like China, or America. My pledge is to help make Europe more like herself. To build on our own strengths and values, so our society is both strong and fair. For all Europeans.”
In her opening remarks Vestager said that if confirmed she will work to build trust in digital services — suggesting regulation on how companies collect, use and share data might be necessary to ensure people’s data is used for public good, rather than to concentrate market power.
It’s a suggestion that won’t have gone unnoticed in Silicon Valley.
“I will work on a Digital Services Act that includes upgrading our liability and safety rules for digital platforms, services and products,” she pledged. “We may also need to regulate the way that companies collect and use and share data — so it benefits the whole of our society.”
“As global competition gets tougher we’ll need to work harder to preserve a level playing field,” she also warned.
But asked directly during the hearing whether Europe’s response to platform power might include breaking up overbearing tech giants, Vestager signaled caution — saying such an intrusive intervention should only be used as a last resort, and that she has an obligation to try less drastic measures first. (It’s a position she’s set out before in public.)
“You’re right to say fines are not doing the trick and fines are not enough,” she said in response to one questioner on the topic. Another MEP complained fines on tech giants are essentially just seen as an “operating expense.”
Vestager went on to cite the Google AdSense antitrust case as an example of enforcement that hasn’t succeeded because it has failed to restore competition. “Some of the things that we will of course look into is do we need even stronger remedies for competition to pick up in these markets,” she said. “They stopped their behavior. That’s now two years ago. The market hasn’t picked up. So what do we do in those kind of cases? We have to consider remedies that are much more far reaching.
“Also before we reach for the very, very far reaching remedy to break up a company — we have that tool in our toolbox but obviously it is very far reaching… My obligation is to ensure that we do the least intrusive thing in order to make competition come back. And in that respect, obviously, I am willing to explore what do we need more, in competition cases, for competition to come back.”
Competition law enforcers in Europe will have to consider how to make sure rules enforce fair competition in what Vestager described as a “new phenomenon” of “competition for a market, not just in a market” — meaning that whoever wins the competition becomes “the de facto rule setter in this market.”
Regulating platforms on transparency and fairness is something on which European legislators have already agreed — earlier this year. Though that platform to business regulation has yet to come into force. “But it will also be a question for us as competition law enforcers,” Vestager told MEPs.
Making use of existing antitrust laws but doing so with greater speed and agility, rather than a drastic change of competition approach, appeared to be her main message — with the commissioner noting she’d recently dusted off interim measures in an ongoing case against chipmaker Broadcom; the first time such an application has been made for 20 years.
“It’s a good reflection of the fact that we find it a very high priority to speed up what we do,” she said, adding: “There’s a limit as to how fast law enforcement can work, because we will never compromise on due process — on the other hand we should be able to work as fast as possible.”
Her responses to MEPs on platform power favored greater regulation of digital markets (potentially including data), markets which have become dominated by data-gobbling platforms — rather than an abrupt smashing of the platforms themselves. So not an Elizabeth Warren “existential” threat to big tech, then, but from a platform point of view Vestager’s preferred approach might just sum to death by a thousand legal cuts.
“One of course could consider what kind of tools do we need?,” she opined, talking about market reorganization as a means of regulating platform power. “[There are] different ways of trying to re-organize a marketplace if the competition authority finds that the way it’s working is not beneficial for fair competition. And those are tools that can be considered in order to sort of re-organize before harm is done. Then you don’t punish because no infringement is found but you can give very direct almost orders… as to how a market should be organized.”
On artificial intelligence — which the current Commission has been working on developing a framework for ethical design and application — Vestager’s opening remarks contained a pledge to publish proposals for this framework — to “make sure artificial intelligence is used ethically, to support human decisions and not undermine them” — and to do so within her first 100 days in office.
That led one MEP to question whether it wasn’t too ambitious and hasty to rush to control a still emerging technology. “It is very ambitious,” she responded. “And one of the things that I think about a lot is of course if we want to build trust then you have to listen.
“You cannot just say I have a brilliant idea, I make it happen all over. You have to listen to people to figure out what would be the right approach here. Also because there is a balance. Because if you’re developing something new then — exactly as you say — you should be very careful not to over-regulate.
“For me, to fulfill these ambitions, obviously we need the feedback from the many, many businesses who have taken upon them to use the assessment list and the principles [recommended by the Commission’s HLEG on AI] of how to create AI you can trust. But I also think, to some degree, we have to listen fast. Because we have to talk with a lot of different people in order to get it right. But it is a reflection of the fact that we are in hurry. We really need to get our AI strategy off the ground and these proposals will be part of that.”
Europe could differentiate itself — and be “a world leader” — by developing “AI with a purpose,” Vestager suggested, pointing to potential applications for the tech such as in healthcare, transportation and combating climate change, which she said would also work to further European values.
“I don’t think that we can be world leaders without ethical guidelines,” she said of AI. “I think we will lose it if we just say no let’s do as they do in the rest of the world — let’s pool all the data from everyone, no matter where it comes from, and let’s just invest all our money. I think we will lose out because the AI you create because you want to serve humans. That’s a different sort of AI. This is AI with a purpose.”
On digital taxation — where Vestager will play a strategic role, working with other commissioners — she said her intention is to work toward trying to achieve global agreement on reforming rules to take account of how data and profits flow across borders. But if that’s not possible she said Europe is prepared to act alone — and quickly — by the end of 2020.
“Surprising things can happen,” she said, discussing the challenge of achieving even an EU-wide consensus on tax reform, and noting how many pieces of tax legislation have already been passed in the European Council by unanimity. “So it’s not undoable. The problem is we have a couple of very important pieces of legislation that have not been passed.
“I’m still kind of hopeful in the working way that we can get a global agreement on digital taxation. If that is not the case, obviously we will table and push for a European solution. And I admire the Member States who’ve said we want a European or global solution, but if that isn’t to be we’re willing to do that by ourselves in order to be able to answer to all the businesses who pay their taxes.”
Vestager also signaled support for exploring the possibility of amending Article 116 of the Treaty on the Functioning of the EU, which relates to competition-based distortion of the internal market, in order to enable tax reform to be passed by a qualified majority, instead of unanimously — as a potential strategy for getting past the EU’s own current blocks to tax reform.
“I think definitely we should start exploring what would that entail,” she said in response to a follow-up question. “I don’t think it’s a given that it would be successful, but it’s important that we take the different tools that the treaty gives us and use these tools if need be.”
During the hearing she also advocated for a more strategic use of public procurement by the EU and Member States — to push for more funding to go into digital research and business innovation that benefits common interests and priorities.
“It means working together with Member States on important projects of common European interest. We will bring together entire value chains, from universities, suppliers, manufacturers all the way to those who recycle the raw material that is used in manufacturing,” she said.
“Public procurement in Europe is… a lot of money,” she added. “And if we also use that to ask for solutions well then we can have also maybe smaller businesses to say I can actually do that. So we can make an artificial intelligence strategy that will push in all different sectors of society.”
She also argued that Europe’s industrial strategy needs to reach beyond its own Single Market — signaling a tougher approach to market access to those outside the bloc.
And implying she might favor less of a free-for-all when it comes to access to publicly funded data — if the value it contains risks further entrenching already data-rich, market-dominating giants at the expense of smaller local players.
“As we get more and more interconnected, we are more dependent and affected by decisions made by others. Europe is the biggest trading partner of some 80 countries, including China and the U.S. So we are in a strong position to work for a level global playing field. This includes pursuing our proposal to reform the World Trade Organization. It includes giving ourselves the right tools to make sure that foreign state ownership and subsidies do not undermine fair competition in Europe,” she said.
“We have to figure out what constitutes market power,” she went on, discussing how capacity to collect data can influence market position, regardless of whether it’s directly linked to revenue. “We will expand our insights as to how this works. We have learned a lot from some of the merger cases that we have been doing to see how data can work as an asset for innovation but also as a barrier to entry. Because if you don’t have the right data it’s very difficult to produce the services that people are actually asking for. And that becomes increasingly critical when it comes to AI. Because once you have it then you can do even more.
“I think we have to discuss what we do with all the amazing publicly funded data that we make available. It’s not to be overly biblical but we shouldn’t end up in a situation where ‘those who have shall more be given.’ If you have a lot already then you also have the capabilities and the technical insight to make very good use of it. And we do have amazing data in Europe. Just think about what can be assessed in our supercomputers… they are world-class… And second when it comes to both [EU sat-nav] Galileo and [earth observation program] Copernicus. Also here data is available. Which is an excellent thing for the farmer doing precision farming and saving in pesticides and seeds and all of that. But are really happy that we also make it available for those who could actually pay for it themselves?
“I think that is a discussion that we will have to have — to make sure that not just the big ones keep taking for themselves but the smaller ones having a fair chance.”
During the hearing Vestager was also asked whether she supported the controversial EU copyright reform.
She said she supports the “compromise” achieved — arguing that the legislation is important to ensure artists are rewarded for the work they do — but stressed that it will be important for the incoming Commission to ensure Member States’ implementations are “coherent” and that fragmentation is avoided.
She also warned against the risk of the same “divisive” debates being reopened afresh, via other pieces of legislation.
“I think now that the copyright issue has been settled it shouldn’t be reopened in the area of the Digital Services Act,” she said. “I think it’s important to be very careful not to do that because then we would lose speed again when it comes to actually making sure there is remuneration for those who hold copyright.”
Asked in a follow-up question how, as the directive gets implemented by EU Member States, she will ensure freedom of speech is protected from upload filter technologies — which is what critics of the copyright reform argue the law effectively demands that platforms deploy — Vestager hedged, saying: “[It] will take a lot of discussions and back and forth between Member States and Commission, probably. Also this parliament will follow this very closely. To make sure that we get an implementation in Member States that are similar.”
“One has to be very careful,” she added. “Some of the discussions that we had during the adoption of the copyright directive will come back. Because these are crucial debates. Because it’s a debate between the freedom of speech and actually protecting people who have rights. Which is completely justified… Just as we have fundamental values we also have fundamental discussions because it’s always a balancing act how to get this right.”
The commissioner also voiced support for passing the ePrivacy Regulation. “It will be high priority to make sure that we’re able to pass that,” she told MEPs, dubbing the reform an important building block.
“One of the things I hope is that we don’t just always decentralize to the individual citizens,” she added. “Now you have rights, now you just go and force them. Because I know I have rights but one of my frustrations is how to enforce them? Because I am to read page after page after page and if I’m not tired and just forget about it then I sign up anyway. And that doesn’t really make sense. We still have to do more for people to feel empowered to protect themselves.”
She was also asked for her views on adtech-driven microtargeting — as a conduit for disinformation campaigns and political interference — and more broadly as so-called “surveillance capitalism.” “Are you willing to tackle adtech-driven business models as a whole?,” she was asked by one MEP. “Are you willing to take certain data exploitation practices like microtargeting completely off the table?”
Hesitating slightly before answering, Vestager said: “One of the things I have learned from surveillance capitalism and these ideas is it’s not you searching Google it is Google searching you. And that gives a very good idea about not only what you want to buy but also what you think. So we have indeed a lot to do. I am in complete agreement with what has been done so far — because we needed to do something fast. So the Code of Practice [on disinformation] is a very good start to make sure that we get things right… So I think we have a lot to build on.
“I don’t know yet what should be the details of the Digital Services Act. And I think it’s very important that we make the most of what we have since we’re in a hurry. Also to take stock of what I would call digital citizens’ rights — the GDPR [General Data Protection Regulation] — that we can have national authorities enforce that in full, and hopefully also to have a market response so that we have privacy by design and being able to choose that. Because I think it’s very important that we also get a market response to say, well, you can actually do things in a very different way than just to allow yourself to feel forced to sign up to whatever terms and conditions that are put in front of you.
“I myself find it very thought-provoking if you have the time just once in a while to read the T&Cs now when they are obliged, thanks to this parliament, to write in a way that you can actually understand that makes it even more scary. And very often it just makes me think, thanks but no thanks. And that of course is the other side of that coin. Yes, regulation. But also us as citizens to be much more aware of what kind of life we want to live and what kind of democracy we want to have. Because it cannot just be digital. Then I think we will lose it.”
In her own plea to MEPs, Vestager urged them to pass the budget so that the Commission can get on with all the pressing tasks in front of it. “We have proposed that we increase our investments quite a lot in order to be able to do all this kind of stuff,” she said.
“First things first, I’m sorry to say this, we need the money. We need funding. We need the programs. We need to be able to do something so that people can see that businesses can use funds to invest in innovation, so that researchers can make their networks work all over Europe. That they get the funding actually to get there. And in that respect I hope that you will help push for the multi-annual financial framework to be in place. I don’t think that Europeans have any patience for us when it comes to these different things that we would like to be real. That is now, that is here.”
Powered by WPeMatico
The unchecked digital land grab for consumers’ personal data that has been going on for more than a decade is coming to an end, and the dominoes have begun to fall when it comes to the regulation of consumer privacy and data security.
We’re witnessing the beginning of a sweeping upheaval in how companies are allowed to obtain, process, manage, use and sell consumer data, and the implications for the digital ad competitive landscape are massive.
On the backdrop of evolving privacy expectations and requirements, we’re seeing the rise of a new class of digital advertising player: consumer-facing apps and commerce platforms. These commerce companies are emerging as the most likely beneficiaries of this new regulatory privacy landscape — and we’re not just talking about e-commerce giants like Amazon.
Traditional commerce companies like eBay, Target and Walmart have publicly spoken about advertising as a major focus area for growth, but even companies like Starbucks and Uber have an edge in consumer data consent and, thus, an edge over incumbent media players in the fight for ad revenues.
Image via Getty Images / alashi
By now, most executives, investors and entrepreneurs are aware of the growing acronym soup of privacy regulation, the two most prominent ingredients being the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act).
Powered by WPeMatico