Data Privacy: What you need to know about privacy, from compliance to ethics

Digital Intelligence Solutions

Aurélie Pols & Samia Abara, June 2



OUR AGENDA

› Introduction
› Privacy in the news
› Privacy foundations
› Friction might be causing opportunity
› A tool that works for your business
› Q&A


INTRODUCTION


YOUR DATA PRIVACY DREAM TEAM

Samia Abara-Basly, Product Evangelist, AT Internet

Aurélie Pols, Data Privacy Expert & Advocate

With 9+ years of experience in digital analytics, Samia has guided some of AT Internet’s largest accounts (Vente Privée, Rue du Commerce, Carrefour, etc.) and created the AT Insight department dedicated to data exploitation and optimisation. Today she acts as AT Internet’s Product Evangelist.

Aurélie designs Data Privacy best practices: documenting data flows in order to limit Privacy backlashes, minimizing risk related to ever-increasing data uses while solving for data quality. She recently joined leading DMP Krux Digital Inc. as Data Governance and Privacy Advocate while also being part of the European Data Protection Supervisor’s Ethics Advisory Group.


AT INTERNET & DATA PRIVACY

› Data is multiplying, coming from everywhere. Our lives are increasingly digital!

› We understand the need for rich data to drive business opportunity…

› … But we also get the absolute need to respect user privacy

› An independent player with European roots: we take a stringent approach to privacy

› Hear it from an expert: how should you be viewing and approaching privacy matters?

DATA IS THE HEART OF WHAT WE DO


DATA PRIVACY: THE NEW ERA

Digital Ads & Targeting: online advertising surpasses TV to record annual spend of €36.2bn

Data load: 2.5 quintillion bytes of data are created every day

Perpetually connected consumer: 3 connected devices used per person in 2014

9h53m is the average time spent by US adults on connected screens every day.

Sources: IAB (2016), IBM (2014), Statista (US, 2014), eMarketer (US, 2015)


DATA PRIVACY: THE NEW ERA

The scandalous revelations of Edward Snowden have exacerbated the need for transparency and data protection related to privacy.

The French DPA recommends AT INTERNET for its compliance with cookie regulations


DATA PRIVACY: THE PARADOX

65% of consumers do not have confidence in the security of their personal data.

67% are willing to share personal data in exchange for additional services.

Source: Accenture


PRIVACY IN THE NEWS: YOU’D BE SURPRISED!


RANDOM SAMPLE OF GLOBAL PRIVACY NEWS: WHICH MIGHT HAVE CONSEQUENCES, OR NOT

› Remember Ashley Madison and the data breach?
  › The breached data is not admissible in court. How’s that for legal irony?
› How about global Privacy legislation?
  › Do you think the UN could play a role?
› Do you think an exam should be considered personal data?
  › It’s what is in front of the European Court of Justice, also touching upon data ownership…
› Do you think blocking AdBlockers is illegal, according to (the 2nd revision of) the ePrivacy Directive?
  › The EU Commission might seem to…


OLD AND NEW EU PRIVACY RULES

STABLE EU PRIVACY LEGISLATION

Safe Harbor for international transfers of personal data

EU Data Protection Directive (95/46/EC) regulates personal data within the EU

EU ePrivacy Directive* on Privacy & Electronic Communication – think cookies!

* (2002/58/EC amended by 2006/24/EC & 2009/136/EC)

FUTURE EU PRIVACY LEGISLATION

Privacy Shield: strong enough?

EU General Data Protection Regulation (GDPR) strengthens & unifies data protection for EU citizens

Revision of the ePrivacy Directive: Regulation? Confidentiality for all communications (Skype, WhatsApp, …) + strengthen consent rules?

May 25 2018


PRIVACY FOUNDATIONS: MAKING SURE WE ALL KNOW WHAT THIS IS ABOUT


PRIVACY ACTORS: WHO ARE YOU WITHIN THE DATA ECOSYSTEM? WHO ARE YOU REPRESENTING?

DATA ECOSYSTEM

› Citizens, Consumers, Voters
› Authorities: decide the law & enforce it
› Companies, Businesses


WHAT PRIVACY IS REALLY ABOUT

B-A-L-A-N-C-E: INTERLOCKING LIABILITIES THROUGH CONTRACTS AND FEATURES

› If it’s the easy thing to do and the right thing to do, let’s do it
› All others will require a carrot


IN ORDER TO PREVENT HARM

› Laws on cyberstalking
  › Issue if you were in the wrong state, just like GDPR
› Laws on cyberbullying
  › Education? Parental responsibility
› Responsibilities related to data protection & security to avoid identity theft
› Discrimination in behavioural targeting
  › “Anti-Choice Groups Use Smartphone Surveillance to Target ‘Abortion-Minded Women’ During Clinic Visits”
› Uber & non employees => jobless economies
› Platforms: capital vs. job related (Mechanical Turk)

PRIVACY IS ABOUT PEOPLE: HOW USES OF THEIR DATA COULD INFLUENCE THEIR LIVES


DATA IS TRANSFORMING OUR VERY LIVES

PRESERVATION OF HUMAN DIGNITY IS AT STAKE


FRICTION MIGHT BE CAUSING OPPORTUNITY: DO NOT TRY TO DEFINE PERSONALLY IDENTIFIABLE INFORMATION (PII) OR PERSONAL DATA


PRIVACY LAWS ACROSS THE GLOBE: US PERSONALLY IDENTIFIABLE INFORMATION (PII) VS. EU PERSONAL DATA


DATA TYPES & THE LAW: OBLIGATIONS VARY

General Data Protection Regulation (GDPR) - May 25 2018


TENSION BETWEEN US PII & EU PERSONAL DATA

Personally Identifiable Information (PII)
Based on the definition commonly used by most US States

1. Name, such as full names, maiden name, mother’s maiden name, or alias;
2. Personal identification #: social security # (SSN), passport #, driver’s license #, account and credit card #;
3. Address information: street address or email;
4. Asset information: Internet Protocol (IP) or Media Access Control (MAC);
5. Phone #, including mobile, business and personal.

Information identifying personally owned property such as vehicle registration # or title # and related information.

Personal Data
Directive 95/46/EC, the Data Protection Directive

“Personal data shall mean any information relating to an individual or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular or by reference to an identification number or to one or more factors specific to his physical, mental, economic, cultural or social identity”


DE-IDENTIFICATION IS A COMPLIANCE EXERCISE

From Shades of Grey: Seeing the full spectrum of Practical Data De-Identification by Jules Polonetsky, Omer Tene & Kelsey Finch, April 1st 2016, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2757709


IDENTIFICATION CAPABILITY IS A TRUST ISSUE

From Data Privacy: Understanding Privacy principles and ensuring compliance of your digital activities by Aurélie Pols for AT Internet, May 2016


DIGITAL ETHICS

› Move beyond compliance
  › Layer approach for data driven companies
› Promise to your clients: TRUST
  › Bare minimum: Compliance!

ETHICS | VALUE / ETHICS | Respect individuals | Corporate Social Responsibility

PROCESS | RISK | Do not harm | Standard Operating Procedure

LAW | COMPLIANCE | Don’t hit people! | Legislation


HAND OUT FOR YOUR DATA TEAM

I shall remember data are not only numbers but actual people, who could be harmed by my work;

I shall treat data that might identify individuals with the utmost care, which includes respect for their dignity, avoiding discrimination, as well as security best practices;

I will not do to personal data what I wouldn’t find acceptable for data related to my family, friends, loved ones or myself;

I understand personal data, PII &/or sensitive data is context based and often difficult to identify. In case of doubt, I will ask for help or escalate in order to take the appropriate measures;

I understand data about individuals needs to travel with the initial purpose of the data – the reason why it exists – & their respective consent mechanisms;

a) I will never use data without knowing where it comes from, its purpose and consent mechanisms (see Quién es la Última Principle);

b) I will never sell non consented data about individuals;

c) If I sell consented data, it will be accompanied by purpose. Up to the buyer to define whether subsequent data uses are aligned.

I understand consent might be revoked and a Right to be Forgotten – i.e. deletion – could be requested, that might need to be applied;

I shall align security protocols with how personal &/or sensitive the data is;

I will keep track of and document the data used in order to minimize risk related to data uses.

ETHICS OF THE DATA ANALYST


FROM COMPLIANCE TO ETHICAL DATA USES

MOVING BEYOND COMPLIANCE IS THE SOLUTION

Ethics Competing on Privacy Risk Compliance


A TOOL THAT WORKS FOR YOUR BUSINESS: ALIGNING TO YOUR ETHICAL DATA CHOICES


DIGITAL ANALYTICS & DATA PRIVACY


DIGITAL ANALYTICS & DATA PRIVACY: WHAT YOU NEED TO WATCH OUT FOR

› Digital analytics has evolved into a process of Digital Intelligence gathering as true data-driven decisions can only be achieved through guided and knowledgeable synchronization of collected data

› It’s fundamental to ensure that this collected data is ‘clean’ so that it can be properly exploited in full legal compliance

› Finding a trustworthy digital analytics partner able to balance legal risk with economic data opportunities can be a challenge

› Partner(s) of this transformation journey must…

› BE COMMITTED TO DATA PRIVACY by understanding & respecting the Privacy challenges faced today and in the future

› ENSURE FLEXIBILITY in order to find new, effective ways of working for and with their clients

› BE RESPONSIVE, RELIABLE & TRANSPARENT

› BE INDEPENDENT in the sense that data shouldn't be the provider’s revenue source

› GUARANTEE DATA OWNERSHIP TO CLIENTS who should always maintain full control of all data collected


AT INTERNET & DATA PRIVACY

› AT Internet clients enjoy functional as well as specialised consultancy support related to Data Privacy best practices & legislation

› CNIL / COOKIE EXEMPTION
  › In December 2013, the CNIL published a recommendation called the Cookie Directive
  › After the publication, AT Internet and the CNIL negotiated an agreement permitting AT Internet to offer an exempted audience measurement solution, available in France since 2015.29
  › It has uniquely come to an understanding regarding consent exemption: marketers in France are exempt from obtaining users’ consent when using AT Internet’s exempted solution

› TÜV SAARLAND CERTIFICATION
  › This renowned independent certification organization has awarded its TÜV certification to AT Internet GmbH (the German subsidiary of AT Internet), recognizing that the data collection and processing procedures associated with AT Internet’s solution conform to data protection and security standards.

› DATA HOSTED in EU
  › The collection and hosting in its proprietary servers in France

BEST IN CLASS / FUNCTIONAL


AT INTERNET & DATA PRIVACY

› USER COMMUNICATION (UX + legal)
  › Which cases require consent / How to best word consent requirements to ensure optimal results (either opt-in or opt-out, depending upon preliminary analysis)

› DATA RETENTION PERIODS
  › Detailed as aggregated data / Cookie duration to assure optimal data quality

› SECURITY FOR DATA IMPORTS OF 3RD PARTY DATA
  › When data is aggregated from, or shared with 3rd party data sources only upon customer’s request

› CHANNEL MEASUREMENT AND ATTRIBUTION
  › Mainly related to customer feelings of “creepiness”

› IP ADDRESS ANONYMISATION, ENCRYPTION AND DELETION

› GEOLOCATION AND GPS COORDINATES

› OPT-OUT METHODS
  › Ensure consumer choices are respected and the consent trail is not lost / Opt-out for mobile applications through a specific SDK

BEST IN CLASS / CONSULTING


AT INTERNET & DATA PRIVACY: BEST IN CLASS


DATA PRIVACY WHITE PAPER: DOWNLOAD OUR WHITEPAPER AND CONTINUE THE CONVERSATION

› Data Privacy: Understanding privacy principles and ensuring compliance by Aurélie Pols for AT Internet, May 2016

Including:

› A 5-step process for minimizing data risk
› Best practices for applying Privacy principles to your operations
› A checklist to minimize data risk of your digital tools
› Privacy glossary


Aurelie

Samia

THANK YOU!