Privacy by Design (PbD) Connecting the dots between legal and technology by Advocate Alon Saposhnik and Initech Software Services Ltd, November, 2016



Main players

● “Data Subject” - an individual who is the subject of personal data.

● “Personal data” - any information relating to an identified or identifiable natural person

● “Sensitive data” (according to the Israeli Privacy Laws) - includes “details concerning an individual’s personality, intimate relations, health condition, financial condition, opinions and religious belief”.

● “Controller” - the entity that determines the purposes and means of processing personal data and is responsible for compliance with the data protection regulations.

● “Processor” - an entity that only processes personal data on behalf of the controller and according to its instructions.

● “Regulator” - the Data Protection Authority (e.g., ILITA in Israel, the UK Information Commissioner’s Office, etc.)


Guiding principles of PBD (Privacy by Design)

1. Proactive not reactive; preventative not remedial

2. Privacy as the Default

3. Privacy Embedded into Design.

4. Full Functionality; Positive-Sum not Zero-Sum.

5. End-to-End Lifecycle Protection.

6. Visibility and Transparency.

7. Respect for User Privacy


Who’s affected?

● Developers

● Companies using third party apps / software / hosting as a part of their product / service

● Data Controllers

● Data Processors

● Others?


Implementation - legal considerations

1. Infrastructure providers located outside the EU: do they comply with EU privacy regulations, or do they offer to sign the EU Model Clauses (or a Data Processing Addendum)?

2. Service providers located outside the EU (marketing, R&D): sign the Model Clauses when transferring personal data abroad.

3. NDA agreements with employees and service providers to ensure privacy compliance.

4. Information security: obtain an ISO certification (e.g., ISO/IEC 27001) when working with global companies.


Implementation - applicative considerations

1. Privacy Policies

2. The Israeli Privacy Law requires registration of certain databases with the Database Registrar

3. Data Protection Certification - for demonstrating compliance with the Data Protection Regulation by controllers and processors

4. Conduct Privacy Impact Assessment

5. Internal Training Programs

6. Presence of Privacy Specialist in early stages of product development

7. Privacy-protective default settings in products

8. Contractual Mechanism with third parties


Implementation - examples

● Privacy policy + confirmation for designated actions (account creation, etc.)

● Newsletters / promotion correspondence establish an opt-in mechanism according to Privacy law and the Anti-Spam Law requirements

● Infrastructure for personal data retrieval and erasure (blacklisting erased data to be filtered out during recovery from backups)

● Back office with multiple levels of access to Personal data of Users (each role has access only to need-to-know data + protocols of handling data)

● Hosting location selection - EU or approved location by EU (Israel is approved)

● Managing the list of 3rd parties that receive access to User’s personal data (including appropriate permissions model).

● Implement contractual mechanisms with 3’rd parties (e.g, Data Processing agreement)


Typical privacy issues in mobile / web applications

● Collecting unnecessary sensitive data during sign-up

● Failing to obtain consent to the TOS and to receiving e-mails during sign-up (Privacy and Anti-Spam Laws)

● Choosing a data centre in the USA without considering the rules on transferring data outside the EU

● Unintentional exposure of sensitive data through third-party integrations (e.g., collecting personal data via Messenger exposes it to Facebook)

● Development / testing environments replicated from production data without obfuscating personal data

● Personnel reaching sensitive data through direct database access rather than through the role-restricted back office
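The "replicated from production without obfuscating personal data" issue is the one a developer can fix with a few lines in the export pipeline. The block below is an added example (not code from the original deck or its authors) of masking a production export before it is copied to dev/test: every column has an explicit rule (keep, pseudonymise, generalise), identifiers are replaced by consistent HMAC pseudonyms so joins between tables still work, and any column without a rule is dropped, so a newly added PII column (the `notes` field here) cannot leak by default. `MASK_KEY`, the `POLICY` table and the sample export are assumptions constructed for the example; the secret stays on the production side and is never handed to the test environment.

```python
"""Pseudonymising a production export for dev/test (added example, not from the deck)."""
import hashlib
import hmac
import json

# Assumed per-environment secret; held only by the export job, never by dev/test.
MASK_KEY = b"example-mask-key-not-shared-with-dev"


def pseudonym(value: str, label: str) -> str:
    """Deterministic, irreversible token for a value within a column family."""
    digest = hmac.new(MASK_KEY, f"{label}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{label}_{digest[:16]}"


def mask_email(value: str) -> str:
    # Synthetic address on a reserved test domain; nothing of the original survives.
    return f"{pseudonym(value, 'mail')}@example.test"


def mask_ip(value: str) -> str:
    # Generalise IPv4 to its /24 so traffic patterns survive but the host does not.
    parts = value.split(".")
    return ".".join(parts[:3] + ["0"]) if len(parts) == 4 else "0.0.0.0"


def mask_birthdate(value: str) -> str:
    return value[:4] + "-01-01"  # keep the year only (health/age is sensitive data)


# Column policy per table: "keep", a masking function, or absent (= drop the column).
POLICY = {
    "users": {
        "id": lambda v: pseudonym(v, "user"),
        "email": mask_email,
        "plan": "keep",
        "birthdate": mask_birthdate,
    },
    "events": {
        "user_id": lambda v: pseudonym(v, "user"),  # same label as users.id: joins still work
        "type": "keep",
        "ip": mask_ip,
        "ts": "keep",
    },
}


def mask_row(table: str, row: dict) -> dict:
    """Apply the table's policy; columns with no rule are dropped (fail closed)."""
    rules = POLICY[table]
    out = {}
    for col, val in row.items():
        rule = rules.get(col)
        if rule is None:
            continue
        if rule == "keep":
            out[col] = val
        elif val is None:
            out[col] = None
        else:
            out[col] = rule(str(val))
    return out


def mask_export(export: dict) -> dict:
    return {table: [mask_row(table, r) for r in rows] for table, rows in export.items()}


# Constructed sample production export (fictional data).
PRODUCTION = {
    "users": [
        {"id": "42", "email": "alice@example.com", "plan": "pro",
         "birthdate": "1984-06-30", "notes": "diabetic, prefers phone calls"},
    ],
    "events": [
        {"user_id": "42", "type": "login", "ip": "203.0.113.9", "ts": "2016-11-03T10:00:00Z"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(mask_export(PRODUCTION), indent=2))
```

Because the pseudonyms are keyed, the dev/test copy cannot be joined back to production by hashing the real ids, and rotating `MASK_KEY` invalidates all older test copies at once, which is the behaviour you want when a test database is lost.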


Implementation - takeouts and challenges for PBD

● Big advantage for EU / Israel-based providers

● High risk in working with providers based outside the EU, in places such as Eastern Europe / Asia (Belarus, Ukraine, India, China, Russia), where EU privacy regulations do not apply and are therefore impossible to enforce

● Which criteria should we implement as the minimum default for privacy by design?

● How do we raise privacy awareness during the development phase of new products?

● At what stage should we involve a privacy specialist?


Case studies of privacy lawsuits - in Israel

● Local Israeli app (Sync.Me): was ordered by the regulator to erase all personal data that had been illegally collected on users. Its activity in Israel has been stopped.

● Data Rings (seller of databases): was ordered by a court to erase all personal data that had been collected on individuals. Clients of the company who had gained access to the data were ordered to do the same.

● An Israeli company (undisclosed) was fined 177,000 NIS for illegal commercial use of personal data that had been collected on individuals.


Case studies of privacy lawsuits - abroad

● The Hamburg regulator has ordered Facebook to halt its unlawful collection and storage of data belonging to 35 million German WhatsApp users. The Commissioner has also ordered Facebook to delete any data it has already collected from WhatsApp.

● £40,000 fine for healthcare organization that failed to protect patient's personal data: a general practitioner clinic that revealed confidential details about a woman and her family to her estranged ex-partner was fined £40,000 by the Information Commissioner.

● An EU lawmaker is calling for the European Commission to investigate dating app Tinder for potential breaches of European data protection rules, because it uses personal data without explicit consent.

● The CNIL has issued an order giving Microsoft three months to make changes to its operating system in line with French data protection law. According to the CNIL, Windows Store collects user data on all downloaded applications without user consent or even awareness, monitoring the time spent on each app. Windows 10 also automatically installs an advertising identifier, enabling Microsoft to monitor users' browsing to offer targeted ads. The CNIL will only consider fining the company if it fails to make changes.

● Intelligent Lending, trading as Ocean Finance, was fined by the UK regulator after it sent seven million texts offering a new credit card powered by a major lender.


Thank you for listening!

For technical questions: [email protected]

For legal questions: [email protected]