Event Recording

EU Privacy Regulation


The proposed new data protection regulation aims at European data protection standards which are better harmonized than the current legislation and also suit the technical standards in times of transformation. A unified data protection Regulation that is directly applicable as part of the EU’s Digital Single Market shall make it easier for all parties to understand what their rights and obligations are and what compliance risks they need to manage. One of the main changes foresees that EU data protection law is valid whenever the European market is targeted, whether from within or outside of the EU. Amongst other regulatory novelties, strict enforcement and data protection by design will mean a truly new data protection environment.

A very warm welcome to our second day of trying to find out what risk is all about. We're gonna start today with a perspective on the EU privacy legislation that is going to change very soon. Some of you might have seen a keynote yesterday of Quan and myself, introducing major thoughts on that, and part of it was about the impact on businesses that there might be. So today we're gonna go a bit deeper into that, starting right there with first an introductory part of my colleague, fellow analyst, analyst at KuppingerCole, Scott David, introducing like a world overview. Someone said that's a pretty large approach; however, we're gonna see if you're gonna stick up to that, how global that's gonna be. After that, we are gonna go a bit more into the pillars of the upcoming regulation. And we have, I think, excellent speakers here, starting with RH Davis, partner of DSC
Beachcraft from London, introducing the privacy impact assessment. That's a strictly legal issue that's introduced by the European Commission, and before, and already today, it's part of the UK privacy legislation. So it's a very UK-driven issue. That's why Renna is gonna take that up. Thanks for being here today. After that it's gonna be Quan Hon's turn; she's here from the Queen Mary University of London with various hats on. You're gonna take the chance to introduce yourself a bit further maybe, and after your keynote together, in which you introduced already some major pillars, today you'll have a chance to introduce us more to the progress of legislation, but majorly focusing in your part on seals, on the code of conduct and issues of certification that are going to be part of that upcoming legislation. And third, we are very happy to have Andrew Luman from Dell Software here, who will introduce us to his perspective on privacy by design, which again is something that for sure must be assured not only by software-producing entities, but also by the market using software. So again, that's a legal issue. Upcoming privacy by design is a must-have in the future, according to that legislation. So welcome everyone. Thanks for being here and everyone enjoy.
Thank you, Carson. So I just wanted to take seven minutes and 35 seconds to talk about the introduction, kind of the area, and as Carson observed. And if you could put up the slides, please. As Carson observed, this is a big subject globally, but if you recall the keynote earlier, we had the entire universe. So we're bringing it down to a much smaller scope. Do you have the slides?
There we go. Oh, no. The one that I sent earlier, the other said, not that KuppingerCole said the one that I sent before for the first 10 minutes. So what I wanna talk about as they're putting up the slides is the notion of really understanding what the law can do for us. Usually the lawyers are called in and it's a cost center and it's a hassle. And you don't really want to deal with the lawyers because they tell you things that you wanna do that you can't; you wanna do them, but they tell you why you can't do them. There we go. But here, one of the things that is happening is law really is an enabler. And if you think about the financial markets, you think about intellectual property, the value is in the legal enforceability. They're intangibles.
And I wanna talk about that a little bit. So you can start to understand how law can actually help in your R and D cycling and really help you understand what the parameters are. Just like laws of physics, there's laws that are external to your products. And they influence what the products look like and how well they perform. So the one fundamental issue is everyone talks about data rights, but data rights are a nullity without data duties. We have to establish duties in order to form the rights so that we understand them. If I say I have the right to something, and none of you recognizes it, it's a nullity, it doesn't exist. If you act in conformance with my interest, my rights, you have duties, then that makes my rights come alive. That's a very important concept. So the first question is where are the people in this?
And if you saw my keynote the other day, you saw this Paul Baran diagram, where it was the idea that the internet is the right-hand diagram. We have distributed nodes. All the dots are in the same positions in all three of those diagrams. It's just they're connected differently by different edges. And fundamentally what we need to do, the internet is the right-hand diagram. We need to recruit all those dots and figure out how do we get those dots working in a coordinated fashion so that when you release a product out into the world, which is now the dots, it's no longer that left-hand diagram, then how can we have a predictable experience and reliable experience and make some money off it, if you're a company. So what I wanted to, I'm not gonna read the slides, but the other day some people said I talk too quickly, and I understand why that would be, language differences, et cetera.
And I'm from New York originally. So the slides are there for you to read. And I'm just gonna talk a little bit on the slides. But the bottom line is that intangibles don't exist anywhere. Where is copyright in this room? Where's patent, where is it? Point to it? It doesn't exist. So when we're talking about intangibles, how do we describe where they are? They're everywhere and they're nowhere at the same time. So the way they exist is because the contracts and laws create a choreography of duties. I wanna talk a little bit about that and think about that. When you think about your customers, your supply chain, et cetera, how do you get that choreography? How do you get them to do the dance that you're trying to describe when you're doing R and D on your products? Essentially, you're doing choreography. So where are the intangibles?
As I said, they're very slippery. They're valuable, but they don't have substance. They're non-rivalrous, which means that you and I, look, right in this room right now, a number of people are enjoying the copyright in their materials that are carried on their devices at the same time, with no interference to each other. So how do you protect something that's everywhere and nowhere at the same time using fences, dogs? How do you do that? It creates a feeling of risk. You don't know where's the edge. I wanna know where's the fence. Where's the border? Where's the boundary? Well, the problem is that hackers are bad dancers. They don't really dance to your choreography, right? You have three sources of risk out there: force majeure, which is basically acts of God, as they're called in legal context, which means hurricanes, earthquakes, things like that. You have accidents, which happen through negligence.
Somebody doesn't act in conformance with a rule, and then you have attack. We focus on attack very often, but some of the scenarios are similar in all three of those situations that can bring your system down, how to get the system back up. So those are things to think about, and you don't want to exacerbate and make worse the risk by not being prepared. The second-order risk is lack of preparation. You can't stop an earthquake, but you're gonna respond better or worse to it. So we want to create some choreography. Well, the problem is that the internet is global, right? It's been deployed all over the earth, but the laws and the cultures are not. So you see the different kinds of dance here. Those are all very fine dances in the context in which they're developed.
But people may not think of them as aesthetically pleasing when they go to another area. So the law is local, just like dance. So what's happening is we used to sell to customers. And now essentially it's a change. We're recruiting customers, not just as the idea of a good customer relationship so you can keep selling 'em stuff, but they're also part of your system. If they don't perform in accordance with the dance, the choreography, the duties, your system has problems. Now they may be hackers. They may just be bad users, whatever. But the idea is you need both tools and rules. You need to take care. How do you make the people reliable in your system and the technology? And there's different techniques. So for tools, we know how to make tools reliable. You do technical specifications.
So if we have a technical specification and you build to it in Germany, and I build to it in the United States, and someone else builds to it in China, if we're sufficiently conformant with the spec and there's sufficient metrics, we're gonna have a system that interoperates; we don't even ever have to meet each other. Right? The technical specification is our common language. Well, the challenge is we make tools interoperable through conformity to technology, but we don't make people interoperable through conformity to technology. We make people interoperable through conformity to rules. So the dancers there, they have the choreography and they're all dancing to it. And they form something larger as a result of that. And similarly, what we need is among your employees, customers, and suppliers, they need to understand what's the dance of duties that they need to engage in, in order for the IP, the new kind of property here, or not property necessarily, but new kind of value, to perform as it's expected.
Now, as Ian said the other day when he was talking about it, don't confuse your employees and your customers; they're not the same dances. You have to have one dance routine for your employees, one dance routine for your customers, one dance routine for your suppliers, but then the larger performance, they need to come together. So these are different qualities of legal specifications. You know, we have some that come from legislation, and we're gonna talk about in the first session the things that come from government authority. Well, they're a little different: they're compulsory, they're bound to jurisdictions, right? European law doesn't yet apply in the United States, although there is some stretching going on there with the fines that are proposed. And then other qualities here: contracts is different. You don't have to wait for legislative processes. They're voluntary. It's not bound to a jurisdiction.
Most of my legal practice was international contract. We were essentially creating bridges between jurisdictions. Think about the New York Stock Exchange, London Stock Exchange, Tokyo Stock Exchange. They're all conformant with local law, but they're bound together with contracts. They're not bound together by the laws of any one country, but obviously there's a global financial market. It has nothing to do directly with what's going on in the country. Those are brought together by contracts. I mean, not that it has nothing to do with it, but it's dependent on the contracts as well. So this is our last slide. What we're gonna do is talk about public law kind of sources and talk about contract sources, but I'm inviting you to not think of them just as cost centers, not just as externalities, but actually to think of them as value producing, because they are the fences. They are the containers for value in the use of data. And the use of data is where information happens, and information is the difference that makes a difference. And that's where value arises. And if your company can capture that value appropriately, then you'll have more success versus less. Well, thank you. And I hope you enjoy the two panels that are, thank you.
Thank you very much, Scott. That was an excellent introduction. I think I like the picture about the dancers going on. Yep. I won't keep you long. All the three of you have lots of things to say. I think we are choreography. You are the first dancer in a way of the three remaining parts that we will see, and it's privacy impact assessments. I think it's one of those rules that was mentioned, that you're supposed to obey in order to have the right choreography. So thank you for being here again, and I'm excited to have you here.
That's okay. Thank you very much for inviting me. Do we have my slides? Thank you very much. So I'm gonna talk about privacy impact assessments. And this is one of the things which is gonna come in in the new data protection regulation. So that data protection regulation, just as a recap, is expected to be finalized, the text, probably by the end of this year. And then it'll have a two-year implementation period and then it will apply in all member states across Europe equally. So at the moment we have a very checkered regime across Europe. We have one directive, but it's been implemented locally at all different levels. Rarely, the UK are actually the trailblazer for one of the new requirements of the new data protection regulation, which is privacy impact assessments. The UK are definitely known as one of the least stringent regimes in Europe for data protection. So that's why I say it's rare.
So what is a privacy impact assessment? Well, it's a tool used by organizations to identify, understand and address any privacy issues that might arise when developing new products and services or undertaking any new activities that involve the processing of personal data. So although the UK may have been responsible for chocolate bars, light bulbs, steam engines, we can't actually claim ownership of the privacy impact assessment, weirdly. And I say weirdly because the US are known as not having that stringent data protection laws either; this concept was coined in the United States, but the UK was the first regulator across the world and in Europe to issue guidance on this, which it did in 2007. To be honest, it was a bit of a mess, the guidance they produced in 2007; it was a huge, huge document that not even I could bear reading. And so actually, although they brought in this guidance saying that privacy impact assessments should be undertaken,
I'm not sure if any really happened, mainly because if you looked at this horrendous hundred-page document, nobody actually wants to comply with the terms of it. Thankfully in 2014, the Information Commissioner produced an updated guidance note on it. And now we have a very workable thing that organizations across all different sectors are beginning to use and kind of implement when they're bringing in new privacy systems or new systems which might affect privacy. So if we look at that ICO guidance, when does it say that a privacy impact assessment is required? Well, it's for new or intrusive information technologies, for the use or reuse of existing identifiers or intrusive identity authentication processes, for new changes of handling of data on individuals, for processing of data which is exempt from legislative privacy protection. So for example, if you're using data for crime or taxation, when it's exempt for many purposes under the data protection legislation, then you should look at a privacy impact assessment just to make sure you are complying with the obligations that you should be.
And if there are multiple organizations or changes to data handling arrangements. I thought I'd give you two examples of privacy impact assessments that I'm working on for clients at the moment, to try and bring this to life. So I've got one big multinational organization that has got branches all over the world, to be honest. And it is trying to combine all its data that it has on individuals and their marketing preferences and the things that they might like to buy, combine that with, so that's stuff they collected locally within their organization, they want to then combine it with publicly available information. So when they first came to me they said, well, that's not protected by data protection law. Yes it is. And to combine it all in one big database in order to, let's call it, profile individuals in order to send out targeted marketing to them.
And so when the in-house lawyer rang me about that, I said, I think we should do a privacy impact assessment and have a look from the very beginning now about how you are going to comply with all those data protection principles. Another example, and I've just been working on in the last few weeks is a fraud data sharing database that a big insurer wanted to put together. So it had lots of intelligence on fraud that was committed against that particular insurer. So that was all on its internal systems. Other insurers were giving it data about fraud that was being kind of conducted against that other insurer. So it wanted to combine that it also wanted to combine it from fraud organizations in the UK who share data and combine and actually publicly available sources too. So they wanted to put all that in one big database in order to see that when somebody made a claim against this insurer, whether there was a possibility that that particular claimant was committing fraud.
So again, we looked at it from the very beginning and did a privacy impact assessment. So what does that privacy impact assessment look like? Well, to start off with, you need to identify the need. Well, that was the phone call from the in-house lawyer to me saying they want to combine all this data. What should we do, is this compliant with data protection? So the next thing to do is the preparation stage. So you identify the stakeholders and you plan what you're gonna do. So the key point of a privacy impact assessment is you do it right at the beginning before you've done anything about building the system or sharing the data. You look at it right at the beginning. So you can form your project and form your IT database compliant with data protection law right from the start. And you make changes in your system so that it complies with data protection law.
So then there's a consultation and analysis stage. So we analyze the risk. We log and share findings with a view to reaching and implementing decisions. So to give you an idea of what that privacy impact assessment looked like when I first did the one for the data sharing initiative, I had scant information available to me about what they were gonna do and where they were gonna get their data from. So I did my best to kind of, let's call it, RAG rate it, red, amber, green, about what I thought was probably gonna be a breach of data protection. So amber then could be a breach of data protection unless they put certain measures in place, and green was that that's fine to do it as you anticipate doing it at the moment. So you go back to them with that initial stage of the red, amber, green, and you get them to change their system and change the way they're going to do it so that you can bring everything into the amber and green categories.
So the important thing about it is that it's a live document, so that it's constantly changing and it's got different versions of it going through. And then the system gets changed so that it complies with that privacy impact assessment. And then there's a review and audit stage, which we haven't got to at this point; when the system is built, we check that it has addressed all those different privacy issues. So why do you do a privacy impact assessment? What are the benefits? Well, there are commercial reasons. There are so many times that I've been involved in a big initiative of data sharing or new use of data. And it's too late. The system has been built, they're doing it. And then they've said, oh no, I need to work out whether it's compliant with data protection law. The point of a privacy impact assessment is you do it from the very beginning.
And you build the system in compliance, which means it's much more economical. It's much more expensive to try and fix a system that's already been built rather than to build a system in compliance with the laws. So you understand and avoid risks at an early stage. You can avoid commercial damage and negative reputation, and you consider the best way, if applicable, of communicating with the public. So for this particular fraud data sharing initiative, we need to make sure that our privacy notices, so they're the things which tell people how you use data, are up to date and they include this data sharing and fraud initiative. But then coming to the point why I'm here today, this is why we should have it: legal reasons. And that's because under the new data protection regulation, these privacy impact assessments are gonna become compulsory. I don't think there's any doubt that, even though the text still hasn't been finalized, we are gonna have an obligation to have privacy impact assessments.
What is still in dispute at the moment is when they will actually be required. We have two drafts in circulation at the moment, the Commission draft and the Parliament draft, and the Council are just finalizing their draft. And then the trilogue procedure begins for it to all be negotiated. You'll see from my slide the various differences: the Commission thinks that privacy impact assessments should only be where there are specific risks, but it gives the Commission power to set the criteria. And the Parliament draft, which I think is probably the most sensible regarding privacy impact assessments, is that a risk analysis should be made of all different systems processing personal data, but there should be an in-depth privacy impact assessment for specific risks. Then the Council position at the moment is that it should be for high-risk processing. And they're not being particularly prescriptive, and they give discretion to the local data protection authorities about when a privacy impact assessment should be made. But in conclusion, so we're talking about the dancers kind of in tools, I don't think people should be scared of these. These are really good things, which if used properly can make your systems compliant with data protection law, and actually save you money and save your reputation in the long term.
Thank you very much, Ran.
So I think it's important to understand that in certain situations, which we haven't defined yet properly by the legislator, there might be the essential need, the must, to carry out such a privacy impact assessment. I think that's a big change for everyone setting up systems. And it's maybe a more narrow framework than we are all used to. On the other hand, there's parts that Quan will introduce to us now that are not a must but maybe a nice to have: seals, certifications, issues like that. And I'm not talking about technical standards such as ISO standards. It's more legal standards that we are probably aiming to, but you'll tell us more about that. Thank you for
Thanks C, got my slide up. Okay. So just by way of a recap, under the current data protection directive, the obligations are on controllers who process personal data. They control the purposes and means of processing personal data, and controllers may use processors, service providers, who at the moment are not directly liable for data protection law obligations in most countries. And data protection authorities regulate this in different countries across the EEA, and there is also a group called the Article 29 Working Party, which is basically the data protection authorities acting together collectively, which at the moment has an advisory role, but is going to have a much more enhanced role under the new regulation. So at the moment, under the current directive, they want to encourage codes of conduct, including getting the Article 29 Working Party to approve them. But there hasn't really been much take-up. Now in the UK, the Information Commissioner's Office, which is the UK privacy regulator,
has got a code of practice on anonymization. It's also introducing a privacy seals program, which is hopefully going to be up and running next year; at the moment they're considering who to invite and evaluating their responses and so on to run this scheme. The European Commission has got a select industry group on cloud computing, specifically on a code of conduct for cloud computing. They drafted something last year that was put forward to the Article 29 Working Party, which said, go away, it's not good enough, you have to rewrite this. So we dunno what's happening at the moment. So there are some attempts at the moment at this sort of thing. Now, this is just a recap for those who weren't here at the session yesterday on the draft regulation. So the Commission produced a draft regulation in 2012; last year the European Parliament produced their own version, which is different at the moment.
Then the Council of Ministers, which is basically EU member, EEA member states' governments, they are debating their own version internally, and there's a lot of political pressure for them to agree that soon, but it's on the basis that nothing is agreed until everything is agreed. So they could go back and revisit bits that they've agreed before. And when they finalize the package, then they can start negotiating with Parliament. And it's only when all the institutions agree on the same text that it can become law. So there's gonna be more horse trading and it might not come in until next year. And even if it does come in, there's gonna be a one- or two-year lead time to prepare, but it will be. And I put a link to a flow chart for people interested in this rather convoluted process, but there will be a one- or two-year lead time, as I said, and this is gonna be a regulation, not a directive.
So it's gonna be directly applicable in all the member states. They don't have to pass any national laws. It's gonna be directly applicable, but there may still be inconsistencies and lack of harmonization because there are some ambiguities and also some areas where they deliberately are going to give member states room to do their own thing. So codes, certifications and seals under the regulation. I had mentioned yesterday that processors, service providers, are going to be directly liable under the draft regulation when currently they aren't. And that's a major issue. The Article 29 Working Party that I've mentioned, they're going to become what we call the European Data Protection Board. And that's gonna have a greater role, particularly in relation to certifications et cetera. So the purpose, of course, of certifications, which will result in a mark or a seal being awarded to the organization concerned, it's fairly obvious.
It's transparency, compliance, and trust, and both controllers and processors will be able to obtain these certifications, et cetera. And there are some attempts to say, well, if you misuse a seal, a mark, you might be fined. So I'll start first with codes of conduct to facilitate compliance. Again, there are variations depending on which version you're looking at, but the Council, sorry, the Commission would say the industry will be able to draft codes of conduct consulting with stakeholders. The Council would allow data protection authorities to produce codes of conduct. And basically these codes are to be submitted to the local regulator, which will have to approve it, according to the Council, if it provides appropriate safeguards, and then publish it. And if it's something which actually affects multiple member states, it might have to be submitted to the European Data Protection Board for its opinion.
And if the Commission approves a code of conduct and says it is in line with the regulation, according to the Parliament's version, then it would be valid across the whole of the EU. One uncertain element is that they want data subjects to have enforceable rights under the code. It's not entirely clear what rights and how, and these codes of conduct will be able to cover a range of things, which I don't have time to go into. But there are again differences between Parliament, Council, et cetera, as to what these codes of conduct could cover, such as international transfers, pseudonymization, security, et cetera. So the effect of this code for an organization that has subscribed to a code is that it can demonstrate compliance. Unfortunately, according to the Council, it is just an element to demonstrate compliance. So it might not be enough to show compliance, but it will help to show compliance.
And in particular, when a controller uses a service provider, a processor, there are certain requirements applying to the controller. So if the processor, the service provider, is signed up to a code, then the controller can say, yes, I've complied, or I think I've complied, because I'm using a processor that's signed up to a code. So that helps controllers if their service providers are signed up, and there are also issues like security, where again it can help to show compliance if an organization has signed up to a code, and it might be relevant to data protection impact assessments, but not, for some reason, data protection by design. And another issue is that a code of conduct will be a factor in deciding whether to fine an organization or how much to fine it. So if an organization has subscribed to a code, that again may be a risk reduction mechanism, in that it might be exposed to fewer fines.
If it's signed up to a code, there will be mandatory monitoring, according to the Council, of compliance with this code by accredited bodies, bodies accredited by the supervisory authority, with detailed requirements, but public sector bodies will be exempt from this proposed monitoring. So certifications: the Council has produced very, very detailed provisions on certifications. I've put the details on the slide, again no time to go into detail, but again the procedure is very similar about the approval; there are requirements about the validity, et cetera, and public registers of valid and invalid certifications. But the main point is the effect of having a certification. Again, having a certification is an element to demonstrate compliance, security, data protection by design, et cetera, or provide safeguards for data exports. And again, it's a factor in deciding how much to fine, and here the European Data Protection Board does have power to actually approve technical standards and say, yes, these are going to be compliant with data protection law.
So according to the council's version, at least so that may, that's where technical standards may have relevance. Now here's another concept of the European data protection seal. The parliament does not want to have certifications in the same way as the council did that. I just described. Instead they want to have something called a European data protection seal. And here it's going to be the data protection authority, which actually awards these seals rather than a third party accredited third party. However, the authority can actually use third party auditors to help it in making the assessment and awarding these seals. And there is some attempt to say that the mechanisms for these seals and the fees etcetera, will be harmonized across the E a. Now the, and similarly, there's also gonna be a register, a public register of valid or invalid so-called certificates. And the commission will have power to specify mechanisms, criteria, accreditation, et cetera.
Again, with enforceable data subject rights, with possible fines for misuse, which the Parliament has actually deleted. Not quite sure why, but the effect of this seal is that it will allow international transfers without specific authorization. So data exports, personal data being held outside the EEA, with a seal, if the controller and the recipient both have a seal. This doesn't cover transfers by service providers, by processors, for some strange reason. I think it should. It should be whoever does the exporting should be covered. And a major point, which is not present in the other two mechanisms, is that a seal will be a shield against fines. So if you have a valid European data protection seal and you have a breach and it's not negligent, it's not intentional, then if you have a seal, you have a defense against fines, which is really helpful. So there are some uncertainties still about the regulations on seals, which I'm not gonna go into, as in non-compliance, whether your seal remains valid, et cetera.
And it's not clear, unfortunately, whether these seals could be recognized within the whole of the EU or outside, because ideally you want to, you know, get a seal in one country and have it recognized. And again, there's this issue of data subject rights and enforceability, which is not clear enough. So really the issue is it's gonna cost time and money to get a seal, a certification, to sign up to a code. We need incentives for organizations to get certified. Obviously a big organization can afford to do it for trust and reputational reasons; for smaller organizations there is some attempt to make it affordable, but I think that the best way is basically the seal, the Council's European data protection seal, because it will offer a defense, a shield against fines in some situations, which is much better than the others, which don't offer any defense. It's just a factor that can help reduce your risk effectively. And there are other liability issues, but again, there's no time to go into them, so thank you very much. And that's my presentation. And there's a link to a general paper on the impact of the draft regulation on cloud computing. Thank you very much.
Thank you very much. Quan.
Now we have heard about the privacy impact assessment, seals, certifications. That's a very formalistic view, some of you might think. So what am I supposed to do in order to pass a privacy impact assessment, in order to maybe even achieve a seal or any other reward or any other step towards more trust? Parts of that will be: handle your access rights, take care of data minimization, watch your erasure times of data, all respective personal identifiable information, certainly, but also respective IP, for example. So having all that in mind, it's something that we have had in the past. We had all those regulations before about data minimization, et cetera. So even though they are adding, with the new legislation coming up, new rules to that, another formalistic approach to it will be that in order to achieve privacy impact assessments or seals, you will need to take care of something called privacy by design, embracing all of those regulations. And so that goes very nicely together. If you first think about your privacy design, trying to set up your software according to all those measures that are important to fulfill, then you might eventually be able to pass a privacy impact assessment or even have that seal. So I think we are getting closer to the core part. Privacy by design is the issue of your presentation. Thanks for being here, Ray, and I'm excited to listen to your thoughts on that.
Yeah. I will talk about the convergence of technology with the privacy by design demand, to some extent. So the main question here is: what is privacy actually all about? So at the end of the day, privacy is all about the accountability of organizations to data subjects, meaning a real person, the data related to a real person, to some extent, and the organizational practices around handling the information of a real person, to some extent. So we already heard about the news and the data protection directive, and also there are other things going on from the cybersecurity standpoint that may converge somehow with demands and recommendations, requirements that we have to consider in technical implementations for the future as well. So things like transparency over who has access to what. What about the notification part? We already talked about that, and also the pre-assessment before you actually implement any technology. And the question is, what about fines behind that? So what can you actually do to bring all these parts together? So, as a demand, if you think about privacy by design, what is behind that is anonymity, unlinkability and unobservability. So anonymity in this case assures that data cannot be related to the owner. Unlinkability makes sure that data or different data sets cannot be linked to a specific person and kind of brought together.
So my question is, what does it mean if you think about the big data approach that we already use in nearly every company, and nearly every internet company is using that? Think about Google or Amazon or anybody that would like to know more about their customers and how they behave, what are their interests. Another point is unobservability, which ensures that an observer is unable to identify the identities of the parties involved, meaning your end customers in this case, in a transaction. So what is there to counter those requirements from a technology standpoint? Very fast in this case. So there have been different security technologies; think about encryption and how to prevent people from looking into data. So the latest evolution of that is an EU-funded project that is called ABC4Trust. Who actually joined one of the sessions around ABC4Trust here? Two, only two. So you don't know what ABC4Trust is all about. Okay, you also do. So it's a concept that an EU-funded project established with certain universities, but also industry companies around that. So it's all about a concept: how can we log into a service, how can we authenticate with other certain parties, with companies or organizations, public authorities, without revealing too much information to our counterparts, to the company, for example.
The technology behind that allows for minimum disclosure of attributes of the bearer. In this case, for example, we had this example yesterday where you would like to enter a streaming service that is providing video to you, a movie, and actually to do that, the only thing the company needs to know is: do you have a valid subscription? And second, are you of the age that is necessary to view this special movie, for example a 10-plus or 12-plus movie in this case.
So in this case, this whole technology is based on certificates. To some extent you will be able to generate your certificate set for yourself, and then be able to create data sets in a certified way that contain the data that is needed to do the transaction or to interact with the company. And this is all done on a need-to-know basis. So it will always only reveal the information to the third party, the company, for example, that you need to reveal to actually do the transaction. In this case, I would highly recommend you to actually look into this technology. There's very good information going on. For example, we had yesterday those presentations by the IBM research center in Switzerland, and also Bobby Jones, also a nice blog from Microsoft. The problem with ABC4Trust, and this is: how can we actually implement that? So technology-wise, we are ready to do authentication in a privacy by design way.
How can we actually implement that for any of our business applications or for our private interactions over the internet, for example? So the classic ABC4Trust or IAM stuff: the credential is held in a secure store on the user's desktop. This could be protected, for example, by a smart card, for example your ID, or a password. The problem with that is, it's probably the first attack vector for any hacker. So how many of you actually changed your password for your bank account in the last 12 months? Did anybody? Oh, there are a few. Okay. I asked that same question at a conference a few days ago and nobody actually put up a hand, so we never change it, but we're all security guys. You can also deploy that on the enterprise level. So credentials are held behind an enterprise directory and processing is still done on a device or desktop basis; it could also be a mobile device as well.
The problem with that technology is it only thinks about privacy in the authorization or authentication process. It doesn't think about what you reveal while communicating with this party, an authority, vendor, whatever. So it's not really privacy by design solving everything. So ABC4Trust is marketed at the moment as the cure to every privacy concern you have. And it's actually not the cure, because it's only thinking about authentication and nothing else. The question is, if you look at, for example, an Amazon webpage, Amazon is still able to track where did you click, how long did you stay on the page, what products did you view, for example. It will also be able to fingerprint your browser, all the stuff we don't like from a privacy perspective. So from a communication perspective, it's not solving the problem. You're still revealing more than you want. And I actually took this example from TV5Monde, from France.
It's a little different, just to show the thing. You probably know about that: at the beginning of April, TV5Monde was hacked. It's a TV broadcasting company. They were hacked by Islamist hackers. The problem with this was they still revealed more than they actually wanted to, because they actually put stickers with passwords and credentials in the background. And this was really broadcast in the normal news, in the news show, and frequently. So everybody could actually access this infrastructure in this case. And it's the same with the communication you do with any third party using your browser, something like that, because you're still revealing more information besides the simple authentication methods. In general, ENISA, the European Union Agency for Network and Information Security, is something like the BSI in Germany for the European Union, and it actually issued a paper on privacy and data protection by design and how that could be done in technology. So I actually recommend you to download this paper, because this is very, very, very long and actually very detailed. So you will have some of the answers: how can we introduce applications, how can we do identity and access management, for example, and still be in a good position to adopt the upcoming privacy directives. It actually demands things that in the last years were more on the hacker side of the world. For example, it thinks about privacy in communication. It doesn't require, actually, but it recommends, for example, people accessing your business application, your end customers accessing your business application, using a proxy, a mixer, or an onion router like the Tor project. Have you ever heard the EU Commission talking about that? Yes. That's actually completely the opposite of what they have, for example, from the logging perspective. Interesting. It also talks about privacy in databases. How can we encrypt data? How can we actually design applications so that nobody is able to see the content in the database or link information from different database tables?
So what we see here is a new paradigm for vendors, so I'm from Dell Software in this case, but also for you as the people designing new solutions around new applications, or access to new applications: from "the more I know" (from a security perspective, for example, I would like to have a SIEM system logging everything, and also from a marketing perspective I would like to know everything about my customers) to a new paradigm that is "the less I know". So data privacy will become key in every IT project. We also heard about the impact assessment. So before I actually start doing something, you should be familiar with your colleagues in the data privacy or data protection department, and obviously actually think about doing architecture in a way that fits the needs of the future in this case, or at least gives you an option to implement it like this. So the question is, are you ready in this case? So go, be ready to start something like this. And we'll probably be hearing very much more of this in the future. Thank you very much.
Thank you for your presentation.
Well, to me, that sounds like a whole lot of homework to do for all the companies. Are you ready? I think it's a very good picture, a very good question. And I really wonder from my practice as a lawyer in data protection how large the percentage of companies out there is that is ready, because honestly, a lot of the organizations already struggle with nowadays' legislation. And I really wonder, will this all really become true? Your statement was, this will be core: data privacy, data protection will be a core part of every IT project. Will it not? Will it be beyond that even? Will data protection finally become a core part of value in organizations beyond the implementation of IT systems? Will it be sneaking through that legislation into people's heads finally? Or is it gonna remain something that's ugly: I don't want to have it, I don't care about data protection, it's very cost intensive. This is what I really wanna use the remaining minutes for: trying to see your perspective on, is this gonna be part of real life? Yes or no? And if yes, how long is this gonna take, if maybe some companies are struggling still with what is required today and therefore need to catch up on that before they come and get to the second step after that.
So we see a lot more attention actually on the company side, thinking about how can we set up services, design IT for the future with privacy in mind. So it's a two-dimensional problem, to some extent. Some awareness was raised during the NSA affair. And the other thing is the upcoming EU legislation. The problem is, I think the attention may be lowered if something like a get-out-of-jail-free card like the seal will come. The attention is high because of the fines that were actually put up in the original drafts. And that is the reason I think it could be a great differentiator for every company to take care of the privacy of their end customers.
So is that, is that yes, it will come now? Or is it even, yes, it's already there, even though we have some time remaining before we are forced to put it into practice?
It's absolutely at the top of the agenda of the vendors as well. It's very high on the agenda of our customers. For example, the question is how the final submitted draft of the legislation will look, because if there's no fine, the actual CEOs and the companies will probably say, okay, it's not so important anymore.
Okay. You're surrounded by four lawyers working on data protection. I hope you're okay, by the way. And maybe we are, by profession, taking a bit of a different perspective, but then again, we see a lot of companies and organizations working on that every day. Can you all agree on Andrea's perspective saying yes, it's at the top of the agenda? Or is it that you feel like you have to really be very intense on argumentation why this is really necessary? Is it fines only? Is it a compliance thought that has developed in the past? Or is there no good argumentation for some companies to say, well, still I don't care, I want to take the risk? Because this today is all about risk, and doing that, maybe the risk will rise. And how do people think about that risk? That's at least rising if you don't care about it.
Shall I go first? Both of you, maybe. So from a UK perspective, it's been quite interesting, because our Information Commissioner has only had the power to fine for the last few years and can only fine up to 500,000 pounds, and has only fined for breaches of security. The new regulation stretches all that so that it gives guidance for fines, and then the Parliament draft is up to 5% of annual worldwide turnover. So that has got the ear of the board. And so my clients come to me more often knowing that that is coming, but more interestingly, they're looking at things other than security. I know most data protection breaches only come to light in the event of a breach, and then you go back and see, well, actually it was in breach of all the other principles too. But it's definitely, if you just look over the last few years, I've had a lot more work in the last few years since the Information Commissioner has had the power to fine, because the board is listening. I've got a lot of work at the moment as the boards are sitting there kind of going, oh my gosh, these fines could be 5% of annual worldwide turnover. We really need to listen up and work out what to do.
So you think companies are ready by know-how to set up privacy impact assessments, which was your subject, or is that something you really need to show people step by step? Because it's really something new, because technical standards everyone is used to, but data protection audits or assessments, even though the word assess is a bit misleading, sounds like homework you must have been doing already, even though it's in the beginning of a process. Is that something you think there's a lot of issues with in real life in the future? Are people ready to do that, privacy impact assessments?
Thankfully the guidance that our Information Commissioner has produced is quite flexible. It doesn't say you have to particularly follow it. It's just about embedding looking at data protection risks from the beginning and working it through. So I don't think companies are particularly scared, because they don't have to produce a particularly formalized approach, but it's definitely been an education for people; rather than creating a system and then looking backwards, it's been an education for them to say, oh gosh, we've got to look at data protection issues right at the beginning. But I mean, I haven't been particularly advocating it for my clients. My clients are coming to me saying, we've got to do a privacy impact assessment, haven't we? Can you help?
Okay. That's probably very much a UK perspective, because you have already got the implementation done and the rest of Europe is still waiting for it. Cool. And what's your perspective on that?
Well, it's similar in many ways, because I agree with all of you that the prospect of 5% of global turnover or 100 million euros, whichever is higher, I mean, that is going to make the board sit up and take notice. Having said that, there are some issues where, for example, SMEs might have lighter obligations or fewer obligations. We don't know the final shape of that yet. So it might not be that all organizations are going to have to do all this. But separate from the fine perspective, there's also the issue of competitive advantage in saying you are data protection compliant, et cetera, et cetera. So for example, Microsoft got its model clauses for exporting personal data approved by the Article 29 Working Party. Amazon, which notoriously has not been quite so flexible in its approach, actually recently got its model clauses approved, because they can sell it to customers and say, hey, come and use my service, I'm compliant, I have these model clauses that have been approved. And similarly, for example, if a service provider gets a seal or certification, then it can say to its customers, you could come and use me and, you know, you'll be compliant, or hopefully you'll be compliant, depending on which version, because I've got a seal, I've got a certification, et cetera. So I'm safe for you to use. So, you know, there are different aspects there.
Okay. If you're counting backwards, what do you think is the period of time that we have to think on before everything will be realized in organizations? Will that take a couple of decades? Are we gonna be there in two years, by the time the law is going to be implemented? Is it hard to predict for you, or are you pretty certain that it will be just on time that organizations will have prepared and done to have a structure to do all that?
I'm going to be a typical lawyer and say it depends, because, you know, like the big organizations, they've thought about this, they've got the resources, they've got the lawyers, they've got the IT people, so they can afford to think ahead and put this in place. Whereas smaller organizations might not really have this on the radar so much. So it's hard to say, but
Isn't it easier for smaller organizations, because they have better communication? Because lawyers need to discuss with IT people and so on, as already today, but this is gonna be more intense, I think, a more intense need for communication in the company. Isn't it maybe nice to have a smaller company, so you get done faster? Isn't that even an advantage?
Well, some small companies may not even have, you know, in-house lawyers or anything like that, but I think it's not just small companies, it's all companies, where it's really important that the IT people and the risk people and the security people and the legal people all talk together at the start, and not like one day before something goes live. Okay. The communication is really important across the board at an early stage.
Okay. Let me rephrase my question then, since, for a good reason, you can't tell me a period of time. Are we going to be there eventually, or are we going to be behind all the time trying to achieve this setup that we just saw is gonna be?
I think the problem is we probably are going to be behind all the time. I think that's the nature of what it is. You know, law lags technology. It's not clear what technology has to do to comply with the law and we are playing catch-up, but hopefully things will... we can be optimistic and hope that things will improve over time, but it's hard to say at the moment. Okay.
What do you two think about that?
I think there might be a bit of a lag for a few years once the new data protection regulation is in, until you get the first big fines and the first big reputational issues. And then I think companies will start listening up after then. So I'd say, if it's implemented in the next two years, it'll probably be five years before companies actually start complying.
You know, it's so interesting, because hearing the conversation is fascinating. We have the risk of hacking and the risk of privacy and all these risks. And now what I hear is that there's the risk of government regulation, right? I mean, we're talking about it as if it's like, oh, this is coming from the sky. And it's fascinating, because in the US, and just by putting a contrast there, not that this is superior in any way, it's just different, the IDESG and NSTIC process was intended to be a participatory process and we're involved in drafting the rules right now. The notion is that it's kind of self-constructed. It's ultimately the same goal in a sense, but it's interesting. And one of the questions I had is, how does a company in Europe get involved in the process, or is that laughable? Is there an opportunity for actual impact on this, or is it just gonna fall out of the sky and everyone's gonna say, here it is, we have to, like a hurricane, do we have to deal with it now?
So there's so much lobbying going on regarding the legislation. And one of the reasons some of the actual drafts that already passed the European Parliament have been changed is because of that. So I think there's a huge force of people actually trying to influence this legislation. And you see the same, sorry, in particular in Germany, if you see the draft of the IT-Sicherheitsgesetz, the IT security legislation, same thing.
So it seems, just in that regard, it seems like if that's the case in Europe, that's certainly the case in the United States. So it seems like the companies, if they got together in both regions, could then create an interoperable legal regime, because the regimes aren't necessarily talking to each other as much as the companies' interest is greater than the regimes' interest. So it feels like that lobbying in both places is an opportunity for companies, if there's an organized approach, like is happening in this conference, and in fact we're sharing that information across different regions. Again, it's not that easy, I recognize; there's a lot between here and the rule. It feels like there's an opportunity there for companies.
Yeah. There may be an opportunity for companies to actually somehow lessen the burden, but there's also the good thing at the moment, and we really appreciate that, is that people are more informed and more aware about the problem, at least since the NSA affair, even if it's not really a data privacy problem in the beginning. People know what this information gathering and information sharing really means to them. And there are lots of actual nerds also on the EU basis that were seen as nerds in the past years, but they are now actually valued as advisors: okay, this is technically possible, you can do that, and we can avoid it like this. They are actually now heard and have a voice in the EU as well.
Really interesting. So this is gonna be a pretty international issue. After what we discussed yesterday, this applies really not only to European companies, but beyond, once the European customer will be involved in the picture. I would love to carry on with that discussion. I think we are out of time now. So I thank you all very much for your contributions, and thanks first.