Data privacy and digital strategy

Privacy 2.0JacquesFolonPartnerEdgeConsulting

MaîtredeconférencesUniversitédeLiègeProfesseurICHECProfesseurinvitéUniversitédeLorraine(Metz)VisitingprofessorESCRennesSchoolofBusiness

JacquesFolonPartnerEdgeConsulting

MaîtredeconférencesUniversitédeLiègeProfesseurICHECProfesseurinvitéUniversitédeLorraine(Metz)VisitingprofessorESCRennesSchoolofBusiness

This presentation and other

resources are available on

MOODLE

http://www.jerichotechnology.com/wp-content/uploads/2012/05/SocialMediaisChangingtheWorld.jpg

Average number of Facebook « friends » in France: 170

30

privacy ?????

6http://www.fieldhousemedia.net/wp-content/uploads/2013/03/fb-privacy.jpg

7http://1.bp.blogspot.com/-NqwjuQRm3Co/UCauELKozrI/AAAAAAAACuQ/MoBpRZVrZj4/s1600/Party-Raccoon-Get-Friends-Drunk-Upload-Facebook.jpg

The person who took the photo is a real friend

8http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg

privacy and graph search ?

From Big Brother to Big Other

http://fr.slideshare.net/bodyspacesociety/casilli-privacyehess-2012def

Antonio Casili

• Importance of T&C

• Everybody speaks

• mutual surveillance

• Lateral surveillance

geolocalisation

http://upload.wikimedia.org/wikipedia/commons/thumb/9/99/Geolocalisation_GPS_SAT.png/267px-Geolocalisation_GPS_SAT.png

data collection

19

Interactions controlled by citizens in the Information Society

http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm

Interactions NOT controlled by citizens in the Information Society

http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm

some definitions

'personal data' shall mean any information relating to an identified or identifiable natural person ('data

subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by

reference to an identification number or to one or more factors specific to his physical, physiological,

mental, economic, cultural or social identity

'processing of personal data' ('processing') shall mean any operation or set of operations which is performed

upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use,

disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking,

erasure or destruction

personal data filing system' ('filing system') shall mean any structured set of personal data which are

accessible according to specific criteria, whether centralized, decentralized or dispersed on a

functional or geographical basis

121

controller shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others

determines the purposes and means of the processing of personal data; where the purposes and means of processing are

determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be

designated by national or Community law;

29

'the data subject's consent' shall mean any freely given specific and informed indication of his

wishes by which the data subject signifies his agreement to

personal data relating to him being processed

30

Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

31

Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed

32

Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life

125

Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; (c) any further information such as - the recipients or categories of recipients of the data, - whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, - the existence of the right of access to and the right to rectify the data concerning him in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject

34

Right of access Member States shall guarantee every data subject the right to obtain from the controller: (a) without constraint at reasonable intervals and without excessive delay or expense: - confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed, - communication to him in an intelligible form of the data undergoing processing and of any available information as to their source, - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1); (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort

OPT IN

Coockies

international transfer

Sub contractor

Sub-contractor

129

The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures

41

The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that: - the processor shall act only on instructions from the controller, - the obligations as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor

INTERNAL TRAININGS

SECURITY

SOURCE DE L’IMAGE: http://www.techzim.co.zw/2010/05/why-organisations-should-worry-about-security-2/

Source : https://www.britestream.com/difference.html.

Everything must be transparent

Article 16 Confidentiality of processing Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law

Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

86

SECURITY IS A LEGAL OBLIGATION

What your boss thinks...

Employees share (too) many information and also with third parties

Where do one steal data?

•Banks•Hospitals•Ministries•Police•Newspapers•Telecoms•...

Which devices are stolen?

•USB •Laptops•Hard disks•Papers•Binders•Cars

63

RESTITUTIONS

154Source de l’image : http://ediscoverytimes.com/?p=46

4

By giving people the power to share, we're making the world more transparent.

The question isn't, 'What do we want to know about people?', It's, 'What do

people want to tell about themselves?'Data privacy is outdated !

Mark Zuckerberg

If you have something that you don’t want anyone to know, maybe you shouldn’t be

doing it in the first place.

Eric Schmidt

PRIVACY VS SOCIAL NETWORKS

https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcQgeY4ij8U4o1eCuVJ8Hh3NlI3RAgL9LjongyCJFshI5nLRZQZ5Bg

11

Privacy statement confusion

• 53% of consumers consider that a privacy statement means that data will never be sell or give

• 43% only have read a privacy statement

• 45% only use different email addresses

• 33% changed passwords regularly

• 71% decide not to register or purchase due to a request of unneeded information

• 41% provide fake info

112Source: TRUSTe survey

http://www.psl.cs.columbia.edu/classes/cs6125-s11/presentations/2011/Presentation_Joyce_Chen.ppthy don’t we read privacy policies

72SOURCE: http://mattmckeon.com/facebook-privacy/

79http://e1evation.com/2010/05/06/growth-of-facebook-privacy-events/

80

http://blogs.iq.harvard.edu/netgov/2010/05/facebook_privacy_policy.html

Evaluation and Comparison of Privacy Policies-Accessibility/User-Friendliness Facebook Foursquare Google Buzz LinkedIn TwitterNumber of words 5860 words 2,436 words 1,094 words 5,650 words 1,287 wordsComparison to average Privacy Policy (based on 2,462 words)

Above average Below average (but very close to the average)

Below Average Above average Below average

Amount of time it takes one to read (based on an average person reading speed--244 words /minute)

Approx. 24 minutes Approx. 10 minutes Approx. 5 minutes Approx. 23 minutes Approx. 5 minutes

Direct link to its actual privacy policy from the index page

No Yes Yes Yes Yes

Availability in languages other than English

Yes Yes Yes Yes Yes

Detailed explanation of privacy control/protection

Yes Yes Yes No No

Trust E-Verified Yes No No Yes NoLinking and/or mentioning to U.S. Dept. of Commerce “Safe Harbor Privacy Principles”

Yes No Yes Yes No

Availability of contact information in case of questions

Yes Yes No Yes Yes

Coverage of kids privacy Yes Yes No Yes Yes

Containing the clause that it reserves the right to change the privacy policy at any time

Yes, but users will be notified

Yes, but users will be notified

http://www.psl.cs.columbia.edu/classes/cs6125-s11/presentations/

Yes, but users will be notified of material changes

Yes, but users will be notified of material changes


Evaluation and Comparison of Privacy Policies – “Content”

Facebook Foursquare Google Buzz LinkedIn Twitter

Allowance of an opt-out option

Yes Yes Yes Yes Yes

Allowance of third-party access to users’ information

Yes/No, depending on a user’s sharing setting and the information shared

Yes Yes Yes Yes

Discussion of the usage of cookie or tracking tools

Yes Yes Not specified; but Google states that it records users’ use of their products

Yes Yes

Explicit statement of what type of information they share with third-parties

Yes Yes Yes Yes Yes

Sharing of users’ location data

Yes Yes Yes Unclear; not mentioned in the Privacy Policy

Yes


Evaluation and Comparison of Account Creation Process

Facebook Foursquare Google Buzz LinkedIn Twitter

Number of fields required during the initial account creation

9 10 Zero if you have a Gmail account

4 6

Details that are required for a user to create an account

First name, last name, email, password, gender, birthday

First name, last name, password, email, phone, location, gender, birthday, photo

None if you have a Gmail account

First name, last name, email, password

First name, username, password, email, “let others find me by my email,” “I want the inside scoop”

Availability of explanation on required information

Yes Yes Information on how Google Buzz works is available

No Yes, actually includes the entire Terms of Service in a Text area box


DATA PRIVACY & THE EMPLOYER

45http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg

SO CALLED HIDDEN COSTS

46http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/

E-recruitment

74http://altaide.typepad.com/.a/6a00d83451e4be69e2015393d67f60970b-500wi

RISKS

SOURCE DE L’IMAGE : http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html

Source: The Risks of Social Networking IT Security Roundtable Harvard TownsendChief Information Security Officer Kansas State University

The new head of MI6 has been left exposed by a major personal security breach after his wife published intimate photographs and family details on the Facebook website.

Sir John Sawers is due to take over as chief of the Secret Intelligence Service in November, putting him in charge of all Britain's spying operations abroad.

But his wife's entries on the social networking site have exposed potentially compromising details about where they live and work, who their friends are and where they spend their holidays.

http://www.dailymail.co.uk

Social Media Spam

Compromised Facebook account. Victim is now promoting a shady pharmaceutical

Source: Social Media: Manage the Security to Manage Your Experience; Ross C. Hughes, U.S. Department of Education

Social Media Phishing

To: T V V I T T E R.com

Now they will have your username and password


Social Media Malware

Clicking on the links takes you to sites that will infect your computer with malware


Phishing

Sources/ Luc Pooters, Triforensic, 2011

DATA THEFT

Social engineering

Sources/ Luc Pooters, Triforensic, 2011

Take my stuff, please!


3rd Party Applications

•Games,quizzes,cutesiestuff•UntestedbyFacebook–anyonecanwriteone•NoTermsandCondi=ons–youeitheralloworyoudon’t•Installa=ongivesthedevelopersrightstolookatyourprofileandoverridesyourprivacyseFngs!


Right to be forgotten

• On 13.05.2014 the European Union Court of Justice backed a ruling called “the right to be forgotten,” which allows individuals to control their data and ask search engines, such as Google, to remove inadequate personal results from the Internet.

• However, the decision cannot be interpreted as a “victory” for the protection of the personal data of Europeans, according to privacy experts.

• In 2010 a Spanish citizen lodged a complaint against a Spanish newspaper with the national Data Protection Agency and against Google Spain and Google Inc.

• The citizen complained that an auction notice of his repossessed home on Google’s search results infringed his privacy rights because the proceedings concerning him had been fully resolved for a number of years and hence the reference to these was entirely irrelevant.

• He requested, first, that the newspaper be required either to remove or alter the pages in question so that the personal data relating to him no longer appeared;

• and second, that Google Spain or Google Inc. be required to remove the personal data

• In its ruling of 13 May 2014 the EU Court said :

• a)On the territoriality of EU rules: Even if the physical server of a company processing data islocated outside Europe, EU rules apply to search engine operators if they have a branch or a sub sidiary in a Member State which promotes the selling of advertising space offered by the search engine;

• b)On the applicability of EU data protection rules to a search engine : Search engines are controllers of personal data. Google can therefore not escape its responsibilities before European lawwhen handling personal data by saying it is a search engine. EU data protection law applies and so does the right to be forgotten.

• c) On the “Right to be Forgotten” : Individuals have the right - under certain conditions - to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data

• At the same time, the Court explicitly clarified that the right to be forgotten is not absolute but will always need to be balanced against other fundamental rights, such as the freedom of expression and of the media

• Right to erasure (future rules?)

• 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, and to obtain from third parties the erasure of any links to, or copy or replication of that data, where one of the following grounds applies:

• (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

• (b) the data subject withdraws consent on which the processing is based according

• (c) when the storage period consented to has expired and where there is no other legal ground for the processing of the data

New EU Regulation• right to be forgotten

• no more notification to data privacy authorities

• data privacy officer

• up to 2% turnover penalty

• information of data theft

Control by the employer

161SOURCE DE L’IMAGE: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/

what your boss thinks

BUT…

May the employer control everything?

Who controls what?

Could my employer open my emails?

169

112

CODE OF CONDUCTS

TELEWORKING

Employer’s control

177http://fr.slideshare.net/olivier/identitenumeriquereseauxsociaux

Big data

182

SOLOMO

184http://www.youngplanneur.fr/wp-content/uploads/2011/06/companies-innovating.jpg

Biometry

186

facial recognition

187

RFID & internet of things

188http://www.ibmbigdatahub.com/sites/default/files/public_images/IoT.jpg

SECURITY ???

Résistance au changement

crainte du contrôle

Imposer ou convaincre ?

Positionnement du DPO

atteinte à l’activité économique

Culture d’entreprise et nationale

Besoins du business

les freins

87

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.”

C. Darwin

ANY QUESTIONS ?

Data privacy and digital strategy

Education

Transcript of Data privacy and digital strategy