IT and Society Lecture 3: Organizational Privacy PDF
Technical University of Munich
2024
Prof. Jens Grossklags, Ph.D.
Summary
This lecture covers privacy and organizations, including data analytics and monetization, and issues related to the GDPR regulation. Provided by the Technical University of Munich.
Full Transcript
IT and Society Lecture 3: Privacy – Privacy and Organizations
Prof. Jens Grossklags, Ph.D., Professorship of Cyber Trust, Department of Computer Science, School of Computation, Information and Technology, Technical University of Munich
April 29, 2024

Recap – Privacy Introduction
– Data enables many new business models; data analytics may lead to important new insights in many contexts
– Collection and monetization of data is pursued aggressively
– Individuals' understanding and options to react are often inadequate to "solve" privacy challenges
– Discussion of the merits of different solution approaches is needed

Lecture 3: Privacy – Privacy and Organizations

Data protection is necessary.
Suggested Reading: Chris Hoofnagle (2009), Beyond Google and evil: How policy makers, journalists and consumers should talk differently about Google and privacy, https://firstmonday.org/ojs/index.php/fm/article/view/2326/2156

75% of the world's population will have personal data covered under modern privacy regulations, up from 10% in 2020. [Gartner, Inc.: Gartner identifies top five trends in privacy through 2024]

Major data breach incidents (figure)

Data protection and privacy laws and regulations (figure)

General Data Protection Regulation
– Regulation on data protection and privacy
  – For all individuals located in the European Union (EU) and the European Economic Area (EEA)
  – Transport of data outside these areas (i.e., globally relevant)
– Replaces Data Protection Directive 95/46/EC
– GDPR is a Regulation ("Verordnung")! Not a directive ("Richtlinie").
  – Enforceable immediately as law in all member states
  – In contrast, directives need to be transposed into domestic laws

Development of the GDPR
Timeline (figure): 24/10/1995, 25/01/2012, 23/03/2012, 12/03/2014
For more details: https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en

Development of the GDPR (2)
Timeline (figure): 15/12/2015, 24/05/2016, 10/01/2017, 25/05/2018

In Germany & Bavaria
– Implemented as Datenschutz-Grundverordnung (DSGVO)
– Adjustments to the existing data protection framework in Germany were necessary
  – New Bundesdatenschutzgesetz (BDSG)
  – New Bayerisches Datenschutzgesetz (BayDSG)
  – Also became effective on May 25, 2018
– Some flexibility is allowed in the GDPR, which can be implemented in national laws
Excerpt of matching provisions in the BayDSG and DSGVO: https://www.datenschutz-bayern.de/datenschutzreform2018/synopse.pdf

Selected Definitions (short version)
– Personal data: Any information relating to an identified or identifiable data subject
– Data subject: Natural living person
– Controller: Determines the purposes for which and the means by which personal data is processed (decides "why" and "how")
– Processor: Acts on behalf of the controller
– Special categories: Health, race, religion etc.
– Processing: Collection, storage, disclosure, transfer, profiling etc.

Selected Definitions (2)
– Automated individual decision-making: Making a decision solely by automated means without any human involvement
– Profiling: Automated processing of personal data to evaluate certain things about an individual
  – Profiling can be part of an automated decision-making process

Overview of Regulation: Focus on GDPR

First, Some Good News for You
– Lots of jobs: For example, Data Protection Officer (DPO)
– 2019 update:
  – An estimated 500,000 organizations have registered data protection officers across Europe
  – Germany: An estimated close to 200,000 organizations with a registered DPO
  https://iapp.org/news/a/study-an-estimated-500k-organizations-have-registered-dpos-across-europe/

More Good News
IAPP Salary Survey 2019 (figure)

Appointment of a Data Protection Officer – Article 37
Mandatory for controller & processor when one of the three conditions holds:
– Public authority or body
– Core activities consist of operations that require regular and systematic monitoring of data subjects on a large scale
– Core activities require processing of special categories of personal data (or criminal convictions and offences) on a large scale

Discussion of Terms
– Regular: Ongoing, at intervals or recurring
– Systematic: Pre-arranged, scheduled, methodical, according to a system
– Large scale: Number of people, volume of data, duration, geographic extent
– Special categories: Information that may lead to discrimination
– Convictions & offences: Requires justification why needed; only if absolutely necessary

DPO: Position Description – Art. 38
Figure: https://dataprivacymanager.net/who-is-a-data-protection-officer-roles-and-responsibilites/

What could be Conflicts of Interest?
– DPO vs. any position that requires taking instructions on data protection issues
– European Data Protection Board (EDPB) "rule of thumb": Certain job roles are in conflict with the tasks of a Data Protection Officer: "chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing department, head of Human Resources or head of IT departments"
– Not a strict rule

Tasks of DPO – Art. 39
Figure: https://dataprivacymanager.net/who-is-a-data-protection-officer-roles-and-responsibilites/
Want this job?

Ok, more details of the GDPR.

Data Protection Principles – Art. 5
Figure: ServeIT.com

Lawfulness of Processing – Art. 6
– Typically only with consent
– Without consent when:
  – Contractual obligation
  – Legal obligation
  – Vital interest
  – Public interest
  – Overriding legitimate interest

Conditions for Consent and Further Conditions Applicable to Children – Art. 7 & 8
– Obligation to demonstrate consent
– Separate consent for different processing
– Clear, plain language; suitable for children
– Right to withdraw consent
– Guardian's consent for information services offered directly to children

Worrisome Example of Compliance from the U.S. Regarding Children's Protection
"We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps' compliance with the Children's Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S. Based on our automated analysis of 5,855 of the most popular free children's apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of third-party Software Development Kits (SDKs). While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs. Worse, we observed that 19% of children's apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps. Finally, we show that efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID."

Rights of Data Subjects – Art. 12-22
– Transparent information provided when data is collected from the person, or from a third party
– Right to access one's own data (free of charge)
– Rectification of inaccurate/incomplete data
– Erasure (Right to be Forgotten):
  – When data are no longer necessary
  – Or consent is withdrawn
  – Or the person objects on legitimate grounds
  – Or data have been unlawfully processed
  – Or there is a legal obligation for erasure
  – Or data were collected in relation to information society services
– Data portability, in two versions:
  1) A data subject can receive data that he/she has provided, in a machine-readable, structured, and common format
  2) A data subject can ask to transmit these data directly from one controller to another controller
– Rights applying to more specific circumstances:
  – Restriction of processing: E.g., when accuracy is contested, processing is unlawful, legal claims are involved, or a decision is pending on an exercised right to objection
  – Objection (including profiling): Article applies when processing is based on public interest or legitimate interest

Rights of Data Subjects – Similarities and Differences
Access (Art. 15) vs. Data Portability (Art. 20) sound similar but are substantially different rights:
– Purpose: Access (Art. 15) allows users to "know" their data; Data Portability (Art. 20) allows users to "control" their data
– Data format: Access (Art. 15) is human-readable; Data Portability (Art. 20) is machine-readable, structured, common
– Data scope: Access (Art. 15) covers data provided by the user, purposes of processing, recipients of data, envisaged storage period, existence of other subject rights, ...; Data Portability (Art. 20) covers data provided by the user
What data is "data provided by user"?

Rights of Data Subjects – "Data provided by user"
De Hert et al. (2018) argue that companies can obtain four types of personal data:
– Received data: Actively provided by the user, e.g. the text of a social media post
– Observed data: Passively collected, e.g. location data measured by the GPS chip of a smartphone
– Inferred and predicted data: Data "produced" by companies using other existing data, e.g. viewing habits on video streaming platforms
Current view: Companies do not have to include inferred or predicted data in their responses to Art. 15 or Art. 20 requests
As of today, it is not clear whether "data provided" should be interpreted widely (received and observed data) or narrowly (only received data) in terms of the GDPR
De Hert et al. (2018): The right to data portability in the GDPR: Towards user-centric interoperability of digital services

Responsibilities of Controller & Processor; Cooperation with DPA & Security – Art. 31, 32
– The controller & the processor & where appropriate their representatives shall cooperate with the DPA, on request
– Must implement appropriate security measures, taking into account state-of-the-art technology, costs and possible risks
– In addition to: Data protection by design and by default (Art. 25)
– Separate obligations for controller and processor in Art. 24-28; other joint obligations in Art. 30

Responsibilities of Controller & Processor: Data Breach Notification – Article 33
– Controller notifies the DPA about a data breach within 72 hours unless there is no risk
  – Justification required after 72 hours
– Processor informs the controller about a data breach immediately
– Notification includes:
  – Nature of breach
  – Number of persons affected
  – Risks involved
  – Measures taken or considered to mitigate risks

Communication of Data Breach – Art. 34
– If the breach is likely to result in high risks, the controller informs the affected persons without delay
  – In plain language: nature of breach, risks involved, measures taken or to be taken
– No obligation to inform if there is no risk or if measures were taken to mitigate the risk
– Public announcement: if informing individually is difficult
– DPA may instruct the controller to inform the affected persons

Impact Assessment & Prior Consultation – Art. 35, 36
– If a new measure is likely to result in high risks, the controller must carry out a Data Protection Impact Assessment (DPIA)
  – If an organization has a DPO, the controller must seek the DPO's advice for the DPIA
– DPIA is mandatory, in particular when: profiling, processing of special categories or convictions/offenses on a large scale, and when monitoring public areas on a large scale

Impact Assessment & Prior Consultation – Art. 35, 36: DPIA + prior consultation = 4 + 1 steps
1. Description/purpose of the foreseen measure
2. Legal basis, necessity, data minimization
3. Identify possible risks
4. Identify measures to mitigate these risks
5. If you cannot find any measures to mitigate the risks, or if you are not 100% sure that the foreseen measures mitigate the risks, you must consult with the DPA

Codes of Conduct & Their Monitoring – Art. 40, 41
Adherence to a code of conduct is voluntary, but it can be a useful tool in at least three cases:
I. To demonstrate compliance with the GDPR – Accountability is mandatory
II. Transfers to third countries & international organizations, in the absence of other tools
III. Associations, bodies representing categories of controllers and regulated professions – Can help to build public trust and confidence in your sector's ability to comply with data protection laws
– EU codes of conduct are approved by the European Data Protection Board (EDPB)
  – National codes are approved by DPAs
– All codes of conduct must be monitored by an expert body: the DPA or a regulator accredited by the DPA (Bar Association etc.)
  – A code of conduct can be used as a tool for transfers if it creates binding & enforceable commitments for controllers & processors

Certification & Certification Bodies – Art. 42, 43
– EU certifications are approved by the EDPB
  – National certifications can be approved by the DPA or by a certification body (which in turn has been accredited, either by the DPA or the national accreditation authority or both)
  – Certification can be used as a tool for transfers if it creates binding & enforceable commitments for controllers & processors

Transfers to Third Countries and International Organizations – Art. 44-50
"Tools" for transfers of data outside the EU:
– Adequacy Decision (if yes, then no authorization required):
  – Transfer must only happen to countries deemed as having adequate data protection laws
  – The European Commission determines that a country or an organization ensures an adequate level of protection
  – The U.S. generally does not meet this requirement
  – HOWEVER: Privacy Shield: Free transfer to companies in the U.S. which register in the Privacy Shield under the 3 regulators for trade (FTC), transport (DoT) & commerce (DoC); a self-regulatory tool
  – The ECJ declared the EU–US Privacy Shield invalid on July 16, 2020
– Appropriate safeguards (if yes, then no authorization from the DPA required):
  – Legally binding instrument (public authorities)
  – Binding corporate rules (group of companies)
  – Standard clauses adopted by the Commission
  – Standard clauses adopted by a DPA & approved by the Commission
  – Codes of conduct
  – Certification mechanisms

Supervisory Authority (DPA) – Art. 51-59
– Independent
– Monitors the implementation of the GDPR
– Raises awareness
– Cooperates with other DPAs
  – Joint inspections & mutual assistance
  – Acts as lead, competent or concerned DPA
– Examines complaints & imposes sanctions
– Extensive investigative, corrective, advisory and authorization powers

Corrective Powers – Art. 58
– Warnings & reprimands
– Temporary or permanent ban of processing
– Order compliance with the GDPR
– Order communication of a data breach
– Order rectification, erasure, restriction
– Withdraw certifications
– Suspend transfers
– Impose fines

Liability and Fines – Art. 82, 83
– Liability to controllers, processors & their representatives
  – Shared liability for joint controllers
– For violations of obligations of controllers & processors and certifications:
  – €10 million or 2% of last year's global turnover
– For violations of principles, rights, transfers & for non-compliance with other sanctions:
  – €20 million or 4% of last year's global turnover
Enforcement overview: https://www.enforcementtracker.com/

Summary: Key changes of the GDPR
Figure, source: Deloitte

More than "just" privacy? Economic implications of the GDPR

Data Portability: Privacy Regulation as a Competitive Measure
– The "Right to Data Portability" (Art. 20) has the purpose of helping users switch between services more easily
– Formulated goals:
  – Give users more control over their data
  – Foster competition between online services
  – Foster the development of new services
Article 29 Data Protection Working Party: Guidelines on the right to data portability

How is compliance with the GDPR evolving? (Certainly) Not all companies are ready.

The Right to Data Portability: Empirical Study
– Study with 182 services finds limited effectiveness of data portability as of 2020
– Observed barriers:
  – Only 75% of services answer a request for data portability
  – Data exports can take up to 30 days (with a possible extension to 90 days)
– Art. 20 does not require standardization or interoperability
  – Minimal requirement: Data has to be in a "common, structured, machine-readable format", e.g. CSV, JSON, XML
  – 49% of services fail to fulfill even these format requirements
– Import possibilities are missing
  – There is no established infrastructure to transfer data from one service to another
  – 77% of services offer no way to import any data
Syrmoudis et al. (2021): Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20

Just Before GDPR Effective Date
– UK survey:
  – October and December 2017
  – Featured responses from 1,519 businesses and a sample of registered charities (569 in total)
– Percentage of entities who have heard of GDPR:
  – Businesses: 38% (large businesses 80%)
  – Charities: 44%
Cyber Security Breaches Survey 2018

One year after GDPR becoming effective
– "Data protection will be as significant as antitrust or anti-corruption in terms of compliance risk." – Hunton & Williams
– Even in 2019, some companies including news sites were blocking EU users (screenshot from 2019)
– Since 2020, the Chicago Tribune is accessible again.

Following a Sample of Apps Through Time: Empirical Study
– 1,745 popular apps with an English-language privacy policy
– Collected from the German version of the Google Play Store
– Mentions of terms such as DPO, data portability etc. are indicative of GDPR adoption
– Suggests quite slow adoption
Figure: Share of privacy policies which mention GDPR (unpublished master's thesis)

Still Only Few Empirical Studies
– Two sets of 6,278 unique English-language privacy policies from inside and outside the EU, covering their pre-GDPR and post-GDPR versions
– EU and global privacy policies have become significantly longer, with (+35%, +25%) more words and (+33%, +22%) more sentences on average
– Observed improvements in coverage and compliance
Read page 1 and 2

Compliance with User Rights: Empirical Findings
A majority of data processors is still not fully GDPR compliant:
– Right to data portability (Art. 20): 29% of services fulfill all criteria of Art. 20 (Syrmoudis et al., 2021)
– Right of access by the data subject (Art. 15): 15% (2015, pre-GDPR) / 53% (2018) / 41% (2019) of popular app vendors respond and transmit a sufficient amount of data (Kröger et al., 2020: How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps)
– The number of GDPR fines per month is slowly rising
Figure: Number of GDPR fines per month (https://www.enforcementtracker.com/?insights)

Essays of Privacy Experts
– Discussion of achievements and challenges at the second anniversary (May 25, 2020) of the GDPR
  – See: https://iapp.org/resources/article/gdpr-at-two-expert-perspectives/
  – Read, for example, the German DPA perspective

Technical Changes

Variety of Changes Required
– Product team compliance includes:
  – Changes, often major, to back-end data logging
  – User interface changes
  – New tools for access, correction, portability, etc.
  – Security
  – Privacy by Design
– Legal team compliance includes:
  – Data Impact Assessments
  – Internal record-keeping
  – Renegotiating commercial contracts
  – Changing user Terms of Service
  – In some cases, appointing a Data Protection Officer resident in the EU

What is Privacy by Design? Seven Core Principles:
1. Proactive not Reactive: Preventative, not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design (early on in the process)
4. Full Functionality: Positive-Sum, not Zero-Sum
5. End-to-End Security: Full Lifecycle Protection
6. Visibility and Transparency: Keep it Open
7. Respect for User Privacy: Keep it User-Centric

Recommendations on the Internet of Things (EU Working Party)
– Make privacy the default setting, and follow Privacy by Design
– Delete all raw data after processing
– Respect a user's self-determination over their own data, and seek consent in a user-friendly way
– Be transparent about how a user's data is being used
– When sensors are continuously collecting one's personal data, remind users of this surveillance activity
– Ensure that data published to social platforms remain private, by default
– Users should not be penalized for failing to consent
– Data should be de-identified, except when necessary
Easy to implement?

Implementation Challenges
– Lots of challenges across all categories of the GDPR ruleset
– For example, consent requirements: Organizations ask for a productive dialogue with DPAs on how to make consent workable for individuals and organizations in compliance with the new GDPR requirements, such as that consent should be distinguishable, unbundled, based on clear affirmative action, specific, informed, etc. It is not apparent what would qualify as unambiguous or explicit consent mechanisms designed for different customer experiences.
Centre for Information Policy Leadership: GDPR Implementation Challenges

Takeaways
– GDPR is a behemoth: We have not even discussed Germany-specifics
– Will consumers benefit?
– Other competing regulations:
  – For example, ePrivacy Directive (2002/58/EC); in the process of being replaced with the ePrivacy Regulation (ePR)

Cookies and Opt-out
Screenshot: Espn.com

Once Again, the End. For Today. See you next week.
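As an added example (not from the lecture slides), the Art. 15 vs. Art. 20 comparison and the De Hert et al. data categories discussed above, written as a small Python response builder: the same data-subject records yield a human-readable access response and a structured, machine-readable portability export in JSON or CSV (the format requirement Syrmoudis et al. tested), inferred data is never returned, and a flag switches between the wide (received + observed) and narrow (received only) reading of "data provided". The record categories, sample values and processing metadata are constructed for the example.

```python
import csv
import io
import json
from dataclasses import dataclass
from enum import Enum


class Provenance(Enum):
    """Data categories from De Hert et al. (2018), as summarised on the slide."""
    RECEIVED = "received"    # actively provided, e.g. the text of a post
    OBSERVED = "observed"    # passively collected, e.g. GPS location
    INFERRED = "inferred"    # produced by the controller from other data


@dataclass
class Record:
    category: str
    value: object
    provenance: Provenance


# Constructed sample records for one hypothetical data subject (not real data).
SAMPLE_RECORDS = [
    Record("profile.name", "A. Example", Provenance.RECEIVED),
    Record("post", "Hello from Munich", Provenance.RECEIVED),
    Record("location", {"lat": 48.26, "lon": 11.67}, Provenance.OBSERVED),
    Record("interest_score.sports", 0.83, Provenance.INFERRED),
]


def provided_data(records, wide=True):
    """'Data provided by the data subject': received data always, observed data
    only under the wide reading, inferred data never (current view on the slide)."""
    allowed = {Provenance.RECEIVED} | ({Provenance.OBSERVED} if wide else set())
    return [r for r in records if r.provenance in allowed]


def export_portability(records, fmt="json", wide=True):
    """Art. 20: common, structured, machine-readable export (JSON or CSV)."""
    rows = [{"category": r.category, "value": r.value, "provenance": r.provenance.value}
            for r in provided_data(records, wide)]
    if fmt == "json":
        return json.dumps(rows, indent=2, sort_keys=True)
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=["category", "value", "provenance"])
        writer.writeheader()
        for row in rows:
            # Nested values (e.g. the location dict) stay parseable as JSON inside the cell.
            writer.writerow(dict(row, value=json.dumps(row["value"])))
        return buf.getvalue()
    raise ValueError(f"unsupported export format: {fmt}")


def access_response(records, purposes, recipients, storage_period, wide=True):
    """Art. 15: human-readable answer listing the data plus the processing metadata
    (purposes, recipients, envisaged storage period, other rights)."""
    lines = ["Personal data we hold about you:"]
    for r in provided_data(records, wide):
        lines.append(f"  - {r.category}: {r.value} ({r.provenance.value})")
    lines.append("Purposes of processing: " + ", ".join(purposes))
    lines.append("Recipients: " + ", ".join(recipients))
    lines.append(f"Envisaged storage period: {storage_period}")
    lines.append("You may also request rectification, erasure or restriction, "
                 "or object to processing (Art. 16-21).")
    return "\n".join(lines)


if __name__ == "__main__":
    print(export_portability(SAMPLE_RECORDS, "csv"))
    print(access_response(SAMPLE_RECORDS, ["service provision"], ["hosting provider"], "24 months"))
```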