Lecture 3 - Organizational_Privacy.pdf

Full Transcript

IT and Society
Lecture 3: Privacy – Privacy and Organizations

Prof. Jens Grossklags, Ph.D.
Professorship of Cyber Trust
Department of Computer Science
School of Computation, Information and Technology
Technical University of Munich
April 29, 2024
Recap – Privacy Introduction
Data enables many new business models; data analytics
may lead to important new insights in many contexts
Collection and monetization of data is pursued
aggressively
Individuals‘ understanding and options to react are often
inadequate to „solve“ privacy challenges
Discussion of merits of different solution approaches
needed

2
 Lecture 3

Privacy – Privacy and Organizations

3
 Data protection is necessary.
Suggested Reading: Chris Hoofnagle (2009)
Beyond Google and evil: How policy makers, journalists
and consumers should talk differently about Google and privacy
https://firstmonday.org/ojs/index.php/fm/article/view/2326/2156 4
75% of the world’s population will have personal data
covered under modern privacy regulations, up from 10%
in 2020.

[Gartner, Inc.; Gartner identifies top five trends in privacy through 2024]

5
Major data
breach incidents

Data protection
and privacy laws
and regulations

6
General Data Protection Regulation
Regulation on data protection and privacy
– For all individuals located in the European Union (EU) and the
European Economic Area (EEA)
– Transport of data outside these areas (i.e., globally relevant)
Replaces Data Protection Directive 95/46/EC
GDPR is a Regulation („Verordnung“)! Not a directive
(„Richtlinie“).
– Enforceable immediately as law in all member states
– In contrast, directives need to be transposed into domestic laws
7
 Development of the GDPR
24/10/1995 25/01/2012

12/03/2014 23/03/2012

8
For more details: https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en
Development of the GDPR (2)
15/12/2015
24/05/2016

10/01/2017

25/05/2018

9
In Germany & Bavaria

Implemented as Datenschutz-Grundverordnung (DSGVO)
Adjustments to existing data protection framework in
Germany necessary
– New Bundesdatenschutzgesetz (BDSG)
– New Bayerisches Datenschutzgesetz (BayDSG)
Also became effective on May 25, 2018
Some flexibility allowed in GDPR, which can be
implemented in national laws
10
Excerpt of matching
provisions in the BayDSG
and DSGVO

https://www.datenschutz-bayern.de/
datenschutzreform2018/synopse.pdf 11
Selected Definitions (short version)
Personal data: Any information relating to an identified or
identifiable data subject
Data subject: Natural living person
Controller: Determines the purposes for which and
the means by which personal data is
processed (decides ‘why’ and ‘how’)
Processor: Acts on behalf of the controller
Special categories: Health, race, religion etc.
Processing: Collection, storage, disclosure, transfer,
profiling etc.
12
Selected Definitions (2)

Automated individual decision-making
– Making a decision solely by automated means without any
human involvement
Profiling
– Automated processing of personal data to evaluate certain
things about an individual
– Profiling can be part of an automated decision-making process

13
Overview of Regulation

Focus on GDPR

14
First, Some Good News for You

Lots of jobs: For example, Data Protection Officer (DPO)

2019 Update:
- Estimate of 500,000 organizations
have registered data protection officers
across Europe
- Germany: Estimate of close to 200,000
organizations with a registered DPO

https://iapp.org/news/a/study-an-estimated-
500k-organizations-have-registered-dpos-
across-europe/

15
More Good News

IAPP Salary Survey 2019

16
Appointment of a Data Protection
Officer – Article 37
Mandatory for controller & processor when one of the
three conditions holds:
– Public authority or body
– Core activities consist of operations that require regular and
systematic monitoring of data subjects on a large scale
– Core activities require processing of special categories of
personal data (or criminal convictions and offences), on a large
scale

17
Discussion of Terms

Regular: Ongoing, at intervals or recurring
Systematic: Pre-arranged, scheduled, methodical,
according to a system
Large scale: Number of people, volume of data, duration,
geographic extent
Special categories: Information that may lead to discriminations
Convictions & offences: Requires justification why needed; only if
absolutely necessary

18
DPO: Position Description – Art. 38

https://dataprivacymanager.net/ 19
who-is-a-data-protection-officer-roles-and-responsibilites/
What could be Conflicts of Interest?

DPO vs any position that requires taking instructions on
data protection issues

European Data Protection Board (EDPB) “rule of thumb”:
Certain job roles are in conflict with the tasks of a Data Protection Officer:
“chief executive, chief operating officer, chief financial officer, chief medical
officer, head of marketing department, head of Human Resources or head of
IT departments”
 Not a strict rule

20
Tasks of DPO – Art. 39

https://dataprivacymanager.net/ 21
who-is-a-data-protection-officer-roles-and-responsibilites/
 Want this job?

Ok, more details of the GDPR.

22
Data Protection Principles – Art. 5

Figure:
ServeIT.com

23
Lawfulness of Processing – Art. 6

Typically only with Consent
Without consent when:
– Contractual obligation
– Legal obligation
– Vital interest
– Public interest
– Overriding legitimate interest

24
Conditions for Consent and Further
Conditions Applicable to Children - Art. 7 & 8:

Obligation to demonstrate consent
Separate consent for different processing
Clear, plain language; suitable for children
Right to withdraw consent
Guardian’s consent for information services offered
directly to children

25
Worrisome Example of Compliance
from the U.S. Regarding Children‘s
Protection
We present a scalable dynamic analysis framework that allows for the automatic evaluation of the
privacy behaviors of Android apps. We use our system to analyze mobile apps’ compliance with the
Children’s Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the U.S.
Based on our automated analysis of 5,855 of the most popular free children’s apps, we found that a
majority are potentially in violation of COPPA, mainly due to their use of third-party Software
Development Kits (SDKs). While many of these SDKs offer configuration options to respect COPPA
by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do
not make use of these options or incorrectly propagate them across mediation SDKs. Worse, we
observed that 19% of children’s apps collect identifiers or other personally identifiable information
(PII) via SDKs whose terms of service outright prohibit their use in child-directed apps. Finally, we
show that efforts by Google to limit tracking through the use of a resettable advertising ID have had
little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other,
non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of
the advertising ID.

26
Rights of Data Subjects – Art. 12-22

Transparent information provided when data collected
from the person, or from a third party
Right to access one’s own data (free of charge)
Rectification of inaccurate/ incomplete data

27
Rights of Data Subjects – Art. 12-22

Erasure (Right to be Forgotten):
– When data are no longer necessary
– Or consent is withdrawn
– Or person objects for legitimate grounds
– Or data have been unlawfully processed
– Or there is legal obligation for erasure
– Or data collected in relation to information society services

28
Rights of Data Subjects – Art. 12-22
Data portability:
– Two versions: 1) A data subject can receive data that he/she has
provided, in machine-readable, structured, and common format & 2) ask
to transmit these data directly from one controller to another controller
Rights applying to more specific circumstances:
– Restriction of processing: E.g., when accuracy is contested or unlawful
processing or legal claims or decision is pending on exercised right to
objection
– Objection (including profiling): Article applies when processing is based on
public interest or legitimate interest

29
Rights of Data Subjects –
Similarities and Differences
 Access (Art. 15) vs. Data Portability (Art. 20) sound similar but are
substantially different rights:
Access (Art. 15) Data Portability (Art. 20)
Purpose Allow users to “know” their data Allow users to “control” their data
Data Format Human-readable Machine-readable, structured, common
Data Scope Data provided by user, purposes of Data provided by user
processing, recipients of data,
envisaged storage period, existence of
other subject rights, …

 What data is “data provided by user”?

30
Rights of Data Subjects –
“Data provided by user”
 De Hert et al. (2018) argue that companies can obtain four types of personal
data:
 Received data: Actively provided by user, e.g. the text of a social media post
 Observed data: Passively collected, e.g. location data measured by GPS chip of
smartphone
 Inferred and predicted data: Data “produced” by companies using other existing data,
e.g. viewing habits on video streaming platforms
 Current view: Companies do not have to include inferred or predicted data in
their responses to Art. 15 or Art. 20 requests
 As of today, it is not clear whether “data provided” should be interpreted widely
(received and observed data) or narrowly (only received data) in terms of the
GDPR
De Hert et al. (2018):The right to data portability in the GDPR: Towards user-centric interoperability of digital services
31
Responsibilities of Controller & Processor;
Cooperation with DPA & Security - Art. 31,32

The controller & the processor & where appropriate their
representatives shall cooperate with the DPA, on request
Must implement appropriate security measures, taking
into account state of the art technology, costs and
possible risks
In addition to: Data protection by design and by default (Art. 25)
Separate obligations for controller and processor in Art.
24-28; other joint obligations in Art. 30
32
Responsibilities of Controller & Processor
Data Breach Notification - Article 33

Controller notifies the DPA about data breach within 72 hours
unless there is no risk
– Justification required, after 72 hours
Processor informs the controller about data breach immediately
Notification includes:
– Nature of breach
– Number of persons affected
– Risks involved
– Measures taken or considered to mitigate risks

33
Communication of Data Breach – Art. 34
If the breach is likely to result in high risks, the controller
informs the affected persons without delay
– In plain language: nature of breach, risks involved, measures
taken, or to be taken
No obligation to inform if there is no risk or if measures
were taken to mitigate risk
Public announcement: if informing individually is difficult
DPA may instruct the controller to inform the affected
persons
34
Impact Assessment &
Prior Consultation - Art. 35,36
If a new measure is likely to result in high risks, the
controller must carry out a Data Protection Impact
Assessment (DPIA)
– If an organization has a DPO, the controller must seek his
advise for the DPIA
DPIA is mandatory, in particular when:
– Profiling, processing of special categories or convictions/
offenses on a large scale, and when monitoring public areas on
a large scale
35
36
Impact Assessment &
Prior Consultation – Art. 35, 36:
DPIA + prior consultation = 4 + 1 steps:
1. Description/ purpose of foreseen measure
2. Legal basis, necessity, data minimization
3. Identify possible risks
4. Identify measures to mitigate these risks
5. If you cannot find any measures to mitigate the risks or if you
are not 100% sure that the foreseen measures mitigate the
risks, you must consult with the DPA

37
Codes of Conduct &
Their Monitoring - Art. 40, 41:
Adherence to a code of conduct is voluntary, but it can be a useful
tool in at least three cases:
I. To demonstrate compliance with the GDPR
– Accountability is mandatory
II. Transfers to third countries & international organizations, in the
absence of other tools
III. Associations, bodies representing categories of controllers and
regulated professions
– Can help to build public trust and confidence in your sector’s ability to
comply with data protection laws
38
Codes of Conduct &
Their Monitoring - Art. 40, 41:
EU codes of conduct are approved by the European Data
Protection Board (EDPB)
– National codes are approved by DPAs
All codes of conduct must be monitored by an expert
body: DPA or accredited by DPA Regulator (Bar
Association etc.)
– Code of conduct can be used as a tool for transfers, if it creates
binding & enforceable commitments to controllers & processors

39
Certification &
Certification Bodies – Art. 42, 43:
EU certifications are approved by the EDPB
– National certifications can be approved by the DPA or by a
certification body (which in turn has been accredited, either by
the DPA or the national accreditation authority or both)
– Certification can be used as a tool for transfers, if it creates
binding & enforceable commitments to controllers & processors

40
Transfers to Third Countries and
International Organizations - Art. 44-50:
“Tools” for transfers of data outside the EU:
Adequacy Decision (if yes, then no authorization required):
– Transfer must only happen to countries deemed as having adequate data
protection laws
– The European Commission determines that a country or an organization
ensures an adequate level of protection
U.S. generally does not meet this requirement
– HOWEVER: Privacy Shield: Free transfer to companies in the U.S., which
register in the Privacy Shield under the 3 regulators for trade (FTC),
transport (DoT) & commerce (DoC)  Self-regulatory tool
– ECJ declared the EU–US Privacy Shield invalid on July 16, 2020
41
Transfers to Third Countries and
International Organizations - Art. 44-50:
Appropriate safeguards (if yes, then no authorization from DPA
required):
– Legally binding instrument (public authorities)
– Binding corporate rules (group of companies)
Standard clauses adopted by the Commission
Standard clauses adopted by DPA & approved by the
Commission
Codes of conduct
Certification mechanisms
42
Supervisory Authority (DPA)
- Art. 51-59:
Independent
Monitors the implementation of the GDPR
Raises awareness
Cooperates with other DPAs
– Joint inspections & mutual assistance
– Acts as lead, competent or concerned DPA
Examines complaints & imposes sanctions
Extensive investigative, corrective, advisory and authorization
powers
43
Corrective Powers – Art. 58:
Warnings & reprimands
Temporary or permanent ban of processing
Order compliance with GDPR
Order communication of data breach
Order rectification, erasure, restriction
Withdraw certifications
Suspend transfers
Impose fines
44
Liability and Fines – Art. 82, 83:

Liability to controllers, processors & their representatives
– Shared liability to joint controllers
For violations of obligations of controllers & processors
and certifications:
– €10 million or 2% of last year’s global turnover
For violations of principles, rights, transfers & for non-
compliance with other sanctions:
– €20 million or 4% of last year’s global turnover
45
Liability and Fines – Art. 82, 83:
https://www.enforcementtracker.com/

46
Summary: Key changes of the GDPR

Source: Deloitte 47
 More than “just” privacy?
Economic implications of the GDPR

48
Data Portability: Privacy Regulation
as a Competitive Measure
 The “Right to Data Portability” (Art. 20) has the purpose to help
users to switch between services more easily
 Formulated goals:
 Give users more control over their data
 Foster competition between online services
 Foster the development of new services

Article 29 Data Protection Working Party: Guidelines on the right to data portability
49
 How is compliance to the GDPR
evolving?

(Certainly) Not all companies are ready.

50
 The Right to Data Portability:
Empirical Study
 Study with 182 services finds
limited effectiveness of data
portability as of 2020
 Observed barriers:
 Only 75% of services
answer a request for data
portability
 Data exports can take up to
30 days (with a possible
extension to 90 days)

Syrmoudis et al. (2021): Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20 51
 The Right to Data Portability:
Empirical Study
 Art. 20 does not require standardization
or interoperability
 Minimal requirement: Data has to be in “common,
structured, machine-readable format”, e.g. CSV,
JSON, XML
 49% of services fail to fulfill even these format
requirements

 Import possibilities are missing
 There is no established infrastructure to transfer
data from one service to another
 77% of services offer no way to import any data

52
Syrmoudis et al. (2021): Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20
Just Before GDPR Effective Date

UK Survey:
– October and December 2017
– Featured responses from 1,519 businesses and a sample of
registered charities (569 in total)
Percentage of entities who have heard of GDPR
– Businesses: 38% (large businesses 80%)
– Charities: 44%

Cyber Security Breaches Survey 2018 53
One year after GDPR becoming
effective
“Data protection will be as significant as antitrust or anti-corruption in terms of
compliance risk.” – Hunton & Williams

– Even in 2019, some companies including news sites blocking EU users
(screenshot from 2019)

Since 2020, the
Chicago Tribune
is accessible again.

54
Following a Sample of Apps
Through Time: Empirical Study
 1745 popular apps with
English language
privacy policy
 Collected from the
German version of the
Google Play Store
 Mentions terms such
as DPO, data
portability etc.
indicative of GDPR
adoption
 Suggests quite slow
adoption
Share of Privacy Policies which mention GDPR
(unpublished masters thesis) 55
Still Only Few Empirical Studies

Two sets of 6,278 unique English-language privacy policies from
inside and outside the EU, covering their pre-GDPR and the post-
GDPR versions
EU and Global privacy policies have become significantly longer,
with (+35%, +25%) more words and (+33%, +22%) more
sentences on average
Observe improvements in coverage, and compliance
56
Read Page 1 and 2
Compliance with User Rights:
Empirical Findings
 A majority of data processors is still not fully GDPR compliant:
 Right to data portability (Art. 20):
29% of services fulfill all criteria of Art. 20
(Syrmoudis et al., 2021)

 Right of access by the data subject (Art. 15):
15% (2015, pre-GDPR) / 53% (2018) / 41% (2019)
of popular app vendors respond and transmit a
sufficient amount of data
(Kröger et al., 2020: How do app vendors respond to
subject access requests? A longitudinal privacy study on
iOS and Android Apps)

 The number of GDPR fines per month
is slowly rising Number of GDPR fines per month
(https://www.enforcementtracker.com/?insights) 57
Essays of Privacy Experts

Discussion of achievements and challenges at the second
anniversary (May 25, 2020) of the GDPR
– See: https://iapp.org/resources/article/gdpr-at-two-expert-perspectives/
– Read for example, German DPA perspective:

58
Technical Changes

59
Variety of Changes Required
Product team compliance includes:
– Changes, often major, to back-end data logging
– User interface changes
– New tools for access, correction, portability, etc.
– Security
– Privacy by Design
Legal team compliance includes:
– Data Impact Assessments
– Internal record-keeping
– Renegotiating commercial contracts
– Changing user Terms of Service
– In some cases, appointing Data Protection Officer resident in EU
60
What is Privacy by Design?

Seven Core Principles:
1. Proactive not Reactive: Preventative, not Remedial;
2. Privacy as the Default setting;
3. Privacy Embedded into Design (early on in the process);
4. Full Functionality: Positive-Sum, not Zero-Sum;
5. End-to-End Security: Full Lifecycle Protection;
6. Visibility and Transparency: Keep it Open;
7. Respect for User Privacy: Keep it User-Centric.

61
Recommendations on the Internet
of Things (EU Working Party)
Make privacy the default setting, and follow Privacy by
Design;
– Delete all raw data after processing;
– Respect a user’s self-determination over their own data, and seek consent
in a user-friendly way;
– Be transparent about how a user’s data is being used;
– When sensors are continuously collecting one’s personal data, remind
users of this surveillance activity;
– Ensure that data published to social platforms remain private, by default;
– Users should not be penalized for failing to consent;
– Data should be de-Identified, except when necessary
Easy to implement? 62
Implementation Challenges

Lots of challenges across all categories of GDPR ruleset
– For example, consent requirements:

Organizations ask for a productive dialogue with DPAs on how to make
consent workable for individuals and organizations in compliance with the
new GDPR requirements, such as that consent should be
distinguishable, unbundled, based on clear affirmative action, specific,
informed, etc. It is not apparent what would qualify as unambiguous or
explicit consent mechanisms designed for different customer
experiences.
Centre for Information Policy Leadership: GDPR Implementation Challenges 63
Takeaways
GDPR is a behemoth: We have not even discussed
Germany-specifics  Will consumers benefit?
Other competing regulations:
– For example, ePrivacy Directive (2002/58/EC); in the process
of being replaced with ePrivacy Regulation (ePR)
Cookies and Opt-out

Espn.com
64
Once Again, the End. For Today.

See you next week.

65