European Data Protection Supervisor: Data sharing to combat COVID-19 is legit

After suggestions there might be some suspect data sharing going on to combat the coronavirus outbreak, the European Data Protection Supervisor has said it is within the rules.

The European Commission’s Internal Market chief Thierry Breton has been one of the busier bureaucrats in recent times. Last week, Breton’s calendar showed meetings with Walt Disney, Netflix and Google to ‘preserve the smooth functioning of the internet’, and this week it appears the telcos are on the speed-dial.

This week, meetings with the major European telcos have been on the agenda to discuss ways and means by which data can be used to combat COVID-19. The collection and analysis of anonymised and aggregated geo-location data is one proposed initiative which the telcos can help with.

There might be some concerns about the legality of the proposed ideas, though European Data Protection Supervisor Wojciech Wiewiórowski has attempted to calm fears.

“Firstly, let me underline that data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics,” Wiewiórowski said in an open letter to Roberto Viola, Director-General of DG CNECT.

“I am aware of the discussions taking place in some Member States with telecommunications providers with the objective of using such data to track the spread of the COVID-19 outbreak.”

While previous generations have had to go by educated assumptions to combat the spread of such pandemics, today data is one of the most valuable tools. Insight on how citizens are moving around the country can inform on the success of self-isolation demands or give clues as to where perhaps the next viral hotspot would be. Information is critical in creating the most effective response to a pandemic which caught the world by surprise.

However, the presence of coronavirus does not give authorities a blank cheque to do whatever they please; rules and regulations to protect the interest of the citizen and mitigate the risk of abuse have to be adhered to.

Sophie in’t Veld, a Dutch Member of the European Parliament, is one such person to have raised concerns.

Writing to Internal Market chief Thierry Breton, in’t Veld sought reassurances that data would be and remain anonymised, asking how this would be done, whether the European Data Protection Supervisor has been consulted for an opinion and how the Commission will respond to academic criticism that the collection of geo-location data will not offer benefits as it is not specific enough.

Breton responded to the letter from in’t Veld in satisfactory fashion, but also added that all data collected during this initiative would be deleted once the COVID-19 outbreak is in the past. Adding to Breton’s reassurances, the opinion of the European Data Protection Supervisor further validates the actions from authorities.

In the opinion, European Data Protection Supervisor Wiewiórowski states:

  • Effectively anonymised data fall outside of the scope of data protection rules, assuming the protections applied are resilient enough
  • Should third parties be used for the purposes of collection or analysis, the Commission should ensure appropriate protections are applied
  • Data obtained should be deleted as soon as the current emergency comes to an end

Should the conditions mentioned above be met, Wiewiórowski believes the European Commission should be able to act within the boundaries of data protection rules and regulations.

What should be taken into account is whether such processes are deemed legitimate under other laws.

“The data is anonymised so its use is in compliance with UK and EU data privacy laws, but it may still be an infringement of the human right to privacy under the Human Rights Act,” said Toni Vitale, Partner and Head of Data Protection at JMW Solicitors.

“A lot depends on how the data is used. If it is limited to creating heat maps showing where people are congregating, that might be OK. Some shopping centres already do this to show where shoppers are. This is useful to plan exits, where the cafes should be placed etc. Location data is commonly scraped from mobiles without users being aware.”

Little attention has been paid to whether the collection of personal information on this scale is a violation of the Human Rights Act, though one would hope the appropriate protections have been put in place. Data could hold the key to mitigating the worst impacts of COVID-19, so the European Commission should be applauded for its attempts to be as informed as possible.

Microsoft might be toying with European data protection compliance

The European Data Protection Supervisor has raised ‘serious concerns’ over whether Microsoft is compliant with data protection regulations.

The contracts in question are between the software giant and various European Union institutions which are making use of said products. The central issue is whether contractual terms are compliant with data protection laws intended to protect individual rights across the region from foreign bodies which do not hold data protection to the same standards.

“Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” a statement reads.

“Similar risk assessments carried out by the Dutch Ministry of Justice and Security confirmed that public authorities in the Member States face similar issues.”

The preliminary findings from the European Data Protection Supervisor follow on from investigations taking place in the Netherlands and also changes to the Microsoft privacy policies for its VoIP product Skype and AI assistant Cortana. The changes were seemingly a knee-jerk reaction to reports contractors were listening to audio clips to improve translations and the accuracy of inferences.

What is worth noting is that Microsoft is not the only company which has been bending the definition of privacy with regard to contractors and audio clips. Amazon and Google have also been dragged into the hazy definition of privacy and consent.

The issue which seems to be at the heart of this investigation is one of arm’s length. While government authorities and agencies might hand over responsibility for data protection and privacy compliance to the cloud companies, the European Data Protection Supervisor is suggesting more scrutiny and oversight should be applied by said government parties.

Once again, the definition and extent of privacy principles are causing problems. Europe takes a much more stringent stance on the depth of privacy, as well as the rights which are afforded to individuals, than other regions around the world. Ensuring the rights of European citizens are extended elsewhere was one of the primary objectives of the GDPR, though it seems there are still teething problems.

“When using the products and services of IT service providers, EU institutions outsource the processing of large amounts of personal data,” the statement continues.

“Nevertheless, they remain accountable for any processing activities carried out on their behalf. They must assess the risks and have appropriate contractual and technical safeguards in place to mitigate those risks. The same applies to all controllers operating within the EEA.”

One development which could result in additional scrutiny is The Hague Forum, an initiative to create standardised contracts for European member states which meet the baseline data protection and privacy conditions set forward. The European Data Protection Supervisor has encouraged all European institutions to join the Forum.

Although GDPR was seen as a headache for many companies around the world, such statements from the European Data Protection Supervisor prove this is not an area which can simply be addressed once and then forgotten. GDPR was supposed to set a baseline, and there will be more regulation to build further protections. Perhaps the fact that Microsoft is seemingly non-compliant with current regulations justifies the introduction of more rules and red-tape.

UK sets out battle plan to tackle Silicon Valley’s ‘Digital Gangsters’

Facebook is only the tip of the iceberg, but Parliament is coming after Zuckerberg and his Silicon Valley cronies in the long-standing battle to understand and curb the influence of social media.

Featuring representatives from both sides of the political aisle led by the Department for Digital, Culture, Media and Sport (DCMS), this perhaps set the scene for one of the most aggressive stances against the social media giants. If all the recommendations are followed up on, there could be some major disruption on the horizon.

New regulations, new definitions for the business model, a new regulator, new fines, new competition investigations and new levies against the internet players: the outcome certainly justifies the months spent investigating the complex and diverse tapestry of social media and its impact on today’s society.

“We hope that the Government will include these considerations when it reviews the UK’s competition powers in April 2019, as stated in the Government response to our Interim Report,” the report states in its concluding statements. “Companies like Facebook should not be allowed to behave like ‘digital gangsters’ in the online world, considering themselves to be ahead of and beyond the law.”

Such is the pace of the legislative machine, nothing will change in the immediate future, but this is an important first step into the red-tape maze of regulation. This parliamentary committee, and the subsequent report, are laying the foundations for the future. The scene has been set, with the committee painting a complex picture of deception, greed and mistrust, readying bureaucrats for an assault.

To understand how we have gotten to this point you have to go back to the Cambridge Analytica scandal. Until this point the data economy was thundering along relatively undisturbed, free from the worries of regulation and oversight; however, this scandal pulled the curtain back ever so slightly. The data machine was slightly exposed, and ever since politicians have been clawing to understand the cogs and levers.

But what does this report recommend? Firstly, new regulatory mechanisms. The parliamentary committee has suggested the formation of a new regulatory body, which will be funded by levies placed on the internet companies wishing to operate in the UK, which would have greater insight and powers to pry open business models and processes. Another interesting recommendation is the creation of new definitions for the internet economy.

This is part of the issue today and the reason internet giants have so much freedom. Rules have been designed for different types of organizations for a bygone era. To compensate for the inadequacy of the rulebook, new clauses have been built on top. The issue has been compounded, creating a complicated red-tape maze with loopholes, secret corridors and grey areas for lawyers to expose. The shaky foundations have not provided a suitable mechanism to hold the segment accountable.

The report states what many already know but little has been done to correct. These social media companies are no longer simply ‘platforms’ and neither are they ‘publishers’, therefore they should not be regulated as such. A new definition should be created, with rules specific to this segment. It’s amazing to think it has taken this long to come to this conclusion, but the committee is pushing for specific rules for specific circumstances.

The report also calls for a new ‘code of ethics’, designed by independent experts and overseen by the newly created regulatory body, to hold the internet giants accountable. Using the same principle as Ofcom uses for the regulation of broadcasters, these rules would be specific to the case. It would be a square peg for a square hole.

This new approach may also be extended to the murky world of political campaigning. After the ICO called for a pause of political spending during election periods last year, the committee has responded by suggesting new powers which would:

“…define digital campaigning, including having agreed definitions of what constitutes online political advertising, such as agreed types of words that continually arise in adverts that are not sponsored by a specific political party.”

Again, this is a criticism of the sluggish nature of regulation, not recognising the world has evolved. New rules should reflect the new digital landscape, the changing methods of promoting messages and microtargeted political campaigning. More transparency will be suggested, “clear, persistent banners on all paid-for political adverts and videos, indicating the source and the advertiser”, as well as new transparency metrics for campaigns to declare such activities.

Perhaps a more dangerous area which has finally been addressed is the indirect campaigning which benefits or detracts from parties and individuals. These are organizations such as Leave.EU, which had no direct link to political bodies but presented questionable materials to individuals through the hyper-targeted advertising model offered by social media companies. This also takes the committee into the nefarious world of foreign influence.

Finally, the committee is also tasking the Competition and Markets Authority (CMA) to conduct an extensive investigation into the power and influence of the social media companies. Again, this means little for the moment, but it could be the first step towards identifying potential ‘monopolies’, providing justification to break up the gathering empires.

This aspect of the report leans on documentation sourced by Six4Three, a tech company which is suing Facebook for inappropriately influencing the success of its products.

“Given the contents of the Six4Three documents that we have published, it should also investigate whether Facebook specifically has been involved in any anti-competitive practices and conduct a review of Facebook’s business practices towards other developers, to decide whether Facebook is unfairly using its dominant market position in social media to decide which businesses should succeed or fail,” the report states.

The content of this report should not be dismissed as busywork for boresome bureaucrats but a direct threat to the success of Silicon Valley. The internet companies should be very worried about the content of this report, the conclusions these politicians have drawn and the potential implications of any recommendations. This is a political hot point right now, and we suspect there is enough ill-feeling towards the internet players to take these suggestions forward.

Facebook is the company which is constantly attracting the headlines, but this company is just one of many. The mentality has spread throughout the digital ecosystem, but Facebook is the scapegoat. Unfortunately for all those involved, Facebook CEO Mark Zuckerberg has continued to antagonise politicians by refusing to show up to briefings, compounding the problem and rallying political enemies towards a single cause.

Although these recommendations are only the first steps into the complicated world of regulation, there is potential for significant disruption. With GDPR bubbling away in the background, and further privacy regulations in the pipeline, the basic business model of the internet giants is being challenged here. This document could be a defining factor in the future of the digital economy.