Privacy International lines up US firms for GDPR breaches

UK data protection and privacy advocacy group Privacy International has submitted complaints to European watchdogs suggesting GDPR violations at several US firms including Oracle, Equifax and Experian.

The complaints have been submitted to regulators in the UK, Ireland and France, bringing the data broker activities of Oracle and Acxiom into question, as well as ad-tech companies Criteo, Quantcast and Tapad, and credit referencing agencies Equifax and Experian. The complaints are specifically focused on the depth of personal data processing, which Privacy International believes violates Articles five and six of the General Data Protection Regulation (GDPR).

“It’s been more than five months since the EU’s General Data Protection Regulation (GDPR) came into effect,” a Privacy International statement read. “Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers – in theory. In practice, the real test for GDPR will be in its enforcement.

“Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people’s data. Despite exploiting the data of millions of people, they are on the whole non-consumer facing and therefore rarely have their practices challenged.”

The GDPR Articles in question relate to the collection and processing of information. Article Five dictates that a company has to be completely transparent not only in how it collects and processes information, but also in the reasons for doing so. Reasonable steps must be taken to ensure data is erased once the purpose has been fulfilled; this is known as data minimisation. Article Six states that a company must seek consent from the individual to collect and process information for an explicit purpose; broad-brush collection, storage and continued exploitation of data is what is being tackled here.

In both articles, the objective is to ensure companies are being specific in their collection of personal information, and that it is utilised in a timely manner before being deleted once it has served its purpose. These are two of the articles which will hit the data-sharing economy the hardest, and it will be interesting to see how stringently GDPR will be enforced if there is any evidence of wrongdoing.

This is where Privacy International is finding issue with the firms. The advocacy group is challenging the business practices on the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, accuracy, and integrity and confidentiality. It is also requesting further investigations into Articles 13 and 14 (the right to information), Article 15 (the right of access), Article 22 (automated decision making and profiling), Article 25 (data protection by design and by default) and Article 35 (data protection impact assessments).

While GDPR sounds very scary, the reality is that no-one has been punished to the full extent of the regulation yet. This might be because every company has taken the guidance on board effectively and is operating entirely within the legal parameters, though we doubt this is the case. It is probably a case of no-one having been caught yet.

The threat of a €20 million fine, or one which is up to 3% of a business’ total revenues, is nothing more than a piece of paper at the moment. If there is no evidence or fear that authorities will punish to the full extent of the law, GDPR doesn’t act as much of a protection mechanism or a deterrent. When a genuine violation of GDPR is uncovered, Europe needs to bare its teeth and demonstrate there will be no breathing room.

This has been the problem for years in the technology industry; fines have been dished out, though there has been no material impact on the business. The staggering growth of revenues in the industry has far exceeded the ability of regulators to act as judge and executioner. Take the recent fines for Apple and Samsung over planned obsolescence in Italy. The $10 million and $5 million fines for Apple and Samsung would have taken 20 and 16 minutes respectively to pay off. This is not good enough.

Regulators now have the authority to hold the suspect characters in the industry accountable for nefarious actions concerning data protection and privacy, but they have to prove themselves capable of wielding the axe. Until Europe shows it has a menacing side, nothing will change for the better.

Facebook referred to EU over suspect tracking methods

The UK’s Information Commissioner’s Office has referred an investigation into Facebook to the EU’s lead data protection watchdog over concerns about how the internet giant is tracking users.

The investigation, which was initially launched in May 2017, is primarily focused on the Cambridge Analytica scandal, though this might only be the tip of the iceberg for Facebook. Aside from fining the social media giant, the ICO has referred the case to the Irish Data Protection Commission, as the lead supervisory authority for Facebook under the General Data Protection Regulation (GDPR). As you can see below, Cambridge Analytica might only be the beginning of Facebook’s headache.

“Since we began, the scope of our investigation has extended to 30 organisations, we have formally interviewed 33 individuals and are working through forensic analysis of 700 terabytes of data,” said Information Commissioner Elizabeth Denham. “In layman’s terms, that’s the equivalent of 52 billion pages.

“Now I have published a report to Parliament that brings the various strands of our investigation up to date. It sets out what we have found and what we now know. But it is not the end. Some of the issues uncovered in our investigation are still ongoing or will require further investigation or action.”

Those who practise the dark arts of hyper-targeted advertising rarely explain what information is specifically being held, or how detailed a picture is being built up from primary-sourced data and third-party sources. Few have a genuine understanding of the complexities of these advertising machines, though this is the foundation of various investigations. Transparency is the key word here, with many wanting the curtain to be pulled aside and the mechanics explained.

The fine is clear evidence the ICO is not happy with the state of affairs, though continuation of the investigation and referral to the EU overlords suggests there are more skeletons to be uncovered in-between Zuckerberg’s V-neck jumpers and starch ironed chinos.

“We have referred our ongoing concerns about Facebook’s targeting functions and techniques that are used to monitor individuals’ browsing habits, interactions and behaviour across the internet and different devices to the IDPC,” said Denham.

The initial focus of the investigation might have been political influence, though the more details which emerge, the less comfortable pro-privacy bureaucrats in Brussels are likely to feel. Regulating the slippery Silicon Valley natives has always been a tricky job, but with the Facebook advertising machine becoming increasingly exposed, the rulebook governing the data sharing economy might well be in need of a refresh.

50 million accounts breached at Facebook, but Europe needs to find the bad guy

Details of 50 million accounts have been lost to unknown nefarious individuals, but Facebook might get away with just a heavy hand-slapping from European watchdogs until the full consequences have been identified.

Last week, data from 50 million Facebook accounts was lost due to a vulnerability in the ‘View As’ feature, though as the incident was reported within the 72-hour window set out by the European Commission, the social media giant might avoid serious penalties under GDPR. The maximum fine would be $1.63 billion.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” said Guy Rosen, VP of Product Management. “We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.”

Attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature which allows users to view their profile from the perspective of another. This vulnerability allowed the attacker(s) to steal ‘Access Tokens’, allowing them to hijack user accounts. Access tokens are the equivalent of digital keys keeping people logged in to Facebook so they don’t need to re-enter their password each time they use the platform.
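The paragraph above describes access tokens as the keys that keep a session alive, and the ‘View As’ feature as the place where they leaked. The block below is an added example, not Facebook’s code, built around a hypothetical TokenService; it shows the two controls a defender wants in a profile-preview feature of this kind: any token minted while previewing a profile as another user stays bound to the authenticated viewer rather than to the impersonated account, and every outstanding token can be invalidated at once when an incident is found. The clock is injectable so expiry and revocation can be exercised deterministically.

```python
"""Access-token handling for a 'View As'-style profile preview.

Added example, not Facebook's code. TokenService, FakeClock and the
session layout are assumptions made for the illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    subject: str       # the account this token actually authenticates
    issued_at: float
    ttl: float         # seconds of validity


class FakeClock:
    """Controllable clock so expiry and revocation can be tested deterministically."""
    def __init__(self, t: float = 1000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


class TokenService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._active: dict[str, Token] = {}
        self._revoked_before = float("-inf")   # incident-response cutoff

    def issue(self, authenticated_user: str, ttl: float = 3600.0) -> Token:
        tok = Token(secrets.token_urlsafe(32), authenticated_user, self._clock(), ttl)
        self._active[tok.value] = tok
        return tok

    def check(self, token_value: str, claimed_user: str) -> bool:
        """True only if the token is live, unrevoked and belongs to claimed_user."""
        tok = self._active.get(token_value)
        if tok is None:
            return False
        now = self._clock()
        if now > tok.issued_at + tok.ttl:
            return False
        if tok.issued_at <= self._revoked_before:
            return False
        return hmac.compare_digest(tok.subject, claimed_user)

    def render_profile_as(self, token_value: str, viewer: str, as_user: str) -> dict:
        """Preview the viewer's own profile as as_user would see it.

        Embedded components (an uploader, for instance) may need a short-lived
        token to fetch data; the control is that it is issued to the viewer,
        so even if it leaks it grants nothing over as_user's account.
        """
        if not self.check(token_value, viewer):
            raise PermissionError("viewer is not authenticated")
        embedded = self.issue(viewer, ttl=300.0)
        return {"profile_of": viewer, "seen_as": as_user, "embedded_token": embedded.value}

    def revoke_all(self) -> int:
        """Incident response: invalidate every token issued up to now; returns how many."""
        self._revoked_before = self._clock()
        return sum(1 for t in self._active.values() if t.issued_at <= self._revoked_before)


def demo() -> dict:
    """Walk through a preview, a leaked embedded token, and a mass revocation."""
    clock = FakeClock()
    svc = TokenService(clock)
    alice = svc.issue("alice")
    preview = svc.render_profile_as(alice.value, viewer="alice", as_user="bob")
    embedded = preview["embedded_token"]
    results = {
        "embedded_valid_for_alice": svc.check(embedded, "alice"),
        "embedded_valid_for_bob": svc.check(embedded, "bob"),
    }
    clock.t += 1                     # an incident is discovered a second later
    revoked = svc.revoke_all()
    clock.t += 1
    fresh = svc.issue("alice")       # users log back in and receive new tokens
    results.update({
        "revoked_count": revoked,
        "old_token_after_revoke": svc.check(alice.value, "alice"),
        "fresh_token_after_revoke": svc.check(fresh.value, "alice"),
    })
    return results


if __name__ == "__main__":
    print(demo())
```

The revocation cutoff is a single timestamp rather than a per-token flag, which is what makes a platform-wide reset cheap: tokens issued before the cutoff fail validation regardless of whether the store ever sees them again, and users simply re-authenticate.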

While this might seem like a significant oversight from Facebook’s security function, it might just avoid a significant fine. The incident was reported to the relevant authorities after two days, well within the required window, while the consequence of this incident is also unknown for the moment. Under GDPR, those companies who report an incident within the required window and who are deemed to be cooperating with investigators will not receive the heaviest fines. The objective here is to remove the stigma of self-reporting, essentially rewarding those who come clean and do not try to hide the incident.

The consequence of the breach is also an important factor. Until misuse of the data can be identified, political persuasion for example, watchdogs are unlikely to be heavy handed. Using both the consequence and cooperation with investigators as reasons to reduce the fine is important in ensuring the industry works with regulators. The less time these watchdogs spend policing the industry and searching for potential incidents, the more time can be spent proactively making security features and processes more resilient. If watchdogs appear rational in their approach to punishments, industry will be much more of an ally.

“The time between detection and public notification on this one may be one for the record books, likely driven as much by risk to reputation and a wary eye on some of the large fines levied lately, as much as by GDPR and other compliance requirements,” said Dan Pitman, Principal Security Architect at Alert Logic. “New features increase the risk that vulnerabilities like this can become part of the live application, and Facebook is known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.

“This ‘continuous delivery’ of new features, combined with the modular nature of that delivery, increases risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge.”

The very path to ensuring a more engaging platform might well be what is causing Facebook problems, but in the pursuit of relevance, the Facebook business model might be undermined. Just as with the Cambridge Analytica scandal, users might be discouraged from putting additional information onto the platform, or even encouraged to remove some. At first, this will not have a significant impact on Facebook, but straws piling up on the camel’s back will eventually cause some damage.

While exiting users might be incrementally impacting the Facebook business, the advertisers might start looking at the platform as well. This is not to say people will stop advertising on Facebook, but the more incidents impacting the brand and the more stories of people becoming disengaged might have an influence. Facebook might have led the way when it comes to hyper-targeted advertising but others are catching up. Google is arguably the only platform which can compete toe-to-toe with Facebook, but it doesn’t have the suspect clouds lurking overhead. Twitter has upped its game, Microsoft’s Xbox platform is one worth keeping an eye on, as is AT&T’s advertising business Xandr. Even when you look at companies like Sky, the AdSmart platform offers an incredibly targeted offering. These security breaches might start to weigh heavily considering there are other options out there.

Another very important factor to consider with this incident is GDPR. Since being passed in May, this is the first major incident to test the resiliency and credibility of the rules. How European investigators, currently being led by the Irish data protection watchdog, react will set a precedent and also impact the way in which other companies view the rules. The next few weeks are very important for Europe in terms of validation.

The issues which the regulators are facing at the moment are consequence and bad guys. To make an appropriate ruling, demonstrate the importance of security and dish out the appropriate fine, there needs to be someone or something to point the naughty finger at.

“Based on information available, a video uploading feature implemented in July of last year exposed this feature to a flaw that allowed attackers to impersonate other user accounts and effectively obtain full access to their Facebook profiles,” said Greg Foss, Senior Manager of Threat Research at LogRhythm. “It appears that attackers are able to access the accounts of ‘friends’ or those already connected to the compromised account.

“If that’s true, it may be possible to trace the attacks back to a single point of origin, given the nature of how the attack spreads to other accounts. That said, the origin account will most likely not be that of a real Facebook user, so determining an individual or group behind this will take some digging.”

When a bad guy has been found, the threat becomes real and there are tangible consequences. This is when the appropriate punishment can be justifiably dished out, while also maintaining a positive relationship with industry, and the dangers of the digital economy can be effectively communicated to the general public. This will scare Facebook more than anything else.

Fines are okay; they are a one-off hit. But negative PR and public outcry will mean fewer people engage with the Facebook community, and this will have an impact on the bottom line. Managing this negative impact will be significantly more important than any fine dished out by the European Commission.

US contemplates its own version of GDPR

The U.S. National Telecommunications and Information Administration has started a 30-day public hearing process to gather comments on its policy options towards consumer privacy protection.

Shortly after Europe’s General Data Protection Regulation (GDPR) came into force in late May, what was called at the recent Digital Futures conference “a global tidal wave of new and updated privacy regulations” followed hot on its heels. Regulations and laws passed in jurisdictions from India to California, with other markets in between, have largely been modelled after the European legislation.

In the latest move, on Tuesday September 25, the US federal government, through the National Telecommunications and Information Administration (NTIA), kick-started a month-long process to hear from the public on the approach towards privacy protection.

“The United States has a long history of protecting individual privacy, but our challenges are growing as technology becomes more complex, interconnected, and integrated into our daily lives,” said David Redl, NTIA Administrator and Assistant Secretary of Commerce for Communications and Information. “The Trump Administration is beginning this conversation to solicit ideas on a path for adapting privacy to today’s data-driven world.”

The feedback requested is two-fold. The first part is on the outcome of any future privacy legislation. This includes:

  • Organizations should be transparent about how they collect, use, share, and store users’ personal information.
  • Users should be able to exercise control over the personal information they provide to organizations.
  • The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
  • Organizations should employ security safeguards to protect the data that they collect, store, use, or share.
  • Users should be able to reasonably access and correct personal data they have provided.
  • Organizations should take steps to manage the risk of disclosure or harmful uses of personal data.
  • Organizations should be accountable for the use of personal data that has been collected, maintained or used by its systems.

All these are rather similar to what GDPR and the upcoming ePrivacy Regulation are designed to achieve.

Meanwhile the NTIA is also requesting comments on the overall “High-Level Goals for Federal Action”, the key points including:

  • “Harmonize the regulatory landscape” between existing and future legislation;
  • “Legal clarity while maintaining the flexibility to innovate” to enable new business models and technologies while privacy is protected;
  • “Comprehensive application” to “all private sector organizations that collect, store, use, or share personal data in activities that are not covered by sectoral laws”;
  • “Incentivize privacy research” in technologies and services that improve privacy protections;
  • the FTC should be the enforcement agency.

However a few other points stand out that deserve a closer look. One probably deserves a full quote:

Employ a risk and outcome-based approach. Instead of creating a compliance model that creates cumbersome red tape—without necessarily achieving measurable privacy protections—the approach to privacy regulations should be based on risk modeling and focused on creating user-centric outcomes. Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs, when making decisions about how to adopt various privacy practices. Outcome-based approaches also enable innovation in the methods used to achieve privacy goals. Risk and outcome-based approaches have been successfully used in cybersecurity, and can be enforced in a way that balances the needs of organizations to be agile in developing new products, services, and business models with the need to provide privacy protections to their customers, while also ensuring clarity in legal compliance.

NTIA’s focus is clearly on avoiding heavy-handed measures that regulate what can be done, and instead giving businesses the flexibility to make their own judgement on what measures to take. This is in the same spirit as the first part of the consultation, which “focuses on the desired outcomes of organizational practices, rather than dictating what those practices should be.”

Another point that draws our attention relates to “Scalability”, which stresses that small companies operating in good faith, and third parties processing data on behalf of other organisations, should be treated differently from big companies that own and control personal data.

The two points above combined make a balanced message for the internet giants, which are not necessarily the biggest fans of privacy regulations. While they are afforded more flexibility, they are also going to be treated more strictly if they contravene. However as we wrote earlier, because of their size, the Googles and Facebooks of the world are much quicker in ticking the compliance boxes.

One more point worth highlighting, probably more for entertainment purposes than anything else, relates to “Interoperability” with other major global legislation. Here, for whatever reason, it pointedly does not refer to GDPR but uses the example of the “APEC Cross-Border Privacy Rules System.”

In general, the NTIA’s approach is balanced and measured, which is largely in line with our attitude towards privacy protection. On one hand we deplore the blatant abuse of privacy by companies like Facebook and Cambridge Analytica. On the other hand, we also sympathise with the small and medium-sized businesses operating in Europe, most of which had to scramble together some policies at the eleventh hour, but may still fall foul of consumers. France’s data protection agency CNIL (Commission nationale de l’informatique et des libertés) registered a 64% increase in consumer complaints in the four months after GDPR came into force, compared with the same four months last year.

As Mary Meeker highlighted, draconian laws could limit the exploratory nature of tech innovators. That many countries model their privacy legislation after GDPR confirms that Europe’s policymakers are “world-class in setting standards”, as a recent article in The Economist put it. But in the same article the newspaper also highlighted the gap between Europe and the AI leaders, China and the US, neither of which is a role model in guarding individual privacy, though for entirely different reasons.

In a recent Telecoms.com online poll, a third of the respondents agreed with the statement that there should be “flexible rules to allow users to trade privacy for benefits”. An optimal regulatory environment should give this minority group the freedom to do so while providing the other two-thirds of consumers with strict privacy protection.

The security of Polar users’ data could be compromised, in a big way

The Finnish fitness device and software maker Polar has found itself in the centre of a data leaking scandal, which it’s feared could jeopardise the security of personnel on sensitive missions.

In a country where personal space and privacy are highly respected, Finland can be rather transparent too. Every year at the beginning of November, the tax office grants public access to data on how much income and capital gains everyone made in the previous year, as well as how much tax has been paid.

The country also produced Polar, the company that invented the portable heart-rate monitor. More recently its professional heart-rate monitoring system was credited as being largely behind the scientific training at Leicester City Football Club, which went on to win the Premier League in 2016.

But it is safe to say Polar has taken transparency too far. After months of investigation, the Dutch independent media outlet De Correspondent, in conjunction with the British “citizen journalism” website Bellingcat and the Finnish investigative journalist Hanna Nikkanen on Long Play (in Finnish), published findings on how anyone with a Polar account was able to see all the details of anyone else who publicly shared their workout sessions on Polar’s user interface app, Flow.

Data extracted included the names, as well as time-stamped GPS data, of all the workouts uploaded since 2014. When zoomed out, the aggregated data would generate a clustered view of the user’s activity pattern on the map. This could lead to a rather accurate estimate of the user’s home base, where most exercises started and ended, including places in sensitive locations, e.g. military bases in Iraq or Afghanistan. With some additional cross-searching on social networks, the user’s professional affiliation, including those of the military and secret services, could be made available.
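The passage above explains the inference: the clustered start and end points of publicly shared workouts give away the user’s home base. The usual mitigation on a fitness platform is a privacy zone: points within a declared radius of a sensitive location are stripped before a session is published, and a session that never leaves the zone is not published at all. The block below is an added example, not Polar’s code; the track format (a list of WGS84 latitude/longitude pairs), the zone format and the sample run are constructed for the illustration.

```python
"""Privacy-zone trimming for shared GPS workout tracks.

Added example, not Polar's code. Assumes a track is a list of
(latitude, longitude) points in WGS84 degrees and that one or more
sensitive locations have been declared as privacy zones of the form
(latitude, longitude, radius_m). The sample track and zone are constructed.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside_zone(point, zone):
    """True if the point lies within the zone's radius of its centre."""
    lat, lon = point
    zlat, zlon, radius_m = zone
    return haversine_m(lat, lon, zlat, zlon) <= radius_m


def apply_privacy_zones(track, zones):
    """Return only the points of `track` that lie outside every zone."""
    return [p for p in track if not any(inside_zone(p, z) for z in zones)]


def prepare_for_publication(track, zones):
    """Trim the track and decide whether it may be shared.

    Returns (publishable, trimmed_track). A workout that never leaves a
    zone (a short run around the base) is refused rather than shared as
    an empty or near-empty track.
    """
    trimmed = apply_privacy_zones(track, zones)
    return (len(trimmed) > 0, trimmed)


# Constructed sample: a run starting at a sensitive location and heading north.
# Each step of 0.001 degrees of latitude is roughly 111 m.
HOME = (60.1699, 24.9384)
ZONES = [(HOME[0], HOME[1], 500.0)]          # 500 m privacy radius around HOME
SAMPLE_TRACK = [(round(HOME[0] + i * 0.001, 6), HOME[1]) for i in range(11)]


if __name__ == "__main__":
    ok, trimmed = prepare_for_publication(SAMPLE_TRACK, ZONES)
    print("publishable:", ok, "points kept:", len(trimmed), "of", len(SAMPLE_TRACK))
    for p in trimmed:
        print(p, round(haversine_m(p[0], p[1], HOME[0], HOME[1])), "m from HOME")
```

With the constructed sample, the first five points (0 to about 445 m from HOME) are dropped and the six points from about 556 m outwards are kept. The retained track still shows the direction the runner left in, which is the accepted trade-off of a radius-based zone; the radius, not the code, sets how much of the neighbourhood is hidden, and the platform should apply a sensible default rather than leave the zone opt-in.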

By the time they published their reports, the journalists had managed to gather personal and professional details of more than 6,000 Polar users, including those working for the NSA of the US, Britain’s GCHQ and MI6, Russia’s GRU and SVR RF, France’s DGSE, the Finnish military, as well as the Dutch MIVD.

The journalists notified the Dutch and Finnish authorities as well as reaching out to Polar before they published the findings. The app was disabled remotely on official phones issued to its employees by the Dutch and Finnish Defence Ministries, and warnings were sent out to private device users. However Polar did not formally take down the feature until yesterday (9 July), more than two weeks after being contacted by the journalists and after a forlorn attempt to defend itself by claiming that the company had not leaked the users’ data.

Finland’s Data Protection Ombudsman is looking into the matter. Because its failure to safeguard user data has affected users in other EU countries, the possibility that the case could be brought under the new GDPR cannot be ruled out.

Polar was not the first fitness app to score own goals. As a matter of fact, it was the high-profile case of Strava leaking training data in military bases, which made headlines at the beginning of the year, that prompted the independent journalists to look into the vulnerability of other apps, including Polar. What makes the Polar case stand out is the ease with which users’ private data could be extracted, and the slow reaction from the company.

The ramifications of the case could be profound. The journalists found that similar data could also be extracted from other fitness apps like Endomondo, Runkeeper and Garmin, albeit with a bit more skill. This could result in authorities banning all similar apps from use by employees in sensitive functions, just to be on the safe side. The Finnish military had already banned the sharing of location data on social networks even before the Strava case, but the rank and file servicemen and the reservists largely ignored the order, according to Long Play.

In her testimony to Congress, the newly appointed Director of the CIA, Gina Haspel, declared she has no social network accounts. This could move from a voluntary decision to a mandatory order for employees on sensitive missions. Profiles on social networks like LinkedIn and Facebook made it straightforward for the journalists to join the dots and put together the Polar users’ personal and family details, functions, and locations.

In our latest annual survey published at the end of last year, nearly 95% of the network operators called security as being either critical (69%) or important (25%) to their company’s overall technology and business. Clearly other service providers including device makers and app developers should also enhance their awareness and subject their products to more rigorous security tests.

GDPR seems to benefit Silicon Valley but harm US relations

The initial effects of GDPR seem to be that the biggest companies have benefitted, but the US government thinks it’s harming relations.

The Wall Street Journal reports that Google and Facebook have had a significant advantage over all other digital advertisers as their size has enabled them to tick all the GDPR boxes at scale far more quickly than anyone else. In fact Google’s own DoubleClick Bid Manager is apparently sending more traffic towards Google’s own ad inventory as a result.

It’s far from surprising that a massive new layer of bureaucracy benefits the largest companies the most, as we previously observed. All the kinky talk of compliance and forced consent gives larger organisations a natural advantage as they’re able to devote more resources to ticking all the bureaucratic boxes and have more lawyers to protect them if they transgress regardless.

The European Union is, of course, one of the largest organisations of all and thus has much more natural affinity with the likes of Google than it does with some relatively insignificant SME. That’s not to say the EU sought to deliberately favour a company it recently hit with a massive fine, just that the more it meddles with business, the more advantage it gives big companies.

While Google and Facebook might be quietly pleased with how GDPR is playing out, the US government is growing increasingly agitated. Writing in the FT US Commerce Secretary Wilbur Ross said “We in the US are deeply concerned about the way the EU’s new privacy guidelines, which came into effect last week, will force big changes in the way US and European companies do business.”

“GDPR creates serious, unclear legal obligations for both private and public sector entities, including the US government. We do not have a clear understanding of what is required to comply. That could disrupt transatlantic co-operation on financial regulation, medical research, emergency management co-ordination, and important commerce.”

If even the US government doesn’t know how to comply then what hope does some small business have? Furthermore there have been some reports that even the European Commission itself is struggling with compliance and may be looking to exempt itself from its own rules, which would be a classic EC move.

This public grumbling from the US government comes as trade tensions between the EU and the US have escalated after the two were unable to come to a compromise over the trade of steel and aluminium, which President Trump seems to think needs correcting in favour of the US. As a result the US has imposed tariffs on the import of these metals from the EU, creating the prospect of retaliatory tariffs and further escalation.

“I am concerned by this decision,” said EC President Jean-Claude Juncker. “The EU believes these unilateral US tariffs are unjustified and at odds with World Trade Organisation rules. This is protectionism, pure and simple. Over the past months we have continuously engaged with the US at all possible levels to jointly address the problem of overcapacity in the steel sector.

“By targeting those who are not responsible for overcapacities, the US is playing into the hands of those who are responsible for the problem. The US now leaves us with no choice but to proceed with a WTO dispute settlement case and with the imposition of additional duties on a number of imports from the US. We will defend the Union’s interests, in full compliance with international trade law.”

The EU is the joint biggest exporter of steel to the US along with Canada, according to the BBC. Canada and Mexico have also been hit with the same tariffs and the affected regions seem likely to slap tariffs on the import of bourbon, jeans and hot air. It’s not inconceivable that the GDPR moans are part of a broader negotiating strategy but it looks like things will get worse before they get better.

Facebook and Google accused of GDPR ‘forced consent’

It turns out that imposing extra layers of bureaucracy on companies can bring about unintended consequences, who knew?

Among the inevitable deluge of emails sent by companies desperate to be seen to be doing the bare minimum in compliance with the General Data Protection Regulation (GDPR) that came into effect in Europe today, have been those requesting blanket opt-ins. They usually feature handy one-click buttons that most people presumably use just to be able to put this trying week behind them. The underlying threat is that users either agree to everything or get kicked off the service.

Campaigning group noyb.eu (none of your business), headed by prominent data privacy complainer Max Schrems, is not happy with how Facebook and Google have gone about interacting with their users on this matter. So it has filed complaints against the two and also Facebook subsidiaries Instagram and WhatsApp, in four different countries to make sure it’s nice and pan-European.

“The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR),” says the complaint. “Consequently access to services can no longer depend on whether a user gives consent to the use of data. On this issue a very clear guideline of the European data protection authorities has already been published in November 2017.”

Using language apparently taken from the pages of 50 Shades of Grey, companies seem to be imposing forced consent on their users in order to achieve basic compliance with the GDPR regulations. But if this complaint has merit, which it seems to, then these tech giants might end up getting a thorough spanking from the European Commission.

GSMA warns of regulatory inconsistencies

Ahead of the introduction of the EU’s General Data Protection Regulation (GDPR), the GSMA has highlighted that the busybody bureaucrats should not get too excited with their favourite pastime of coating the industry with red tape.

The regulation comes into effect this Friday (May 25th), launching a mad dash for the finish line. Insiders have told us many firms are doing their best duck impression, calmly floating on the surface while flapping vigorously below trying to get in line with Europe’s demands. It’s almost like some were caught by surprise by the rule changes, because it was only the privileged who were given almost two years to prepare.

While the risk of hefty fines, 3% of annual revenues or €20 million (whichever is greater), is enough to keep you awake at night, this is not what is worrying the GSMA. The association’s concerns are more to do with the red-tape fiends over-complicating rules and creating inconsistencies, mostly with the upcoming ePrivacy Regulation (ePR).

“Consumers should rightfully celebrate the new protections the GDPR brings them,” said John Giusti, Chief Regulatory Officer at the GSMA. “The GDPR is driving up standards of responsible data governance, not only in the EU, but also around the world, stimulating efforts to find a common ground for data privacy.

“However, the benefits of GDPR could easily be undermined if the current regulatory imbalance between the telecommunications industry and other players in the digital world is not resolved. Telecom operators are still subject to additional obligations vis-à-vis other digital players imposed by the ePrivacy Directive. When the European Council shortly decides on their position on the proposal to replace the current directive with an ePrivacy Regulation (ePR), we must not ignore the impact of the ePR on both existing and future services that are critical to Europe’s digital growth.”

These are rules which have not been fully addressed by the industry as of yet, primarily because most are panicking about getting everything in order for GDPR. The rules will be an update of the EU’s existing ePrivacy legal framework, specifically the EU ePrivacy Directive which goes back to 2002 and was revised in 2009. A lot has changed in the last nine years, so it would be fair to assume ensuring compliance for ePR might be as complicated as GDPR.

ePR focuses specifically on electronic communications and the right to confidentiality and data/privacy protection. In short, ePR builds on the definitions of privacy and data introduced by GDPR, and acts to clarify and enhance them. In particular, the areas of unsolicited marketing, cookies and confidentiality are covered in a more specific context. While GDPR was created to enshrine Article 8 of the European Charter of Human Rights in terms of protecting personal data, ePR will enshrine Article 7 in respect of a person’s private life.

The legal and regulatory world is a complicated one, but in enhancing an individual’s privacy through ePR, regulators will have to ensure they don’t contradict anything which is said in GDPR, but also leave enough flexibility in rules for companies to explore new business models and services for the future digital economy. It is a complicated task, and the GSMA isn’t being paranoid in expressing its concerns.

GDPR: time to cross your T’s and dot your I’s

Telecoms.com periodically invites third parties to share their views on the industry’s most pressing issues. In this piece Rob McBride, Director of Enterprise and Telco Solutions at Versa Networks offers some timely advice about what it will take to become GDPR-ready.

The new General Data Protection Regulation (GDPR) rules come into effect on May 25th, 2018. With less than a month to go, most companies are now scurrying to put the finishing touches to their GDPR plan. Failure to comply with GDPR can have massive consequences, from loss of reputation and customer trust to significant monetary losses levied as penalties. However, complying with the stringent data protection regulations is not going to be an easy feat, for it not only encompasses guidelines on how enterprises collect and consume data but also how they build and embed security policies right into the very foundations of their enterprise IT architectures.

Let’s take a look at the new GDPR guidelines, what they mean for the enterprise and customers and how IT leaders can leverage existing technologies to better monitor, manage and secure critical data.

GDPR: What It Means

The European Parliament adopted the General Data Protection Regulations (GDPR) in April 2016, replacing an outdated data protection directive from 1995. According to the GDPR official website, the aim of the new regulations is to protect the interest of all European Union (EU) citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 EU Data Protection Directive was established.

GDPR consolidates existing fragmented laws across the EU into one single compliance and regulatory framework that will be applicable to all 28 EU member states. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also lays down specific guidelines around the export of personal data outside the EU.

Whom Does GDPR Apply to?

Companies that are registered or have any form of operation in the EU will need to comply with GDPR. Any organization that collects, processes or stores personal data of EU residents must comply with the GDPR regardless of where the processing takes place.

However, any company, irrespective of the country of operation, is subject to the regulations under GDPR if they process personal data of EU residents in connection with providing goods or services to consumers in the EU or if they monitor the behaviour of EU residents, such as in connection with targeted advertising.

The GDPR regulation lays down specific guidelines for ‘Data Controllers’ and ‘Data Processors’ and to understand how GDPR will impact your business, it is important to understand which of these two categorizations will apply to you.

The GDPR defines a Data Controller as the entity that collects the data or decides how the data it collects will be processed or used. Most business entities that sell products or services or have operations in the EU would typically fall under this category. A Data Processor, on the other hand, is the entity that merely processes data in accordance with instructions given by a data controller. These could be vendors who provide services that involve processing the data of EU citizens (cloud vendors, analytics, marketing, HR or payroll agencies etc).

Companies in the EU are also required to contractually commit vendors outside the EU to compliance with the GDPR. This means that a US-based company selling a product or service to a customer in the EU may also need to comply with the GDPR even if it does not have a subsidiary in the EU. The regulation applies if the data controller (an organisation that collects data from EU residents), or processor (an organisation that processes data on behalf of a data controller, like cloud service providers), or the data subject (person) is based in the EU. The regulation also applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU.

Rights of Data Subjects

The aim of the GDPR guidelines is primarily to uphold the privacy rights of consumers in EU states. The guidelines not only lay down strict rules governing how data is processed but also clearly define the Rights of Data Subjects in the EU. These rights and what they entail are shown in the figure below.

Versa GDPR diagram

Getting GDPR Ready

One of the most critical and important points under the GDPR guidelines is the provision of Privacy by Design. At its core, privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition. This provision requires data controllers to build and implement appropriate technical and organisational measures to meet the requirements of the GDPR guidelines and ensure data privacy and security for all of the EU’s data subjects.

This might sound too simple, but any organization that has security solutions in place would testify that it is much more complicated than that. As enterprises embrace multi-cloud and SaaS, organizations must rethink their entire IT landscape and, if using the Internet for connecting to SaaS or public clouds, must implement a highly secure infrastructure. As businesses adopt new software-defined technologies like SD-WAN as an enabler for their broader connectivity strategies, they must look beyond dynamic connectivity to an integrated security and SD-WAN approach to further harden their infrastructure for GDPR.

There is no single solution that can help enterprises achieve a complete framework that will assist them in becoming fully GDPR compliant. But CIOs can wisely choose small blocks of smart technologies that can, in conjunction with other security measures, help them to reach their ultimate goal.

Conclusion

There are going to be very few organizations, if any at all, that will face the 25th of May with a full and comprehensive plan for GDPR compliance. For most data collectors and processors, the coming months are going to be a phase of learning, discovering and experimenting with new ideas and technologies. The key here is not to be overwhelmed but to take one small step at a time and find the right set of technologies to help get you there.


Rob McBride is responsible for Versa Networks’ software-defined solutions portfolio – SD-WAN, SD-Security and SD-Branch. Rob has spent the last 15+ years designing, marketing and bringing to market a wide range of solutions and products covering SDN/NFV, SD-WAN, Voice (TDM/VoIP), and DC virtualization. He brings a wide range of experience from senior roles in sales engineering, field support, product management and marketing. Prior to Versa Networks, Rob held senior positions at Viptela, Brocade Communications, Enterasys Networks, Alcatel-Lucent and Enterprise Data Solutions (EDS).