responsible data uses: privacy, security, ethics & compliance

@aureliepols Stockholm –March 2015 #outfox2015

Responsible Data Uses: Privacy, Security, Ethics & Compliance

Aurélie Pols

Pan-European digital analytics veteran & Privacy geekBoard Member @MyPermissions


Before frictionless sharing


We did optimize “stuff”


The era of Data Hoarding


DATA LEECHING

While some refer to Data Puking, this is about


Data = New Asset Class

• Economic asset:

– if it’s worth something, who owns it?

• Ownership means property:

– Property law, contract law, etc.

• But


DATA IS INFINITELY TRANSFERABLE WITHOUT DECAY

#1. The specifics of Data as an Economic Asset


Familiar property types

• House, mortgage & cadaster

• A car looses 50% of it’s value the day after the purchase

• But data? What is it really?

HYPOTEK Fastighetsregistret


Infinitely transferable without decay

• Interesting type of property

• The legal world is not ready for

• Yet harm is imaginable:

– Deaths of dissidents

– Algorithmic discrimination

– Tunneled world vision

– Identity thefts

– Cyber bullying


DEFINING & RECOGNIZING DATA HARMS

#2. Often forgotten legislative challenges


Involved actors

• Legislators & governments: – make the laws & want to be re-elected

• Businesses (employee, partner & customer data): – growth strategies, max shareholder value

(not always)

• Citizens: – consuming technology,

are the product if free, co-owners of the data?

Governments Legislators (FTC, FCC, FDA, EU)

Consumers Voters Citizens

OUR GLOBAL SOCIETY

Businesses:

Brands

Data Service Providers


Data ownership? The Dutch

KPN is a Dutch Telco

Operations are in the Netherlands, Belgium & Germany

Brands: Hi, Simyo, Telfort& KPN, XS4ALL, E-Plus & Base (sold to Telefonica)


Patchworks of legislation


4 topics

1. Security

2. Compliance

3. Privacy

4. Ethics


Europe: Data Protection


Security for digital analytics

Mainly for (not mutually exclusive):

– Access: employees, partners, APIs, … <- control & revoke procedures? Strong passwords?

– Data transfers: between tools & devices, between companies <- level of encryption? Liability?

– Data merging: which data set goes (or is copied) where? <- data breach notification requirements


COMPLIANCE IS A RISK EXERCISE

#3. Related to evolving Privacy legislation


Privacy & Annoying Europeans


PII: ah but we don’t collect it!

Medical information as PII

California

Arkansas

Missouri

New Hampshire

North Dakota

Texas

Virginia

Financial information as PII

Alaska North Carolina

Iowa North Dakota

Kansas Oregon

Massachusetts South Carolina

Missouri Vermont

Nevada Wisconsin

New York* Wyoming

Passwords as PII

Georgia

Maine

Nebraska

Biometric information as PII

Iowa

Nebraska

North Carolina

Wisconsin

Source: information based on current continuous monitoring (partial results)


A Global Privacy Perspective

US & UK EU ASIA

Common Law Continental Law Partially continental law influenced

Class actions Fines (by DPAs: Data Protection Agencies)

Amended New

Privacy Personal Data Protection (PDP)

Business focused Citizen focused: data belongs to the visitor/prospect/consumer/citizen

Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …

Over-arching EU Directives & Regulations

PII: varies per US state

“Personal Data” => Risk levels: low, medium, high, extremelyhigh


Low Risk

Medium Risk

(profiling)

High Risk

(sensitive)

Risk

Level

Data type

Information Security Measures

Extremely High Risk

(profiling of sensitive data)PII

PII vs. Risk Levels


Data Science concerns?

• As a Data Scientist: doing the best analysis

• As an employee: not getting my company into trouble

• As a citizen:

– Lack of transparency <- loss of controlthat could lead to discrimination

– Identity theft

– Tunneled view of the world


What do analytics tools propose?

Let’s take Google Analytics:

• Anonymizing IP addresses

• Implementing opt-out mechanisms

• Not using cookies

• Complying with DNT

• Forcing SSL

• Disabling data sharing

Source: http://gu.illau.me/posts/privacy-and-google-analytics/

http://gu.illau.me/posts/privacy-and-google-analytics/


Source: http://dynamical.biz/blog/technical-analytics/collecting-ga-userid-into-ga-can-violate-google-analytics-tos-75.html

http://dynamical.biz/blog/technical-analytics/collecting-ga-userid-into-ga-can-violate-google-analytics-tos-75.html


Data tension due to data leeching

Analytics capabilities

Customer feelings of creepiness

Harm?

Data quality?


Privacy Role Playing in the EU


Rights & obligations

Roles and responsibilities Data controller must:• Process legally &

fairly• Collect for explicit

& legitimate purposes

• Not excessively• Keep data accurate

& updated• Allow for

rectification• Respect data

retention periods• Protect personal

data, appropriate to the type of data held


UNDERSTAND YOUR LIABILITY WITHIN THE DATA ECOSYSTEM

#4. Minimizing Privacy related Risks?


Who is liable here?


iBeacons, Mondelez: Creepy?


EU GDPR affecting Data Science

• Collaboration & Responsibility (not only legal)

– Privacy training & escalation procedures

• Data lineage & consent management

– Understanding wherethe data comes from

– Manage individualchoices & consent


EU GDPR affecting Data Science

• Change to the data value exchange

– Maintaining quality of data collected & analyzed

• Commercial advantages

– Increased Trust; reduced Brand Erosion due to unsystematic Privacy management

– Better data governance, optimized use of Data Science


1 legal concept to rule them all

FIPPs: Fair information Practice Principles

Transparency

Choice

Information review &

correction

Information protection

Accountability


Open discussion

Aurélie Pols

responsible data uses: privacy, security, ethics & compliance

Data & Analytics

data science

data puking

specifics of data

data harms

partner customer data

responsible data uses

outfox2015data ownership

property law