10 Burning Questions on Privacy

2

This presentation gives an overview of the most important issues related to privacy on the web and mobile. It also provides insights and recommendations on what you need to do for your mobile services and marketing campaigns to create the best environment for users to share their data.

Introduction The author, Agathe Caffier, graduated as a business

lawyer in London and is now a Certified Information Privacy Professional (CIPP/E). As well as being the general council for Golden Gekko, one of the leading mobile solution providers in the world, her expertise in privacy matters related to mobile has led her to provide privacy guidelines and audits to companies such as Vodafone, Telefonica and many more.

Index

1. What is Privacy

2. What are the different regimes?

3. Which are the OECD principles?

4. Who are the different players?

5. What is the definition of personal data?

6. What does consent mean?

7. What is Active Consent in mobile?

8. Why is user data collected?

9. What is the Privacy debate about?

10. Why is there a debate about cookies?

3

4

Defined as the right to be left alone, anonymity. Control over the use of personal information. The ability of an individual or group to seclude themselves or information about themselves, and thereby reveal themselves selectively.

What is Privacy? There is no single privacy law that applies universally.

Some languages do not have a word for privacy and only 80 countries have data protection regimes. Four categories of privacy: bodily (physical), territorial (house), communication (mail, telephone), information

.

5

Comprehensive model (EU)

General law covering data protection in public and private sector, with an agency responsible for covering its enforcement (DPA). France CNIL, Spain AEPD, UK ICO

What are the different regimes? (1)

Sectoral Model (US) No general framework but some existing laws addressing specific industry sectors. Eg: finance, healthcare. Each law will have a different enforcement authority.

.

6

Co-regulatory, Self-regulatory Model (Canada) Mix of government and non governmental institutions that protects personal information. Co: law which states that each industry must develop enforceable codes

What are the different regimes? (2) Self: no law but existence of codes of practice for protection by company industry or independent body. No general Privacy / data protection law (China) No general law. No industry guidelines.

.

7

Collection limitation principle - data subject should know of collection when possible

Data quality principal - data to be relevant for the purpose of collection

Which are the OECD principles? (1) Purpose specification principle – purpose of collection

must be specified at time of collection

Use limitation principle – data to be used according to purpose

.

8

Security safeguards principle – data should be protected

Openness principle – no secrecy about data controller identity and the way the data is used

Which are the OECD principles? (2) Individual participation principle – data subject right of

access (if refused there must be valid reasons)

Accountability principle- accountable for complying with measures in principles

.

9

Data Processor Is an individual or organization, often a third party outsourcing service, that processes data on behalf of the data controller. Is not authorized to do additional data processing outside of the scope of what is permitted from the data controller itself.

Who are the different players? Data Subject

Individual whose information is being processed, Eg: employee, end-user of an App. Data Controller An organization who has the authority to decide how and why personal information is to be processed

10

“Any data that relates to an identified or identifiable individual” There are certain differences from one country to another. For example, in the EU, an IP address is personal whereas this is not the case in the US Examples of what is classified as personal data includes name, gender, contact information, age and birth date, marital status, social security number.

What is the definition of personal data? (1)

11

A sub category is sensitive data, which covers for example, racial or ethnic origin, political opinion, biometric data, trade union membership or sexual orientation. Non- personal data is anonymized data, for example, the date and time someone visits a specific webpage.

What is the definition of personal data? (2)

12

“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”. Consent must be unambiguous. Valid consent assumes the individuals’ capacity to consent.

What does consent mean? Individuals who have consented should be able to

withdraw their consent, preventing further processing of their data. Consent must be provided before the processing of personal data starts, but it can also be required in the course of processing, where there is a new purpose to the data.

.

13

The definition of Active Consent in mobile is: Voluntary, informed, express and revocable permission.

This means a user is given a clear opportunity to agree a specific and notified use of their personal information. Permission must be captured in a way that is not the default option.

What is Active Consent in mobile?

Active consent applies to secondary, non-obvious use of a user’s personal information, and/or applications that have additional privacy implications for users For example, an app requesting a user’s location, where such data is not necessary for the functioning of the app.

.

14

Golden Gekko recommends not only to comply with the minimum legal requirements imposed by the law but to go the extra mile and involve the user. Ensure they are able to actively approve of their data being processed.

A great way to involve the user in participating is to educate them.

Our recommendation The user should own the consent process and be given

a choice. They should also be allowed to retract their permission easily, for example in the main ‘Settings’ menu. Another great way to involve the user in participating in giving consent is to educate them. Education is very efficient when the app includes a simple wizard which takes the user through all the privacy parameters included in the app. .

.

15

Your data can help app makers take important decisions related to future feature enhancements helping the app to work for you in a more personalized way. Some apps gather your personal data so that they can target specific ads to you. If your data shows you meet certain criteria, advertisers will tailor their marketing efforts accordingly.

Why is user data collected? In the case of a malicious app, your personal data could

be sold or used for illegal purposes. For example, this type of app might send text messages without your consent to premium numbers. In such instances some users have reported being charged as much as $10 per message. Getting access to your contact list can be a goldmine for malware authors and spammers.

.

16

App users are aware that most applications will need to use at least some basic personal data in order to allow proper use. The problem that most users encounter is not necessarily centred around the idea of sharing their personal data, but rather, around the lack of transparency and the loss of ownership of said information.

Our recommendation Our recommendation: Be transparent and clearly

communicate to your user the reasons for collecting their personal data.

Be transparent and clearly communicate

the reasons for data collection.

17

App developers´ standpoint: Privacy requirements should be respected to gain users’ trust through being transparent. Security measures need to be put in place to protect users’ Privacy.

What is the privacy debate about? Users’ standpoint:

Privacy may be voluntarily sacrificed in exchange for perceived benefits.

Info can be stolen, misused and carries the threat of identity theft.

18

We refuse to follow a rigid approach which could mean an overload of pop up notifications reducing the users’ positive experience.

We recommend a flexible approach to privacy.

Our recommendation We recommend a flexible approach to privacy.

A flexible approach should mean a leverage of best practices from each sector in addition to a smart user flow and privacy settings implemented within the app.

19

In the EU, the first cookie law was introduced in 2002 where choosing to opt out was sufficient. With the new Cookie law from 2009, opt in is required with clear and comprehensive information about the purposes of the storage of, or access to, that data. Clear consent must be given.

Why is there a debate about cookies?

An example of a typical notice is: “This website uses

cookies. By using this website you approve to the use

of cookies. Please check our Privacy policy for more

information.”

There are different implementations of the law

depending on the jurisdictions:

http://cookiepedia.co.uk/cookie-laws-across-europe

20

It is important to understand privacy and put in place appropriate legal and security measures. Understanding privacy matters linked to mobile application solutions will play in your favour and help you retain your customers. By tackling privacy from the outset of the development of your app, you will gain users’ trust more rapidly.

Our recommendation We recommend you give your user the choice to share or not his personal data as well as explaining the reason for which the data is collected. The customer should also be given the option to go back and change their permission status easily. The idea is not to overload the user with pop up notifications at each step of the app but rather, by thinking about how to integrate privacy upfront, allowing them to be in control through education.

21

A great way to do so is by adding a wizard that will guide them when starting to use the app. Moreover, by doing audits of your current application on a regular basis you will gain users’ trust. The impact of the latest breaches of personal data is raising awareness amongst customers who are becoming more demanding in regards to privacy settings.

Our recommendation We recommend proactivity and adherence to the latest industry recommendations by adjusting your user journey accordingly.

We recommend proactivity and adherence to the latest industry guidelines.

Fighting for a world full of mobile solutions since 2005

web www.goldengekko.com

email

Agathe Caffier

Legal Adviser

info@goldengekko.com