The Canadian government’s Canadian Centre for Cyber Security (“CCCS”) has released Baseline cybersecurity controls for small and medium organizations in an effort to help small and medium-sized businesses improve their cybersecurity practices and their overall resiliency to cybersecurity threats.
Small and medium-sized businesses face a range of cyber threats in the form of cybercrime, often with immediate financial or privacy implications, such as compromised customer, financial and proprietary information. With this in mind, the baseline controls provide a condensed set of advice, guidance and security controls on how such businesses can maximize the effectiveness of their cybersecurity investments. In this bulletin, we review key features of the guidance.
Cybersecurity ostensibly depends on a multitude of factors. As such, businesses are encouraged to apply the controls that are most appropriate for their circumstances and that best suit their cybersecurity needs. Businesses should conduct a five-step assessment to appraise those needs:
1) Size assessment: The proposed baseline controls are intended for businesses with fewer than 499 employees.
2) Information systems and assets that fall within the scope of cyber-protection: Information systems and assets refer to all computers, servers, network devices, mobile devices, information systems, applications, services and cloud applications that are used to conduct business. It is strongly recommended that all information systems and assets be considered within the scope for baseline controls.
3) Value of information systems and assets: The injury level related to the confidentiality, integrity and availability of information systems and/or data should be assessed. The baseline controls are intended for situations where all potential injuries are at or below a medium threat level.
4) Primary threat of concern: If a business operates in a strategic sector of the economy or faces more advanced cybersecurity threat levels, it should invest in more comprehensive cybersecurity measures.
5) Primary cybersecurity investment levels: Someone in a leadership role who is specifically responsible for IT security should be identified. Then, the business’s financial spending levels as well as internal staffing levels for IT and IT security should be assessed.
Identification of Baseline Controls
Once the five-part assessment has been conducted, a business is in a position to determine which baseline controls are relevant to implement to reduce the risk of cybersecurity incidents and data breaches.
The CCCS proposes the following thirteen baseline controls:
1) Develop an incident response plan: Businesses should have a basic plan for how to respond to incidents of varying severity, namely a written incident response plan (both in soft and hard copy) that details who is responsible for handling incidents including any relevant contact information for communicating to external parties, stakeholders, and regulators. Businesses should also consider purchasing a cybersecurity insurance policy and implementing a security information and event management system.
2) Automatically patch operating systems and applications: Businesses should enable automatic updates for all software and hardware or establish full vulnerability and patch management solutions, as well as conduct risk assessment activities.
3) Enable security software: Businesses should configure and enable anti-virus and anti-malware software that update and scan automatically, on all connected devices.
4) Securely configure devices: Businesses should implement secure configurations for all devices, namely changing default passwords, turning off unnecessary features, and enabling relevant security features.
5) Use strong user authentication: Businesses should implement two-factor authentication wherever possible and require it for important accounts, namely financial accounts, system administrators, cloud administration, privileged users, and senior executives. Businesses should also have clear policies on password protection and only enforce password changes on suspicion or evidence of compromise.
6) Provide employee awareness training: As a first line of defence, businesses should train employees on basic security practices and focus on practical and easily implementable measures, such as effective password policies, identification of malicious emails and links, approved software, appropriate usage of the Internet, and safe use of social media.
7) Backup and encrypt data: Businesses should backup systems that contain essential business information at a secure offsite location and ensure that recovery mechanisms operate as expected. Backups should be stored in an encrypted state, with restricted access for testing or restoration activities only.
8) Secure mobility: Businesses should implement a mobility management solution for all mobile devices and decide on an ownership model for mobile devices. Whether mobile devices are business or employee-owned, there should be a separation between work and personal data, including apps, email accounts, and contacts. Businesses should ensure that employees download mobile apps from a list of trusted sources and require that all mobile devices store sensitive information in a secure, encrypted state. Businesses should also require users to disable automatic connections to open networks, avoid connecting to unknown Wi-Fi networks, limit the use of Bluetooth and NFC for the exchange of sensitive information, and use corporate Wi-Fi or cellular data network connectivity rather than public Wi-Fi.
9) Establish basic perimeter defences: Businesses should have a dedicated firewall, with a DNS firewall for outbound DNS requests to the Internet, and activate software firewalls on devices within their networks. Businesses should require secure connectivity to all corporate IT resources and VPN connectivity with two-factor authentication for all remote access into corporate networks. Only secure Wi-Fi, never public Wi-Fi networks, should be used. Businesses should follow the Payment Card Industry Data Security Standard for all point-of-sale terminals and financial systems and further isolate these systems from the Internet and should ensure the implementation of DMARC on all of the business’s email services.
10) Secure cloud and outsourced IT services: Businesses should require that all their cloud service providers comply with Trust Service Principles or, alternatively, evaluate their comfort level with how and where their outsourced IT providers handle, access, store, and use their sensitive information. Businesses should also ensure that their IT infrastructure and users communicate securely with the cloud.
European Citizens have a fundamental right to privacy, it is important for organisations which process personal data to be cognisant of this right. When carried out effectively, anonymisation and pseudonymisation can be used to protect the privacy rights of individual data subjects and allow organisations to balance this right to privacy against their legitimate goals.
Read this guide to find out about using these techniques.
Irreversibly and effectively anonymised data is not “personal data” and the data protection principles do not have to be complied with in respect of such data. Pseudonymised data remains personal data.
If the source data is not deleted at the same time that the ‘anonymised’ data is prepared, where the source data could be used to identify an individual from the ‘anonymised’ data, the data may be considered only ‘pseudonymised’ and thus still ‘personal data’, subject to the relevant Data Protection legislation.
Data can be considered “anonymised” from a data protection perspective when data subjects are not identified or identifiable, having regard to all methods reasonably likely to be used by the data controller or any other person to identify the data subject, directly or indirectly.
What is personal data?
Personal data means any information relating to an identified or identifiable individual. This individual is also known as a ‘data subject’.
An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
The definition above reflects the wording of both the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018. Accordingly, data about living individuals which has been anonymised such that it is not possible to identify the data subject from the data or from the data together with certain other information, is not governed by the GDPR or the Data Protection Act 2018, and is not subject to the same restrictions on processing as personal data.
What is anonymisation?
"Anonymisation" of data means processing it with the aim of irreversibly preventing the identification of the individual to whom it relates. Data can be considered effectively and sufficiently anonymised if it does not relate to an identified or identifiable natural person or where it has been rendered anonymous in such a manner that the data subject is not or no longer identifiable.
There is a lot of research currently underway in the area of anonymisation, and knowledge about the effectiveness of various anonymisation techniques is constantly changing. It is therefore impossible to say that a particular technique will be 100% effective in protecting the identity of data subjects, but this guidance is intended to assist with identifying and minimising the risks to data subjects when anonymising data. In the case of anonymisation, by 'identification' we mean the possibility of retrieving a person's name and/or address, but also the potential identifiability by singling out, linkability and inference.
What is pseudonymisation?
"Pseudonymisation" of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified.
The GDPR and the Data Protection Act 2018 define pseudonymisation as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that (a) such additional information is kept separately, and (b) it is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual.
Although pseudonymisation has many uses, it should be distinguished from anonymisation, as it only provides a limited protection for the identity of data subjects in many cases as it still allows identification using indirect means. Where a pseudonym is used, it is often possible to identify the data subject by analysing the underlying or related data.
Uses of anonymisation and pseudonymisation
Data which has been irreversibly anonymised ceases to be “personal data”, and processing of such data does not require compliance with the Data Protection law. In principle, this means that organisations could use it for purposes beyond those for which it was originally obtained, and that it could be kept indefinitely.
In some cases, it is not possible to effectively anonymise data, either because of the nature or context of the data, or because of the use for which the data is collected and retained. Even in these circumstances, organisations might want to use anonymisation or pseudononymisation techniques:-
As part of a "privacy by design" strategy to provide improved protection for data subjects.
As part of a risk minimisation strategy when sharing data with data processers or other data controllers.
To avoid inadvertent data breaches occurring when your staff is accessing personal data.
As part of a “data minimisation” strategy aimed at minimising the risks of a data breach for data subjects.
Even where anonymisation is undertaken, it does retain some inherent risk. As mentioned, pseudonymisation is not the same as anonymisation and should not be equated as such – the information remains personal data. Even where effective anonymisation takes place, other regulations may apply – for instance the ePrivacy directive applies in many regards to information rather than personal data. And finally, even where effective anonymisation can be carried out, any release of a dataset may have residual privacy implications, and the expectations of the concerned individuals should be accounted for.
Identification – the test under the Data Protection Acts
In order to determine whether data has been sufficiently anonymised to bring it outside the scope of Data Protection law, it is necessary to consider the second element of the definition, relating to the identification of the data subject, in greater detail.
The Article 29 Working Party on Data Protection (now replaced by the European Data Protection board, or ’EDPB’) has previously suggested the following test for when an individual is identified or identifiable:
“In general terms, a natural person can be considered as “identified” when, within a group of persons, he or she is "distinguished" from all other members of the group. Accordingly, the natural person is “identifiable” when, although the person has not been identified yet, it is possible to do it…”
Thus, a person does not have to be named in order to be identified. If there is other information enabling an individual to be connected to data about them, which could not be about someone else in the group, they may still “be identified”.
“Identifiers are pieces of information which are closely connected with a particular individual, which could be used to single them out.”
In determining whether a person can be distinguished from others in a group, it is important to consider what “identifiers” are contained in the information held. Identifiers are pieces of information which are closely connected with a particular individual, which could be used to single them out. Such identifiers can be “direct”, like the data subject’s name or image, or “indirect”, like their phone number, email address or a unique identifier assigned to the data subject by the data controller. As a result, removing direct identifiers does not render data sets anonymous. Data which are not identifiers may also be used to provide context which may lead to identification or distinction between users – e.g. a series of data about their location, or perhaps their shopping or internet search history. Indeed, these kinds of data series on their own may be sufficient to distinguish and identify an individual.
However, just because data about individuals contains identifiers does not mean that the data subjects will be identified or identifiable. This will depend on contextual factors. Information about a child’s year of birth might allow them to be singled out in their family, but would probably not allow them to be distinguished from the rest of their school class, if there are a large number of other children with the same year of birth. Similarly, data about the family name of an individual may distinguish them from others in their workplace, but might not allow them to be identified in the general population if the family name is common.
On the other hand, data which appears to be stripped of any personal identifiers can sometimes be linked to an individual when combined with other information, which is available publicly or to a particular individual or organisation. This occurs particularly in cases where there are unique combinations of connected data. In the above case for instance, if there was one child with a particular birthday in the class then having that information alone allows identification.
Identifiability and anonymisation
The concept of “identifiability” is closely linked with the process of anonymisation. Even if all of the direct identifiers are stripped out of a data set, meaning that individuals are not “identified” in the data, the data will still be personal data if it is possible to link any data subjects to information in the data set relating to them.
Recital 26 of the GDPR provides that when determining whether an individual is identifiable or not “[…] account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly” and that when determining whether means are ‘reasonably likely to be used’ to identify the individual “[,,,] account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.” Recital 26 also clarifies that the principles of data protection do not apply to anonymous information. …”
Therefore, to determine when data is rendered anonymous for data protection purposes, you have to examine what means and available datasets might be used to re-identify a data subject. Organisations don’t have to be able to prove that it is impossible for any data subject to be identified in order for an anonymisation technique to be considered successful. Rather, if it can be shown that it is unlikely that a data subject will be identified given the circumstances of the individual case and the state of technology, the data can be considered anonymous.
Some different ways that re-identification can take place are discussed below.
If the source data is not deleted at the time of the anonymisation, the data controller who retains both the source data and the anonymised data will normally be in a position to identify individuals from the anonymised data. In such cases, the anonymised data must still be considered to be personal data while in the hands of the data controller, unless the anonymisation process would prevent the singling out of an individual data subject, even to someone in possession of the source data.
PIPEDA is broken down into 10 core principles. They reflect and evaluate how a business is required to handle personal information and to ensure that best practices are in place and used. Following is an overview of each of these principles as well as one guidance on how they relate to cloud service providers.
PIPEDA is broken down into 10 core principles. They reflect and evaluate how a business is required to handle personal information and to ensure that best practices are in place and used. Following is an overview of each of these principles as well as one guidance on how they relate to cloud service providers.
An organization is required to accept responsibility for any and all personal information that is under its control. This is accomplished by designating a representation who is accountable and responsible for the organization’s compliance. The business is further required to use various means, including contractual, to ensure that it remains compliant with third parties. It also has a responsibility to uphold PIPEDA by developing and implementing relevant policies and procedures.
Organizations should include contractual obligations that uphold PIPEDA including reporting procedures, security policies, non-disclosure, and limitations.
2. Identifying Purposes
An organization is responsible for identifying and documenting their purpose for collecting personal information. They are required to notify their customers, clients, users, visitors, and guests if they intend to use the information for any purpose that was not identified at the time of collection prior to using that information.
Organizations should share the organization’s outlook on policies and procedures, particularly as it related to the purpose of collecting personal data.
Businesses should evaluate their requirements to handle personal information and to ensure that best practices are in place and used.
An organization is responsible for obtaining the informed consent of individuals when it is engaged in the practice of collection of personal information or data, except where such knowledge and consent is inappropriate.
Organizations should share the organization’s policies and outlook regarding how sensitive data is handled.
4. Limiting Collection
An organization is responsible for limiting the collection of personal information to only what is necessary for purposes identified by the organization. All collection methods should be fair and compliant with all applicable laws.
Organizations should follow the best practices for securing storing personal information on the behalf of the business.
5. Limiting Use, Disclosure, and Retention
An organization is responsible for never using or disclosing personal information for any purpose other than that for which it was collected. They are to retain any personal information collected for only as long as is necessary to fulfill the intent or purpose of the collection.
Organizations should follow best practices for securely handling the destruction or disposal of data that is no longer needed and storage is no longer required. They should also have policies in place regarding third party disclosure.
An organization is responsible for ensuring that all information is accurate, complete, and up to date. It should be only what is necessary or required for the purpose or intent of use.
Organizations should share the organization’s principles on the accuracy of data that is collected.
An organization is responsible for protecting personal information by ensuring that reliable security safeguards that are appropriate for the level of the information’s sensitivity are in place.
Organizations should have policies in place for safeguarding the data that it is hosting for the organization. Organizations should have access to all security policies regarding how their cloud service provider protects the collected data from loss and theft as well as unauthorized access, copying, modification, disclosure, and use.
An organization is responsible for complete transparency regarding its policies and management of collected personal information. The policies should be very detailed in explaining how it manages personal information and these policies should be readily available for both employees and clients.
Organizations should be transparent regarding their data management policies. They should be able to provide a copy of these policies to their clients upon request.
9. Individual Access
An organization is responsible for providing, upon written request, the existence, use, and disclosure of an individual’s personal information. They must also give those individuals access to the information that has been collected and they must be given the opportunity or option to challenge the accuracy of it and have it amended appropriately.
Organizations should have policies in place that are in line with the organization’s policies regarding access to information.
10. Challenging Compliance
An organization is responsible for providing a platform for individuals to address challenges PIPEDA compliance with the core principles. The designated individual or team that handle’s an organization’s compliance will be the point of contact for individuals who are challenging the compliance issues.
Organizations should have the appropriate policies and procedures to ensure that there are no complaints filed or received regarding the way that an organization’s data is handled.
The Privacy Commissioners of Canada, Alberta and British Columbia have jointly issued guidelines to help organizations obtain meaningful consent from individuals for the collection, use and disclosure of their personal information
The Privacy Commissioners of Canada, Alberta and British Columbia have jointly issued guidelines to help organizations obtain meaningful consent from individuals for the collection, use and disclosure of their personal information. The previously written Guidelines came into effect in January 2019 and are now applied by the Commissioners when evaluating organizational conduct.
The Guidelines set out seven guiding principles for meaningful consent:
1. Emphasize key elements
The Guidelines state that organizations must identify for individuals what personal information is being, or may be, collected about them and for what purposes. This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to. Disclosure to third parties must also be clearly explained.
Further, individuals must be able to understand the consequences of the collection, use or disclosure to which they are consenting. Meaningful risks must be identified, which means a risk that falls below the balance of probabilities but is more than a minimal or mere possibility should be identified by the organization.
2. Allow individuals to control the level of detail they get and when
The Guidelines state that information must be provided to individuals in manageable and easily accessible ways, potentially including layers. This is because one person may be comfortable with a quick review of summary information, but others may need a “deeper dive.”
The Guidelines go on to state that the information should remain available to individuals as they engage with the organization, because consent choices are not made just once. At any time, individuals should be able to reconsider whether they wish to maintain or withdraw their consent. Full information should be available to them as they make those decisions.
3. Provide individuals with clear options to say "yes" or "no"
The Guidelines emphasize that individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service. They must be given a choice about unnecessary collections, uses and disclosures. Previous Commissioner decisions indicate that the term “necessary” does not mean absolutely necessary (i.e. in the sense that it is literally not possible to provide the product/service without collecting, using or disclosing the personal information). Rather, the term “necessary” essentially means “reasonably necessary,” taking all relevant and legitimate factors into account.
For a collection, use or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purposes.
4. Be innovative and creative
The Guidelines say that organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used.
While innovation and creativity are clearly worthy goals, it seems unlikely that the Commissioners would chastise an organization or find the organization to be in breach of the consent requirements in their respective legislation simply because the consent was not obtained in an innovative or creative manner. Accordingly, we suggest that organizations see this portion of the Guidelines as an encouragement or “challenge,” but not a strict legal requirement (indeed, the Guidelines note that some statements are intended to communicate “best practices”).
That said, the Guidelines make the fair point that mobile devices present an amplified communication challenge: individuals’ time and attention are at a premium and the medium does not lend itself to lengthy explanations. Accordingly, organizations need to highlight privacy issues at particular decision points in the user experience where people are likely to pay attention in order to obtain informed and meaningful consent from individuals.
5. Consider the consumer’s perspective
The Guidelines point out that consent is only valid where the individual can understand that to which they are consenting. Accordingly, an organization’s consent processes must take into account the consumer’s perspective to ensure that the processes are user-friendly and that the information provided is generally understandable from the point of view of the organization’s target audience. In order to do this effectively, the Guidelines suggest that organizations consider:
consulting with users and seeking their input when designing a consent process;
pilot testing or using focus groups to ensure individuals understand what they are consenting to;
involving user interaction/user experience designers in the development of the consent process;
consulting with privacy experts and/or regulators when designing a consent process; and/or
following an established "best practice" standard or other guideline in developing a consent process.
6. Make consent a dynamic and ongoing process
For example, when an organization plans to introduce significant changes to its privacy practices, it must notify users and obtain consent prior to the changes coming into effect. The Commissioners recommend that organizations consider periodically reminding individuals about their privacy options and inviting them to review these options.
7. Be accountable – stand ready to demonstrate compliance
In addition to the seven guiding principles described above, the Guidelines ask organizations to keep in mind the following:
Organizations need to consider the most appropriate form for consent – in other words, organizations must ask themselves: “Should the consent in this particular situation be express or implied?” While express consent is generally required, there are certain circumstances under which implied consent may be adequate.
The purposes for which an organization collects and uses personal information must be appropriate and defined. Consent is not everything.
Individuals have the right to withdraw consent, subject to legal or contractual restrictions. A withdrawal of consent may mean that data held by an organization about an individual should be deleted, depending on the circumstances.
Organizations must obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves. (The federal commissioner takes the position that, in all but exceptional circumstances, this means anyone under the age of 13).
Elizabeth Denham's latest blog busts the myths for UK small and medium sized businesses transferring personal data to and from the EEA
Like everyone in the UK right now, we are following the twists and turns of the Brexit negotiations. The sharing of customers’, citizens’ and employees’ personal data between EU member states and the UK is vital for business supply chains to function and public authorities to deliver effective public services.
At the moment personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer term solution can be put in place.
However in the event of ‘no deal’, EU law will require additional measures to be put in place by UK companies when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make them lawful.
With less than two months to go until the UK leaves the EU, we recognise that businesses and organisations are concerned. My latest myth busting blog challenges some of the misconceptions about what a ‘no deal’ Brexit will mean for UK companies transferring personal data to and from the EEA.
Myth #1: Brexit will stop me from transferring personal information from the UK to the EU altogether.
In a ‘no deal’ situation the UK Government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. But transfers of personal data from the EEA to the UK will be affected.
The key question around the flow of personal data, is whether your data is going from the UK to the EEA or exchanged both ways? If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going.
All businesses operating in the EEA should consider whether they need to take action now. Read our guidance pages to establish whether you need to prepare for data transfers in the event of ‘no deal’.
Myth #2: I have regular customers from Europe who come to my family’s hotel every year – I’ll need a special agreement set up to deal with their personal details.
When a customer passes their own personal data to a company in the EEA, it is not considered to be a data transfer and can continue without additional measures.
However, there may be other ways you transfer data, for example a booking agency transferring a list of customers, in this case you may need additional measures. If you are unsure please check the ICO’s guidance pages where we have a range of tools and advice to help.
Myth #3: Brexit will only affect data transfers of UK companies actually exporting goods or services to the EU.
Personal data transfers are not about whether your business is exporting or importing goods. You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of ‘no deal’.
It is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists. Our guidance – Leaving the EU – six steps to take will help.
Myth #4: My business will be fine because there will be a European Commission adequacy decision on exit day on 29 March 2019 to ensure the uninterrupted exchanges of personal data between the UK and the EU.
‘Adequacy’ is the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards. Companies and organisations operating within countries with adequacy agreements enjoy uninterrupted flow of personal data with the EU. But an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months.
Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.
Myth #5: Our parent company in Europe keeps all our personal data records centrally so I don’t need to worry about sorting any new agreements.
Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action.
There are many mechanisms companies can use to legitimise the transfer of personal data with the EEA and standard contractual clauses is one of those. We have produced an online tool to help organisations put contract terms in place providing the lawful basis for the data transfers. Companies that need to act would also benefit from Leaving the EU - six steps to take guidance for more information.
You know your organisation best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist but it can take time to put those arrangements in place.
It is in everyone’s interests that appropriate exchanges of personal data continue whatever the outcome of Brexit. The ICO will carry on co-operating internationally to ensure protections are in place for personal data and organisations have the right advice and guidance.
The Bundeskartellamt has imposed on Facebook far-reaching restrictions in the processing of user data.
According to Facebook's terms and conditions users have so far only been able to use the social network under the precondition that Facebook can collect user data also outside of the Facebook website in the internet or on smartphone apps and assign these data to the user’s Facebook account. All data collected on the Facebook website, by Facebook-owned services such as e.g. WhatsApp and Instagram and on third party websites can be combined and assigned to the Facebook user account.
The authority’s decision covers different data sources:
(i) Facebook-owned services like WhatsApp and Instagram can continue to collect data. However, assigning the data to Facebook user accounts will only be possible subject to the users’ voluntary consent. Where consent is not given, the data must remain with the respective service and cannot be processed in combination with Facebook data.
(ii) Collecting data from third party websites and assigning them to a Facebook user account will also only be possible if users give their voluntary consent.
If consent is not given for data from Facebook-owned services and third party websites, Facebook will have to substantially restrict its collection and combining of data. Facebook is to develop proposals for solutions to this effect.
Andreas Mundt, President of the Bundeskartellamt: “With regard to Facebook’s future data processing policy, we are carrying out what can be seen as an internal divestiture of Facebook’s data.In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts. The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power. In future, consumers can prevent Facebook from unrestrictedly collecting and using their data.The previous practice of combining all data in a Facebook user account, practically without any restriction, will now be subject to the voluntary consent given by the users. Voluntary consent means that the use of Facebook’s services must not be subject to the users’ consent to their data being collected and combined in this way. If users do not consent, Facebook may not exclude them from its services and must refrain from collecting and merging data from different sources.”
Facebook is the dominant company in the market for social networks
In December 2018, Facebook had 1.52 billion daily active users and 2.32 billion monthly active users. The company has a dominant position in the German market for social networks. With 23 million daily active users and 32 million monthly active users Facebook has a market share of more than 95% (daily active users) and more than 80% (monthly active users). Its competitor Google+ recently announced it was going to shut down its social network by April 2019. Services like Snapchat, YouTube or Twitter, but also professional networks like LinkedIn and Xing only offer parts of the services of a social network and are thus not to be included in the relevant market. However, even if these services were included in the relevant market, the Facebook group with its subsidiaries Instagram and WhatsApp would still achieve very high market shares that would very likely be indicative of a monopolisation process.
Abuse of market power based on the extent of collecting, using and merging data in a user account
The extent to which Facebook collects, merges and uses data in user accounts constitutes an abuse of a dominant position.
The Bundeskartellamt’s decision is not about how the processing of data generated by using Facebook’s own website is to be assessed under competition law. As these data are allocated to a specific service users know that they will be collected and used to a certain extent. This is an essential component of a social network and its data-based business model.
However, this is what many users are not aware of: Among other conditions, private use of the network is subject to Facebook being able to collect an almost unlimited amount of any type of user data from third party sources, allocate these to the users’ Facebook accounts and use them for numerous data processing processes. Third-party sources are Facebook-owned services such as Instagram or WhatsApp, but also third party websites which include interfaces such as the “Like” or “Share” buttons. Where such visible interfaces are embedded in websites and apps, the data flow to Facebook will already start when these are called up or installed. It is not even necessary, e.g., to scroll over or click on a “Like” button. Calling up a website with an embedded “Like” button will start the data flow. Millions of such interfaces can be encountered on German websites and on apps.
Even if no Facebook symbol is visible to users of a website, user data will flow from many websites to Facebook. This happens, for example, if the website operator uses the “Facebook Analytics” service in the background in order to carry out user analyses.
Andreas Mundt: By combining data from its own website, company-owned services and the analysis of third party websites, Facebook obtains very detailed profiles of its users and knows what they are doing online.”
European data protection provisions as a standard for examining exploitative abuse
Facebook’s terms of service and the manner and extent to which it collects and uses data are in violation of the European data protection rules to the detriment of users. The Bundeskartellamt closely cooperated with leading data protection authorities in clarifying the data protection issues involved.
In the authority’s assessment, Facebook’s conduct represents above all a so-called exploitative abuse. Dominant companies may not use exploitative practices to the detriment of the opposite side of the market, i.e. in this case the consumers who use Facebook. This applies above all if the exploitative practice also impedes competitors that are not able to amass such a treasure trove of data. This approach based on competition law is not a new one, but corresponds to the case-law of the Federal Court of Justice under which not only excessive prices, but also inappropriate contractual terms and conditions constitute exploitative abuse (so-called exploitative business terms).
Andreas Mundt: “Today data are a decisive factor in competition. In the case of Facebook they are the essential factor for establishing the company’s dominant position. On the one hand there is a service provided to users free of charge. On the other hand, the attractiveness and value of the advertising spaces increase with the amount and detail of user data. It is therefore precisely in the area of data collection and data use where Facebook, as a dominant company, must comply with the rules and laws applicable in Germany and Europe.”
The Bundeskartellamt’s decision is not yet final. Facebook has one month to appeal the decision to the Düsseldorf Higher Regional Court.
On this international Data Privacy Day, and after a year of severe abuses, it is worth reflecting on why it is essential to protect privacy.
Privacy is often cast as an abstract or undervalued concept associated with a desire to keep secret certain aspects of our activities or our personality that we prefer to keep to ourselves.
This is a very narrow outlook. In fact, privacy is nothing less than a prerequisite for freedom: the freedom to live and develop independently as a person, away from the watchful eye of a surveillance state or commercial enterprises, while still participating voluntarily and actively in the regular, day-to-day activities of a modern society.
Data-driven technologies undoubtedly bring great benefits to individuals. They can be fun and convenient but they can also be powerful tools for personal development. They open the door to huge opportunities for improving health care and hold the promise for a future built on artificial intelligence (AI) in which the possibilities seem endless.
On the other hand, these technologies also create new risks. For example, some AI applications, which rely on the massive accumulation of personal data, also put other fundamental rights at risk.
One such risk is the potential for discrimination against people resulting from decisions made by artificial intelligence systems. These systems are generally non-transparent and some have been found to rely on data sets that contain inherent bias, in violation of privacy principles. Such discrimination could potentially result in the restriction of availability of certain services, or result in the exclusion of people from certain aspects of personal, social and professional life, including employment.
In December, AI ethics researchers released the Montreal Declaration for the Responsible Development of Artificial Intelligence – a set of 10 principles for developers and organizations that implement AI, as well as the individuals subject to it.
While this ethical framework marks an important, made-in-Canada development that should help guide this emerging sector, I would agree with the Declaration’s authors who say it is only a first step, and that public authorities now need to act. Governments and legislators in particular have an important role to play in drawing on ethical principles to create an enforceable legal framework for AI that formally requires relevant actors to act fairly and responsibly.
We have also seen in recent years, and in particular in 2018, how privacy breaches can adversely impact the exercise of our democratic rights. The massive accumulation of personal data by certain state and commercial actors makes our democracies vulnerable to manipulation, including by foreign powers. It is unfortunate that the 2019 federal election will take place without any significant strengthening of our personal data protection laws.
In 2019, as the federal government and legislators consider what should be Canada’s national data strategy and laws for the modern age, it is important as a society to remember privacy’s role in protecting other fundamental rights and values, including freedom and democracy. If this happens, we will have drawn the right lessons from 2018.
You check out Facebook to see if one of your friends or someone in your family has done something interesting. Your attention is drawn to a holiday advert. That’s a coincidence, you think, because just before you went to Facebook you had been searching internet for a holiday destination. But this is no coincidence: dozens of parties are looking over your shoulder to see what you are getting up to on internet and this influences which adverts you get to see and where. PhD Candidate Robbert van Eijk investigated this process and the observance of privacy legislation in European countries. He will defend his doctoral thesis on 29 January.
The technology which facilitates online advertising is called 'real-time bidding' (RTB). When you visit a website, within a few tenths of a second the advert space on that page is ‘auctioned’: on the basis of data saved in cookies it is determined what kind of adverts are most relevant for you. The provider who places the highest bid for this kind of advert ‘wins’ and is given - upon payment of course - space by the advertiser to promote his product. 'The motive to write this doctoral thesis came from the desire to investigate real-time bidding at the intersection between technology and the law’, Van Eijk explains. 'I wanted to find out more about what happens when as a visitor to a website you get to see adverts which appear to be tracking your steps. This topic is relevant in light of the application of the General Data Protection Regulation (GDPR) and the current cookie legislation and its rules which are laid down, among others, in Article 11.7a of the (Dutch) Telecommunications Act.'
In his research Van Eijk demonstrates that this privacy component can be measured. 'I combine law and data science in my research by applying mathematic algorithms to the network traffic picked up between the browser and the websites visited. Taking a network-science perspective to the privacy component of RTB is new, by being able to distinguish the networks of partners involved in an advertisement system when displaying an advert on the website which an internet user visits. These advertisement networks partly overlap one another. This new way of observing the process also shows which role partners have in an advertisement network in collecting and sharing the data of website visitors.'
Van Eijk demonstrates in the research that two kinds of algorithms enable transparency in the mutual collaboration arrangements (the betweenness). 'These are cluster edge betweenness and node betweenness. The first is a standard that is based on the shortest paths between the partners in an advertisement network. The algorithm solves an important issue: which RTB partners are clustered in an RTB system? The second solves another important issue: who are the dominant companies in a network of RTB partners? Node betweenness helps us to distinguish between the companies.'
In addition, the researcher provides transparency concerning various differences between European countries. 'I show that a Graph-Based Methodological Approach (GBMA) can indicate the situation concerning differences in permission in 28 European countries; for example, differences in cookie notifications and cookie walls. In Europe we see two mechanisms in relation to permission. An implicit permission (where tracking cookies have already been installed before the end user has given permission) and a strict permission mechanism (where the legal requirements are implemented to the extent that no tracking cookies are (allowed to be) installed on the equipment of the end user or information can be read from the equipment when he visits a webpage). In this way, countries with implicit mechanisms can be compared to countries where strict mechanisms predominate. This leads to unequal rights.'
The Commission has adopted today its adequacy decision on Japan, allowing personal data to flow freely between the two economies on the basis of strong protection guarantees.
This is the last step in the procedure launched in September 2018, which included the opinion of the European Data Protection Board (EDPB) and the agreement from a committee composed of representatives of the EU Member States. Together with its equivalent decision adopted today by Japan, it will start applying as of today.
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: “This adequacy decision creates the world's largest area of safe data flows. Europeans' data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers' market. Investing in privacy pays off; this arrangement will serve as an example for future partnerships in this key area and help setting global standards.”
The key elements of the adequacy decision
Before the Commission adopted its adequacy decision, Japan put in place additional safeguards to guarantee that data transferred from the EU enjoy protection guarantees in line with European standards. This includes:
A set of rules (Supplementary Rules) that will bridge several differences between the two data protection systems. These additional safeguards will strengthen, for example, the protection of sensitive data, the exercise of individual rights and the conditions under which EU data can be further transferred from Japan to another third country. These Supplementary Rules will be binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority (PPC) and courts.
The Japanese government also gave assurances to the Commission regarding safeguards concerning the access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms.
A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority.
The adequacy decisions also complement the EU-Japan Economic Partnership Agreement- which will enter into force in February 2019. European companies will benefit from free data flows with a key commercial partner, as well as from privileged access to the 127 million Japanese consumers. The EU and Japan affirm that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade must and can go hand in hand.
The adequacy decision – as well as the equivalent decision on the Japanese side –will start applying as of today.
After two years, a first joint review will be carried out to assess the functioning of the framework. This will cover all aspects of the adequacy finding, including the application of the Supplementary Rules and the assurances for government access to data. The Representatives of European Data Protection Board will participate in the review regarding access to data for law enforcement and national security purposes. Subsequently a review will take place at least every four years.
The mutual adequacy arrangement with Japan is a part of the EU strategy in the field of international data flows and protection, as announced in January 2017 in the Commission's Communication on Exchanging and Protecting Personal Data in a Globalised World.
The EU and Japan successfully concluded their talks on reciprocal adequacy on 17 July 2018 (see press release). They agreed to recognise each other's data protection systems as adequate, allowing personal data to be transferred safely between the EU and Japan.
In July 2017, President Juncker and Prime Minister Abe committed to adopting the adequacy decision, as part of the EU and Japan's shared commitment to promote high data protection standards on the international scene (see statement).
The processing of personal data in the EU is based on the General Data Protection Regulation (GDPR), which provides for different tools to transfer personal data to third countries, including adequacy decisions. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. The European Parliament and the Council can request the European Commission to maintain, amend or withdraw these decisions.
The early fines to American tech firms will reveal another level of guidance from the Data Protection Authorities. First you should read the LAW. Then seek clarity from the official guidance documents. Then finally, look to the details of the violations. WHAT they fine for is critical information for operations people to set new practices. HOW MUCH they fine for is critical for business risk analysis.
The recent fine from CNIL for GOOGLE is based on "the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations."
GDPR is all about TRANSPARENCY. INFORMATION. CONSENT.
CNIL claim that when setting up an Android device (GOOGLE) consents for processing data must be
easy to understand,
communicate a legal basis for processing, and
must show a positive action on the part of the data subject.
Specifically, when signing up for an Android account the purpose of processing your personal data is far too generic and of a "vague manner". The same could be said for communicating "the CATEGORIES of data processing for various purposes". With more than 20 different service offerings, GOOGLE 's consent requests are not easily understood. It must be clear for each type of consent which legal basis for processing is being claimed AND how long GOOGLE planned to keep that information.
Therefore the consent GOOGLE believes they have, is not considered valid by the CNIL. While it "is possible to configure the display of personalized ads", CNIL determined that GOOGLE was "not sufficiently informed regarding the extent of the consents requested". GOOGLE was neither "specific" nor "unambiguous". In fact many of those consents were not easily accessed and when they were, the boxes were pre-checked, therfore no positive action was required on behalf of the data subject.
It is important to note: "the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement." Look for GOOGLE to be fined again for these very same activities if these practices are not corrected immediately.