Tech Solidarity NL meetup #11

After an introduction to Tech Solidarity we dive into one major way in which technology is abused in the interest of the few: the capture and trading of personal data. The EU is introducing a new law that attempts to regulate the trafficking in personal data and to rein in some of its worst practices. It is called GDPR; in the Netherlands it is implemented as the ‘Algemene verordening gegevensbescherming’ (AVG), and it is expected to have a considerable impact on the tech industry.

Introduction to GDPR/AVG

This night we have two speakers, the first of which is Bob Cordemeyer of Cordemeyer & Slager Advocaten. He provides a general overview of the GDPR/AVG, which applies from May 25th. With regard to electronic communications and data protection, the EU has announced an ePrivacy Regulation, which is expected in 2019.

The GDPR/AVG (which we’ll refer to as ‘the regulation’) is about data processing. This may entail more than you’d expect, e.g. storing data is also considered processing. Processing is considered lawful if (granular) consent is provided by the data subject (the individual). Another notable condition is when there are ‘legitimate interests’. And there are some exceptions, for example when it comes to fundamental rights.

Note that direct marketing is considered a legitimate interest (organisations need to be able to reach their customers), but only when it is closely linked to previous processing of personal information, and only with the option to object to the processing. What about other individuals collecting data about you, say someone else tags you on Facebook? In that case too, the processor needs to have your consent.

Special categories of personal data, e.g. biometric data, can be processed but only under strict criteria: when explicit consent is given, when the subject is not (medically) able to give consent, or in some cases when the data is collected by public organisations (like a foundation, association or any other not-for-profit body), or when processing is necessary for reasons of public interest in the area of public health, et cetera.

Data subjects also have a number of rights, like the right of information, access, rectification, erasure, and portability (to take your data with you from one organisation to another). This can be difficult to facilitate in existing systems and organisations. The next talk will go into providing these rights ‘by design’.

Organisations need to keep a register of the processing activities of personal data. Business tasks need to be described in relation to the processing of personal data (the purpose, duration, et cetera). For existing systems, an impact assessment is required, measures are to be taken, and monitored after implementation. A script needs to be ready in case of a data leak, in which case the supervisory authority (Autoriteit Persoonsgegevens in the Netherlands) needs to be notified within 72 hours. A Data Protection Officer (DPO) is required for public authorities, for high-risk organisations (such as hospitals), and in some other cases. The size of an organisation (say less than 250 persons) is to be taken into account when applying the regulation.

The new regulation requires awareness in the organisation and with stakeholders. It applies to the processing of personal data by a controller (deciding the means and purposes of the processing) or a processor within the EU. As a non-EU organisation, if you offer services to clients in the EU, you need to comply with the regulation as well. Even if the processing of personal data takes place outside the EU, the regulation applies when that processing takes place in the context of the activities of an establishment of a controller or a processor in the Union.

The administrative fines for not complying with the regulation can be very high (max. 20 million, and for companies up to 4% of the total worldwide annual turnover of the preceding financial year). And you can be held liable by any person who suffers damage as a result of an infringement of the GDPR/AVG.

Privacy by design

For new systems and business processes, privacy by design is obligatory. This is the subject of the next talk by Jaap-Henk Hoepman of Privacy & Identity Lab, Radboud University, Tilburg University and University of Groningen.

Download Jaap-Henk's slides (PDF)

In his introduction, he notes that many laws and regulations depend on personal data, which allows for all sorts of personal data to be collected, ‘surveillance’-like. So one way of improving privacy is making less complex laws that require less personal data.

Personal information can either be transferred (explicitly, when asked, or implicitly by observing your behaviour) or derived from other data about you.

One example is that an activity tracker (like a smart watch) measuring heart rate has actually been used as additional evidence in a case in the US. Did the heart rate of the accused increase at a certain time?

A way to counterbalance these developments is protecting privacy ‘by design’. It is a simple concept, to be practiced throughout the life cycle of technology, and continuously. It’s a quality attribute, much like security is (and security, too, is much easier if done by design).

But how to do this? Privacy does not equal security or data minimisation. And there is a gap between engineers (who like to think in binary categories) and the legal side (who will always tell you ‘it depends’). So Jaap-Henk worked on translating legal norms into technical design requirements. Using these, you have a good chance of being compliant and will probably include more protection than strictly required.

This privacy by design strategy considers systems simply as a database of attributes about individuals. One can then:

  • minimise data (by not processing data about all individuals, or not all attributes);
  • separate these attributes, to prevent correlation (by distributing the processing or by processing parts independently);
  • abstract the information, i.e. limit the detail in which personal information is processed (by finding correlations instead of keeping the data itself, by allocating data to common categories, or by adding noise);
  • and hide or secure (access to) the data.
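To make the four data-oriented strategies concrete, here is an added example (not from the talk or the slides) that applies minimise, separate, abstract and hide to a constructed set of records from a hypothetical fitness app. The records, the PSEUDONYM_KEY secret and the role name used for the access check are all assumptions made for the example; the keyed-hash pseudonym and the toy noise are illustrations of the idea, not a recommendation for a specific mechanism.

```python
import hashlib
import hmac
import random
from collections import Counter

# Constructed sample input: one record per user of a hypothetical fitness app.
RECORDS = [
    {"name": "Alice", "email": "alice@example.org", "age": 34, "city": "Utrecht", "avg_hr": 72},
    {"name": "Bob",   "email": "bob@example.org",   "age": 41, "city": "Utrecht", "avg_hr": 80},
    {"name": "Carol", "email": "carol@example.org", "age": 29, "city": "Leiden",  "avg_hr": 65},
    {"name": "Dave",  "email": "dave@example.org",  "age": 58, "city": "Leiden",  "avg_hr": 90},
]

# Hypothetical secret held only by the party that keeps the identity table (assumption).
PSEUDONYM_KEY = b"demo-only-secret"


def minimise(records, needed):
    """MINIMISE: keep only the attributes the stated purpose actually needs."""
    return [{k: r[k] for k in needed} for r in records]


def age_band(age):
    """ABSTRACT (common categories): coarsen an exact age into a 10-year band."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def separate(records):
    """SEPARATE: split identity from behavioural data.

    The two parts are linked only through a keyed pseudonym, so they can be stored
    and processed independently; the behavioural part never carries name or email,
    and it carries an age band rather than the exact age.
    """
    identity, behaviour = {}, []
    for r in records:
        pid = hmac.new(PSEUDONYM_KEY, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        identity[pid] = {"name": r["name"], "email": r["email"]}
        behaviour.append({"pid": pid, "age_band": age_band(r["age"]),
                          "city": r["city"], "avg_hr": r["avg_hr"]})
    return identity, behaviour


def abstract_counts(behaviour, noise=None):
    """ABSTRACT (correlations + noise): report per-city counts and mean heart rate
    instead of individual rows; the counts get additive noise from `noise()`."""
    noise = noise or (lambda: random.uniform(-1, 1))  # toy noise, not a DP mechanism
    counts = Counter(b["city"] for b in behaviour)
    hr_sum = Counter()
    for b in behaviour:
        hr_sum[b["city"]] += b["avg_hr"]
    return {city: {"count": round(n + noise()), "mean_hr": hr_sum[city] / n}
            for city, n in counts.items()}


def hide(identity, requester_role):
    """HIDE: only a role with a documented need may resolve pseudonyms back to people.

    Toy role check for illustration; a real system would enforce this with its
    access-control layer and log each resolution.
    """
    return identity if requester_role == "support" else {}


if __name__ == "__main__":
    ident, beh = separate(minimise(RECORDS, ["name", "email", "age", "city", "avg_hr"]))
    print("analytics sees:", abstract_counts(beh, noise=lambda: 0.0))
    print("analytics can resolve identities:", hide(ident, "analytics"))
    print("support can resolve identities:", bool(hide(ident, "support")))
```

The point of the pipeline is that each downstream consumer only gets the least detailed form that serves its purpose: analytics works on aggregates over pseudonymous rows, and only the support role can map a pseudonym back to a person.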

As noted in the previous talk, the data controller must enforce and demonstrate that the data processing is happening in a privacy-friendly way. Considering the data subject, the design strategy is to inform the data subject about what data is processed about them and to let them control the data being processed. Both will be very hard when these aspects were not considered by design.

‘Informing’ here entails supplying resources about the processing (including policies, processes and potential risks), alerting data subjects to new information about processing of their personal data in a timely manner, and providing that information in a concise and understandable form. So a big file of legal text you have to accept will not do.

Finally Jaap-Henk introduces the broader concept of ‘honest design’: systems that work as advertised and don’t do harm. This new legislation may create a more level playing field for the (existing) non-compliant companies and the (new) companies in the same market that are compliant.

Some organisations now depend on business models around personal data, which may be the elephant in the room here. Even big non-EU social networks will have to comply some way or the other. One big problem is that there are not many alternatives to systems using these exploitative business models.

Original announcement:

Our next meetup happens Monday, February 5 at Sensor Lab from 19:00–21:00 (doors open 18:30) and will be about data protection by design. Read on below for details.

On May 25 of this year a new European data protection law will come into effect: the General Data Protection Regulation (GDPR). In the Netherlands, GDPR is implemented as the ‘Algemene verordening gegevensbescherming’ (AVG). The law applies to anyone controlling or processing personal data of EU citizens. It requires you to have a lawful basis for processing personal data. It extends a number of rights to data subjects—those whose personal data is processed. And it insists on a number of practices, including data protection by design.

GDPR will have a considerable impact on the work of tech professionals. It also presents those of us who believe technology can and should serve the many with the opportunity to build better products and services—by putting the ideas behind data protection by design into practice.

Program

To help us prepare for these challenges and opportunities, Bob Cordemeyer will provide us with an introduction to the law. Richard Kranendonk (Rent-a-DPO) will then talk about how to sell GDPR compliance to your clients and stakeholders. And finally, Jaap‑Henk Hoepman will help us understand how to practice data protection by design. We’ll close out with more conversation over drinks.

Venue & RSVP

We will meet at Sensor Lab in Utrecht on Monday, February 5. We will start at 19:00 and wrap up around 21:00. (Doors open 18:30.) Admission fee is 5 euros payable at the door.

To RSVP, send an email to info@techsolidarity.nl. Hope to see you there!