Home / Tag Archives: data-protection

Tag Archives: data-protection

AI spots legal problems with tech T&Cs in GDPR research project

Technology is the proverbial double-edged sword. And an experimental European research project is ensuring this axiom cuts very close to the industry’s bone indeed by applying machine learning technology to critically sift big tech’s privacy policies — to see whether AI can automatically identify violations of data protection law. The still-in-training privacy policy and contract parsing tool — which is called ‘ Claudette ‘: Aka (automated) clause detector — is being developed by researchers at the European University Institute in Florence. They’ve also now got support from European consumer organization BEUC — for a ‘Claudette meets GDPR ‘ project — which specifically applies the tool to evaluate compliance with the EU’s General Data Protection Regulation. Early results from this project have been released today, with BEUC saying the AI was able to automatically flag a range of problems with the language being used in tech T&Cs. The researchers set Claudette to work analyzing the privacy policies of 14 companies in all — namely:  Google, Facebook (and Instagram), Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking, Skyscanner, Netflix, Steam and Epic Games — saying this group was selected to cover a range of online services and sectors. And also because they are among the biggest online players and — I quote — “should be setting a good example for the market to follow”.  Ehem, should . The AI analysis of the policies was carried out in June, after the update to the EU’s data protection rules had come into force. The regulation tightens requirements on obtaining consent for processing citizens’ personal data by, for example, increasing transparency requirements — basically requiring that privacy policies be written in clear and intelligible language, explaining exactly how the data will be used, in order that people can make a genuine, informed choice to consent (or not consent). In theory, all 15 parsed privacy policies should have been compliant with GDPR by June, as it came into force on May 25. However some tech giants are already facing legal challenges  to their interpretation of ‘consent’. And it’s fair to say the law has not vanquished the tech industry’s fuzzy language and logic overnight. Where user privacy is concerned, old, ugly habits die hard, clearly. But that’s where BEUC is hoping AI technology can help. It says that out of a combined 3,659 sentences (80,398 words) Claudette marked 401 sentences (11.0%) as containing unclear language, and 1,240 (33.9%) containing “potentially problematic” clauses or clauses providing “insufficient” information.

Read More »

Audit of NHS Trust’s app project with DeepMind raises more questions than it answers

A third party audit of a controversial patient data-sharing arrangement between a London NHS Trust and Google DeepMind appears to have skirted over the core issues that generated the controversy in the first place. The audit ( full report here ) — conducted by law firm Linklaters — of the Royal Free NHS Foundation Trust’s acute kidney injury detection app system, Streams, which was co-developed with Google-DeepMind (using an existing NHS algorithm for early detection of the condition), does not examine the problematic 2015 information-sharing agreement inked between the pair which allowed data to start flowing. “This Report contains an assessment of the data protection and confidentiality issues associated with the data protection arrangements between the Royal Free and DeepMind . It is limited to the current use of Streams, and any further development, functional testing or clinical testing, that is either planned or in progress. It is not a historical review,” writes Linklaters, adding that: “It includes consideration as to whether the transparency, fair processing, proportionality and information sharing concerns outlined in the Undertakings are being met.” Yet it was the original 2015 contract that triggered the controversy, after it was obtained and published by New Scientist, with the wide-ranging document  r aising questions over the broad scope of the data transfer ; the legal bases for patients information to be shared; and leading to questions over whether regulatory processes intended to safeguard patients and patient data had been sidelined  by the two main parties involved in the project. In  November 2016  the pair scrapped and replaced the initial five-year contract with a different one — which put in place additional information governance steps. They also went on to roll out the Streams app for use on patients in multiple NHS hospitals  — despite the UK’s data protection regulator, the ICO, having instigated an investigation into the original data-sharing arrangement. And just over a year ago  the ICO concluded that the Royal Free NHS Foundation Trust had failed to comply with Data Protection Law in its dealings with Google’s DeepMind. The audit of the Streams project was a requirement of the ICO. Though, notably, the regulator has not endorsed Linklaters report. On the contrary, it warns that it’s seeking legal advice and could take further action. In a statement  on its website, the ICO’s deputy commissioner for policy, Steve Wood, writes: “We cannot endorse a report from a third party audit but we have provided feedback to the Royal Free. We also reserve our position in relation to their position on medical confidentiality and the equitable duty of confidence. We are seeking legal advice on this issue and may require further action.” In a section of the report listing exclusions, Linklaters confirms the audit does not consider: “The data protection and confidentiality issues associated with the processing of personal data about the clinicians at the Royal Free using the Streams App.” So essentially the core controversy, related to the legal basis for the Royal Free to pass personally identifiable information on 1.6M patients to DeepMind when the app was being developed, and without people’s knowledge or consent, is going unaddressed here.

Read More »

UK watchdog issues $330k fine for Yahoo’s 2014 data breach

Another fallout from the  massive Yahoo data breach that dates back to 2014 : The UK’s data watchdog has just issued a £250,000 (~$334k) penalty for violations of the Data Protection Act 1998. Yahoo, which has since been acquired by Verizon and merged with AOL to form a joint entity called Oath (which is also the parent of TechCrunch), is arguably getting off pretty lightly here for a breach that impacted a whopping ~500M users. Certainly given how large data protection fines can now scale under the European Union’s new privacy framework, GDPR , which also requires that most breaches be disclosed within 72 hours of discovery (rather than, ooooh, two years or so later in the Yahoo case … ). The Information Commissioner’s Office (ICO) focused its investigation on the more than 515,000 affected UK accounts which the London-based Yahoo UK Services Ltd had responsibility for as a data controller. And it found a catalogue of failures — specifically finding that Yahoo UK Services had: Failed to take appropriate technical and organisational measures to protect the data against exfiltration by unauthorised persons; had failed to take appropriate measures to ensure that its data processor — Yahoo! Inc — complied with the appropriate data protection standards; had failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data; and also that the inadequacies found had been in place for “a long period of time without being discovered or addressed”. Commenting in a statement, the ICO deputy commissioner of operations, James Dipple-Johnstone, said: “People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it. The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.” According to the ICO personal data compromised in the breach included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers. It considered the breach to be a “serious contravention of Principle 7 of the Data Protection Act 1998” — which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data. Happily for Oath, GDPR does not apply historically because the UK’s domestic regime only allows for maximum penalties of £500k. And given Verizon was able to knock $350M off the acquisition price of Yahoo on account of a pair of massive data breaches , well, it’s not going to be too concerned with the regulatory sting here. Reputation wise is perhaps another matter. Though, again, Yahoo had disclosed the breaches before the acquisition closed so any damage had already been publicly attached to Yahoo

Read More »

Europe’s top court takes a broad view of privacy responsibilities around platforms

An interesting ruling by Europe’s top court could have some major implications for data mining tech giants like Facebook and Google, along with anyone who administers pages that allow platforms to collect and process their visitors’ personal data — such as a Facebook fan page or even potentially a site running Google Analytics. Passing judgement on a series of legal questions referred to it, the CJEU has held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the data of visitors to the page — aligning with the the Advocate General’s opinion to the court, which we covered back in October . In practical terms the ruling means tech giants could face more challenges from European data protection authorities. While anyone piggybacking on or plugging into platform services in Europe shouldn’t imagine they can just pass responsibility to the platforms for ensuring they are compliant with privacy rules. The CJEU deems both parties to be responsible (aka, ‘data controllers’ in the legal jargon), though the court also emphasizes that “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data”, adding: “On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.” Gist of Wirtschaftsakademie final judgement – if you attract users to a service (e.g. FB fan page) – that tracks them – and you use (aggregate) results from the tracking you are a data controller, *even* if you never held or saw anything that could be considered personal data. — Michael Veale (@mikarv) June 5, 2018 The original case dates back to 2011, when a German education and training company with a fan page on Facebook was ordered by a local data protection authority to deactivate the page because neither it nor Facebook had informed users their personal data was being collected. The education company challenged the DPA’s order and, after much legal back and forth, questions were  referred  to Europe’s top court for a preliminary ruling. “The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data,” the court writes today, handing down its judgement. “It must be emphasised, moreover, that fan pages hosted on Facebook can also be visited by persons who are not Facebook users and so do not have a user account on that social network. In that case, the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data. “In those circumstances, the recognition of joint responsibility of the operator of the social network and the administrator of a fan page hosted on that network in relation to the processing of the personal data of visitors to that page contributes to ensuring more complete protection of the rights of persons visiting a fan page, in accordance with the requirements of Directive 95/46.” Facebook unsurprisingly expressed disappointment at the CJEU’s decision when contacted for a response.

Read More »

Facebook says it “disagrees” with the New York Times’ criticisms of its device-integrated APIs

Facebook has responded to a New York Times story that raises privacy concerns about the company’s device-integrated APIs, saying that it “disagrees with the issues they’ve raised about these APIs.” Headined “Facebook Gave Device Makers Deep Access to Data on Users and Friends,” the New York Times article criticizes the privacy protections of device-integrated APIs, which were launched by Facebook a decade ago. Before app stores became common, the APIs enabled Facebook to strike data-sharing partnerships with at least 60 device makers, including Apple, Amazon, BlackBerry, Microsoft and Samsung, that allowed them to offer Facebook features, such as messaging, address books and the like button, to their users. But they may have given access to more data than assumed, says the article. New York Times reporters Gabriel J.X. Dance, Nicholas Confessore and Michael LaForgia write that “the partnerships, whose scope has not been previously reported, raise concerns about the company’s privacy protections,” as well as its compliance with a consent decree it struck with the Federal Trade Commission in 2011 . The FTC is currently investigating Facebook’s privacy practices in light of the Cambridge Analytica data misuse scandal . “Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders,” the New York Times story says. “Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found.” Facebook said in April it would begin winding down access to its device-integrated APIs, but the New York Times says that many of those partnerships are still in effect. Facebook is already under intense scrutiny by lawmakers and regulators, including the FTC, because of the Cambridge Analytica revelation, which raised serious concerns about the public APIs used by third-party developers and the company’s data-sharing policies. “In the furor that followed, Facebook’s leaders said that the kind of access exploited by Cambridge in 2014 was cut off by the next year, when Facebook prohibited developers from collecting information from users’ friends,” the New York Times says. “But the company officials did not disclose that Facebook had exempted the makers of cellphones, tablets and other hardware from such restrictions.” Facebook told the New York Times that data sharing through device-integrated APIs adhered to its privacy policies and the 2011 FTC agreement. The company also told the newspapers that it knew of no cases where a partner had misused data. Facebook acknowledged that some partners did store users’ data, including data from their Facebook friends, on their own servers, but said that those practices abided by strict agreements

Read More »

Instapaper on pause in Europe to fix GDPR compliance “issue”

Remember Instapaper? The Pinterest-owned , read-it-later bookmarking service is taking a break in Europe — apparently while it works on achieving compliance with the region’s updated privacy framework, GDPR , which will start being applied from tomorrow. Instapaper’s notification does not say how long the self-imposed outage will last. WTF is instapaper doing with data? pic.twitter.com/eG2dhtkvnd — Sam (@smithsam) May 23, 2018 The European Union’s General Data Protection Regulation updates the bloc’s privacy framework, most notably by bringing in supersized fines for data violations, which in the most serious cases can scale up to 4% of a company’s global annual turnover. So it significantly ramps up the risk of, for example, having sloppy security, or consent flows that aren’t clear and specific enough (if indeed consent is the legal basis you’re relying on for processing people’s personal information). That said, EU regulators are clearly going to tread softly on the enforcement front in the short term. And any major fines are only going to hit the most serious violations and violators — and only down the line when data protection authorities have received complaints and conducted thorough investigations. So it’s not clear exactly why Instapaper believes it needs to pause its service to European users. It’s also had plenty of time to prepare to be compliant — given the new framework was agreed  at the back end of 2015 . We’ve reached out to Pinterest with questions and will update this story with any response. In an exchange on Twitter, Pinterest product engineering manager Brian Donohue — who, prior to acquisition was Instapaper’s CEO — flagged that the product’s  privacy policy “hasn’t been changed in several years”.

Read More »

Brexit data transfer gaps a risk for UK startups, MPs told

The uncertainty facing digital businesses as a result of Brexit was front and center during a committee session in the UK parliament today, with experts including the UK’s information commissioner responding to MPs’ questions about how and even whether data will continue to flow between the UK and the European Union once the country has departed the bloc — in just under a year’s time, per the current schedule. The risks for UK startups vs tech giants were also flagged, with concerns voiced that larger businesses are better placed to weather Brexit-based uncertainty thanks to greater resources at their disposal to plug data transfer gaps resulting from the political upheaval. Information commissioner Elizabeth Denham emphasized the overriding importance of the UK  data protection bill being passed. Though that’s really just the baby step where the Brexit negotiations are concerned. Parliamentarians have another vote on the bill this afternoon, during its third reading, and the legislative timetable is tight, given that the pan-EU General Data Protection Act ( GDPR ) takes direct effect on May 25 — and many provisions in the UK bill are intended to bring domestic law into line with that regulation, and complete implementation ahead of the EU deadline. Despite the UK referendum vote to pull the country out of the EU, the government has committed to complying with GDPR — which ministers hope will lay a strong foundation for it to secure a future agreement with the EU that allows data to continue flowing, as is critical for business. Although what exactly that future data regime might be remains to be seen — and various scenarios were discussed during today’s hearing — hence there’s further operational uncertainty for businesses in the years ahead. “Getting the data policy right is of critical importance both on the commercial side but also on the security and law enforcement side,” said Denham. “We need data to continue to flow and if we’re not part of the unified framework in the EU then we have to make sure that we’re focused and we’re robust about putting in place measures to ensure that data continues to flow appropriately, that it’s safeguarded and also that there is business certainty in advance of our exit from the EU. “Data underpins everything that we do and it’s critically important.” Another witness to the committee, James Mullock, a partner at law firm Bird & Bird, warned that the Brexit-shaped threat to UK-EU data flows could result in a situation akin to what happened after the long-standing Safe Harbor arrangement between the EU and the US was struck down in 2015  — leaving thousands of companies scrambling to put in place alternative data transfer mechanisms. “If we have anything like that it would be extremely disruptive,” warned Mullock. “And it will, I think, be extremely off-putting in terms of businesses looking at where they will headquarter themselves in Europe. And therefore the long term prospects of attracting businesses from many of the sectors that this country supports so well.” “Essentially what you’re doing is you’re putting the burden on business to find a legal agreement or a legal mechanism to agree data protection standards on an overseas recipient so all UK businesses that receive data from Europe will be having to sign these agreements or put in place these mechanisms to receive data from the European Union which is obviously one of our very major senders of data to this country,” he added of the alternative legal mechanisms fall-back scenario. Another witness, Giles Derrington, head of Brexit policy for UK technology advocacy organization, TechUK , explained how the collapse of Safe Harbor had saddled businesses with major amounts of bureaucracy — and went on to suggest that a similar scenario befalling the UK as a result of Brexit could put domestic startups at a big disadvantage vs tech giants. “We had a member company who had to put in place two million Standard Contractual Clauses over the space of a month or so after Safe Harbor was struck down,” he told the committee

Read More »

Unroll.me to close to EU users saying it can’t comply with GDPR

Put on your best unsurprised face : Unroll.me , a company that has, for years, used the premise of ‘free’ but not very useful ’email management’ services to gain access to people’s email inboxes in order to data-mine the contents for competitive intelligence — and controversially flog the gleaned commercial insights to the likes of Uber — is to stop serving users in Europe ahead of a new data protection enforcement regime incoming under GDPR , which applies from May 25. In a section on its website  about the regional service shutdown, the company writes that “unfortunately we can no longer support users from the EU as of the 23rd of May”, before asking whether a visitor lives in the EU or not. Clicking ‘no’ doesn’t seem to do anything but clicking ‘yes’ brings up another info screen where Unroll.me writes that this is its “last month in the EU” — because it says it will be unable to comply with “all GDPR requirements” (although it does not specify which portions of the regulation it cannot comply with). Any existing EU user accounts will be deleted by May 24, it adds: The EU is implementing new data privacy rules, known as General Data Protection Regulation (GDPR). Unfortunately, our service is intended to serve users in the U.S. Because it was not designed to comply with all GDPR requirements, Unroll.Me will not be available to EU residents. This means we may not serve users we believe are residents of the EU, and we must delete any EU user accounts by May 24. We are truly sorry that we are unable to offer our service to you. While Unroll.me, which is owned by Slice Technologies , also claims on the very same website that its parent company “strips away personal information” (i.e. after it has passed personal data attached to commercial and transactional emails found in users’ inboxes) — to “build anonymized market research products that analyze and track consumer trends” — it has been criticized for not being transparent about how it parses and sells people’s personal information. And in fact if you go to the trouble of reading the small print of Unroll.me’s  privacy policy it says it can share users’ personal information how it pleases — not just with its parent entity (and direct affiliates) but with any other ‘partners’ it chooses… We may share personal information we collect with our parent company, other affiliated companies, and trusted business partners. We also will share personal information with service providers that perform services on our behalf

Read More »

What we learned from Facebook’s latest data misuse grilling

Facebook’s CTO Mike Schroepfer has just undergone almost five hours of often forensic and frequently awkward questions from members of a UK parliament committee that’s investigating online disinformation, and whose members have been further fired up by misinformation they claim Facebook gave it. The veteran senior exec, who’s clocked up a decade at the company, also as its VP of engineering, is the latest stand-in for CEO Mark Zuckerberg who keeps  eschewing repeat requests to appear . The DCMS committee’s enquiry began last year as a probe into ‘fake news’ but has snowballed in scope as the scale of concern around political disinformation has also mounted — including, most recently, fresh information being exposed by journalists about the scale of the misuse of Facebook data for political targeting purposes. During today’s session committee chair Damian Collins again made a direct appeal for Zuckerberg to testify, pausing the flow of questions momentarily to cite news reports suggesting the Facebook founder has agreed to fly to Brussels to testify before European Union lawmakers in relation to the Cambridge Analytica Facebook data misuse scandal. “We’ll certainly be renewing our request for him to give evidence,” said Collins. “We still do need the opportunity to put some of these questions to him.” Committee members displayed visible outrage during the session, accusing Facebook of concealing the truth or at very least concealing evidence from it at a prior hearing that took place in Washington in February — when the company sent its UK head of policy, Simon Milner, and its head of global policy management, Monika Bickert, to field questions. During questioning Milner and Bickert failed to inform the committee about a legal agreement Facebook had made with Cambridge Analytica in December 2015 — after the company had learned (via an earlier Guardian article ) that Facebook user data had been passed to the company by the developer of an app running on its platform. Milner also told the committee that Cambridge Analytica could not have any Facebook data — yet last month the company admitted data on up to 87 million of its users had indeed been passed to the firm. Schroepfer said he wasn’t sure whether Milner had been “specifically informed” about the agreement Facebook already had with Cambridge Analytica — adding: “I’m guessing he didn’t know”. He also claimed he had only himself become aware of it “within the last month”. “ Who knows? Who knows about what the position was with Cambridge Analytica in February of this year? Who was in charge of this?” pressed one committee member

Read More »

Facebook moves to shrink its legal liabilities under GDPR

Facebook has another change in the works to respond to the European Union’s beefed up data protection framework — and this one looks intended to shrink its legal liabilities under GDPR , and at scale. Late yesterday Reuters  reported on a change incoming to Facebook’s T&Cs that it said will be pushed out next month — meaning all non-EU international are switched from having their data processed by Facebook Ireland to Facebook USA. With this shift, Facebook will ensure that the privacy protections afforded by the EU’s incoming General Data Protection Regulation (GDPR) — which applies from May 25 — will not cover the ~1.5BN+ international Facebook users who aren’t EU citizens (but current have their data processed in the EU, by Facebook Ireland). The U.S. does not have a comparable data protection framework to GDPR. While the incoming EU framework substantially strengthens penalties for data protection violations, making the move a pretty logical one for Facebook’s lawyers thinking about how it can shrink its GDPR liabilities. Reuters says Facebook confirmed the impending update to the T&Cs of non-EU international users, though the company played down the significance — repeating its claim that it will be making the same privacy “controls and settings” available everywhere. (Though, as experts have pointed out, this does not mean the same GDPR principles will be applied by Facebook everywhere.) Critics have couched the T&Cs shift as regressive — arguing it’s a reduction in the level of privacy protection that would otherwise have applied for international users, thanks to GDPR. Although whether these EU privacy rights would really have been enforceable for non-Europeans is questionable . A t the time of writing Facebook had not responded to a request for comment on the change.  Update:  It’s now sent us the following statement — attributed to deputy chief global privacy officer, Stephen Deadman: “The GDPR and EU consumer law set out specific rules for terms and data policies which we have incorporated for EU users.  We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that.”  The company’s generally argument is that the EU law takes a prescriptive approach — which can make certain elements irrelevant for international users outside the bloc. It also claims it’s working on being more responsive to regional norms and local frameworks. (Which will presumably be music to the New Zealand privacy commissioner ‘s ears, for one…) According to Reuters the T&Cs shift will affect more than 70 per cent of Facebook’s 2BN+ users. As of December, Facebook had 239M users in the US and Canada; 370M in Europe; and 1.52BN users elsewhere. The news agency also reports that Microsoft -owned LinkedIn is one of several other multinational companies planning to make the same data processing shift for international users — with LinkedIn’s new terms set to take effect on May 8, moving non-Europeans to contracts with the U.S.-based LinkedIn Corp.

Read More »

Data experts on Facebook’s GDPR changes: Expect lawsuits

Make no mistake: Fresh battle lines are being drawn in the clash between data-mining tech giants and Internet users over people’s right to control their personal information and  protect their privacy . An update to European Union data protection rules next month — called the General Data Protection Regulation — is the catalyst for this next chapter in the global story of tech vs privacy. A fairytale ending would remove that ugly ‘vs’ and replace it with an enlightened ‘+’. But there’s no doubt it will be a battle to get there — requiring legal challenges and fresh case law to be set down — as an old guard of dominant tech platforms marshal their extensive resources to try to hold onto the power and wealth gained through years of riding roughshod over data protection law. Payback is coming though. Balance is being reset. And the implications of not regulating what tech giants can do with people’s data has arguably  never been clearer . The exciting opportunity for startups is to skate to where the puck is going — by thinking beyond exploitative legacy business models that amount to embarrassing blackboxes whose CEOs dare not publicly admit what the systems really do  — and come up with new ways of operating and monetizing services that don’t rely on selling the lie that people don’t care about privacy.   More than just small print Right now the EU’s General Data Protection Regulation can take credit for a whole lot of spilt ink as tech industry small print is reworded en masse. Did you just receive a T&C update notification about a company’s digital service? Chances are it’s related to the incoming standard. The regulation is generally intended to strengthen Internet users’ control over their personal information, as we’ve explained  before. But its focus on transparency — making sure people know how and why data will flow if they choose to click ‘I agree’ — combined with supersized fines for major data violations represents something of an existential threat to ad tech processes that rely on pervasive background harvesting of users’ personal data to be siphoned biofuel for their vast, proprietary microtargeting engines. This is why Facebook is not going gentle into a data processing goodnight.

Read More »

Instagram will let users download all their data

As data protection and privacy becomes a big issue around the world, social networking companies like Instagram need to appropriately take care of the information we share. One of the provisions of the UK's upcoming Data Protection Bill would require...

Read More »