Meanwhile in the World of Data Privacy: June 26 2017

Note: Thank you to the many readers of the previous post in this series for their inputs and feedback. Based on that, I have decided to term this series ‘privacy round-ups’ – because that is what they are intended to be. Happy reading... do keep sending me your feedback on privacy@arrka.com.

-Shivangi Nadkarni, Co-Founder & CEO, Arrka Consulting

Rights over Personal Data in the New Era:

https://www.linkedin.com/pulse/right-to-be-forgotten-new-era-personal-data-rights-dimitri-sirota

The European General Data Protection Regulation, or GDPR, has been likened, for the world of Data Privacy, to what SOX was for the world of Finance & IT in the last decade – a game changer that affects not only Europe but the entire world.

This article talks of how the GDPR is set to re-calibrate the balance of rights between an individual (the owner of the personal data in question) and the entity that receives or gets access to that data. ‘GDPR helps put the “person” back in personal data. It reminds companies that the data belongs to an individual to whom they are accountable and for whom they must provide an accounting’. This is a complete mindset change from the thinking to date – which has been ‘all about “analyze so as to monetize.”’ For organizations, this requires a complete overhaul of their existing data governance, protection and compliance practices.

This approach is pushing the rest of the world to also re-orient its approach. ‘China has just instituted a similar right along with many other countries. Similarly, in the US, several states are debating bills that would enshrine new rights to personal data.’

On Data Privacy Laws:

India

In a recent consultation with industry leaders from the IT/ITES sectors on developing the roadmap for building a 1 Trillion Dollar digital economy in India, Union Minister for Electronics & IT and Law & Justice – Shri Ravishankar Prasad – talked of strengthening the legal framework for data security in India as a critical aspect of reaching this goal. The following press release gives all the details:

http://pib.nic.in/newsite/PrintRelease.aspx?relid=165697

China

The much-awaited cybersecurity law was enacted by China on the 1st of this month, outlining norms for handling personal information and restricting the processing of Chinese citizens’ personal information outside China. The definition of personal information is broad and similar to that of the EU GDPR – taking technical, device and online data into consideration as well. The following posts give details:

https://www.linkedin.com/pulse/your-company-ready-chinese-cybersecurity-law-went-1-hicks-esq-ence?trk=v-feed&lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_recent_activity_details_shares%3BLo1LN%2BLAESQEUYUD1CFOoA%3D%3D

https://www.linkedin.com/pulse/defining-personal-information-chinese-law-galaad-delval

https://qz.com/999613/a-key-question-at-the-heart-of-chinas-cybersecurity-law-where-should-data-live/

The Onward March of Ubiquitous Tracking:

1. In a study of over 5000 apps, 70% were found to share user data with one third-party service or another. You can read all about it here:

https://www.scientificamerican.com/article/7-in-10-smartphone-apps-share-your-data-with-third-party-services/

2. Meanwhile, you know privacy is becoming a mainstream concern in India too when a general-interest magazine does a detailed feature on it. Glad the media is beginning to write about the concerns we at Arrka have been voicing for such a long time now... that one should look beyond the convenience of mobile apps. Don’t be ‘trigger-happy’ when it comes to mobile apps... think before you press that ‘download app’ option!

http://www.outlookindia.com/magazine/story/installing-the-end-of-privacy/299045

3. And just when you probably thought you had ‘seen it all’, here is a product that logs whatever you type online – even before you hit the submit button. So, for example, if you have typed some details into a form and then changed your mind and deleted it all, what you had typed has already been recorded and is probably being read and analysed somewhere. Read all about it here:

http://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081

4. In short, it is important to remember that you are actually far, far more exposed than you even realise.

‘What has your web browser seen that could embarrass you later? This isn’t just about porn. Have you hunted for a new job, streamed the ball game at work, investigated a crush or googled the morning-after pill? Imagine having a report about it show up on the desk of your boss, spouse or legal adversary.

Meanwhile, data aggregators send their bots to collect anything and everything they can about you: addresses, browsing habits, even estimated net worth. Then they glue it all together, facts and wild guesses alike, into dossiers. That’s the legal side of data collection. Things get scarier when your tax accountant, credit-card company or email provider gets hacked.’

Read more about this in this Wall Street Journal article:

https://www.wsj.com/articles/your-data-is-way-more-exposed-than-you-realize-1495657390

OTA Trust Audit:

Every year, the Online Trust Alliance conducts an audit ‘to promote security best practices, data stewardship and responsible privacy practices’ and recognize ‘organizations that have demonstrated security and privacy excellence.’

https://otalliance.org/system/files/files/initiative/documents/2017ota-trustaudit.pdf

The above report is a comprehensive one covering security as well as privacy. The key privacy trends the report outlines are:

Privacy Policy – Overall privacy policy scores increased from 27.4 to 30.8 from 2016 to 2017, while disclosure of data retention policies jumped from 34.2% to 49.4% from 2016 to 2017. Cross-device tracking disclosure was added as a new criterion this year and was observed on 44.3% of sites (bonus points). Do-Not-Track disclosures increased from 32.9% to 36.9% from 2016 to 2017.

Lowlights include the disclosure of vendor / service provider confidentiality, which decreased from 54.8% to 48.4% from 2016 to 2017.

Third Party Trackers – Overall, the average number of problematic trackers (defined as those sharing data with unaffiliated third parties for non-operational purposes) decreased from 11.4 to 8.8 per site from 2016 to 2017. These are trackers known to share data with third parties (not including data for anonymous site metrics). The number of unique trackers observed on all sites ranged from 0 to 59. The News/Media sector had the most, with an average of 25.4, reflecting its dependence on advertising and re-targeting of site users.

Data Loss Incidents & Breaches – Measured from January 2016 through May 2017, 11.7% of sites had one or more incidents, with a total of over 3.8 billion exposed records. Of all the segments, the Bank 100 had the highest rate (24%), followed by Consumer sites (23.8%). In total, this is a significant jump from 2016, when only 4.8% of the audited sites had an incident. This shift is attributed to three factors: 1) increased telemetry and data fidelity, 2) an overall increase in cyber incidents and 3) increased transparency and disclosure of incidents.

Regulatory Fines & Settlements – On the regulatory front, 21 organizations received a penalty for suits or settlements this year (up from 9 last year), with the banking sector having the most (8).

Google and Privacy:

There was some heartening news from Google this month:

1. Google has announced that it will start scrubbing private medical records from its search results. Individuals now have hope after incidents like the one that happened in December 2016 in India – where a pathology lab ‘mistakenly uploaded the records of over 43,000 patients containing sensitive information, including names and blood tests for HIV.’ These then got indexed in Google’s search results.

https://www.bloomberg.com/news/articles/2017-06-23/google-now-scrubbing-private-medical-records-from-search-results

2. Google has also said that it will stop reading the mail in users’ Gmail inboxes – and will instead use other signals like search history, etc. to deliver ads to users.

http://www.businessinsider.in/Google-is-going-to-stop-reading-the-mail-in-your-Gmail-inbox-to-target-ads-to-you/articleshow/59292532.cms

Note: To learn how to maximise your privacy in the Google ecosystem, check out Arrka’s privacy guide for Google.

IOT & Devices:

There are about 7 Billion IOT devices today, expected to go up to 22.5 Billion by 2021. How banks are expected to leverage this is the angle this article takes up. It talks of the fact that data collection by banks will no longer be restricted to existing channels like web, mobile, branches, etc. – but will cover other devices – which in turn will be used for many things, not just the performance of financial transactions.

http://www.gamingtechlaw.com/2017/06/financial-services-internet-of-things.html

Check out the previous post in this series here.

To subscribe to this privacy round-up series, drop a mail to privacy@arrka.com.