I've been wondering about the next steps and timeline -- thanks to Mike, I'm now enlightened -- vote on a revised Regulation in October, implement in parallel with the GDPR on May 25, 2018.

Over 35 pages, the Article 29 Working Party notes dozens of "grave concerns," "concerns," and "suggestions for clarifications." However, they also endorse the goal of introducing the proposed ePR along with the GDPR in May 2018.

However, as I think I've said to this group in another thread, industry representatives that I've talked with are adamant that the burden of parallel implementation is unbearable. (And given how much I see firms struggling with the GDPR, they may have a point.) Moreover, some of them tell me they have met with key EU figures and are confident they can bury ePrivacy in committee for some time. I'm very curious to see how this plays out. If you sense any more smoke signals, please let me know.

Yes, the WP247 document that Mike points to is very important. It's also concerning, because I'm not confident that the parliament will be able (because of the effort involved) or willing (because of the industry lobbyists) to undertake the changes to the ePrivacy draft regulation that have been "requested" by the Working Party.

Now, as for Aurelie's question: Doc points to the sanctions/fines (Article 83) and, more importantly, to some of the factors to be considered when setting/imposing a fine, such as "the intentional or negligent character of the infringement" and "any action taken by the controller . . . to mitigate the damage suffered by data subjects" (83(b-c)). The implication being, I think, that companies have an interest in and an incentive to avoid collecting data that they don't (think they) absolutely require, and will welcome assistance in this regard from individuals.

All good. But if Aurelie or others are looking for specific provisions of the GDPR that would motivate companies to embrace anti-tracking, I think the answer is data protection by design (DPbD) in Article 25 and Recital 78.

From Recital 78: "In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features."

Article 25(2) expands in particular upon the data minimization requirement and, in my view, shows that embracing DPbD means not (only) following the seven foundational principles of privacy by design articulated by Ann Cavoukian (https://image.slidesharecdn.com/pbdseminar-150508185502-lva1-app6892/95/privacy-by-design-seminar-jan-22-2015-12-638.jpg?cb=1431111507) but also more broadly ensuring that the company's behavior reflects the six core data protection principles in Article 5(1). (And, crucially, the accountability requirement in Article 5(2). In short, every affected company must ensure that it respects the core principles and it must be able to demonstrate (prove) that its actions and behavior reflect this respect.)

I just delivered a short webinar on DPbD in the GDPR. It was client-only, but I'll see if I can pry loose the recording, if anyone is interested. In any case, I'll be writing more about it soon.

By the way, Article 25 begins by stating, "Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall" implement DPbD. This inescapably creates an incentive for companies to argue that the state of the art is not advanced enough and/or the cost of implementation is too high, etc. That makes it all the more important for third parties such as Customer Commons, the Cyberlaw Clinic, and the Princeton ad blocking group to develop technologies that defeat these excuses.

Cheers,
tw

On Sun, Apr 16, 2017 at 11:28 PM, Mike O'Neill wrote:
I did not see if this had been posted here yet, but it is the DPAs' (Article 29 Working Party) response to the ePrivacy Regulation proposal. This is before the European parliament (who are very influenced by Article 29's output) now, aiming for a vote in October, so it can become law in May 2018 when the GDPR will apply.
http://ec.europa.eu/newsroom/document.cfm?doc_id=44103
They are calling for mandatory DNT.
-----Original Message-----
From: Doc Searls
Sent: 16 April 2017 20:55
To: Aurelie Pols
Cc: Tim Walters; John @ BB; ProjectVRM list
Subject: Re: [projectvrm] Princeton’s Ad-Blocking Superweapon May Put an End to the Ad-Blocking Arms Race - Motherboard
> On Apr 16, 2017, at 2:14 PM, Aurelie Pols wrote:
>
> Can I ask a silly question?
Sure. But this one isn’t silly.
> When you say "Motivation on the corporate side for agreeing with these terms is compliance with the GDPR.", which part of the GDPR is referred to exactly? I'm curious about the various interpretations that are circulating and how "corporations" are indeed motivated, certainly as ePrivacy is still in discussion.
> Please enlighten me ;-) muchisimas gracias
> Aurélie
This part: <https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Sanctions>
Or, from the law itself: <http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679#d1e6226-1-1>
Companies wishing to comply with the GDPR will continue to work on their own privacy-assuring schemes, of course, and that’s cool. What we’re offering here is the beginning of something new: individuals taking the lead in helping companies deal with a compliance issue that has at least some of those companies scared, and therefore willing to do new things.
Doc
> On Sun, Apr 16, 2017 at 5:26 PM, Doc Searls wrote:
>
>> On Apr 16, 2017, at 11:10 AM, Tim Walters wrote:
>>
>> Nice. But what we really need is a superweapon that blocks tracking.
>
> We’re working on one at Customer Commons, with help from the Cyberlaw Clinic at Harvard and working groups at Kantara. The weapon is terms we can assert as first parties that sites and services can agree to as second parties. Those terms can, and will, involve requirements restricting or preventing tracking.
>
> Motivation on the corporate side for agreeing with these terms is compliance with the GDPR.
>
> The latter was the subject of an earlier thread here, and both topics will be up front at VRM Day and IIW. Register here:
>
> http://bit.ly/vrmday2017a
> https://iiw24.eventbrite.com/
>
> To be clear, blocking tracking directly will also be on the table. Hope developers of those will be there as well. (We had Privacy Badger folks last time.)
>
> Doc
>
>> Most of the ads can stay as far as I'm concerned. I just ignore them.
>>
>> tw
>>
>> On Sun, Apr 16, 2017 at 4:11 PM, John @ BB wrote:
>> https://motherboard.vice.com/en_us/article/princetons-ad-blocking-superweapon-may-put-an-end-to-the-ad-blocking-arms-race
>>
>> John
>>
>> [Powered by an iSomethingOrOther]
>> +1 808 344 2914
>>
>
>
>
>
> --
> --
> Aurélie Pols
>
> Skype: aurelie.pols
> Mobile: + 34 630 687 112