
Calligo acquires Connected Technologies Inc.

Today, we announced that as of 27th March 2019, Connected Technologies Inc. in Brampton, Ontario, has been acquired by Calligo.

Connected Technologies is a Canadian specialist in outsourced IT and cloud services, including Microsoft Azure and Office 365, with more than 200 customers. The acquisition complements our two previous acquisitions in Canada – cloud services provider, 3 Peaks, in October 2017 and Mico Systems, an outsourced IT services company, in May of last year.


UPDATE 2: The Data Privacy Periodic Table

To read the latest update (August 2021) to The Periodic Table of Data Privacy, click here

Today is Data Protection Day, or Data Privacy Day if you are outside Europe.

It is a special day in the privacy industry calendar. It marks the day in 1981 on which the Council of Europe’s Convention 108 was opened for signature, and celebrates how far we as a global industry have come since – while reminding us how much work there is still to do.


Transform 2018: examining AI’s impact and deployment

Privacy Shield is an EU-instigated unilateral agreement that obliges the US to protect the personal data of US citizens that came into force on 1 Aug 2016.

It’s fair to say that since then, Privacy Shield has not been considered the lighthouse of data privacy law. The history of US corporate observance is far less than positive. But this is perhaps unsurprising given its original construction lacked a legal foundation or punitive measures – as MEPs and the wider privacy industry and media have repeatedly and forcefully bemoaned.

Privacy Shield is required to be reviewed each year, during which it can be revoked if it’s not performing or being adhered to, and last month saw Privacy Shield’s second annual review.

Shaky ground?

As the review approached, there were various theories that Privacy Shield would indeed be suspended or even cancelled by the EU Commission in response to the US’ underwhelming response to the 10 recommendations (or perhaps demands) made by the EU this time last year.

One of the key requirements was new senior appointments to the PCLOB (Privacy and Civil Liberties Oversight Board), an independent agency headed by a board of at least three, ideally five, bipartisan members and designed to ensure personal privacy is not infringed in anti-terrorism activity or legislation. These appointments have been slow to say the least. A chair was appointed almost immediately, but two further senior members were only nominated in March and were for many months yet to be confirmed. Indeed, just before the review, a coalition of 31 organisations even called for faster action on this, noting that the PCLOB had only had a full senior complement for 4.5 of its 11 years!

MEPs also resented the US refusal to include Presidential Policy Directive 28 within FISA when it was reviewed at the end of 2017. This would have required US surveillance activities to safeguard all personal information, regardless of the individual’s nationality. This was rejected, and so the EU requested (and is still waiting for) evidence that FISA is not indiscriminately collecting data in direct violation of the EU’s Charter on Fundamental Rights.

Progress made

All of this said, it seems that this review may have resulted in some notable developments – ones that may save it from being suspended, cancelled or embarrassingly ignored.

The official report is due before the end of the year, but there have already been announcements of practical progress. For example, three PCLOB members were appointed on 12 October (one week before the review), creating a total of four, with one resignation pending and two further nominees before the Senate for approval.

Also, an acting Privacy Shield Ombudsperson was appointed in late September. Granted, this was also overdue and required after the first annual review a year ago, but Manisha Singh, a previous Undersecretary for State, now heads up the focal point for EU citizens to direct their complaints about the US Government’s treatment of their personal data. This appointment has been welcomed by the EU Commission, although judging by the language in the official press release, it is still a source of frustration for the EU that a permanent appointment is still outstanding.

Almost hidden in that same release however was a seed of something potentially rather significant:

“Among other things, the Commerce Department will revoke the certification of companies that do not comply with Privacy Shield’s vigorous data protection requirements.”

This is a new development, and assuming it is carried through in practice, it answers one of the main criticisms about Privacy Shield – its lack of enforcement. It also marks a notable change for the 4,000-odd companies registered under it.

Previously, Privacy Shield has been viewed by many as a tick box exercise. Companies would simply upload their privacy policies, pay a fee and then be self-certified. No third party had to be involved to verify the policies or their performance. Clearly, this was hardly robust.

If companies will now need to demonstrate compliance with the requirements of Privacy Shield, and by extension create and follow more robust privacy policies and procedures, then for many this will result in a marked increase in effort to protect EU citizens’ data.

There may still not be the threat of financial fines, but active statements of enforcement are a marked improvement on the past. Revocation of certifications will most likely depend on complaints and whistleblowing, and it is true that the Federal Trade Commission has in two years only received four complaints of companies’ false or lapsed compliance. But GDPR and other national privacy legislation has heightened society’s and companies’ scrutiny of how data is collected, shared and used, meaning more objections are likely, in turn making the possession or loss of the certification more important.

We may well see revoked certifications having dramatic commercial impacts on those companies whose ability to tender for, or continue to hold, certain contracts depend on them holding that certification. For a few, that revocation may even be more dangerous than the fines possible under GDPR, and we all saw how those potential penalties spurred the global business world into action.

Of course, we have to wait and see what actually happens. Privacy Shield will most likely live to see another day, or year. The above warning will lead to either a serious change in how Privacy Shield operates and companies treat it, or the criticism of “toothlessness” will continue. The imminent report will reveal all, but it certainly appears that the wheels are in motion to require companies to go to a great deal more effort with Privacy Shield than they have before.

UPDATE: The Data Privacy Periodic Table

The launch of the Data Privacy Periodic Table earlier this month was a roaring success. We’ve received some excellent feedback, and some people are even printing it off for their office walls!

Some of the comments we’ve received:

“Not seen anything like this before.”

“Very useful for the project I am working on right now.”

“Great initiative and a very innovative way of displaying what is a lot of information.”

But more importantly, we have also had some really constructive feedback and fascinating conversations on new “elements” to include, some to move and even debates on the worthiness of some elements’ inclusion.

All in all, it’s been a really exciting launch. We have now completed some updates to the Table and a new version is now available below. As always, some notes on what we have done are underneath, along with reasoning behind why some input has not been pursued.

This is however by no means a finished project. We still want your feedback as the data privacy world changes under our feet. Case law might mean that new central components of privacy are demanded, or new independent bodies may be formed. And of course, new core legislation will always be likely. So submit comments below, or contact me directly.

The Updates:

Data Protection Authorities

We were asked by a number of readers to add DPAs to the Independent Bodies section on the far right hand side, but we have decided against it. Such terminology was deemed too GDPR-focused, which we are trying hard to avoid with this project.

We have, however, taken on board the sentiment of the comment and recognized that we needed to add enforcement bodies alongside the Local Legislators that were already included. We have therefore added Local Regulators in place of the EU, on the basis that we needed to make room somehow, did not need two European organizations, and were wiser to include the European Data Protection Board instead.

Audit

It was suggested that we ought to add “Audit” to the Central Components. We have decided to add this instead to the key skills and traits of the most reliable privacy advisors, as “Auditing Skills”.

This is because performing an audit is one thing, but it is quite another to be constructive with it. We find that many external advisors conduct audits of organizations, only to leave them with a list of actions and criticisms, and offering no plan or input as to how to remedy them. This “ivory tower” syndrome is in our view irresponsible and unhelpful. We would rather emphasize the need for audits to be augmented with honest consultation and support, alongside a practicable plan of action based on technical and legal knowledge. Anyone can criticize, but few can (or will?) help organizations improve.

KYC

We received a very perceptive comment that we had included Background Checking in our section focused on legislation and practices that conflict with privacy if exercised irresponsibly, but that we had omitted KYC.

To many, these will appear synonymous. But in actual fact, background checking is primarily focused on employees whereas KYC is, as the name suggests, focused on customers. A good point that we have accommodated in our new version.

Reflection and the Right to be Informed

The element Reflection was the one that engendered the highest number of comments, which was understandable as we were trying to describe a great deal with a single word. The intention was to articulate the right for a subject to review and correct data held about them. “Rectification” was not enough as we wanted to encompass the right to review the data, beyond simply the right to Access. Reflection was where we ended up.

However, this has become a moot point. We have removed this element to replace it with the Right to be Informed – the right for a data subject to be told how their data will be used.

Clearly this is a controversial decision, as it suggests we are prioritising some Rights over others. To be clear, we are not doing this. We feel that Reflection / Rectification is sufficiently addressed by Accuracy and Availability in the fundamental principles of data protection for us to remove it in favour of R2BI, without the underlying sentiment of the Right disappearing. In addition, we are confined by the practicalities of this project – just as with the EU decision above, there is a set number of elements in the real periodic table (118) so we have to make hard choices of what survives and what does not!

Interestingly, the R2BI may be a universal right, but the way it manifests in various legal frameworks varies enormously. For instance, the GDPR states the right must be protected proactively through clear instructions in the privacy notices. In contrast, Canada’s PIPEDA simply states that such information should be available, with no stipulation of it being published proactively.

We also find in our client engagements that R2BI is confused with the right to Access. For the sake of clarity, the R2BI is concerned with understanding how data is used, while Access is simply a matter of a subject being able to view what data is held.

As always, let us know of any suggestions, disagreements or recommendations. This is an open and live project that actively seeks input and is regularly updated as things change.

Calligo passes audits for ISO 9001:2015 and ISO/IEC 27001:2013

Calligo is delighted to announce that it has passed two fundamental compliance audit requirements for the provision of its IT and Business Cloud Services:

  • ISO 9001:2015 – Quality Management System
  • ISO/IEC 27001:2013 – Information Security Management System

What this means for our customers

ISO 9001:2015 – Quality Management System
Aligning our processes with ISO 9001 helps ensure that our clients receive consistently high-quality services, and that this standard of delivery is protected as we and our clients scale.

Furthermore, it ensures that every aspect of our business, from the most outward-facing (such as service delivery and project management) to the “back office” (such as finance, procurement and HR) are equally robust, accurate and supportive of our clients.

Crucially, it also ensures that our processes are repeatable, understood and efficient. This allows us to free up more resource to serve our clients’ needs.

ISO/IEC 27001:2013 – Information Security Management System
This standard assures clients that we have put in place, and continuously maintain, an effective information security management system. It includes the design and execution of a continual improvement programme to ensure the ISMS can grow and change along with the business and the technologies used.

ISO 27001 supports us in protecting the confidentiality, integrity and availability of the data clients entrust us with. At the very core of the standard is the need to identify and manage risk with minimal disruption to our clients.


How we consider the award of these standards

These standards are at the heart of everything we do – every service we deliver, every change we consider and every innovation we pursue. Simply put, we would consider it irresponsible for data optimization and privacy specialists to act in any other way.


To find out more about the attention we pay to our governance and compliance, and the other certifications we hold, click here.

The Data Privacy Periodic Table

Today we’re launching our Data Privacy Periodic Table – the first-ever collection of the key “elements” of the data privacy world, regularly updated as new elements come to light. It is intended to help privacy professionals better understand the industry in which they work, and shed light on its often confusing terminology and how various pieces inter-relate.

We have categorized the elements mimicking the traits of the categories in the original scientific version. For example, the far right of the original periodic table is reserved for the Noble gases – stable, inert, and unreactive. This seemed an ideal match for the independent legislative or regulatory bodies. Similarly, the column dedicated to the Alkali metals on the far left, with their characteristic volatility, was a fitting location for the universal rights of the data subject, as if meddled with, both are likely to cause an explosion!

We have created a table on the main Data Privacy Periodic Table page that sets out why we have categorized the elements as we have.

Also, below, we have added some additional explanatory notes to explain our thinking for various elements’ inclusion and position.

We’d welcome any comments, or suggestions for new additions – contact me here for any recommendations or drop a comment below.

We also plan to release new updates to this table on a regular basis as the data privacy world changes. Each time we update the table, we will publish similar blogs, all of which are accessible off the main Periodic Table page.

Ethics

The location usually reserved for Hydrogen was the perfect place to put Ethics. It is the spot for the first element in the atomic order and is also the most common element in the universe.

This high status for ethics within data privacy is no exaggeration. After all, privacy legislation is the codification of what society deems to be the ethical and appropriate way in which personal data can be processed. Like Hydrogen, ethics is the most fundamental, original, and abundant element of data privacy.

‘Compliance’

This element, number 21, is expressed in inverted commas for a simple reason: it is impossible. It is a frustrating myth that continues to revolve around data privacy that compliance can be achieved. It cannot, at least not in the way that businesses commonly understand it, i.e. a one-off demonstration of adherence to certain rules.

Data privacy regulations are not designed for “single point in time” adherence. They require ongoing efforts and constant vigilance to ensure that data subjects’ rights are protected. A business’ data and processes are far too fluid for any assertion that adherence now means anything for adherence in the future, making claims of “compliance” utterly empty – and so-called certifications of compliance utterly worthless.

We discuss this in more detail in our Myths and Fairy Tales of GDPR, which sets out more of our thoughts on this and other common GDPR misunderstandings.

ePrivacy Regulation AND ePrivacy Directive

We have included the ePrivacy Regulation in the future developments section (and recent reports suggest it will stay there for some time), but have also included the ePrivacy Directive in the Core Legislation section as until the Regulation is passed, the 2002 Directive is in force and very much applicable.

Elements 73-78 list end-users, employees, customers, suppliers, marketing databases, and partners. Collectively, these could be categorized simply as “data subjects”. But this would ignore the unique ways in which each type of data subject’s personal information needs to be addressed, handled, and treated. The data you will likely have on your employees, the permissions you may have, and the nature of its processing differs enormously from how you may collect, use and store your databases of marketing targets.

EUx

The data privacy ramifications of Brexit are critical, most notably whether the UK is officially an adequate state in the eyes of the EU. But this exact scenario could be repeated in other EU countries. Italy, the Netherlands and France have all had robust parliamentary discussions over whether they should follow the UK and leave the EU. The inclusion of this “element” emphasizes the need for privacy professionals to be as up to date as possible on geo-politics and its impact on data privacy, in addition to understanding the law already in force.

Japan-EU adequacy

The announcement of Japan and the EU’s agreement of “reciprocal adequacy” is the latest addition to this section. It means that they each recognize the other’s data protection regime as “equivalent”, and therefore agree that personal data will be able to flow between them once the law comes into effect later this year. We have written a full blog on this announcement here.

ICANN/WHOIS

This is a lesser-known data privacy news cycle, but potentially wide-reaching in its impact. ICANN coordinates the naming conventions of the internet and works to maintain its security, stability, and interoperability. Its WHOIS database is a free service that allows users to check the ownership of domain names.

This enormous repository of personal data is the subject of a 15-year discussion over data privacy, which has glowed white-hot in the wake of GDPR. Questions have repeatedly arisen over the nature of the data WHOIS collects, how it is made available and to whom, and whether the data required by WHOIS is more than strictly necessary (and therefore contrary to the data minimization element of GDPR and other privacy legislation). These have in turn led to ICANN’s plans for improved privacy being consistently rejected by European legislators. The story is ongoing (August saw the third plan rejected) and likely will be for some time.

Artificial Intelligence and Societal Values

These last two additions to the “Future developments” section are the two areas of progression that we feel will most influence the future of data privacy in the short and medium term. As mentioned above in the Ethics section, legislation is typically the codification of society’s ethical values at that time. But what if those values change? Realistically, data privacy is not going to become a less inflammatory issue, but it might well become even more volatile. This would potentially result in legislation becoming more punitive, wider-reaching, and providing deeper protection of data subjects.

Probably a more imminent driver for legislative change is developments in how we use technology to process, manipulate and optimize our data. The most oft-cited example of this is of course Artificial Intelligence. It is a perfect example of a field of technology where there is dramatically more potential ahead of us than the experience behind us. This in turn means that current privacy legislation will be rapidly found wanting, inadequate and out-of-date, just as it has been before.

The GDPR was one of the first new legislative frameworks to be built in direct response to advancing technology. Previous data privacy laws could not accommodate the way in which data collection and use changed. Fast-moving and ambitious fields of data science such as artificial intelligence will inevitably trigger plenty more new introductions. And taking nearly a decade to implement them, as in the case of GDPR, simply won’t be an option.

More updates to the Data Privacy Periodic Table are available here.

ePrivacy Regulation delayed, and Bahrain ups the ante

Data privacy is naturally fast-moving and ever-changing, and the last few weeks have been no exception. Following our recent blogs about Japan and India, another pair of key data privacy announcements were made – one on the frustrating delays to the EU’s ePrivacy Regulation, and a remarkable declaration of intent from Bahrain.

ePrivacy Regulation delayed

So the news has come out that the long-awaited ePrivacy Regulation has been delayed yet again, potentially for as much as two years – and has been met with fury in some quarters.

This Regulation, replacing the current Directive and all its local implementations, was supposed to come in at the same time as GDPR. Its much anticipated principal effect was that it would make important adjustments to key topics like consent.

The preferred text has been agreed since late last year, and all that remained was supposed to be simply going through the normal ratification process. However, since then, it has undergone delay after delay.

Although it missed the May date, most thought it would still be implemented in 2018. But with successive presidencies of the European Council kicking it into the long grass, and questions being raised about the agreed text in local European parliaments, who knows when this will actually come to pass? Especially if the proposed two-year transition period is implemented.

The fact is an update to the Directive is highly needed, not only to provide additional protections, but also to simplify requirements for both data subjects and businesses. However, with it continuing to be the ball in a game of legislative ping pong, we may be waiting some time.

Bahrain ups the ante

Bahrain has published its law on the protection of personal data, which comes into effect on 1st August 2019.

As with much new privacy legislation, many of the rights, protections, duties and mechanics are similar to what has gone before in frameworks such as GDPR. The difference with Bahrain’s version, however, is that where other nations are imposing administrative fines on a sliding scale as penalties for non-compliance, Bahrain actually upgrades certain violations into criminal offences.

This is specifically the case where these violations concern:

  • Processing of sensitive personal data
  • Transference of personal data outside Bahrain without an adequate level of data protection, and associated exceptions
  • Processing personal data without notifying the new Data Protection Authority appropriately
  • Processing personal data contrary to the provision that requires prior authorization from the Authority before processing personal data in certain circumstances
  • Providing false or misleading information to data subjects
  • Hindering the Data Protection Authority’s work in any way
  • Inappropriate disclosures of personal data, or misusing personal data

Judging by the list above, clearly most imaginable breaches are likely to qualify for criminal charges. For a part of the world not famed for its privacy considerations, this is a fascinating step and it will be interesting to see how it is implemented and who follows suit.

Data Privacy news: EU-Japan adequacy

On Tuesday this week, the EU and Japan successfully concluded their talks on reciprocal adequacy.

What does this mean?

Generally speaking, it means that the two nations recognise each other’s data protection systems as “equivalent”, and therefore agree that data can flow between them as of the implementation date later this year.
