NEW DATA PROTECTION RULES TO GUARANTEE THE PRIVACY OF CITIZENS
DATA
PROTECTION 01
A shift of focus in data collection
03
02
INTERVIEW Heidy Balanta
04
SERIE INNOVATION TRENDS
INTERVIEW Nuria Oliver Basic guide to the new data protection regulation (EU)
01
A shift of focus in data collection “Data is our identity and we must take ownership of it". The European Union (EU) Justice Commissioner, Vera Jourová, thus celebrated the latest changes to data protection regulations. Data protection associations from a number of EU member states have been clamoring for such legislative amendments for some time. The Snowden affair shook the security world to its
foundations, after revealing in 2013 that the U.S. National Security Agency (NSA) had been spying on EU and UN politicians, as well as embassies.
INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
In Spain the data protection act dates back to 1999 (amending a directive from 1995), and covers general data protection but does not regulate each activity area on a sector-bysector basis. The act was drawn up at a time when few of us where familiar with the Internet and terms like Big Data did not even exist. The new European regulations came into effect on May 25,
but countries have two years to transfer the changes to national legislation. According to European representatives, the new regulation "aims to hand back to citizens control over their personal data and to guarantee strict protection standards throughout the EU, adapting the same to the digital environment". This new regulation has been four years in the making.
INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
According to Iñaki Pariente de la Prada, former Director of the Basque Data Protection Agency and current partner of the Dayntic Legal consultancy firm, the new legislation "very much takes into account the financial repercussions of using company data. Data has value. And the four-year debate at the European Parliament looked to safeguard data, but also to strike a balance and encourage its use".
Highlights of the new regulation include:
INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
•
The right to "forget", via the rectification or deletion of personal data.
•
The need for “clear and affirmative consent” for the use of personal data by the individual concerned.
•
“Portability", or the right to transfer data to another service provider.
•
The right to be informed if personal data has been pirated.
•
Clear and understandable language in privacy clauses.
•
Fines of up to 4% of overall turnover may be imposed on companies in the event of breach of legislation.
Pariente de la Prada emphasized that under the new regulation, “any service provider - even those from the United States - will have to abide by European legislation”. One of the problems that the data expert identified is that "the regulation is by its nature applied directly and automatically". Over the next two years member states will therefore have to familiarize themselves with it and interpret it. The Director of Dayntic Legal points out that the sanctioning aspect is new. "If, for example, a company creates profiles but overlooks the new legislative requirements, it could face a fine of a million euros". The requirement to conduct analysis prior to compiling data is also significant. “Companies need to have a data processing plan in place before collecting information. They need to identify what kind of data they will collect, what for and if consent is required. This is a means of self- evaluation. It represents a complete change of focus", he concluded.
INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
02
“Internet services are not free –the currency being traded is our own information” The Colombian lawyer Heidy Balanta, specialist in IT Law and New Technologies and manager of derechoinformatico.co, shares some reflections on data protection and the best way of knowing and exercising our rights, and complying with the data protection laws in Latin America. The vast quantities of data that circulate between people and companies every day pose the colossal challenge of how to protect that information without interfering in its legitimate use by its recipients. INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
What's the general tone of the legislation on personal data in Latin America? The spirit of the legislation in regard to personal data is that the owner of the information has control over data that is their, but which for commercial, contractual or civic reasons are processed by third parties –either a company or a state institution. For this reason, most legislation limits the collection of data by third parties unless they have the free, prior and express authorization of the owner to process their personal information. That is, a third party cannot hold someone's personal data unless they have prior authorization to process them. This aspect lies at the heart of the data protection system.
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
What are the main differences between the data protection laws in Latin America compared to Europe or the United States? There are two models of regulation in regard to data protection. The key differentiating feature of the European and US models lies in the conception of data protection. Whereas the European model conceives data protection as a fundamental right, the US model sees it as a consumer right.
Another difference between the two models is that the US prioritizes self-regulation, so is regulated by the sector. Meanwhile, the European model has a general regulation that establishes obligations for those responsible for and entrusted with the management of personal data, sanctions for organizations that fail to comply with the law, and the delimitation of the rights of the owners of the information. In thecase of Colombia, for example, there is a hybrid model, because there are both general regulations and sector regulations.
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
Many Internet services –social networks, search engines and apps– are free and capture several types of personal data. What type of information do these services inevitably need to take from the users, and what use do they give it? The services we access free via the Internet are not actually free –the currency being traded is our data. We surrender our data in exchange for these services, because if we refuse to provide it we are unable to access the services being offered. Personal data have an economic value, as it is a factor for exchange on Internet.
Data are used by these services for the purposes of advertising, marketing, generating profiles and tracking consumer habits. So Internet users must exercise responsible behavior and take into account who is delivering the data and whether there are
INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
sufficient levels of security. We regularly see news of computer delinquents who steal passwords to well-known sites and sell them on the Internet black market.
What options do users have to find out more about the services they use? The problem with Internet users is that most of them don't read the terms and conditions of the websites they access, and that's where they clearly state what's done with their data, the
processing policies, and the general policies of the website. In theory, users can request the elimination of the personal information contained on these pages from the administrator of this website.However, this is sometimes pointless, as there are widespread data-sharing
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
practices whereby the personal data collected are passed on to other partners, which can no longer be controlled by the owner of the data. This highlights the importance of entering your personal data exclusively on reliable sites.
What are the greatest challenges facing the authorities when regulating the way users' data are captured and used? One of the main challenges is the ability of Latin American countries to investigate and sanction leading social networks such as Facebook, due to the fact that Internet has no geographical limits. Countries such as Colombia and Mexico are currently seeking to implement a regulation that allows them to investigate these social networks; however, this is proving to be fruitless in practical terms.
The transfer of personal information between countries is another of the important challenges in regard to data protection as many do not have adequate levels of security. A safe harbor agreement was signed for this reason between Europe and the United States, but was subsequently rendered invalid. Today there is a new “Privacy Shield” agreement“ whose purpose is to provide guarantees for European citizens regarding noninterference in their privacy by
INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
US government agencies, and US companies will therefore be required to make appropriate and legitimate use of personal data.
What mechanisms do users have to exercise their right to data protection? Owners have the mechanism of consultations and complaint. Through these tools they can request to see, update and correct their data, and the revocation and suppression of access to any third parties who may possess them. If the third party does not respond, or if the response is negative, the owner may petition the supervisory body to conduct the respective investigation and take a decision.
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
03/INTERVIEW
Nuria Oliver: "When speaking of artificial intelligence, it is important to be accompanied by ethical recommendations" Ms. Oliver, a telecommunications engineer with a PhD awarded by the Media Lab of the Massachusetts Institute of Technology (MIT) and Science Manager at Telefónica, highlights the value of data: "for the first time since our existence as a species, we are able to obtain quantitative data". INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
"Let's just do it and we'll ask for permission later". Nuria Oliver -a telecommunications engineer with a PhD awarded by the Media Lab of the Massachusetts Institute of Technology (MIT) and Science Manager at Telefónica- speaks and talks very quickly. She doesn't have time to miss the United States - where she worked at Microsoft for 12 years - although she insists on the more "proactive" attitude in that country - "they don't wait for permission before they take on a project" - and the "lack of conformism" to group values. “In Spain we are very grouporiented and it is very difficult to be innovative and different and break out of the status quo if you do what everyone else does. Different gets pummeled”.
Oliver defends diversity, “fundamental to improve yourself”, and -before the interview- she participated in the Thinking Party event organized by Telefónica Foundation Space with a master class called Technology and Brain, an exceptional duality to highlight the progress being made in artificial intelligence. She also highlights the value of data: "for the first time since we exist as a species, we are capable of obtaining quantitative data -what we do, where we go, what we like, how we interact-; it's a small revolution that began 6 years ago and enables us to validate or not sociological theories thanks to the data and collective intelligence techniques that are available".
INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
What is the challenge for Big Data? There are many challenges of many kinds. Some are very technical and have to do with extracting relevant information from immensely large amounts of data. If nobody is capable of interpreting these data, analyzing them or making use of them, it comes down to digital trash. On the one hand, the challenge is the capacity through artificial intelligence techniques and data analysis to extract relevant information and, at the same time, to know what to do with that information and knowledge derived from
Big Data. The storage and generation of these data is advancing constantly. What is the value of data? Many decisions are already made on the basis of data analysis in all spheres. We can digitalize biology by digitalizing our body through images or analysis of DNA... the challenge is to find patterns that allow us to associate them with certain diseases, to predict diseases. And in banking? The situation in banking is impressive and very advanced
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
in the context of Big Data. It has been digitalized for many years now. There are all kinds of analyses to understand, predict behavior, detect fraud, identify trends or to know what is going to happen beforehand. All that can be done by using the data. The stock exchange is already completely digital. Most transactions are artificial intelligence systems. In trade almost everything is based on the design of data, modelled according to the needs of people, recommendations‌
Are the techniques used to interpret data correct? This research area is very active, it is obvious that we haven't reached the end, because new date sources are being used. One of the challenges is to combine data from different sources to extract even more interesting information, information that is more sophisticated. Predicting is very difficult, the predictive models are very difficult in many contexts and it is also very difficult to have the data in real time on many occasions.
Do you think restrictions should be established for artificial intelligence? It depends on how it is used. To save lives, probably not. To cross ethical and moral limits, evidently yes. It is important for data analysis recommendations to be accompanied by ethical recommendations as to where it makes sense or doesn't make sense. We are at a historical moment where technology is increasingly present in our lives; just as we have conversations
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
about ethics with other people, we will have to have conversations about the impact on ethics that this technology has in our daily lives.
As a citizen, are you worried about where your data goes? Yes, in fact people are becoming increasingly aware of the data that are being captured and where that personal data are going. The two fundamental principles that we are working on at TelefĂłnica are the principle of control: if they are personal data, I have to have control over what happens with my data and the principle of transparency: that I really know what my data are being used for. Transparency as regards data use and having control so I can change that use if I don't agree.
What has to be done for technology to enrich us as a species? As we develop this intimate relationship with technology, we are redefining who we are as a human species; the technology will be inside us and understand us, change our skills, I think it is very important for there to be more technological knowledge. The first step is to
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
know where we are. We can then have an intelligent conversation about where we are and make decisions. All technological progress should be for the good of humanity and that is the conversation we should all be having together.
How much ignorance is there as regards Big Data? Not specifically about Big Data, but about technology. There is too little talk about technology in society. We talk a lot about politics, soccer, but our average knowledge about technology is very poor. We use technology every day but our level of
technological knowledge is shallow. Other than my scientific work, what matters the most to me is disseminating knowledge, opening up horizons so people understand where we are, technologically speaking. Young people have to be inspired and educated. I think having more scientific and technological knowledge is essential.
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
Does the digital gap between countries worry you? It forms part of the conversation we should have as a society. Information is power and we access it digitally. Technology can make access to information and education democratic, much more than any traditional method, but we can't forget the gap there is and have to try to prevent it from getting larger. It is important to be aware of the digital gap because we survive as a human species if we all survive.
Basic guide to the new data protection regulation The Spanish Data Protection Agency (AGPD) has published a document on the new regulatory framework adopted by the European Union (EU) to guarantee the privacy and protect the data of European citizens.
INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
These are some of the main points emphasized by the Spanish Data Protection Agency and included on its web site:
European institutions and organizations that process data to prepare and adapt. 2. Companies affected.
1.
Entry into force of the Regulation.
The Regulation came into force on 25 May 2016 but shall not start to be applied until a further two years have passed, on 25 May 2018. Until then, both Directive 95/46 and the national regulations transposing it, including the Spanish ones, remain fully valid and applicable. The period of two years before it becomes applicable is designed to allow European Union states,
Not only those belonging to the European Union. The regulation is applicable to companies that, until now, could process data of people in the Union but be governed by the regulations of other regions or countries not always offering the same level of protection as European regulations (as for example in the United States). 3. Right to be forgotten. The regulation introduces new
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
elements, such as the right to be forgotten and the right to portability, which improve the capacity of citizens to control and decide what personal data they entrust to third parties. The right to be forgotten is presented as the consequence of the right that citizens have to request and obtain from the people responsible the removal of their personal data when, among other cases, this data is no longer necessary for the ends for which it was gathered, when consent has been withdrawn, or when it has been gathered illegally.
The right to portability means that individuals who provided their data to a manager that processes it automatically may request the retrieval of this data in a format suitable for its transfer to another manager. 4. Age The age at which minors may themselves consent to their personal data being processed in the area of information society services (e.g. social networks) is 16 years. However, this age may be lowered by each member state, with a bottom limit of 13 years. In Spain's case, this limit continues to be 14 years. Below this age, the consent of parents or guardians is required.
5. Consent One of the fundamental bases for processing personal data is consent. The Regulation calls for consent, in general, to be free, informed, specific and unequivocal. For consent to be considered "unequivocal", the regulation requires there to be a statement of interest or a positive action indicating the agreement of the person concerned. Consent can not be inferred from the silence or inaction of citizens.
INNOVATION TRENDS SERIE ¡ MAY 2016¡ www.centrodeinnovacionbbva.com/en
6. Active responsibility One of the key elements of the regulation.
Companies must take steps to ensure reasonably that they are able to comply with the principles, rights and guarantees that the regulation establishes. They must not only take action when an infraction occurs, but must also take preventive action. To this end companies must ensure the following:
•
Data protection in designing.
•
Data protection by default.
•
Security measures.
•
Keeping a record of processing.
INNOVATION TRENDS SERIE · MAY 2016· www.centrodeinnovacionbbva.com/en
•
Carrying out of impact assessments on data protection.
•
Appointment of a data protection officer.
•
Notification of data security breaches.
•
Promoting codes of conduct and certification schemes.
share PREVIOUS ISSUES
INNOVATION TRENDS SERIES BBVA Innovation Center creates the Innovation Trends Series to keep you updated with cutting edge innovation trends and their appliance to your everyday life. In this papers you will find all key facts, analysis, case studies, interviews with experts and infographics to visualize the data that each and every trend describes.
The struggle for boosting the female entrepreneurship
The keys in the data analysis
A look at the profile that demand more companies
Trends aspire to become the starts in the new year
sĂguenos:
Register
to keep up with the lastest trends
centrodeinnovacionbbva.com
BBVA no se hace responsable de las opiniones publicadas en este documento.