My colleague Jörg Resch just gave us a summary on the current status of the new EU Privacy Regulation that is “in the works” in Brussels. If only a portion of this becomes “EU Law” – meaning that it will not be a Directive which needs to be translated into local national law, but a Regulation that supersedes any existing national law – it will change the game in an instant. Not only would the “amusingly small” fines that can currently be imposed on, e.g., German companies for breaking privacy laws (standard maximum fine 50.000 €) be bumped up to “significant” numbers, but the actual provider of a service could be held liable for not protecting the data of his customer (or his customer's customer, that is). Currently, if your company uses any kind of (IT) service and your customer data is disclosed through errors or omissions on the part of the Service Provider, it is still your company that will be sued and needs to pay the fine, as you did not exercise proper Governance in your contract with the Service Provider (hence I've been promoting the need for good information security governance paragraphs in each outsourcing contract!). In other words: although your Service Provider failed to deliver secure services and neglected his responsibility to provide the high quality and security that you expected from a professional vendor, you are being held accountable for the improper action that led to the disclosure.
Looks like this is going to be changed! Or at least, the EU will try to change it… Beware of the lobbyists!
Sometimes fate has it that two corresponding subjects are discussed in parallel – as happened when I talked to my old friend Peter Schoo of the recently formed Fraunhofer AISEC in Munich-Garching. Just before I received Jörg's summary on the progress of EU Privacy Law, I discussed with Peter what has been happening regarding Privacy Protection and Anonymity in the market. Recently, my point of view on gathering “customer information” and the process of storing this information to create a “customer profile” has changed dramatically. Besides the fact that this is more or less in contradiction to Germany's data protection laws (referring to “Daten-Sparsamkeit”, data minimisation, here), marketing experts always constructed some sort of “need” to justify this compilation. Especially the “REWE incident”, where thousands of customer home addresses and other personal information were ripped from a marketing-driven exchange platform (through this site, kids could swap the stickers they harvested with each of Mom's shopping trips to REWE stores), made me feel that having this data had become more of a liability/risk than a benefit/opportunity.
This is where Peter's newest creation comes into play – his team created a tool called “Prividor”, which stands for “Privacy Violation Detector”. It basically spiders a website and checks for any issues with data protection and privacy legislation that this site or portal may have. As some consumers are beginning to revert to a stricter handling of personal information, those “concerned users” would definitely feel more comfortable browsing for “special information” on sites that respect the privacy of a user. Especially government-owned sites or information portals that handle sensitive topics such as cancer, HIV infection or even “erectile dysfunction” would benefit largely. Imagine a user browsing for these things and receiving even more “blue pill” advertisements than usual, or getting sponsored ads for cancer treatment on the next portal they visit – not what you fancy if you are really struck by that health condition!
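To make concrete what a privacy-violation check of the kind described above looks at, here is an added, illustrative example (written for this post, not Prividor's own code): it parses a page, lists every script, image, iframe or stylesheet that a visitor's browser would fetch from a third-party domain (the mechanism by which “browsing for cancer treatment” ends up with an ad network), and flags cookies that lack Secure, HttpOnly or SameSite attributes. The sample page, URL and Set-Cookie headers are constructed for the example; the domain comparison uses a crude “last two labels” rule where a real tool would consult the public suffix list.

```python
"""Illustrative privacy-exposure check: third-party resources and cookie
attributes. Sample input is constructed; this is not the Prividor code."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page for a sensitive topic (not a real site).
SAMPLE_URL = "https://health-portal.example/cancer/treatment-options"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://ads.tracker.example/pixel.js"></script>
</head><body>
<img src="https://analytics.example/collect?page=cancer" width="1" height="1">
<iframe src="https://social.example/like-button"></iframe>
<img src="/images/logo.png">
</body></html>
"""
# Constructed Set-Cookie headers as a server might return them.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracker=xyz; Path=/; Domain=.tracker.example",
]

# Tag/attribute pairs that make the browser fetch from another origin.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects (tag, reference) pairs for every resource-loading tag."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def registrable_domain(host):
    """Crude approximation (last two labels); real tools use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_third_party_resources(html, page_url):
    """Return (tag, absolute_url, host) for every resource served by another domain."""
    parser = ResourceCollector()
    parser.feed(html)
    first_party = registrable_domain(urlparse(page_url).hostname or "")
    findings = []
    for tag, ref in parser.resources:
        absolute = urljoin(page_url, ref)  # resolve relative references
        host = urlparse(absolute).hostname or ""
        if registrable_domain(host) != first_party:
            findings.append((tag, absolute, host))
    return findings


def audit_set_cookie(header_values):
    """Map cookie name -> list of missing protective attributes."""
    problems = {}
    for value in header_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
        if missing:
            problems[name] = missing
    return problems


if __name__ == "__main__":
    for tag, url, host in find_third_party_resources(SAMPLE_HTML, SAMPLE_URL):
        print(f"third-party {tag}: {url}")
    for name, missing in audit_set_cookie(SAMPLE_SET_COOKIE).items():
        print(f"cookie {name!r} missing: {', '.join(missing)}")
```

On the sample page the check reports three third-party loads (the ad script, the 1×1 analytics pixel that carries the page topic in its query string, and the social-network iframe) and one cookie without any protective attributes; the first-party script and logo are not reported. A crawler-based tool would run this over every page it spiders and aggregate the domains contacted.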
Well, people with extensive Facebook (or name your favorite social network here) usage will probably not even think about such things, but a growing number of “concerned users” will. Now take into account what the EU seems to be aiming at and – voilà – demand for a “privacy protecting web-design” of any kind will rise instantly.
As I said, sometimes fate “makes my day”.
Looking forward to your feedback, dear readers!
Oh, and here are the links, for the curious ones…