Welcome to the SecAware blog

I spy with my beady eye ...

24 Apr 2018

NBlog April 24 - privacy policies under GDPR [UPDATED x3]

As the world plummets towards the May 25th GDPR deadline, organizations are revising their web-based privacy policies to align with both the new regulatory regime and their internal privacy practices.

From May 10th, PayPal, for instance, has a new ~4,000 word ~11 A4 page privacy policy - well, several in fact depending on the user's location. Among other things, I notice that they "do not respond to DNT signals" (meaning, I think, that they simply ignore the Do Not Track flag sent by cautious browsers) and they:

"... maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls ..."
Providing 'reasonable' protection is perhaps all we can expect of anyone. It would be unreasonable to insist on absolute security, although it would be nice to have greater assurance than a simple assertion such as confirmation that their privacy and data security measures have been competently and independently checked (audited) for compliance with applicable legal and regulatory obligations (GDPR for instance), as well as good practices such as the ISO27k or NIST SP800 standards.

Google's privacy policy was revised in December. It has a similar length and structure to the PayPal one, with personal choice and transparency being prominent up-front.

Google does mention compliance:
"... We regularly review our compliance with our Privacy Policy. We also adhere to several self regulatory frameworks, including the EU-US and Swiss-US Privacy Shield Frameworks ..." 
There's nothing in there about GDPR compliance as yet, and personally I'm dubious about the assurance value of the Privacy Shield which, as I understand it, is another self-assertion rather than an independent audit and certification mechanism.

Although the information security section highlights a few specific controls, most remain unspecified.

Re people deleting their personal information, I like the way they put this:  
"... We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems ..." 
They are right in saying that backups and other measures are needed for security and resilience reasons, which can make it tricky to ensure that all primary and backup copies of personal data are revised or deleted in line with privacy requirements. It might be nice to know that those backups will eventually expire and be deleted too, preferably within a 'reasonable' period (maybe a year?) but formally ensuring that happens across such a massive, complex and dynamic network would be tough too. So they don't even make the promise. Seems fair enough to me, provided their approach fulfills their privacy obligations, and I'm not in a position to challenge that.

In contrast to PayPal and Google, Santander UK's 'privacy statement' follows the typical European structure and style. It is much shorter (just the 2 pages, not 11) with only brief, plain English statements in most cases, such as this carefully-crafted line near the top:
"We're committed to keeping your personal information safe and confidential both online and offline."
Although that may or may not be a strict promise in the legal sense of a warranty or contractual obligation, it's reassuring to know, especially right up-front. If you can't be bothered to read the rest of the statement, it's a comforting message to take away.

The rest of the message includes the obligatory yawn-inducing tripe about cookies that most EU sites are compelled to trot out as a result of some EU bureaucrat or committee's edict, I guess. What were they thinking it would achieve? Had they no idea how the Web works? Oh well. Aside from that drivel, most of the other sections are an admirable 1-3 sentences each - readable and sufficiently informative for an overview. As an infosec pro, I would have preferred links to further details on many areas but I accept I am "special".

[Update 25th April] Twitter's new privacy policy that comes into effect a month from today is another lengthy tome of about 11-12 pages, although they have at least made an effort to provide a readable summary version as well.

[Update 26th April] The Facebook/Cambridge Analytica privacy breach, plus the widespread adoption of GDPR, may mark a turning point in US attitudes towards privacy and personal data. As I understand it, if the Social Media Privacy Protection and Consumer Rights Act for instance became law as proposed, it would give Americans the rights to opt out of having to provide their personal data [to social media sites] and have the [social media] sites delete any or all of their personal data. It would force the [social media] sites to clarify their terms of service, and introduce a 72 hour privacy breach notification rule [for social media sites?] - requirements curiously similar to the EU and OECD approach to privacy, including GDPR. The apparent myopic focus purely on social media sites strikes me as odd, though, given that the same issues affect anyone using personal data, including big business, the marketing industry and the US Government. Aha, the light just went on.

Meanwhile, Facebook is preparing to update its privacy policy on some as yet unspecified date. The new version is ~4,300 words and ~12 A4 pages, with no mention of GDPR. The pattern is becoming clear.

[Update 27th April] GoDaddy's new privacy policy is shorter, simpler and clearer than most US organizations. There's also a Privacy Center, essentially an FAQ or help page with minimal content at present, but hopefully that will be fleshed out in time. Good on 'em!  It doesn't mention GDPR as such but the phrasing (such as 'only using personal data for the purposes for which it was provided' and having a Data Protection Officer) suggests GDPR compliance is an objective.

No comments:

Post a Comment