tag:econsultancy.com,2008:/topics/legal-and-regulations Latest Legal content from Econsultancy 2016-04-27T11:06:15+01:00 tag:econsultancy.com,2008:BlogPost/67784 2016-04-27T11:06:15+01:00 2016-04-27T11:06:15+01:00 EU data laws: An update on GDPR & Privacy Shield Todd Ruback <p>The controversial Apple and FBI matter – where the FBI sought to compel Apple to unlock an old iPhone model as part of a domestic terrorism investigation – has already become old news.</p> <p>In the EU, terrorism in Brussels and Paris is forcing uncomfortable and morally difficult conversations about security, privacy, and fundamental human rights. </p> <p>While I am optimistic that we will arrive at a good place, the EU is enacting a flurry of powerful new privacy laws that will impact us all.</p> <h3>General Data Protection Regulation (GDPR)</h3> <p>On the 14<sup>th</sup> April 2016, the EU Parliament <a href="https://econsultancy.com/blog/67540-what-is-the-eu-general-data-protection-regulation-gdpr-why-should-you-care/">formally adopted the GDPR</a>; another legislative step in the multi-year process to overhaul the EU’s disparate data protection laws. </p> <p>The next step will be for the GDPR to be officially published, translated, and put to print in the Official Journal of the European Union, hopefully by June.</p> <p> Just 20 days following that, the two-year countdown to the GDPR taking effect will commence. </p> <p>As the GDPR winds its way through the end of this legislative process, it’s important to note how much work organisations will have to complete during this small two-year window. 
</p> <p>It will strengthen the individual’s control over their personal data by new rights that will be bestowed upon EU citizens, such as the right to data portability and the right to be forgotten (erasure).</p> <p><img src="https://assets.econsultancy.com/images/0007/4342/The_EU.jpg" alt="" width="800" height="600"></p> <p>On the flip side, organisations will have new codified obligations to honour the individual’s rights, and these obligations will force companies to create new privacy-centric business processes – no easy task in the best of times. </p> <p>For example, the quaint notion of “bundled” consent – those dense, unreadable Terms and Conditions buried in the footer of a site that say use of the website constitutes consent to the company’s data practices – is non-existent. </p> <p>In its place, companies are going to have to give prominent notice and obtain a user’s consent when a person visits their website.</p> <p>Other changes include more transparent privacy policies and the requirement to have processes for a person to access, review, and correct their personal data, as well as request that data can be easily transferred or taken from one service provider to another.</p> <p>All of this, and more, needs to be considered, created, tested, and put in place by the time the GDPR takes effect. That means you need to start now.</p> <p><strong>Why is this important?</strong> </p> <p>Namely because the EU’s data protection authorities have enhanced new enforcement powers that include the ability to penalise an organisation up to €20m or 4% of its annual global turnover, whichever is greater.</p> <h3>Privacy Shield </h3> <p>While the GDPR’s impact will be huge, at the same time, the evolution of the digital world continues to sprint forward. </p> <p>Similar to the Berlin Wall, digital borders have come crashing down; allowing for the natural flow of data between Member States but also between the EU and US, its largest trading partner. 
</p> <p>Both economies are in fact dependent upon this fundamental notion. </p> <p>However, the fledgling Privacy Shield – a heavily negotiated replacement to <a href="https://econsultancy.com/blog/67144-safe-harbor-2-0-an-update-on-eu-privacy-law/">the invalidated US Safe Harbor Program</a> – recently received a tepid review by the Article 29 Working Party (WP29).</p> <p><img src="https://assets.econsultancy.com/images/0007/4343/safe_harbor.png" alt="" width="351" height="144"></p> <p>The Privacy Shield at the highest level is a mechanism that allows organisations to transfer personal data about EU citizens to companies in the US. </p> <p>It’s needed because the EU, for a host of reasons, has not recognised the US as a country that has “adequate” data protection laws, although the US does in fact heavily regulate data protection through a variety of laws and robust enforcement. </p> <p>But because of this political fact, a negotiated agreement that created a mechanism needed to be put in place, thus the Safe Harbor Program (which became obsolete), and now the Privacy Shield.</p> <p>Although many thought-leaders have concluded that the Privacy Shield provides essentially equivalent levels of data protection as EU law, the WP29 has chosen a more cautious route, one that whilst not rejecting it, also doesn’t endorse it. </p> <p>I anticipate the Privacy Shield will be heavily challenged in the EU courts, but that it will ultimately prevail. </p> <p>Any other result would have a tremendous negative impact on both economies, which no reasonable person could want.</p> <h3>ePrivacy Directive </h3> <p>On the 12<sup>th</sup> April 2016, the European Commission began its comprehensive review of <a href="https://econsultancy.com/reports/the-eu-cookie-law-a-guide-to-compliance/">the ePrivacy Directive</a>. 
</p> <p>Some call it the cookie law, which requires companies to give notice and get consent before they use any sort of tracking technologies or analytics tools when you visit their sites. </p> <p>The Directive also restricts how telecom providers can treat or move electronic communications. The review aims to close any potential gaps between the ePrivacy Directive and the GDPR.</p> <p>As a stakeholder in the process, I am aware how important it is to get it right. </p> <p>Of concern to me is the separate notice and consent requirement the ePrivacy Directive has from the GDPR. </p> <p>But I am also confident that the distinct transparency requirements between the two laws can be merged so the consumer can be well informed and make meaningful decisions that are best for themselves.</p> tag:econsultancy.com,2008:BlogPost/67743 2016-04-15T14:14:27+01:00 2016-04-15T14:14:27+01:00 The five announcements from Facebook's F8 conference that you need to know about Patricio Robles <h3>Messenger Platform</h3> <p><a href="https://econsultancy.com/blog/67551-private-messaging-is-social-s-next-big-ad-frontier">Private messaging is social's next big ad frontier</a> and talk of <a href="https://econsultancy.com/blog/66234-is-facebook-about-to-open-messenger-to-content-producers-brands">Facebook opening its Messenger app to brands</a> has been circling for more than a year.</p> <p>One of the biggest announcements at the F8 conference was <a href="http://newsroom.fb.com/news/2016/04/messenger-platform-at-f8/">the beta launch of Messenger Platform</a>, which allows third parties to develop <a href="https://econsultancy.com/blog/67697-does-the-rise-of-messaging-apps-mean-brands-need-a-bot-strategy">bots</a> that interact with Messenger's 900m users. 
</p> <p><img src="https://assets.econsultancy.com/images/0007/3950/how-to-search-for-bots-on-messenger.jpeg" alt="" width="249" height="483"></p> <p>According to David Marcus, Facebook's VP of Messaging Products...</p> <blockquote> <p>Bots can provide anything from automated subscription content like weather and traffic updates, to customized communications like receipts, shipping notifications, and live automated messages all by interacting directly with the people who want to get them.</p> </blockquote> <p>Facebook has created a number of discovery tools to help users find bots that may be of interest to them, and users will have the ability to block communications that are unwanted.</p> <p>Facebook says it has established strict review and oversight policies to ensure that brands don't abuse its <a href="https://messengerplatform.fb.com/">Messenger Platform</a>.</p> <h3>Facebook Live API</h3> <p><a href="https://econsultancy.com/blog/67712-seven-helpful-tips-for-livestreaming-success">Livestreaming</a> is the subject of a lot of buzz today, and Facebook believes that it's a meaningful trend.</p> <p>The social network <a href="https://econsultancy.com/blog/67603-what-marketers-need-to-know-about-facebook-s-livestreaming-push">is pushing to be a livestreaming leader</a>, so it's no surprise that Facebook has built a Live API, which <a href="https://media.fb.com/2016/04/12/introducing-the-facebook-live-api/">it unveiled at F8</a>.</p> <p>Thanks to the Live API, publishers wanting to broadcast directly to Facebook can work with Facebook's Media Solutions partners, and access advanced capabilities, such as the ability to mix multiple video and audio sources and to combine the Live API with Facebook's Graph API to access live video comments, reactions, and mentions in real-time.</p> <p>According to Facebook, "You can use this information to reflect viewer engagement in real time and create on-screen graphics that show live poll results, analyze comments, and enable 
comment moderation."</p> <p>The Live API will also allow hardware manufacturers to integrate with Facebook Live.</p> <p>Already, a number of camera manufacturers have taken advantage of this, and drone manufacturer DJI has integrated its GO app with Facebook's Live API so that drone pilots can stream their flights.</p> <p><img src="https://assets.econsultancy.com/images/resized/0007/3955/facebooklivedrone-blog-flyer.jpg" alt="" width="470" height="264"></p> <h3>Account Kit</h3> <p>Use of <a href="https://econsultancy.com/blog/66711-social-login-adoption-grows-despite-privacy-concerns">social login</a> has grown significantly in recent years and Facebook is aiming to make it even easier for consumers to access third-party apps with <a href="https://developers.facebook.com/blog/post/2016/04/12/grow-your-app-with-account-kit/">Account Kit</a>, a new tool that allows individuals to sign in with just a phone number or email address, even if they don't have a Facebook account.</p> <p><img src="https://assets.econsultancy.com/images/resized/0007/3956/12995596_1709301726022225_16641357_n-blog-flyer.png" alt="" width="470" height="299"></p> <p>Account Kit gives app owners the ability to customize UI and access analytics.</p> <p>Facebook also offers a backup notification option for users of its social network, which it says can help conversions...</p> <blockquote> <p>If a person chooses to sign into your app using their phone number, but doesn't receive an SMS, but does have a Facebook account, they can choose to receive a Facebook notification to complete the login process.</p> <p>We built this backup option to help increase your conversion rate by making sure people have more ways to log in if needed.</p> </blockquote> <p><a href="https://developers.facebook.com/docs/case-studies/saavn">According to</a> Facebook, music streaming app Saavn saw its daily signups grow by 33% within two months of adopting Account Kit. 
</p> <h3>New Sharing Tools</h3> <p><img src="https://assets.econsultancy.com/images/0007/3957/facebooksave.jpg" alt="" width="236" height="452"></p> <p><a href="https://econsultancy.com/blog/67733-the-facebook-context-collapse-how-decline-in-personal-sharing-might-affect-brands">Facebook is fighting "context collapse"</a> and to encourage more sharing, the company released a number of new sharing tools at F8.</p> <p>These include:</p> <ul> <li> <strong>Quote Sharing</strong>, which allows Facebook users to more easily share quotes they like from websites and apps.</li> <li> <strong>Hashtag Sharing</strong>, which gives users the ability to add a hashtag to content they share from apps.</li> <li>A <strong>Save Button</strong> that extends Facebook's Save functionality to third-party sites that integrate it.</li> </ul> <p>Additionally, Facebook has released <a href="https://developers.facebook.com/docs/sharing/insights">Sharing Insights</a> and an improved Sharing Debugger to help publishers better track sharing activity and manage their sharing integrations.</p> <h3>Rights Manager</h3> <p>Facebook's rise as an online video powerhouse is a double-edged sword for content owners which are increasingly grappling with copyright infringement issues on the world's largest social network.</p> <p>In an effort to address this, Facebook created <a href="https://rightsmanager.fb.com/">Rights Manager</a>, an online tool that gives content owners the ability to upload a reference library of their content, along with associated rules, so that possible violations can be identified and reported more efficiently.</p> <p>Content owners can apply for access to Rights Manager. Currently, Facebook says it is providing access based on need.</p> tag:econsultancy.com,2008:BlogPost/67540 2016-02-18T10:50:58+00:00 2016-02-18T10:50:58+00:00 What is the EU General Data Protection Regulation (GDPR) & why should you care? 
Nick Stringer <p>However, the next few years will see a ‘sea-change’ in privacy and data protection law: organisations face a new privacy challenge.</p> <h3><strong>Enter the EU General Data Protection Regulation (GDPR)</strong></h3> <p>Having just got used to the changes brought in by the <a href="http://www.iabuk.net/policy/briefings/updated-iab-factsheet-july-2015-the-revised-eprivacy-directive" target="_blank">revised ePrivacy Directive</a> (the so-called ‘<a href="https://econsultancy.com/reports/the-eu-cookie-law-a-guide-to-compliance/">cookie law</a>’) - replacing the ‘notice and opt out’ provisions for the use of cookies and other technologies to one based upon ‘consent’ - European policy-makers have agreed an update to the existing data protection legal framework dating back to 1995 (in the UK, the 1998 Data Protection Act).</p> <p>Known as the <a href="http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm" target="_blank">EU General Data Protection Regulation (GDPR)</a>, it is expected to be formally agreed in the coming months although won’t actually come into force until mid-2018.</p> <p>However, after nearly four years of debate and discussion in Brussels, it introduces new aspects that will require a different approach.</p> <p>It won’t overhaul existing data protection law completely but organisations need to sit up and take note now.</p> <h3><strong>So what’s new? </strong></h3> <p>There has been a wide range of debate about the new regulation: Will it place too many restrictions on the use of data? How will the ‘open’ internet fare? Is it a ‘milestone’ for the digital world?</p> <p>The devil is in the 200+ pages of text, but there are four specific changes to be aware of now:</p> <p><strong>1. 
It aims to deliver 'one law across one continent’.</strong></p> <p>In updating the existing framework, the policy-makers in Brussels wanted to take into account the world we live in today where vast amounts of digital information are collected, exchanged and used every second.</p> <p>They also sought to recognise that this world is global. To this extent, the new law is what is known as a ‘Regulation’.</p> <p>So, unlike the ‘cookie law', it will apply consistently across EU markets. However, in reality, many aspects are devolved to national jurisdictions.</p> <p><strong>2. Its scope is broad. </strong></p> <p>The drafters will argue otherwise. But, with a few exceptions, all data is now ‘personal’ whether it directly identifies an individual or not.</p> <p>Therefore, in practice, a lot more data is swept up in the regulatory net.</p> <p><strong>3. The new law’s influence stretches beyond European shores in an attempt to recognise the global nature of data. </strong></p> <p>If an organisation is processing personal data about a person who is in the EU then the rules will apply regardless of where the organisation is located. </p> <p><strong>4. The penalties for a breach have been ramped up. 
</strong></p> <p>For serious violations the fine is €20m or 4% of annual global turnover, whichever is higher.</p> <h3><strong>A need for consistent &amp; practical EU-wide guidance</strong></h3> <p>The political necessity to find an agreement in Brussels before Christmas contributed to many aspects of ambiguity in the final text.</p> <p>But we should be used to this from policy-makers by now and, while organisations seek legal clarity, this may not be such a bad thing given what was on the table six months ago.</p> <p>While the Regulation will be done and dusted by the middle of this year, there will be a need for consistent and practical guidance across Europe, particularly on areas such as ‘consent'.</p> <p><a href="https://assets.econsultancy.com/images/resized/0007/2056/cookie_law-blog-flyer.jpg"><img src="https://assets.econsultancy.com/images/resized/0007/2056/cookie_law-blog-flyer.jpg" alt="" width="470" height="353"></a></p> <p>Working with industry, Data Protection Authorities (DPAs), such as the UK Information Commissioner’s Office (ICO), need to produce consistent EU guidance to help deliver practical, realistic and creative ways of achieving compliance.</p> <p>The experience of the ‘cookie’ law illustrates only too well that we require something that actually works for users: improving their control without interrupting their experience.</p> <h3><strong>What about the Cookie Law? </strong></h3> <p>The revised ePrivacy Directive stays in force for now.</p> <p>However, it will need to eventually align (specifically Article 5.3 regarding cookies, etc.) 
with the new Regulation to ensure organisations do not face ‘double-regulation'.</p> <p>There are many different views on its future and work is already underway to review it in Brussels.</p> <h3><strong>Next steps</strong></h3> <p>It is clear that, in the next few years, the data protection and privacy landscape is going to change.</p> <p>The ICO, the UK body that will enforce the new law, has already kicked off its implementation process and it will soon have a new section of its site dedicated to this.</p> <p>It is worth organisations following this and the ICO’s updates. Those businesses and organisations that get out in front are likely to gain the advantage.</p> tag:econsultancy.com,2008:BlogPost/67144 2015-11-05T10:28:50+00:00 2015-11-05T10:28:50+00:00 Safe Harbor 2.0? An update on EU Privacy Law Todd Ruback <p>This is an important development on a number of levels. While there are other legal mechanisms that allow for the transfer of personal data outside of the EU, the Safe Harbor Program, with over 4,000 companies participating, was clearly the most popular. </p> <p>The effect of the court’s ruling was to immediately make data transfers under this program illegal. </p> <p>While some interpret the court’s ruling as politically motivated, or as wreaking havoc on a negotiated bi-lateral agreement, I see this moment as an opportunity. </p> <p>After the Snowden revelations about the NSA’s surveillance programs, our European colleagues were kind enough to enumerate 13 specific areas for improvement of the program. </p> <p>To be fair, many of them were well reasoned and I was encouraged that the Department of Commerce was open to change. 
</p> <p>In fact, at the time of the court’s ruling in <a href="https://en.wikipedia.org/wiki/Max_Schrems">the Schrems case</a> it was reported that the negotiators were down to a final point or two, namely the right of EU citizens to have judicial redress against US companies, and indiscriminate governmental surveillance.</p> <p><img src="https://assets.econsultancy.com/images/0006/8703/harbor.jpg" alt="" width="500" height="375"></p> <p>The court’s ruling may be just the spur to motivate the negotiators to close the gap on these last points, and I’m confident that a new understanding will emerge.</p> <p>Lost in the noise surrounding the Schrems case is a nuanced and important point that it wasn’t the framework that was invalidated, just the program. </p> <p>That means that it is subject to change and once the negotiated points are agreed upon, then the program may be back in a new and improved form. </p> <p>I am hopeful that this is exactly what will occur and if it took the European Court of Justice to help us over the finish line, then they deserve a big thank you.</p> <p>Of course no one knows if Safe Harbor 2.0, as it is already being called, will indeed be born, and even if it is it may have a completely different look and feel. </p> <p>My guess is that it will be and that we can anticipate more robust monitoring and enforcement, something the FTC has already begun, and something we can all get behind. </p> <p>Some are also speculating that the Safe Harbor seal program, where approved third party providers do annual audits, may be a thing of the past.</p> <p><img src="https://assets.econsultancy.com/images/0006/8705/safe_harbor_2.0.png" alt="" width="351" height="144"></p> <p>Also, look for EU citizens securing better access to their personal data and an easier path to obtain judicial relief, an important and valid issue. </p> <p>Finally, look for a mechanism that limits certain types of governmental surveillance. 
</p> <p>While nobody doubts the need for governments to access data to keep citizens safe, well-reasoned policy makers also recognise the imperative to balance access to that data with citizens’ fundamental rights to privacy.</p> <p>While I hope that Safe Harbor does indeed get revamped, it is wise to prepare a Plan B, just in case it doesn’t. </p> <p>The Working Party 29, in response to Schrems, quickly convened and issued a statement reiterating that the present program is no longer a valid way to transfer data out of the EU, while also leaving the door open for a new and improved Safe Harbor to emerge. </p> <p>However, hope is not a good strategy, so the WP29 also gave clear expectations that organisations have until January 31 2016 to put in place an alternative transfer mechanism, namely either Standard Contractual Clauses or Binding Corporate Rules, both which are already on the books as approved avenues to move data. </p> <p>Implementing a Plan B, especially as we enter the end of the year, will take significant work for any company, possibly utilising outside counsel with expertise in international data transfers. </p> <p>But it is an investment well worth it as it will force us all to review our data management practices to ensure that they are still world class and that we are in fact doing what we think and say we are doing. </p> <p>In the end, this is no bad thing. </p> tag:econsultancy.com,2008:BlogPost/67032 2015-10-13T11:40:57+01:00 2015-10-13T11:40:57+01:00 The end of the Safe Harbor Agreement: What next for digital marketing? Tim Roe <h3><strong>What did the Safe Harbor agreement actually do?</strong></h3> <p>In EU law (from which the UK Data Protection Act is drawn), a Data Controller who needs to transfer data outside of the European Economic Area must do due diligence on where they intend to send the data.</p> <p>They need to satisfy themselves that the data protection will be the same or better than provided within the EU. 
</p> <p>It’s quite an undertaking, because if anything goes wrong it’s down to the Data Controller to prove they took all reasonable steps to ensure the data’s safety. If they can’t do that, they could well have broken the law.</p> <p>It also counts if the personal data belongs to EU Citizens and is being gathered by a non EU organisation, like Facebook for instance.</p> <p>Enter Safe Harbor, an agreement between the EU and the US that allowed any organisation agreeing to its principles to be deemed adequate in relation to data protection.</p> <p>The principles of this agreement were developed between 1998 and 2000, with the European Commission rubber stamping the agreement in July 2000.</p> <p>This allowed EEA businesses to export data to the US with a clean conscience. It also allows US companies to process data they have gathered on EU citizens.</p> <p>So what does a US data processor need to do to belong to this exclusive crowd of data protection stalwarts?</p> <p>It might go something like this:</p> <p><strong>US data processor:</strong></p> <blockquote> <p>Hey Buddy, I want to join the ‘Safe Harbor’ crowd.</p> </blockquote> <p><strong>Buddy:</strong></p> <blockquote> <p>Ok, you’ve got to do something first.</p> </blockquote> <p><strong>US data processor:</strong></p> <blockquote> <p>Right, so what might that be then?</p> </blockquote> <p><strong>Buddy:</strong></p> <blockquote> <p>See these data protection principles? Just say you agree to them.</p> </blockquote> <p><strong>US data processor:</strong></p> <blockquote> <p>Is that it?</p> </blockquote> <p><strong>Buddy:</strong></p> <blockquote> <p>Yep.</p> </blockquote> <p><strong>US data processor:</strong></p> <blockquote> <p>Ok... 
in that case, yes I agree, count me in!</p> </blockquote> <p>No promises, no guarantees...</p> <h3><strong>Lack of protection</strong></h3> <p>To add to the lack of substance in the 'Safe Harbor' the Court of European Justice has ruled that the agreement is invalid due to other more fundamental reasons.</p> <p>This is because, to paraphrase the court's ruling, the US authorities’ wide ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress compromise individuals’ fundamental rights to respect for private life and to effective judicial protection.  </p> <p>That suggests, that not only is EU citizens' data unsafe in the US, but US citizens are no better protected either.</p> <p>The UK Information Commissioner’s Office (ICO) has already issued a statement saying that negotiations on an updated Safe Harbor are already in an advanced stage.</p> <p>However, seeing that the Court of European Justice ruling cites a disagreement with what is a key US security policy, this process is likely to go on for some time. For now, Safe Harbor is finished.</p> <h3>What actions to take now!</h3> <p>Does this mean the end of data transfers and processing across the pond? What happens now?</p> <p>Well, apparently you don’t need to panic, because there are a number of options available for organisations that rely on transferring data to the US. Actions you could take now:</p> <ul> <li>Identify all of your personal data that goes to the US. 
This could be something like CRM systems or US-based service providers.</li> <li>Review the terms of the suppliers to see who relies on the Safe Harbor.</li> <li>See if you can make alternative arrangements, such as using the model contract clauses (available from the ICO website) or binding corporate rules if you are a global business.</li> </ul> <p>There are likely to be many more options and advice in the coming weeks, from organisations such as the Information Commissioner’s Office.</p> <p>Some service providers in the US have already issued new contracts including model contract clauses, which binds data protection on a contractual level.</p> <h3>What happens next?</h3> <p>At first glance, the demise of Safe Harbor will be little more than an inconvenience for many EU-based organisations.</p> <p>But, if you are a US service provider who relied on Safe Harbor to rubber stamp the gathering of EU citizens' data (such as social media platforms), things might not look so rosy.</p> <p>The only way of complying with the Data Protection Act would be to gain the specific and informed consent of the data subject.</p> <p>But, to be properly informed, the data subject would need to be told that their data was going to a country where the authorities’ wide ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress, compromise individuals’ fundamental rights to respect for private life and to effective judicial protection. </p> <p>And if they were informed, would they consent? 
</p> <p>And considering the Court of European Justice ruling has questioned the data protection and security regime of the United States, then no contractual agreement will satisfy the EU data protection requirements.</p> <p>Nothing short of a complete revision of the US security regime regarding the surveillance of foreign citizens will satisfy the EU regulations.</p> <p>The EU regulations are formed on fundamental human rights, one of which is the right to a private life. That is not going to change, but it remains to be seen how far the US is prepared to compromise. </p> <p>The only certainty, is that the next few months will be very interesting.</p> tag:econsultancy.com,2008:BlogPost/66435 2015-05-12T09:15:00+01:00 2015-05-12T09:15:00+01:00 The state of online privacy Todd Ruback <p style="text-align: justify;">The speed at which new technologies have become embedded into our daily lives is amazing. Within the past five years, I’ve gone from defaulting to my laptop to my phone, and now within my phone my entry point to information is through apps. </p> <p style="text-align: justify;">What many of us don’t fully realise is that <strong>apps, just like websites, collect data on our behaviour.</strong> Apps can collect location data about where we are, as well as what apps we use and how we use them. </p> <p style="text-align: justify;">This is valuable information to apps, as it not only helps them understand and improve how they are being used, but also because digital marketing’s fastest growth segment is app based.</p> <p>While all of this is happening, laws such as the EC’s Data Protection Framework and the ePrivacy Directive – what some call the <a href="https://econsultancy.com/blog/65366-the-eu-cookie-law-what-has-it-done-for-us">'cookie law'</a> – are struggling to be relevant, and naturally so. </p> <p>They were passed in a different age, when we used desktops or laptops and smart phones were a futuristic notion. 
Legislation, though, is trying to catch up.</p> <p> In the EU, the Data Protection Framework, after a long process, will soon be overhauled into a pan-European Regulation, having the effect of a unified data protection law that will help to create a single EU digital economy. </p> <p>The aspiration is that such a pan-European law will lessen compliance burdens on companies and allow the cross-border flow of data to be frictionless, thus creating the foundation in the EU for companies to develop new technologies and industries. </p> <p>By creating a condition for innovation, there can be greater prosperity: more jobs, money, and tax revenue. </p> <p>That’s the theory at least. But it’s all predicated on one simple notion: that new technologies and their uses, in order to pass regulatory muster, must not ignore well established privacy principles such as a right to notice, consent, access to data, and the ability to withdraw consent, to name a few. And this is where it gets tricky. </p> <p>Well-established <a href="https://econsultancy.com/blog/64742-privacy-how-much-personal-data-are-we-willing-to-share">privacy principles</a>, because they were created in a different era, are difficult to implement technologically in a fast-changing digital age. </p> <p>Although the principles are timeless, there is not often a tool that enables companies to comply with them, thus the notion of notice and consent within the context of an ever-changing digital environment becomes a central pillar.</p> <p>A stand-alone law in the EU, the ePrivacy Directive, provides a great roadmap for us to follow. This law, also long in the tooth, was flexibly written to be technologically neutral and therefore can be extended into apps and even beyond.  </p> <p>While its original purpose was to require websites to give notice and obtain consent where tracking technologies are deployed, regulators have been quietly giving guidance that the law applies equally to apps. 
</p> <p>Thus, any sort of data collection in an app triggers the notice and consent requirements of the ePrivacy Directive. It’s only a matter of time before one of the EU regulators steps up and enforces the law against apps.</p> <p>The magic of the notion of notice and consent, seemingly self-evident, is that it creates trust, and not in an amorphous way. </p> <p>Consumers have been quite clear that <strong>the more transparent an organisation is about its digital practices and the more control it gives to the individual, the higher the level of consumer trust.</strong> </p> <p>And where there is trust, a company has a solid foundation with its customers and will be able to extend new services and products, and it will sell more.</p> <p>It’s important that companies, apps included, get the notion of notice and consent right because shortly the digital landscape will go through yet more change, change that is difficult to imagine from where we sit. </p> <p>I have spoken widely that we are on the threshold of the post-internet age, where we are about to morph from a world of 2bn smart phones to 50bn connected devices as part of the Internet of Things, all of which will be collecting data for some reason or another. </p> <p>We will see yet another round of laws struggling to keep up and needing to be updated, but what the before and after will have in common is the notion of transparency or notice and consent. It’s not fully clear how notice and consent will be delivered in the world of tomorrow. 
</p> <p>What is clear is that, as well-established privacy principles, they will still be relevant and still be required.</p> tag:econsultancy.com,2008:BlogPost/66258 2015-04-03T14:30:00+01:00 2015-04-03T14:30:00+01:00 Equity crowdfunding comes to the US, sort of Patricio Robles <p>It's not <a href="https://econsultancy.com/blog/9548-the-crowdfund-act-everything-you-need-to-know/">the CROWDFUND Act</a> that everybody has been talking about for years and which may never be put into place, but it does pave the way for businesses to raise up to $50 million in offerings that aren't open only to wealthy investors. </p> <p>The new Regulation A+ rules give companies the ability to sell equity in two tiers. Under a Tier 1 offering, companies can offer up to $20m in equity to the public over a 12 month period.</p> <p>Companies will need to have their financials reviewed and an offering circular approved by the SEC. Under a Tier 2 offering, companies will be able to offer up to $50m in equity to the public over a 12 month period.</p> <p>In addition to the Tier 1 requirements, audited financials must be provided, and ongoing disclosures similar in nature to those of publicly-traded companies are required.</p> <p>The buzz around Regulation A+ is due to the fact that under both Tier 1 and Tier 2 offerings, companies can sell equity to non-accredited investors (individuals who don't have more than $200,000 a year in income or a net worth of at least $1m).</p> <p>In Tier 2 offerings, non-accredited investors will be limited to investing 10% of their net worth or net income, whichever is greater, in an effort to prevent individuals from betting more than the SEC believes they can afford to lose.</p> <p>Importantly, non-accredited investors will be able to self-report their net worths and incomes, so companies will not have the burden of verifying this information.</p> <p>Combined with the fact that companies using Regulation A+ can freely advertise their offerings to the public, 
Regulation A+ is being hailed by many as a groundbreaking development that will usher in a new wave of equity crowdfunding in the United States. But will it really?</p> <p>A Regulation A+ offering isn't going to be cheap to prepare and, according to some observers, the total cost could run companies upwards of $100,000.</p> <p>Additionally, the offering circular that the SEC must approve is expected to receive the same level of scrutiny as an SEC Form S-1, the document companies must prepare for a traditional IPO.</p> <p>Fortunately, Regulation A+ does allow companies to test the waters before they prepare their circulars, so in theory some of the costs could be delayed until companies have confidence their offerings will be successful.</p> <p>Despite this, given the minimum costs, disclosures required and reviews that companies will be subjected to, it might be appropriate to think of Regulation A+ offerings as mini IPOs rather than the true crowdfunding campaigns proponents have been seeking.</p> <p>Certainly, there are reasons to believe there won't be a flood of new companies raising money using Regulation A+, but that doesn't mean that the SEC's new rules aren't a step in the right direction.</p> <p>Giving young companies more ways to raise capital is almost certainly a good thing and it would be surprising if, at a minimum, Regulation A+ doesn't result in at least a few interesting, innovative businesses getting capital they might otherwise not have.</p> tag:econsultancy.com,2008:BlogPost/65946 2015-01-08T11:30:00+00:00 2015-01-08T11:30:00+00:00 How the new EU VAT rules and MOSS affect you Nick Chowdrey <p>The <a title="New EU VAT rules" href="https://econsultancy.com/blog/65810-new-eu-vat-regulations-threaten-small-businesses-vatmoss/" target="_blank">new EU VAT rules</a> have annoyed a lot of people, mainly due to their complexity and wording. 
For example, the Regulation states that the changes will only apply to those providing digital services.</p> <p>This is confusing, because actually the rules not only cover digital services like broadcasting and telecoms services (think Skype or Vimeo), but also products, such as ebooks, games or other downloads.</p> <p>The broad effect of the legislation is another big reason why small business owners are upset.</p> <p>Really, the rules are a good thing, as they’re meant to stop the current VAT evasion practices of big multinationals.</p> <p>For example, Amazon currently funnels its EU sales through a subsidiary in Luxembourg, benefitting from the country’s extremely low VAT rate.</p> <p><img src="http://i.imgur.com/zNabgyH.jpg" alt="" width="4012" height="1998"></p> <p>The new rules will force Amazon to register for VAT in every country it supplies to, meaning member states will get the taxes they rightly deserve.</p> <p>The problem is that the rules have been implemented with no threshold, meaning that even if you’re a really small business with a limited turnover, you’ll still be affected.</p> <p>This seems highly disproportionate, and it’s safe to say that neither the EU nor HMRC has properly considered the impact the new rules will have on micro businesses.</p> <p>Thankfully, a small victory for the small business community has been made. 
So much of a fuss was kicked up about the huge impact the new rules would have on UK microbusinesses that <a title="HMRC VAT changes" href="http://www.telegraph.co.uk/finance/businessclub/11268706/Victory-for-UK-micro-firms-as-HMRC-tweaks-EU-VAT-MOSS-rule.html" target="_blank">HMRC agreed to make some changes</a>.</p> <p>Basically, if you’re a UK business and can separate your UK from your EU sales, you’ll only have to pay VAT on any UK sales over the current threshold of £81,000 gross a year.</p> <p>Unfortunately however, this has made it even more difficult to figure out whether or not you’re affected.</p> <p>Add to this the several other criteria that could affect your position and it’s no wonder the whole thing has been dubbed a right <a title="#VATMESS" href="https://twitter.com/hashtag/vatmess" target="_blank">#VATMESS</a>. </p> <p>HMRC tried to clear things up by, in the Revenue’s inimitable fashion, publishing an ugly and intimidating flow chart.</p> <p>Thankfully, Crunch Accounting made an attractive click-through quiz version for you to try out instead, which you can find at the bottom of their post on the <a title="New EU VAT rules" href="http://www.crunch.co.uk/small-business-advice/2014/12/09/affected-new-eu-vat-rules/">new EU VAT rules</a>.</p> <p>If you’re still confused about what these changes mean, and whether or not you’ll be affected, here's a short video explaining the basics:</p> <p><iframe src="https://www.youtube.com/embed/lbb0e1YYT_E?list=UUIoPE66PBHp1xXOaXxsn2dA&amp;showinfo=0&amp;wmode=transparent" width="651" height="366"></iframe></p> tag:econsultancy.com,2008:BlogPost/65805 2014-12-01T11:21:00+00:00 2014-12-01T11:21:00+00:00 Successful corporate-startup ventures. 
Pt 2: Doing the deal Frank Lampen <p>Although various intermediaries are springing up with experience in this area, some of these lack the statutory regulation necessary for arranging these deals.</p> <p>As more corporates look to deals with startups, in some cases we’re finding that initiatives are being created without full internal alignment around whether the objective is short term innovation or long term financial return.</p> <p>This in turn creates issues around whether the money is coming from operating expenditure or capital expenditure. <strong>The route chosen has big implications on who the right internal stakeholders are.</strong></p> <p><img src="https://assets.econsultancy.com/images/0005/6380/IU_Corporate_Venturing_2.jpg" alt="choose the right path for your corporate startup venture strategy" width="615" height="435"></p> <p>If you are intending to take an equity stake in a startup, it’s helpful to understand how different the world of VC and angel finance (where startups tend to raise most of their money) is from the realm of large listed companies.</p> <p>The two worlds have such fundamentally different attitudes to risk and control that corporates can quickly find themselves facing challenges in either getting the startup to agree terms, or in getting internal approvals within their own organisation.</p> <p>Before you start on the deal, <strong>you need to look at your organisation and honestly assess whether key stakeholders have a true picture of the length of time before they can expect a return, the risks, the likely additional capital needs the business will have, and who in the business will take the P&amp;L hit from any writedowns</strong> (and inevitably there will be some writedowns).</p> <p>Once you’ve got that alignment internally, framing the deal well requires you to adopt a win-win style of integrative negotiation rather than the hard-bargaining negotiation that might be more prevalent in your organisation.</p> <p>Even if long-term 
equity gain is not your principal reason for forming the partnership, we’ve seen many times how putting some money on the table to become a shareholder can lead to better outcomes than simply paying for services or only trying to use non-monetary value added.</p> <p>Once you’re a shareholder, you’re much less likely to bargain hard for a deal which might satisfy your short term interests at the expense of the startup’s long term future.</p> <p>There isn’t really a shortage of investment capital right now, and for the good companies it is certainly an investee’s market not an investor’s; so <strong>if you want to work with the best, you want your deal to be the smartest, best-value one on the table</strong>.</p> <p>If you can’t, or won’t, compete on deal terms to work with the best startups, it’s worth questioning whether you should really be doing this in the first place.</p> <p>In summary, doing the deal in the right way requires you to consider:</p> <ul> <li>What the real value exchange is.</li> <li>The time horizon in which your organisation needs to see a return.</li> <li>Whether you’re funding from capex or operating expenditure.</li> <li>Having the right internal stakeholders aligned.</li> <li>Covering off the likely future capital needs and taking account of the possibility of writedowns.</li> <li>Adopting win-win negotiating strategies.</li> <li>Having deal terms that are at least competitive and ideally the best in the market.</li> </ul> <p>In the final post we’ll look forward to how you keep your organisation engaged, and how you can be a great partner to the startups you work with.</p> tag:econsultancy.com,2008:BlogPost/64537 2014-03-19T17:25:55+00:00 2014-03-19T17:25:55+00:00 Privacy practices: the should and must of online transparency Todd Ruback <p>This explosion in digital data practices is due, in large part, to emerging technologies that offer innovative ways to utilise data.</p> <p>The mobile advertising industry today can track you from app to app 
by your phone’s identifier and then serve you relevant adverts. Brick and mortar retailers have 'smart stores' that track your phone’s location and deduce what sort of products will interest you, then text a 'just in time discount' coupon.</p><p>Innovation knows no bounds, but as innovation drives business, customers are becoming <a href="https://econsultancy.com/blog/62978-has-online-advertising-made-us-apathetic-to-privacy">concerned about their privacy</a>, and rightly so.</p> <p>Government is in on the action as well. The revelations about the NSA’s massive data collection programme in the US have only amplified privacy concerns. Why was there so much outrage over the NSA revelations? A lack of transparency, that’s why.</p><p>The strategic lesson is that innovation without transparency can breed suspicion and a lack of trust. Innovation combined with transparency is powerful and builds trust.</p> <p>When asked to cite companies they considered to be the most trustworthy collector of consumer data in a recent Toluna study, <strong>16% of respondents mentioned Amazon, more than any other company</strong>.</p> <p>It also revealed that 84% of UK consumers (86% of US consumers) <strong>trust companies that are transparent about their online data practices and 75% would buy more from those companies. </strong></p> <p>They like the innovative ways the business uses data in combination with its openness about its data practices. Amazon builds relationships with its customers, and interacts and suggests products that consumers might like. Amazon is open with consumers and, as a result, they trust the brand.  
</p><p>Any discussion, however, about data collection practices would be incomplete without mentioning a growing trend in privacy laws.</p> <p>The public unease with new and powerful data collection practices has spawned a flurry of US and EU privacy legislation, much of it transparency-centric.</p> <p>These laws are an easy sell because they reflect the public mood. In a recent study by The Economist, only 26% of UK residents think businesses are transparent enough in how they use customers’ personal data and 75% think regulation preventing the misuse of such information is too weak.</p><p>Here in the US, California recently <a href="http://oag.ca.gov/privacy/COPPA">implemented</a> a transparency law requiring websites to disclose their online data practices. At the national level, FTC Commissioner Julie Brill has long voiced unease over the ‘Big Data’ industry and recently <a href="http://thehill.com/blogs/hillicon-valley/technology/198867-ftcs-brill-pushes-congress-on-privacy-laws">called</a> upon Congress to pass a 'Big Data' transparency law.</p> <p>And President Obama recently <a href="http://www.whitehouse.gov/blog/2014/01/23/big-data-and-future-privacy">formed</a> a committee to investigate the comprehensive issues of big data and privacy.</p><p>In a timely coincidence, the EU is overhauling the aging EU Privacy Directive, its pan-European privacy framework. A central theme of the proposed privacy regulation may be increased transparency obligations on data collectors.</p><p>Consumers are demanding transparency. <strong>Now is the time to get ahead and develop a transparency strategy that informs the consumer about your online data practices in a meaningful way that is both comprehensive and clear. </strong></p> <p>You’ll be doing the right thing for your business, while at the same time complying with the fast approaching transparency laws.</p>