
The Data Drop Panel: November 2021

Updated: Jan 8

Our host Debbie Reynolds takes a deeper dive into some of the most important, concerning, and downright fascinating data privacy and data protection items covered by the Data Drop News podcast in recent weeks.

Pro tip: get The Data Drop on your phone by subscribing to our podcast.

Debbie: Hello. My name is Debbie Reynolds. I'm a global data privacy advisor and strategist from Chicago. Very happy to be here today with all of you on the Data Drop Panel. So I am a member of the iOWN community and the Data Collaboration Alliance. So welcome to the Data Drop Panel. I am a guest host, where each month we gather some of the finest minds in data privacy and data to talk about the stories that are of interest to them, whether it's something that raised their eyebrows or had them clenching their fists. So, I should note that all the stories that we feature today have also been included on the sister Data Drop News podcast, which delivers a four-minute data privacy news roundup every other week. All right, so today we have a great panel.

I have the fortune of actually knowing two of the three guests, and I'll be happy to get to know Daniel as well. So the guests are Daniel Knapp, who is a data privacy consultant based in Atlanta, Georgia, and the Principal of Red Clover Advisors.

We have Peter Barbosa, I know him. He's a co-founder and CEO of Opsware Data in Canada.

And then Jeff Jockisch, who really doesn't need much introduction. I call him the data wizard. A data researcher and principal at PrivacyPlan which is a data privacy consultancy, and also he's a dataset provider.

All right, thank you gents for joining me on the Data Drop Panel today.


GDPR fines top €1 billion in Q3 2021

Debbie: Let's see. I would love to start with Peter. What news came up for you this week or this month that you really want to dig into a little bit more?

Peter: Yeah, absolutely. Happy to start this off. So, the article I'd like to call out this week I found in the Brussels Times, and it's that GDPR fines for the third quarter of 2021 almost equal 1 billion euros, which is completely insane.

I've been watching these closely since 2018, and if you actually look at the enforcement, there's been an ongoing trend of it constantly ticking upwards every month, and month, and month, of fines being introduced to companies. So for Q3 of 2021, believe it or not, the majority of those fines came from two particular companies.

The first one, I believe, looking at my notes over here, was Amazon for 746 million euros. If you recall that, I believe that was back in June or July, and more recently we saw WhatsApp, which was a 225 million euro fine. So very huge fines. Those are probably the largest ever fines that we've seen issued.

Also important to note that those are fines issued, right? So they still have to go to court, and the actual fines being paid and settled will likely be significantly less. If you remember, I think it was the case of British Airways, they were originally fined 200 million euros, but I believe the actual fine paid was 20 million. But still, a very significant jump in Q3 of this year, and it will be interesting to see how the rest of the year pans out for fines and penalties.

But yeah, those are really fines issued, not paid, but still significant. And then, you know, there's, I want to say, like four dozen very much smaller fines that were introduced throughout Q3 of 2021 as well.

Debbie: Right. Yeah. I think Amazon's fine, they're not going to appeal that one. They just sort of agreed to whatever that payment was, but I think WhatsApp, they're definitely gonna appeal. So people are gonna watch that on appeal and see if that gets reduced or not. That's very interesting. Yeah. I think especially because a lot of people have been complaining, I think people in the US, we thought as soon as GDPR came out, like that day, they'd start fining people, and because it's taken so long, I think it sort of took the wind out of people's sails in some way.

But now that we're seeing these things kind of culminate, you know, there is progress happening and there are things happening. So definitely keep an eye on it.


Over 60 million wearable fitness tracking records exposed

Debbie: I would love to talk with Daniel about fitness tracking records.

Dan: Yeah. So, last month it was discovered that there is a third party, not necessarily even a breach, there was an investigation and it was uncovered that a third party known as Get Health had a non-encrypted, non-password-protected database that they had compiled of users of their third-party app and service on Apple Watches and Fitbits, along with other wearables. And of course, if you're on Apple Watch or Fitbit, those are the two biggest fitness trackers out there.

And this is an instance where, you know, the breach was entirely on the side of the third party. They had a database, non-encrypted, with usernames and first names and geolocation info along with health info that they compiled. And you have a situation where once again, you have users who are, I think, just trusting the service because it's accessible through their Fitbit or through their Apple Watch, presume it's trustworthy and, you know, up to the level of the privacy policies that they've agreed to with Apple or Google, and it's not necessarily the case. And you know, this has me wondering, however, what technical constraints and further policy agreements can companies such as Apple and Google roll out to better protect their end-users from not necessarily malicious third parties, but third parties that are not being as diligent as they should.

You know, I think there needs to be more education at the very least, for end-users to realize, you know, even if it appears to be a trustworthy and legitimate service, you want to do a certain level of investigation on your end to make sure they're actually protecting your data. But then beyond that, are there further technical constraints that the operating system owners and the device providers and manufacturers can provide to protect users from even potentially engaging with third parties that are a little, you know, less, or in this case a lot less, up to snuff when it comes to data protection? So I think these are the sorts of conversations that we're going to continue to see every time a breach such as this happens.

Debbie: Yeah, that's actually a really good one. You know, we are seeing Apple with their App Tracking Transparency almost go in the other direction, which is, you know, let the third parties fend for themselves and sort of create that relationship. So maybe there's something that can be done, because sometimes, like you're right.

Some people think, oh, because I'm using like an Apple product or something and I go to the service, they're covered in the same way. So I think what they're trying to do is say, you know, third parties, you have to create a first-party relationship with a consumer. You have to ask them questions, ask them for consent and things like that.

But I think you're right in terms of consumer education. People may not be aware that once they leave, you know, even though they're using a device, when they use other apps those may or may not have the same protection or security.

Peter: Yeah, I think, Debbie, you're right. A lot of companies, when they, you know, just 'cause they're purchasing an Apple product or Fitbit product or that new Jawbone wristband that they really like.

I think once they do purchase that, they immediately assume it's a big company. You know, a lot of validation. I bought it at the Apple store, I'm protected as much as Apple is. But then again, you have all these third-party services that are constantly tracking and collecting this data. And I totally agree with what Dan says.

I'd like to see some tighter contracts in place between these companies that collect the data and who they share data with, to actually protect the consumers more and see those extra technical provisions and, you know, being more transparent to the customers as well, as far as what actually is being shared.

And obviously dumbing it down, but we'll see what happens in time.

Debbie: Excellent. I agree with that. I agree with that.


App Annie to pay $10M in landmark SEC action

Debbie: Well, Jeff, you want to talk about a landmark SEC action?

Jeff: Absolutely. Great to be here. Thanks for the introduction earlier. I want to talk about the intersection of what Peter was talking about with fines and what Dan is talking about with breaches.

You know, in this case, I think it's really a breach of trust, because the SEC has fined App Annie $10 million for what's effectively a breach of trust, right? What they do, if people don't understand, is App Annie sort of ranks downloads and other statistics for applications, mobile applications.

And they sort of act as a third party in the mobile ecosystem. And what's really sort of interesting about this story is a couple of different things. One, it's a pretty huge fine in the privacy world. I mean, it's not on the size of, you know, an Amazon fine, but for a company the size of App Annie, it's pretty huge.

Right. Second, it's a fine that's coming sort of out of left field in terms of privacy regulators, because you don't really hear about the SEC making privacy fines. Right. So it really sort of demonstrates just how fragmented the US privacy landscape is and how many different regulators there are out there.

And we've literally got dozens of different organizations that regulate privacy in the United States. Right. And third, I think it also sort of speaks to how byzantine the mobile data ecosystem is, right? That App Annie was able to get away with this for how long, right? I mean, it was like years that they've been doing this, where they've been taking all this information from companies large and small and giving away information that was supposed to be de-identified.

And it wasn't and they were just giving away all of this PII to whoever they wanted to. And that's really scary.

Debbie: I agree. I agree with that. You're right. And a lot of people don't, with the SEC, and the SEC is fining people. Actually, we're seeing them go after people for cyber stuff as opposed to privacy, but this is more or less almost a combination of the two. So, the regulators are also, in addition to seeing things in the news about data breaches, like a bad actor or something comes in and does something that we talk about in the news, also third-party or data sharing without consent of the consumer.

That is kind of what the SEC is looking at and also the FTC. So that's something definitely to look out for. Dan, you have a comment?

Dan: Yeah. Well, I just wanted to build on this by commenting. Yes, Jeff, this definitely seems like it flows very thematically from what I was just discussing, because here's yet another instance where you have a company or an entity that is just one step away from the larger, more trusted entity or entities that the consumers are doing business with. And, you know, in one case I was talking about Apple and Google; in this case we're talking about, you know, in many cases, major app providers, and yet here is App Annie, just one step away, doing something that's not trustworthy.

And so just another instance of: we've got to remember as privacy professionals, consumers have to remember, tech companies have to remember, you know, no matter how good our policies are, no matter how strong our protections are, at least we think they are, they're only as strong as the protections and the agreements we have with the third parties we're working with as well. And you know, as someone who, when I first got involved in privacy, the very first thing I was assigned to do was work on data flows and data mapping, this is near and dear to my heart as well, because it's always been part of what I look at, but it just serves as yet another good real-life reminder.

These are the sorts of things we need to be paying attention to.

Debbie: What do you think, Peter?

Peter: Yeah. I mean, like, it kind of comes back to the last story, like third-party due diligence is so critical for companies. And I looked at this article a bit more in-depth. It was 2014 to 2018 they'd been doing this, right? Like, that's a long time.

And App Annie, like, they support a lot of major mobile applications. Like, I know they're really popular with the mobile gaming space, but Pinterest, LinkedIn, like, they've got some big customers, and to full-on - I mean, from what I understood there, they're manipulating the estimates and the analytics for some of these companies, which is just a big no-no in my books.

So again, I think third-party due diligence is critical. I think it's something that a lot of companies need to focus on regardless of their size. So yeah.

Debbie: Yeah, it's a big ball of wax. You know, especially people who are developing apps. A lot of times they're very focused on, you know, look at these cool features, all the stuff that we can do.

And just because you can technologically do something doesn't mean that you should do it, legally or ethically.


Italian data authority seeks clarifications on privacy from Facebook over its new smart glasses

Debbie: Peter, you have something about the Italian data authorities seeking clarification on privacy from Facebook over these new smart glasses.

Peter: Yeah. So, I mean, you just said that headline right there, found on euronews.com and also on the Data Drop as well.

But I'm sure this was pretty controversial when it came out a week ago. Facebook partnered with Ray-Ban to come out with, I call them spy glasses, but they really are such a spyglass. Cameras embedded right into the actual Ray-Ban lens. And I'm a big fan of Ray-Ban. I was pretty shocked to see this myself, and I think really the only way they tell the users that they're actually recording is there's a little red light on the actual glass itself. And I think someone asked Facebook and they made a comment about it. They asked Facebook, you know, so what if someone just covers up the red light with a piece of tape or something, and I think they responded, well, that's against our terms of service, don't worry about that.

I only wish it was that easy for people not to worry about, but it is extremely creepy. And, yeah. I mean, it's definitely not privacy by default or privacy by design. I mean, it's far from it, but I think this is Facebook, unfortunately. Yeah, not the biggest fan of this at all.

Debbie: Yeah. People, you know, this is definitely going to happen anyway. Right. So we knew that, you know, especially with people who are using, like, the Oculus glasses or whatever, you can't really walk down the street with that. So this was inevitable. This was going to happen. And, you know, I think a lot of these companies, they're seeing how far they can push it.

And because, especially in the US, there just aren't a lot of guard rails, you know, for stuff. They can kind of just throw things out there and see what happens. But I think the Italian data authority, they're seeking clarification, but I think they're not even the only regulator in Europe that's asking for clarification on this.

So what do you think, Dan?

Dan: You know, this just strikes me as really on a whole other level beyond your typical smart home device or your typical internet of things device, because more often than not, regardless of what the privacy concerns might be about IoT devices, smart home devices, they're usually in the primary user's home or adjacent to their home in some way, shape, or form.

And that individual is at least on some level signing off themselves on what level of privacy they are or are not agreeing to. This is just different because, you know, it affects not mainly the privacy of the person wearing the glasses, but presumably whomever they encounter walking down the street, dining at a restaurant, wherever it is they may be.

And I think, Peter, beyond the example you gave, I actually saw an example where Facebook was asked, well, what if, you know, what's to stop someone from using this, say, in a public restroom, and again they said, don't worry about it, that's against our terms of service. Yeah. Okay. But, you know, there's no way to actually then physically stop someone or, you know, technologically stop someone from using their smart glasses in a public restroom.

So, there are, I think, huge concerns with this product that go well above and beyond what we're used to even addressing. I mean, I really kind of had to laugh 'cause, you know, the word I'll use to describe Facebook's responses is chutzpah. I want to use a different term, but I'm not going to for our family-friendly podcast.

But my thought was, they have a lot of, you know, what, and I don't mean that in a positive way in this case. So yeah, this really blew me away that they've even introduced this product, and it will be interesting to see. They might get away with it here in the States, just because we all know how, outside of California, the US tends to operate, but I don't think Europe's gonna have much patience for this.

Peter: Yeah, a hundred percent agree. And Debbie, to your point, like this was inevitable. But Dan, I think you're right. Like this is going to be a no-fly in Europe and I'm hoping it's gonna eventually be a no-fly in the US as well. We