Blog

Course 6 (out of 10) of the Microsoft Professional Program for Big Data

As I continue on my #datascience, #bigdata and #ai journey, I am pleased to have just completed my 6th course on the Microsoft Professional Program for Big Data with 84%: Delivering a Data Warehouse in the Cloud.

There are 4 more courses left on the program, and I am still on track to complete the program by my target of the end of January 2019.

Like the EU, many EU country data protection regulators don’t show cookie notices either

(Post by Patrick Lee, 28 August 2018).

Further to my previous article on the EU and cookies, here is a link to a short video “The EU website has no cookies notice”.

This can be viewed as a curiosity if the EU updates its website to include cookie notices, so that it is in line with what many (most) businesses have felt they have had to do, and some – but by no means all – country data protection regulators.

So, what ARE the country data protection regulators doing about cookies?

https://en.wikipedia.org/wiki/National_data_protection_authority has a list of data protection regulators.

This is by no means an exhaustive survey, but from the ones that I have looked at so far:

Regulators with cookie notices on their sites

UK: https://ico.org.uk/

France: https://www.cnil.fr/

Belgium: https://www.dataprotectionauthority.be/

Luxembourg: https://cnpd.public.lu/en/commission-nationale.html

Regulators with no cookie notices on their sites, despite using cookies

Germany: https://www.bfdi.bund.de

Ireland: https://www.dataprotection.ie/

Italy: https://www.garanteprivacy.it/

Netherlands: https://autoriteitpersoonsgegevens.nl (NB it also seems very hard to find a privacy policy or cookies policy page on their site).

Sweden: https://www.datainspektionen.se/

Norway: https://www.datatilsynet.no

Iceland: https://www.personuvernd.is

Greece: http://www.dpa.gr/

Regulators with no cookie notices on their sites (but don’t seem to use cookies)

Spain: https://www.aepd.es/

Portugal: https://www.cnpd.pt/ (while searching for the site, I also found this story: “Portugal Data Protection Commission too broke to comply with GDPR“).

Some of the websites were very pleasing on the eye, others less so

It was interesting looking at the various country regulators’ websites. There was a very wide contrast in how modern the sites looked.

I have not looked at how good the sites are from a functionality point of view, but my favourite site from an aesthetic point of view was the Dutch one:

DutchDataProtectionWebsiteAug2018

I also liked the look and feel of the Icelandic and Swedish websites.

In contrast, here are a couple which looked old fashioned or a bit garish:

CNPD(Portugal)Website

DPA(Greece)WebsiteAug2018.jpg

The obvious question

If so many of the regulators don’t seem to bother with cookie notices (even when, like the EU, Germany and many others, they are using cookies), why are the rest of us spending so much time on this?

#EU #cookies #GDPR #privacy #regulation

If you haven’t yet added cookie notices, you seem to be in good company (the EU …)

GDPR and cookies: I was looking for best practice

(Post by Patrick Lee, 26 August 2018).

I was trying to answer questions from an acquaintance about cookie notices, and I went looking for examples of best practice. So I visited both the UK Information Commissioner’s Office (ICO) and the European Union (EU)’s websites. This is what I found.

The EU’s General Data Protection Regulation (GDPR) came into force across the whole of the EU just over 3 months ago, on 25 May 2018. As a result, many of you will have seen (indeed, even before May) prominent cookie notices asking you to give explicit consent when visiting websites.

The ICO’s website: looks pretty good

This cookie notice is what you see, very prominently, when you visit the UK Information Commissioner’s (ICO) website for the first time (or after clearing cookies):

ICOWebsiteCookieNotice26Aug2018

The reason for this is that cookies can be used to record personal information. Under GDPR (and this is from the ICO’s own guidance – the bold emphasis is mine):

Consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.

In other words, the ICO is implying that users need to knowingly perform an action to give consent to cookies. And that is precisely what the ICO’s own website does via its prominent cookie control notice.

To me (and I should make clear that I am not a lawyer) the ICO website does indeed appear to be very much in line with the letter and spirit of the GDPR.

The EU’s website: a very different story

What about the EU’s website, europa.eu? Remember that I visited in the expectation of seeing an example of good, or perhaps best practice.

At present, the EU’s website, http://europa.eu, doesn’t give visitors any notice or prominent indication that it is storing cookies on their device.

This is what you see the first time you go to http://europa.eu (or if you have cleared cookies). Notice, as well as the absence of any cookie notice, the “Not secure” warning from Google Chrome. This seems to be because, unlike the ICO, the EU website does not (initially at least) redirect users to the secure version of their website (https://europa.eu):

EUWebsiteInsecureAsAt26Aug2018

If you click on English as your desired language, you then see (notice that the site has now at least redirected me to its secure version):

EUWebsiteAfterSelectingEnglishAsLanguage

There is no cookie notice, or prominent link to information about what cookies it stores and what their purpose is. You have to look in the top right or scroll right down to the bottom of the page to see links to Cookies and Privacy policy.

EU Cookies page says they “may” store cookies

The Cookies page says that they may use cookies (amongst other reasons) to record whether visitors have agreed (or not) to the use of cookies on their site.

EUWebsiteCookiesPage

Remember that the site says it *may* use cookies. What is it actually doing by this stage? If you are using Google Chrome, you can see which cookies a site is storing on your device by using Ctrl + Shift + I to bring up the developer tools. Then click on the Application tab from the top, and click and expand the Cookies link on the left and click on the name of the site you are visiting.

By this stage, I had decided to look at the site’s Privacy Policy page, and this is what came up:

EUPrivacyPolicyPageOnFirstVisit26Aug2018

So while the site’s Cookies page says that it “may” store cookies, or (at the top) “we sometimes place” (them) on your device, it has already stored 4 cookies. In fact it stored 2 cookies when I opened the home page, and the third, has_js, when I clicked on the link to use English as my desired language. The 4th, PIWIK_SESSID, appeared when I went to the Privacy Policy page.

The privacy policy page says that by default website visitors are tracked using cookies from Europa. Rather than (as recommended by the UK Information Commissioner’s Office guidance) asking for explicit consent (in other words, an explicit opt-in), notice that the EU has chosen to rely on an implicit opt-in, i.e. you have to untick the box to opt out:

By default, website visitors are tracked using the first-party persistent cookies from Europa. You may choose not to be tracked by Piwik (opt-out). If you change your mind, you can choose to be tracked again by Piwik (opt-in).

Notice again the PIWIK_SESSID cookie. That seems to be the tracking cookie that the EU is referring to.

Let’s try opting out

But what happens if you decide to opt out? Does the EU’s site do what it says it will do? When you first visit the Privacy Policy page, the Piwik cookie is stored on your PC. The privacy page says that you are opted-in to be tracked by Piwik, but that you can choose not to have a unique web analytics cookie stored on your device, presumably the Piwik cookie that has just been stored. So let’s try opting out by unticking the “you are currently opted in” checkbox.

The site now says that you have opted out, and has an extra cookie (piwik_ignore) to record that you have opted out:

EUWebsitePrivacyPolicyPageAfterOptingOut26Aug2018

The tracking cookie is still there …

But the PIWIK cookie (PIWIK_SESSID) is still there!

Does it disappear when I go to another page on the site, e.g. the page on Personal Data Protection? No, the cookie is still there.

Perhaps it will go away if we close the browser completely and re-open it …

What if I close the browser completely and open it up again? Will the cookie have disappeared? Apparently not!

EUPrivacyPolicyPageAfterClosingAndReopeningChromeAsAt2013On26Aug2018

It’s not just Google Chrome: similar things happen if you open the site in a different browser, Microsoft Edge.

Conclusion

My conclusion? Again, I am not a lawyer, but I think it is not clear whether the EU website complies with the GDPR (its own regulations) at the moment:

  • there is no prominent cookie notice when you visit the site
  • you have to explicitly opt out of being tracked
  • even when you do opt out, contrary to what the site says, the same or very similar cookie that is used for tracking is still there.
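
The manual DevTools check behind the last two points can be automated by replaying the cookies seen at each step of a visit. The script below is an added example, not part of the original post: it replays a constructed log of the visit described above and flags cookies stored before any consent action and tracking cookies still present after an opt-out. The cookie names `has_js`, `PIWIK_SESSID` and `piwik_ignore` come from the post; `cookie_a`, `cookie_b`, all cookie values and all attributes (`Path`, `Max-Age`) are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed replay of the visit described in the post: (step, action, Set-Cookie lines).
# has_js, PIWIK_SESSID and piwik_ignore are named in the post; cookie_a and cookie_b,
# every value and every attribute are placeholders invented for this example.
OBSERVED = [
    ("home page", None, ["cookie_a=1; Path=/", "cookie_b=1; Path=/"]),
    ("select English", None, ["has_js=1; Path=/"]),
    ("privacy policy", None, ["PIWIK_SESSID=abc123; Path=/; Max-Age=86400"]),
    ("untick opt-in box", "opt_out", ["piwik_ignore=1; Path=/; Max-Age=63072000"]),
    ("personal data protection", None, []),
    ("reopen browser", "restart", []),
]
TRACKING = {"PIWIK_SESSID"}      # cookies this audit treats as tracking
OPT_OUT_MARKER = "piwik_ignore"  # records the visitor's choice, so it is not flagged


def audit(session):
    """Replay the session and return (findings, names left in the jar)."""
    jar = {}            # cookie name -> True when persistent (Max-Age or Expires set)
    consented = False   # set only by a "consent" action; the observed visit has none
    opted_out = False
    findings = []
    for step, action, headers in session:
        if action == "restart":   # closing the browser drops session cookies only
            jar = {name: keep for name, keep in jar.items() if keep}
        consented = consented or action == "consent"
        opted_out = opted_out or action == "opt_out"
        for header in headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                max_age = morsel["max-age"]
                if max_age and int(max_age) <= 0:   # server-side deletion
                    jar.pop(name, None)
                    continue
                jar[name] = bool(max_age or morsel["expires"])
                if not consented and name != OPT_OUT_MARKER:
                    findings.append((step, "set-before-consent", name))
        if opted_out:
            for name in sorted(TRACKING.intersection(jar)):
                findings.append((step, "tracking-after-opt-out", name))
    return findings, sorted(jar)


if __name__ == "__main__":
    for finding in audit(OBSERVED)[0]:
        print(finding)
```

An opt-out response that also expires the tracking cookie (for example a `Max-Age=0` line for `PIWIK_SESSID` at the opt-out step) clears the second kind of finding.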

(Article dated 26 August 2018). #GDPR, #EU #Cookies #Privacy

Course 5 (out of 10) of the Microsoft Professional Program for Big Data

As I continue on my #datascience, #bigdata and #ai journey, I am very pleased to have just completed my 5th course on the Microsoft Professional Program for Big Data with 98%: Introduction to NoSQL Data Solutions.

There are 5 more courses left on the program, and this means I am still on track to complete the program by my target of the end of January 2019.

President’s Award for input on the topic of data science

I am delighted to have received a President’s Award for input on data science from outgoing Institute and Faculty of Actuaries President Marjorie Ngwenya, FIA at yesterday’s AGM at Staple Inn in London.

The IFoA is a tremendously vibrant organisation and I believe IFoA and other actuaries have an important role to play in helping businesses and organisations make the most from the torrents of data becoming available, whilst also helping protect consumers from unethical use of such data. In particular, I am very pleased that the IFoA is collaborating with the Royal Statistical Society in the vital area of the ethical use of data in data science. (For example, a joint event was held earlier this month on the Industrialisation and Professionalisation of Data Science.)