tag:econsultancy.com,2008:/topics/legal-and-regulations Latest Legal content from Econsultancy 2016-08-25T14:24:00+01:00 tag:econsultancy.com,2008:BlogPost/68215 2016-08-25T14:24:00+01:00 2016-08-25T14:24:00+01:00 Are regulations impeding financial services innovation? Patricio Robles <p>As <a href="http://www.ft.com/cms/s/0/66c75f74-6790-11e6-ae5b-a7cc5dd5a28c.html">detailed by</a> The Financial Times, BBVA is asking the European Commission to make changes to the bonus cap rules, which apply to employees who are "material risk takers" or earn more than €500,000 per annum.</p> <p>BBVA says that the bonus cap rules are making it difficult to compete and innovate, and that they should be amended.</p> <p>Specifically, BBVA would like to see that they're not applied to technology specialists, which the bank notes have seen their compensation increase but who don't expose the bank to the type of risks traders do.</p> <p>"In some cases we compete against US banks or tech companies on acquisitions. Their bonuses are not capped, so we may lose out," BBVA's digital M&amp;A chief, Juan López Carretero, told the FT.</p> <blockquote> <p>If you can design an app so a payment is done in two clicks instead of eight clicks that is valuable but it isn’t putting the bank at risk.</p> </blockquote> <p>BBVA is considered one of the more tech-friendly large banks.</p> <p>It <a href="https://www.bbva.com/en/news/economy/corporate/finance/bbva-acquires-simple-to-accelerate-digital-banking-expansion/">acquired Simple</a>, a US banking startup, for $117m in 2014, <a href="https://www.bbva.com/en/news/general/bbva-acquires-finnish-banking-start-holvi/">and Finnish business banking startup Holvi</a> in March. </p> <p>BBVA has invested in a number of financial services startups, including <a href="http://www.ft.com/cms/s/0/b71ad596-91f3-11e5-94e6-c5413829caa5.html">UK mobile bank Atom</a>, and earlier this year it <a href="http://www.americanbanker.com/news/bank-technology/whats-behind-restructuring-of-bbvas-fintech-venture-fund-1079319-1.html">created an independent venture firm</a>, Propel Venture Partners, to "invest in technology-driven companies that are Rethinking and Rebuilding financial services."</p> <p>With more and more <a href="https://econsultancy.com/blog/67919-five-fintech-start-ups-aiming-to-replace-traditional-banking">startups looking to disrupt traditional banking</a>, rules that make it more difficult for banks like BBVA to recruit top tech talent or acquire promising young companies would indeed appear to be a legitimate concern.</p> <p>But big banks shouldn't fall into the trap of believing that the ability to open their wallets more freely is the key to thwarting would-be disruptors and spurring innovation.</p> <p><strong>First,</strong> in the battle for talent, <a href="https://techcrunch.com/2015/06/25/a-closer-look-at-the-silicon-valley-vs-wall-street-talent-war/">it's not all about money</a>.</p> <p>Many of those who are choosing Silicon Valley over Wall Street and The City aren't doing so just because they see the opportunity to make more money.</p> <p>Big banks are seen by many as stodgy and bureaucratic, making them less attractive for job seekers looking for opportunities that will give them the ability to do interesting work and make an impact.</p> <p>Additionally, the financial services industry's reputation hit post-2008 hasn't helped matters.  </p> <p><strong>Second,</strong> as far as acquisitions and partnerships are concerned, banks will need to prove that they can integrate with the upstarts they acquire and partner with.</p> <p>BBVA appears to be on the right track in this regard <a href="https://www.finextra.com/newsarticle/28693/simple-to-move-customer-accounts-to-bbva-compass-platform">thanks to investment in APIs</a>, but it's still very early in the game and it's not clear that large financial institutions will be able to acquire or partner their way to success.</p> <h3>Regulation to the rescue?</h3> <p>Ironically, regulation might soon provide some relief for banks under attack from fintechs.</p> <p>Their rapid rise has not gone unnoticed by regulators and it's possible that fintech upstarts will soon find themselves subject to much greater scrutiny.</p> <p>For example, in the US, state and federal regulators, including the FDIC, <a href="http://www.wsj.com/articles/greater-scrutiny-looms-for-bank-online-lender-rent-a-charter-deals-1471824803">are eyeing new guidelines</a> that would allow greater oversight of online lenders.</p> <p>If they become subject to more regulation, these upstart non-bank lenders could see many of the advantages they've used to gain market share slip away, making it easier for banks to compete for loan business once again.</p> <p>That could be good news for banks, at least in the short-term, but even if fintechs are saddled with new regulatory burdens, the reality is that <a href="http://www.americanbanker.com/news/bank-technology/what-do-millennials-want-from-banks-everything-nothing-whatever-1079945-1.html">consumer behavior and expectations have changed and continue to change</a>.</p> <p>Banks that want to thrive will need to address this and they can't do that with money alone.</p> tag:econsultancy.com,2008:BlogPost/68108 2016-08-02T12:30:00+01:00 2016-08-02T12:30:00+01:00 Brexit and the Digital Single Market: Three ways forward Todd Ruback <h3>Brexit, data protection and the Digital Single Market</h3> <p>The people have collectively spoken and now policy makers need to forge a path forward that honours the will of the people, while also ensuring the UK’s access to the all important EU economic market – especially the digital market and this is no easy task.</p> <p>The UK’s decision to leave the European Union comes just on the heels of the passage of the EU’s General Data Protection Regulation (GDPR), a massive piece of legislation that aims to give control over personal data back to the individual through a series of new codified rights.</p> <p>The GDPR is a pan-European law that will add certainty for companies selling their wares to EU citizens.</p> <p>More importantly, it is the foundation of the <a href="http://ec.europa.eu/priorities/digital-single-market_en">Digital Single Market</a>, a strategic European initiative that aims to create fertile conditions for European-based innovation that will add billions of Euros to the overall economy, the UK included, while creating countless jobs.</p> <p><iframe src="https://www.youtube.com/embed/mTeqrJJPkfg?wmode=transparent" width="560" height="315"></iframe></p> <p><em>As well as increasing access to goods and services, the Digital Single Market will also improve networks and drive economic growth</em></p> <p>The UK’s pending exit from the EU puts it at risk of not participating in the Digital Single Market unless another option can be implemented.</p> <p>Here are three possible paths forward, none of them straightforward, but paths nonetheless.</p> <h3>Three paths forward</h3> <p><strong>1. UK adopts GDPR</strong></p> <p>The UK can adopt the GDPR as its own national data protection legislation, but then would still be left with the dystopian act of applying – upon a politically bended knee – to the EU to be granted “adequacy” status, which is legal jargon recognising that your data protection law offers the equivalent level of protection that the GDPR provides.</p> <p>If you receive “adequacy”, as countries like Canada and Argentina have been granted, then data can flow between the two economies freely.</p> <p>At issue is whether political egos will get in the way of applying for “adequacy” designation, and that is impossible to predict.</p> <p><strong>2. Be Switzerland </strong></p> <p>A second path forward would be for the UK to follow the Swiss model and negotiate a series of critical trade agreements with the EU that will allow the UK access to the EU digital market.</p> <p>While a series of one-off trade agreements may require a lot of heavy lifting and must be done quickly, it is important to remember that reciprocal access by the EU to the UK economy, the second largest in the EU after Germany, is important to the EU.</p> <p><strong>3. EEA Membership</strong></p> <p>A third path forward may be the simplest and could represent a balanced approach that would both honour the collective will of UK citizens, while still providing access to the EU Digital Single Market.</p> <p>Namely, the UK could apply to become part of the European Economic Area (EEA), a 1994 agreement that opens the EU market to non-member states under certain situations.</p> <p>Norway is the prime example, but there are technical considerations that I am not qualified to comment on that still must be met before a country can join the EEA, and like the first option, could result in an unbalanced relationship since membership is contingent upon meeting EU mandated and monitored requirements.</p> <h3>Riveting but serious </h3> <p>The UK political theatre playing out in front of us is riveting, especially for an American privacy wonk such as myself.</p> <p>But its entertainment value is far outweighed by the economic seriousness that portent if cool heads don’t negotiate a way forward.</p> <p>I know some of these cool heads, both in London and Brussels, and am confident that they will find that path forward that honours the democratic will of the referendum, while also fostering conditions for joint economic prosperity.</p> <p>It’s in everyone’s best interest.</p> <p><em>More on Brexit and the UK's digital economy:</em></p> <ul> <li> <a href="https://econsultancy.com/blog/68003-ecommerce-in-the-uk-post-brexit-positives-negatives-opportunities/">Ecommerce in the UK post-Brexit: Positives, negatives &amp; opportunities</a> </li> <li> <a href="https://econsultancy.com/blog/68001-how-will-brexit-impact-digital-businesses-and-marketers/">How will Brexit impact digital businesses and marketers?</a> </li> <li> <a href="https://econsultancy.com/blog/68099-three-ways-uk-retailers-can-utilise-the-post-brexit-gbp-drop-to-target-international-customers/">Three ways UK retailers can utilise the post-Brexit GBP drop to target international customers</a> </li> </ul> tag:econsultancy.com,2008:BlogPost/68067 2016-07-15T14:27:00+01:00 2016-07-15T14:27:00+01:00 Is ad fraud the 21st century drug trade? Patricio Robles <p>The Senators are concerned that ad fraud, which is estimated to be costing advertisers billions annually, could eventually lead companies to pass the costs of fraud on to consumers in the form of higher prices.</p> <p>They are also concerned that as fraudsters flood the online ad market, consumers will be at greater risk of having personal information stolen and abused.  </p> <blockquote class="twitter-tweet"> <p lang="en" dir="ltr">Here's an amazing fact: by 2025, the digital ad market could be 2nd only to drug trafficking as largest revenue source for organized crime</p> — Mark Warner (@MarkWarner) <a href="https://twitter.com/MarkWarner/status/752512068562063360">11 de julio de 2016</a> </blockquote> <h3>The role of programmatic</h3> <p>While digital ad fraud has been around in some form or another since digital ads first appeared, it appears to be becoming more lucrative and complex.</p> <p>There's more digital ad inventory than ever, and many advertisers are pouring more and more money into digital spend. At the same time, publishers and advertisers have embraced <a href="https://econsultancy.com/reports/the-cmo-s-guide-to-programmatic">programmatic</a> ad buying.</p> <p>According to Senator Mark Warner of Virginia, this makes for a dangerous combination. <a href="http://www.wsj.com/articles/senators-urge-ftc-to-examine-ad-fraud-1468231200">He told</a> the Wall Street Journal... </p> <blockquote> <p>This is a $60 billion industry, and some of the fraud numbers suggest that 10% of that is being wasted. And you’re seeing some of the same tools [we saw] in stock manipulation. This needs to be looked at.</p> </blockquote> <p>Warner likens the ad fraud problem to the 2008 financial crisis, and suggests that "some of the tech community has swept this under the rug," though he admits that he and other lawmakers have a lot to learn about the subject before the possibility of legislation should be put on the table.</p> <p><strong>But is ad fraud really a problem that can legitimately be compared to drug trafficking? That isn't so clear.</strong></p> <p>The industry is <a href="https://econsultancy.com/blog/67660-what-can-prevent-ad-fraud-we-ask-an-ad-tech-ceo">well aware of the issue</a>, and many parties are working to mitigate it.</p> <p>The good news is that digital advertising is one of the most accountable forms of advertising, so prudent advertisers have many opportunities to ensure that they're not being taken for a ride.</p> <p>So what explains the fact that advertisers are estimated to be spending billions on fraudulent ads that aren't being seen by real people? It's simple: in most cases, ad prices reflect advertisers' knowledge that fraud and <a href="https://econsultancy.com/blog/67076-the-rise-and-rise-of-ad-blockers-stats">ad blockers</a> will prevent 100% viewability.</p> <p>As former brand marketer Rick Webb <a href="https://econsultancy.com/blog/66712-former-brand-marketer-banner-ads-suck-but-they-re-great">explained last year</a>...</p> <blockquote> <p>We’ll spend a million bucks on a literal f**k ton of banners (I mean, just billions of the things, it’s crazy). And then we’ll do targeted brand sentiment and purchase-intent surveys using our internal peeps, online along with companies like Nielsen and Foresee, and offline with a bunch of (really quite awesome) companies you’ve never heard of. Then we’ll see whether the banners moved the needle, and if they did (and they often do), we’re happy.</p> </blockquote> <p>In other words, <a href="https://econsultancy.com/blog/67632-why-chasing-after-100-viewability-makes-no-sense-for-advertisers">100% viewability isn't required</a> to run profitable campaigns, and sophisticated advertisers are more than capable of factoring viewability into their considerations when determining how much they should pay for ads.</p> <h3>The bigger problem?</h3> <p>Obviously, this doesn't mean that ad fraud isn't a problem worth addressing, but the idea that ad fraud, and programmatic ad fraud in particular, is going to create a Wall Street-like crisis that threatens the digital advertising ecosystem seems far-fetched.</p> <p>If anything, lawmakers and regulators should be more concerned about how fraudsters <a href="https://econsultancy.com/blog/67924-is-facebook-doing-enough-to-prevent-fraudulent-ads">are using digital ads to target consumers</a>. Long-term, that is perhaps the biggest threat to digital advertising that publishers and advertisers should be most concerned about.</p> <p><em>Want to know more, why not attend <a href="http://conferences.marketingweek.com/mc/programmatic/getwiththeprogrammatic">Get With the Programmatic</a>, Marketing Week and Econsultancy's one-day conference on 21st September in London, to hear from brand and agency experts.</em></p> tag:econsultancy.com,2008:BlogPost/67923 2016-06-09T14:43:00+01:00 2016-06-09T14:43:00+01:00 Influencer marketing is becoming a joke: What can brands do about it? Patricio Robles <p>That dark side was on display for all to see recently when Scott Disick, a television personality best known for his relationship with reality TV star and socialite Kourtney Kardashian, was caught posting an ostensibly paid promotion for Bootea protein shakes.</p> <p><img src="https://assets.econsultancy.com/images/resized/0007/5705/oops-blog-flyer.jpg" alt="" width="415" height="738"></p> <p>As the screenshot above demonstrates, Disick's Bootea Instagram post was about as far from authentic as is possible and not surprisingly, Disick was subsequently teased and lambasted for his embarrassing faux pas.</p> <p>Brands should take note and heed the following advice to ensure their influencer marketing campaigns don't become a joke.</p> <h3>1. Align your brand with the right influencers</h3> <p>With 16.4m Instagram followers, Scott Disick's ability to reach a large number of people is hard to dispute.</p> <p>But why would Bootea, a health and wellness brand, align itself with a celebrity who is known for his hard-partying ways and who has made headlines for his struggles with drug and alcohol abuse?</p> <p>While Disick shouldn't be shamed for those struggles, it's hard not to think that Bootea would have been better off aligning itself with influencers whose lifestyles are more consistent with its values.</p> <p>Long-term, that is a much safer bet.</p> <h3>2. Think bigger than paid posts</h3> <p>For obvious reasons, paid posts are not going away.</p> <p>But any good influencer campaign should be more thoughtful and comprehensive than paid posts that are the social web equivalent of product placement.</p> <p>The reason for this is that paid posts alone are probably not going to move the needle, especially if those paid posts are not compelling and not clearly aligned with the influencer's persona. </p> <h3>3. Trust your influencers</h3> <p>If a brand can't trust an influencer to write his or her own 140-character tweet or caption for an Instgram post, the influencer relationship needs to be reassessed.</p> <p>Influencer content, even when paid for, should at least <em>appear</em> to be somewhat authentic.</p> <p>Here, an influencer was directed to publish a post referencing a morning protein shake in the afternoon. #fail</p> <h3>4. Co-create, and demand more</h3> <p>Naturally, brands are going to want to have some say in what influencers post.</p> <p>But a brand shouldn't have to direct an influencer to write something as simple as "Keeping up with the summer workout routine..."</p> <p>Instead, they should <a href="https://econsultancy.com/reports/influencing-the-influencers-the-magic-of-co-created-content">co-create content</a> with their influencers to ensure that they stay on message without compromising the influencer's authenticity and creativity.</p> <p><img src="https://assets.econsultancy.com/images/0007/5752/disick.jpg" alt="" width="578" height="370"></p> <p>And they should demand the latter to ensure that they don't get lazy, uninspired content like the above, which is another paid post Disick published for Bootea several weeks ago.</p> <p>Note the similarity to the botched paid post, and the fact that neither post even suggests that Disick is actually using the product. There isn't a glass in sight in either photo.</p> <h3>5. Don't ignore the rules</h3> <p>Although Disick fixed his Instagram faux pas and included the hashtag #ad to identify his post as a paid advertisement, brands looking to ensure their influencer marketing campaigns don't fail should remember not to ignore <a href="https://econsultancy.com/blog/67368-what-advertisers-need-to-know-about-the-ftc-s-new-guidance-on-native-ads/">the guidances provided by the Federal Trade Commission</a> vis-à-vis advertising disclosures.</p> <p>While the FTC obviously can't take action against every violator, <a href="https://www.ftc.gov/news-events/press-releases/2016/03/lord-taylor-settles-ftc-charges-it-deceived-consumers-through">the agency recently settled</a> with Lord &amp; Taylor after alleging that the retailer, among other things, paid Instagram fashion influencers to post pictures of themselves wearing a dress it sold.</p> tag:econsultancy.com,2008:BlogPost/67924 2016-06-07T14:22:00+01:00 2016-06-07T14:22:00+01:00 Is Facebook doing enough to prevent fraudulent ads? Patricio Robles <p>As <a href="https://medium.com/@hunchly/bait-and-switch-the-failure-of-facebook-advertising-an-osint-investigation-37d693b2a858">detailed on his blog</a>, Seitz stumbled onto this subject after noticing a provactive ad related to professional hockey player Sidney Crosby. </p> <p><img src="https://assets.econsultancy.com/images/resized/0007/5753/fbad-blog-flyer.png" alt="" width="347" height="347"></p> <p>Seitz observed that the URL associated with the ad, ctvnews.ca, belongs to a reputable Canadian news outlet, so he clicked on the ad.</p> <p>He found himself on a website that resembled ESPN.com, not ctvnews.ca, but the domain, espn.l1dh.com, was dubious.</p> <p>Scrolling down, Seitz found a number of ads for supplements:</p> <p><img src="https://assets.econsultancy.com/images/resized/0007/5754/fbspoof-blog-flyer.png" alt="" width="358" height="344"></p> <p>At the bottom of the page were apparent testimonials, presented in the format of an embedded Facebook Comments Plugin, but it wasn't genuine.</p> <p>Instead, Seitz discovered that the creator of the page had taken photos of real people and attributed fake comments to them.</p> <p>Seitz concluded:</p> <blockquote> <p>Clearly someone has figured out how to game the Facebook system in order to run ads that look like they lead one place (ctvnews.ca) and ultimately lead to somewhere vastly different.</p> <p>Not only that but they are repeatedly using trademarked names, terms, and false information to sell product. This violates a number of Facebook advertising policies.</p> <p>My guess is that you sign up for the “Free Trial” and you are going to get dinged once a month for life. Or worse.</p> </blockquote> <p>Using Hunchly, Seitz decided to see if he could figure out how common this was.</p> <p>He quickly identified another Facebook ad on a page he had viewed months ago, this one also appearing suspicious and being associated with the URL of a legitimate Canadian news organization. </p> <p>This ad, which also eventually led to a landing page hosted on a suspicious domain, used Google's URL shortening service, so Seitz was able to determine that in a very short period of time, the shortened URL saw 26,812 clicks, at least nearly half of which originated on Facebook.</p> <p>The worrisome implication...</p> <blockquote> <p>...fraudsters can create ads that appear to point to legitimate sites, and then drive tens of thousands of clicks through to their landing pages.</p> <p>Facebook apparently is asleep at the wheel, and sadly, I feel that the general Facebook user and consumers as a whole are being victimized because of it.</p> </blockquote> <p>In an attempt to verify this, Seitz himself set up a Facebook ad campaign for Hunchly and specified that CNN.com be the display URL.</p> <p>"Surely they must catch the fact that the destination URL is not even close to the displayed URL. Surely they must see how bad this would be for the average consumer or Facebook user."</p> <p>But that wasn't the case. To Seitz's amazement, the ad was approved.</p> <p><img src="https://assets.econsultancy.com/images/resized/0007/5756/fbad2-blog-flyer.png" alt="" width="405" height="378"></p> <h3>What gives, Facebook?</h3> <p>While Seitz's proposed solution for this problem, checking to ensure that the landing page domain matches the display domain, is probably too simplistic to be viable, his investigation does raise serious questions about how well Facebook is policing ads.</p> <p>Certainly, the apparent ease with which advertisers can use display URLs referencing popular news sites is hard to understand.</p> <p>As Seitz noted,<strong> "If you tried this in Google AdWords, you would be laughed right out of your account."</strong></p> <p>One commenter suggested that the apparent fraud Seitz discovered only scratches the surface.</p> <p>"I'm afraid you have no idea how black (hint: think Archer) the black hat advertising on Facebook can go, this is not even the tip of the iceberg," he wrote.</p> <p>Others on Hacker News <a href="https://news.ycombinator.com/item?id=11839603">suggested</a> much the same thing, with one person even <a href="https://news.ycombinator.com/item?id=11841815">claiming</a> that "an affiliate acquaintance I met once bribed a Facebook employee, who set his account to autoapprove any ad he wanted.</p> <blockquote> <p>He used this to advertise Google Is Hiring: Work from Home credit card rebill offers. He told me he made $80,000 in the four days it took Facebook to discover it.</p> </blockquote> <p>Obviously, in its defense, Facebook, as one of the largest players in online advertising, has a tough job.</p> <p>Keeping up with scammers and advertisers looking to bend the rules to exploit its massive audience will realistically be an ongoing process, and Facebook isn't going to catch every black or gray hat tactic before it gets employed successfully.</p> <p>But as with any ad company, Facebook faces an inherent conflict: even though it has good reason not to let bad ads overtake its network, it still profits from them.</p> <p>The company's revenue grew a whopping 57%, from $3.3bn to $5.2bn, in the first quarter of the year, so the stakes are high. </p> <p>And with Facebook <a href="https://www.facebook.com/business/news/facebook-powered-ads-for-more-people">extending its Audience Network to show ads to non-Facebook users</a>, the stakes will soon be even higher for Facebook, legitimate advertisers and consumers alike.</p> tag:econsultancy.com,2008:BlogPost/67784 2016-04-27T11:06:15+01:00 2016-04-27T11:06:15+01:00 EU data laws: An update on GDPR & Privacy Shield Todd Ruback <p>The controversial Apple and FBI matter – where the FBI sought to compel Apple to unlock an old iPhone model as part of a domestic terrorism investigation – has already become old news.</p> <p>In the EU, terrorism in Brussels and Paris is forcing uncomfortable and morally difficult conversations about security, privacy, and fundamental human rights. </p> <p>While I am optimistic that we will arrive at a good place, the EU is enacting a flurry of powerful new privacy laws that will impact us all.</p> <h3>General Data Protection Regulation (GDPR)</h3> <p>On the 14<sup>th</sup> April 2016, the EU Parliament <a href="https://econsultancy.com/blog/67540-what-is-the-eu-general-data-protection-regulation-gdpr-why-should-you-care/">formally adopted the GDPR</a>; another legislative step in the multi-year process to overhaul the EU’s disparate data protection laws. </p> <p>The next step will be for the GDPR to be officially published, translated, and put to print in the Official Journal of the European Union, hopefully by June.</p> <p> Just 20 days following that, the two-year countdown to the GDPR taking effect will commence. </p> <p>As the GDPR winds its way through the end of this legislative process, it’s important to note how much work organisations will have to complete during this small two-year window. </p> <p>It will strengthen the individual’s control over their personal data by new rights that will be bestowed upon EU citizens, such as the right to data portability and the right to be forgotten (erasure).</p> <p><img src="https://assets.econsultancy.com/images/0007/4342/The_EU.jpg" alt="" width="800" height="600"></p> <p>On the flip side, organisations will have new codified obligations to honour the individual’s rights, and these obligations will force companies to create new privacy-centric business processes – no easy task in the best of times. </p> <p>For example, the quaint notion of “bundled” consent – those dense, unreadable Terms and Conditions buried in the footer of a site that say use of the website constitutes consent to the company’s data practices – is non-existent. </p> <p>In it’s place, companies are going to have to give prominent notice and obtain a user’s consent when a person visits their website.</p> <p>Other changes include more transparent privacy policies and the requirement to have processes for a person to access, review, and correct their personal data, as well as request that data can be easily transferred or taken from one service provider to another.</p> <p>All of this, and more, needs to be considered, created, tested, and put in place by the time the GDPR takes effect. That means you need to start now.</p> <p><strong>Why is this important?</strong> </p> <p>Namely because the EU’s data protection authorities have enhanced new enforcement powers that include the ability to penalise an organisation up to €20m or 4% of it’s annual global turnover, whichever is greater.</p> <h3>Privacy Shield </h3> <p>While the GDPR’s impact will be huge, at the same time, the evolution of the digital world continues to sprint forward. </p> <p>Similar to the Berlin Wall, digital borders have come crashing down; allowing for the natural flow of data between Member States but also between the EU and US, its largest trading partner. </p> <p>Both economies are in fact dependent upon this fundamental notion. </p> <p>However, the fledgling Privacy Shield – a heavily negotiated replacement to <a href="https://econsultancy.com/blog/67144-safe-harbor-2-0-an-update-on-eu-privacy-law/">the invalidated US Safe Harbor Program</a> – recently received a tepid review by the Article 29 Working Party (WP29).</p> <p><img src="https://assets.econsultancy.com/images/0007/4343/safe_harbor.png" alt="" width="351" height="144"></p> <p>The Privacy Shield at the highest level is a mechanism that allows organisations to transfer personal data about EU citizens to companies in the US. </p> <p>It’s needed because the EU, for a host of reasons, has not recognised the US as a country that has “adequate” data protection laws, although the US does in fact heavily regulate data protection through a variety of laws and robust enforcement. </p> <p>But because of this political fact, a negotiated agreement that created a mechanism needed to be put in place, thus the Safe Harbor Program (which became obsolete), and now the Privacy Shield.</p> <p>Although many thought-leaders have concluded that the Privacy Shield provides essentially equivalent levels of data protection as EU law, the WP29 has chosen a more cautious route, one that whilst not rejecting it, also doesn’t endorse it. </p> <p>I anticipate the Privacy Shield will be heavily challenged in the EU courts, but that it will ultimately prevail. </p> <p>Any other result would have a tremendous negative impact on both economies, which no reasonable person could want.</p> <h3>ePrivacy Directive </h3> <p>On the 12<sup>th</sup> April 2016, the European Commission began its comprehensive review of <a href="https://econsultancy.com/reports/the-eu-cookie-law-a-guide-to-compliance/">the ePrivacy Directive</a>. </p> <p>Some call it the cookie law, which requires companies to give notice and get consent before they use any sort of tracking technologies or analytics tools when you visit their sites. </p> <p>The Directive also restricts how telecom providers can treat or move electronic communications. The review aims to close any potential gaps between the ePrivacy Directive and the GDPR.</p> <p>As a stakeholder in the process, I am aware how important it is to get it right. </p> <p>Of concern to me is the separate notice and consent requirement the ePrivacy Directive has from the GDPR. </p> <p>But I am also confident that the distinct transparency requirements between the two laws can be merged so the consumer can be well informed and make meaningful decisions that are best for themselves.</p> tag:econsultancy.com,2008:BlogPost/67743 2016-04-15T14:14:27+01:00 2016-04-15T14:14:27+01:00 The five announcements from Facebook's F8 conference that you need to know about Patricio Robles <h3>Messenger Platform</h3> <p><a href="https://econsultancy.com/blog/67551-private-messaging-is-social-s-next-big-ad-frontier">Private messaging is social's next big ad frontier</a> and talk of <a href="https://econsultancy.com/blog/66234-is-facebook-about-to-open-messenger-to-content-producers-brands">Facebook opening its Messenger app to brands</a> has been circling for more than a year.</p> <p>One of the biggest announcements at the F8 conference was <a href="http://newsroom.fb.com/news/2016/04/messenger-platform-at-f8/">the beta launch of Messenger Platform</a>, which allows third parties to develop <a href="https://econsultancy.com/blog/67697-does-the-rise-of-messaging-apps-mean-brands-need-a-bot-strategy">bots</a> that interact with Messenger's 900m users. </p> <p><img src="https://assets.econsultancy.com/images/0007/3950/how-to-search-for-bots-on-messenger.jpeg" alt="" width="249" height="483"></p> <p>According to David Marcus, Facebook's VP of Messaging Products...</p> <blockquote> <p>Bots can provide anything from automated subscription content like weather and traffic updates, to customized communications like receipts, shipping notifications, and live automated messages all by interacting directly with the people who want to get them.</p> </blockquote> <p>Facebook has created a number of discovery tools to help users find bots that may be of interest to them, and users will have the ability to block communications that are unwanted.</p> <p>Facebook says it has established strict review and oversight policies to ensure that brands don't abuse its <a href="https://messengerplatform.fb.com/">Messenger Platform</a>.</p> <h3>Facebook Live API</h3> <p><a href="https://econsultancy.com/blog/67712-seven-helpful-tips-for-livestreaming-success">Livestreaming</a> is the subject of a lot of buzz today, and Facebook believes that it's a meaningful trend.</p> <p>The social network <a href="https://econsultancy.com/blog/67603-what-marketers-need-to-know-about-facebook-s-livestreaming-push">is pushing to be a livestreaming leader</a>, so it's no surprise that Facebook has built a Live API, which <a href="https://media.fb.com/2016/04/12/introducing-the-facebook-live-api/">it unveiled at F8</a>.</p> <p>Thanks to the Live API, publishers wanting to broadcast directly to Facebook can work with Facebook's Media Solutions partners, and access advanced capabilities, such as the ability to mix multiple video and audio sources and to combine the Live API with Facebook's Graph API to access live video comments, reactions, and mentions in real-time.</p> <p>According to Facebook, "You can use this information to reflect viewer engagement in real time and create on-screen graphics that show live poll results, analyze comments, and enable comment moderation."</p> <p>The Live API will also allow hardware manufacturers to integrate with Facebook Live.</p> <p>Already, a number of camera manufacturers have taken advantage of this, and drone manufacturer DJI has integrated its GO app with Facebook's Live API so that drone pilots can stream their flights.</p> <p><img src="https://assets.econsultancy.com/images/resized/0007/3955/facebooklivedrone-blog-flyer.jpg" alt="" width="470" height="264"></p> <h3>Account Kit</h3> <p>Use of <a href="https://econsultancy.com/blog/66711-social-login-adoption-grows-despite-privacy-concerns">social login</a> has grown significantly in recent years and Facebook is aiming to make it even easier for consumers to access third-party apps with <a href="https://developers.facebook.com/blog/post/2016/04/12/grow-your-app-with-account-kit/">Account Kit</a>, a new tool that allows individuals to sign in with just a phone number or email address, even if they don't have a Facebook account.</p> <p><img src="https://assets.econsultancy.com/images/resized/0007/3956/12995596_1709301726022225_16641357_n-blog-flyer.png" alt="" width="470" height="299"></p> <p>Account Kit gives app owners the ability to customize UI and access analytics.</p> <p>Facebook also offers a backup notification option for users of its social network, which it says can help conversions...</p> <blockquote> <p>If a person chooses to sign into your app using their phone number, but doesn't receive an SMS, but does have a Facebook account, they can choose to receive a Facebook notification to complete the login process.</p> <p>We built this backup option to help increase your conversion rate by making sure people have more ways to log in if needed.</p> </blockquote> <p><a href="https://developers.facebook.com/docs/case-studies/saavn">According to</a> Facebook, music streaming app Saavn saw its daily signups grow by 33% within two months of adopting Account Kit. </p> <h3>New Sharing Tools</h3> <p><img src="https://assets.econsultancy.com/images/0007/3957/facebooksave.jpg" alt="" width="236" height="452"></p> <p><a href="https://econsultancy.com/blog/67733-the-facebook-context-collapse-how-decline-in-personal-sharing-might-affect-brands">Facebook is fighting "context collapse"</a> and to encourage more sharing, the company released a number of new sharing tools at F8.</p> <p>These include:</p> <ul> <li> <strong>Quote Sharing</strong>, which allows Facebook users to more easily share quotes they like from websites and apps.</li> <li> <strong>Hashtag Sharing</strong>, which gives users the ability to add a hashtag to content they share from apps.</li> <li>A <strong>Save Button</strong> that extends Facebook's Save functionality to third-party sites that integrate it.</li> </ul> <p>Additionally, Facebook has released <a href="https://developers.facebook.com/docs/sharing/insights">Sharing Insights</a> and an improved Sharing Debugger to help publishers better track sharing activity and manage their sharing integrations.</p> <h3>Rights Manager</h3> <p>Facebook's rise as an online video powerhouse is a double-edged sword for content owners which are increasingly grappling with copyright infringment issues on the world's largest social network.</p> <p>In an effort to address this, Facebook created <a href="https://rightsmanager.fb.com/">Rights Manager</a>, an online tool that gives content owners the ability to upload a reference library of their content, along with associated rules, so that possible violations can be identified and reported more efficiently.</p> <p>Content owners can apply for access to Rights Manager. Currently, Facebook says it is providing access based on need.</p> tag:econsultancy.com,2008:BlogPost/67540 2016-02-18T10:50:58+00:00 2016-02-18T10:50:58+00:00 What is the EU General Data Protection Regulation (GDPR) & why should you care? Nick Stringer <p>However, the next few years will see a ‘sea-change’ in privacy and data protection law: organisations face a new privacy challenge.</p> <h3><strong>Enter the EU General Data Protection Regulation (GDPR)</strong></h3> <p>Having just got used to the changes brought in by the <a href="http://www.iabuk.net/policy/briefings/updated-iab-factsheet-july-2015-the-revised-eprivacy-directive" target="_blank">revised ePrivacy Directive</a> (the so-called ‘<a href="https://econsultancy.com/reports/the-eu-cookie-law-a-guide-to-compliance/">cookie law</a>’) - replacing the ‘notice and opt out’ provisions for the use of cookies and other technologies to one based upon ‘consent’ - European policy-makers have agreed an update to the existing data protection legal framework dating back to 1995 (in the UK, the 1998 Data Protection Act).</p> <p>Known as the <a href="http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm" target="_blank">EU General Data Protection Regulation (GDPR)</a>, it is expected to be formally agreed in the coming months although won’t actually come into force until mid-2018.</p> <p>However, after nearly four years of debate and discussion in Brussels, it introduces new aspects that will require a different approach.</p> <p>It won’t overhaul existing data protection law completely but organisations need to sit up and take note now.</p> <h3><strong>So what’s new? </strong></h3> <p>There has been a wide range of debate about the new regulation: Will it place too many restrictions on the use of data? How will the ‘open’ internet fare? Is it a ‘milestone’ for the digital world?</p> <p>The devil is in the 200+ pages of text, but there are four specific changes to be aware of now:</p> <p><strong>1. It aims to deliver 'one law across one continent’.</strong></p> <p>In updating the existing framework, the policy-makers in Brussels wanted to take into account the world we live in today where vast amounts of digital information are collected, exchanged and used every second.</p> <p>They also sought to recognise that this world is global. To this extent, the new law is what is known as a ‘Regulation’.</p> <p>So, unlike the ‘cookie law', it will apply consistently across EU markets. However, in reality, many aspects are devolved to national jurisdictions.</p> <p><strong>2. It’s scope is broad. </strong></p> <p>The drafters will argue otherwise. But, with a few exceptions, all data is now ‘personal’ whether it directly identifies an individual or not.</p> <p>Therefore, in practice, a lot more data is swept up in the regulatory net.</p> <p><strong>3. The new law’s influence stretches beyond European shores in an attempt to recognise the global nature of data. </strong></p> <p>If an organisation is processing personal data about a person who is in the EU then the rules will apply regardless of where the organisation is located. </p> <p><strong>4. The penalties for a breach have been ramped up. </strong></p> <p>For serious violations the fine is €20m or 4% of annual global turnover, whichever is higher.</p> <h3><strong>A need for consistent &amp; practical EU-wide guidance</strong></h3> <p>The political necessity to find an agreement in Brussels before Christmas contributed to many aspects of ambiguity in the final text.</p> <p>But we should be used to this from policy-makers by now and, while organisations seek legal clarity, this may not be such a bad thing given what was on the table six months ago.</p> <p>While the Regulation will be done and dusted by the middle of this year, there will be a need for consistent and practical guidance across Europe, particularly on areas such as ‘consent'.</p> <p><a href="https://assets.econsultancy.com/images/resized/0007/2056/cookie_law-blog-flyer.jpg"><img src="https://assets.econsultancy.com/images/resized/0007/2056/cookie_law-blog-flyer.jpg" alt="" width="470" height="353"></a></p> <p>Working with industry, Data Protection Authorities (DPAs), such as the UK Information Commissioner’s Office (ICO), need to produce consistent EU guidance to help deliver practical, realistic and creative ways of achieving compliance.</p> <p>The experience of the ‘cookie’ law illustrates only too well that we require something that actually works for users: improving their control without interrupting their experience.</p> <h3><strong>What about the Cookie Law? </strong></h3> <p>The revised ePrivacy Directive stays in force for now.</p> <p>However, it will need to eventually align (specifically Article 5.3 regarding cookies, etc.) with the new Regulation to ensure organisations do not face ‘double-regulation'.</p> <p>There are many different views on its future and work is already underway to review it in Brussels.</p> <h3><strong>Next steps</strong></h3> <p>It is clear is that, in the next few years, the data protection and privacy landscape is going to change.</p> <p>The ICO, the UK body that will enforce the new law, has already kicked off its implementation process and it will soon have a new section of its site dedicated to this.</p> <p>It is worth organisations following this and the ICO’s updates. Those businesses and organisations that get out in front are likely to gain the advantage.</p> tag:econsultancy.com,2008:BlogPost/67144 2015-11-05T10:28:50+00:00 2015-11-05T10:28:50+00:00 Safe Harbor 2.0? An update on EU Privacy Law Todd Ruback <p>This is an important development on a number of levels. While there are other legal mechanisms that allow for the transfer of personal data outside of the EU, the Safe Harbor Program, with over 4,000 companies participating, was clearly the most popular. </p> <p>The effect of the court’s ruling was to immediately make data transfers under this program illegal. </p> <p>While some interpret the court’s ruling as politically motivated, or as wreaking havoc on a negotiated bi-lateral agreement, I see this moment as an opportunity. </p> <p>After the Snowden revelations about the NSA’s surveillance programs, our European colleagues were kind enough to enumerate 13 specific areas for improvement of the program. </p> <p>To be fair, many of them were well reasoned and I was encouraged that the Department of Commerce was open to change. </p> <p>In fact, at the time of the court’s ruling in <a href="https://en.wikipedia.org/wiki/Max_Schrems">the Schrems case</a> it was reported that the negotiators were down to a final point or two, namely the right of EU citizens to have judicial redress against US companies, and indiscriminate governmental surveillance.</p> <p><img src="https://assets.econsultancy.com/images/0006/8703/harbor.jpg" alt="" width="500" height="375"></p> <p>The court’s ruling may be just the spur to motivate the negotiators to close the gap on these last points, and I’m confident that a new understanding will emerge.</p> <p>Lost in the noise surrounding the Schrems case is a nuanced and important point that it wasn’t the framework that was invalidated, just the program. </p> <p>That means that it is subject to change and once the negotiated points are agreed upon, then the program may back in a new and improved form. </p> <p>I am hopeful that this is exactly what will occur and if it took the European Court of Justice to help us over the finish line, then they deserve a big thank you.</p> <p>Of course no one knows if Safe Harbor 2.0, as it is already being called, will indeed be born, and even if it is it may have a completely different look and feel. </p> <p>My guess is that it will be and that we can anticipate more robust monitoring and enforcement, something the FTC has already begun, and something we can all get behind. </p> <p>Some are also speculating that the Safe Harbor seal program, where approved third party providers do annual audits, may be a thing of the past.</p> <p><img src="https://assets.econsultancy.com/images/0006/8705/safe_harbor_2.0.png" alt="" width="351" height="144"></p> <p>Also, look for EU citizens securing better access to their personal data and an easier path to obtain judicial relief, an important and valid issue. </p> <p>Finally, look for a mechanism that limits certain types of governmental surveillance. </p> <p>While nobody doubts the need for governments to access data to keep citizens safe, well-reasoned policy makers also recognise the imperative to balance access to that data with citizens’ fundamental rights to privacy.</p> <p>While I hope that Safe Harbor does indeed get revamped, it is wise to prepare a Plan B, just in case it doesn’t. </p> <p>The Working Party 29, in response to Schrems, quickly convened and issued a statement reiterating that the present program is no longer a valid way to transfer data out of the EU, while also leaving the door open for a new and improved Safe Harbor to emerge. </p> <p>However, hope is not a good strategy, so the WP29 also gave clear expectations that organisations have until January 31 2016 to put in place an alternative transfer mechanism, namely either Standard Contractual Clauses or Binding Corporate Rules, both which are already on the books as approved avenues to move data. </p> <p>Implementing a Plan B, especially as we enter the end of the year, will take significant work for any company, possibly utilising outside counsel with expertise in international data transfers. </p> <p>But it is an investment well worth it as it will force us all to review our data management practices to ensure that they are still world class and that we are in fact doing what we think and say we are doing. </p> <p>In the end, this is no bad thing. </p> tag:econsultancy.com,2008:BlogPost/67032 2015-10-13T11:40:57+01:00 2015-10-13T11:40:57+01:00 The end of the Safe Harbor Agreement: What next for digital marketing? Tim Roe <h3><strong>What did the Safe Harbor agreement actually do?</strong></h3> <p>In EU law (from which the UK Data Protection Act is drawn), a Data Controller who needs to transfer data outside of the European Economic Area must do due diligence on where they intend to send the data.</p> <p>They need to satisfy themselves that the data protection will be the same or better than provided within the EU. </p> <p>It’s quite an undertaking, because if anything goes wrong it’s down to the Data Controller to prove they took all reasonable steps to ensure the data’s safety. If they can’t do that, they could well have broken the law.</p> <p>It also counts if the personal data belongs to EU Citizens and is being gathered by a non EU organisation, like Facebook for instance.</p> <p>Enter Safe Harbor, an agreement between the EU and the US that allowed any organisation agreeing to its principles to be deemed adequate in relation to data protection.  </p> <p>The principles of this agreement were developed between 1998 and 2000, with the European Commission rubber stamping the agreement in July 2000.</p> <p>This allowed EEA businesses to export data to the US with a clean conscience. It also allows US companies to process data they have gathered on EU citizens.</p> <p>So what does a US data processor need to do to belong to this exclusive crowd of data protection stalwarts?</p> <p>It might go something like this:</p> <p><strong>US data processor:</strong>          </p> <blockquote> <p>Hey Buddy, I want to join the ‘Safe Harbor’ crowd.</p> </blockquote> <p><strong>Buddy:</strong>                          </p> <blockquote> <p>Ok, you’ve got to do something first.</p> </blockquote> <p><strong>US data processor:</strong>          </p> <blockquote> <p>Right. so what might that be then?</p> </blockquote> <p><strong>Buddy:      </strong>                    </p> <blockquote> <p>See these data protection principles? Just say you agree to them.</p> </blockquote> <p><strong>US data processor:  </strong>        </p> <blockquote> <p>Is that it?</p> </blockquote> <p><strong>Buddy:</strong>                          </p> <blockquote> <p>Yep.</p> </blockquote> <p><strong>US data processor:</strong>          </p> <blockquote> <p>Ok... in that case, yes I agree, count me in!</p> </blockquote> <p>No promises, no guarantees...</p> <h3><strong>Lack of protection</strong></h3> <p>To add to the lack of substance in the 'Safe Harbor' the Court of European Justice has ruled that the agreement is invalid due to other more fundamental reasons.</p> <p>This is because, to paraphrase the court's ruling, the US authorities’ wide ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress compromise individuals’ fundamental rights to respect for private life and to effective judicial protection.  </p> <p>That suggests, that not only is EU citizens' data unsafe in the US, but US citizens are no better protected either.</p> <p>The UK Information Commissioner’s Office (ICO) has already issued a statement saying that negotiations on an updated Safe Harbor are already in an advanced stage.</p> <p>However, seeing that the Court of European Justice ruling cites a disagreement with what is a key US security policy, this process is likely to go on for some time. For now, Safe Harbor is finished.</p> <h3>What actions to take now!</h3> <p>Does this mean the end of data transfers and processing across the pond? What happens now?</p> <p>Well, apparently you don’t need to panic, because there are a number of options available for organisations that rely on transferring data to the US. Actions you could take now:</p> <ul> <li>Identify all of your personal data that goes to the US. This could be something like CRM systems or US-based service providers.</li> <li>Review the terms of the suppliers to see who relies on the Safe Harbor.</li> <li>See if you can make alternative arrangements, such as using the model contract clauses (available from the ICO website) or binding corporate rules if you are a global business.</li> </ul> <p>There are likely to be many more options and advice in the coming weeks, from organisations such as the Information Commissioner’s Office.</p> <p>Some service providers in the US have already issued new contracts including model contract clauses, which binds data protection on a contractual level.</p> <h3>What happens next?</h3> <p>At first glance, the demise of Safe Harbor will be little more than an inconvenience for many EU-based organisations.</p> <p>But, if you are a US service provider who relied on Safe Harbor to rubber stamp the gathering of EU citizens' data (such as social media platforms), things might not look so rosy.</p> <p>The only way of complying with the Data Protection Act would be to gain the specific and informed consent of the data subject.</p> <p>But, to be properly informed, the data subject would need to be told that their data was going to a country where the authorities’ wide ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress, compromise individuals’ fundamental rights to respect for private life and to effective judicial protection. </p> <p>And if they were informed, would they consent? </p> <p>And considering the Court of European Justice ruling has questioned the data protection and security regime of the United States, then no contractual agreement will satisfy the EU data protection requirements.</p> <p>Nothing short of a complete revision of the US security regime regarding the surveillance of foreign citizens will satisfy the EU regulations.</p> <p>The EU regulations are formed on fundamental human rights, one of which is the right to a private life. That is not going to change, but it remains to be seen how far the US is prepared to compromise. </p> <p>The only certainty, is that the next few months will be very interesting.</p>