Industry Exposed #17: “Privacy By Design: An Ounce of Prevention Is Worth A Pound Of Cure”

Welcome back to our Mobile Industry Exposed interview series! Privacy is a paramount topic for us at AppLift, and this time around we spoke with Christoph Bauer, CEO and founder of ePrivacy GmbH, about the importance of data protection and privacy compliance. In particular, we touched upon the differences between US and European privacy law, the need to respect consumers' privacy, and the benefits of privacy by design for new products.

Christoph Bauer is the Founder and CEO of ePrivacy GmbH, which certifies digital products and companies for data protection compliance and offers privacy-related consulting. Among other things, ePrivacy runs the well-known ePrivacy seal in Germany and the EU. Christoph Bauer has over 20 years of experience in the media industry as CFO and COO of larger companies such as AOL and Wunderloop, where he also built up the data protection function. He has substantive experience with data privacy seals, such as the ULD, EuroPriSe and ePrivacy seals, which comply with the high standards of German and European data privacy regulation. He is an accredited auditor at ULD for the data privacy seal and for ISO 27001 (Information Security Management) and teaches as a Professor at the HSBA in Hamburg.

Q: Can you briefly present ePrivacy and its business model? Which companies of the adtech ecosystem (advertisers, publishers, DSPs, DMPs…) need a data privacy certification and why?

ePrivacy offers consulting and certification services on privacy and data protection for digital media businesses. Our main product is the "ePrivacyseal", a certification based on the strict German or European data protection laws, as well as the "OBA Framework" certification of compliance. These certifications are used by companies like publishers, sales houses, DSPs, DMPs, mobile ad networks, targeting technologies, location-based businesses, etc. Once these companies have earned such a certificate, it is a lot easier for them to work with large German/European companies, which very often require proven compliance with data protection for any new technology they implement.

We also act as an external data privacy officer for a number of companies and consult on big data initiatives, eHealth, connected cars and other new businesses, with an approach of "privacy by design". We can then ensure that the new business models being brought onto the market are compliant with data protection rules before they are launched.

Q: Why are data privacy and data security such hot topics right now? Which recent developments have fostered such interest?

It is very relevant, as there have been quite a few incidents where personal data was lost by big companies or was hacked by third parties. For instance, T-Mobile suffered a major data breach back in 2009. The Snowden story has played its part in raising awareness, too. Consumers are increasingly concerned about what happens with their data. Certifications such as the ePrivacy Seal make sure that companies make their best efforts to secure personal data and only use it in legal ways.

Q: ePrivacy is headquartered in Hamburg. Germany is said to have the world’s most stringent privacy regulations. Is it true and why do you think it is the case?

Yes, it is true that Germany has rules that are unique in the world. This is most likely because of our political history: over the last centuries there were quite a few times when people were closely watched and monitored by the state and sometimes even sent to jail or prosecuted for minor things. Therefore, Germans have developed a very strict privacy law to prevent the state and others from collecting and using private data unless there is a good reason for it.

Q: What are the main differences in terms of data privacy regulation between the United States and Europe?

European privacy law has been developed mainly on the basis of German privacy law and is therefore strict as well, although not as strict as the German law. The main difference is that, under European law, you need the opt-in of a consumer in order to collect personally identifiable information (PII). If you do not have the opt-in, it is strictly not allowed. Exceptions to that rule are very limited and explicitly defined. On top of this, in Germany specifically, PII includes a user's IP address, while this is not the case in the rest of the world.

Q: What is “privacy by design”?

Privacy by design means designing a product in a way that makes it privacy-compliant upfront, prior to bringing it to market. An ounce of prevention is worth a pound of cure :)

For example, if you want to use data from consumers, you need to anonymize it before you collect and use it, so that the data is no longer considered PII.
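As an added illustration of the "anonymize before you collect" point above (this is example code written for this article, not ePrivacy's or Christoph Bauer's own tooling), the snippet below shows the minimal privacy-by-design treatment an ad-request pipeline would apply before anything is written to storage: fields the pipeline does not need (e-mail, address list) are dropped, the IP address (PII under German law, as noted above) is truncated to a network prefix, the device identifier is replaced by a keyed hash, and coordinates are rounded to roughly a kilometre. The field names, the sample request and the key are constructed for the example. Note the caveat in the comments: the keyed hash is pseudonymisation, not anonymisation, because whoever holds the key can recompute the mapping; only the dropped and truncated fields are gone for good.

```python
"""Privacy-by-design preprocessing of a mobile ad request (added example)."""
import hashlib
import hmac
import ipaddress
from typing import Any, Dict, Tuple

# Fields the analytics pipeline actually needs. Everything else is dropped
# before storage (data minimisation): the server never keeps it.
# Hypothetical schema, constructed for this example.
ALLOWED_FIELDS = {"ts", "app_id", "ad_slot", "ip", "device_id", "lat", "lon"}


def anonymize_ip(ip: str) -> str:
    """Coarsen an IP address so it no longer points at a single subscriber.

    IPv4: zero the last octet (/24). IPv6: keep the /48 prefix, zero the rest.
    Malformed input raises ValueError instead of passing the raw string through.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize_device_id(device_id: str, key: bytes) -> str:
    """Replace an advertising identifier with an HMAC-SHA256 pseudonym.

    Caveat: this is pseudonymisation, not anonymisation. The key holder can
    recompute the mapping, so the key must be protected and rotated; rotating
    it also breaks linkability across rotation periods.
    """
    return hmac.new(key, device_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def coarsen_location(lat: float, lon: float, decimals: int = 2) -> Tuple[float, float]:
    """Round coordinates to about 1 km so a point no longer singles out a home address."""
    return round(lat, decimals), round(lon, decimals)


def anonymize_event(raw: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Apply drop / truncate / pseudonymise / coarsen before the event is stored."""
    event = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    if "ip" in event:
        event["ip"] = anonymize_ip(event["ip"])
    if "device_id" in event:
        event["device_id"] = pseudonymize_device_id(event["device_id"], key)
    if "lat" in event and "lon" in event:
        event["lat"], event["lon"] = coarsen_location(event["lat"], event["lon"])
    return event


# Constructed sample request; all values are made up for this example.
SAMPLE_REQUEST: Dict[str, Any] = {
    "ts": "2015-03-01T12:00:00Z",
    "app_id": "com.example.game",
    "ad_slot": "banner_top",
    "ip": "203.0.113.77",
    "device_id": "38400000-8cf0-11bd-b23e-10b96e40000d",
    "lat": 53.550341,
    "lon": 10.000654,
    "email": "alice@example.org",       # not needed for ad delivery; dropped
    "contacts": ["bob@example.org"],    # address list from the device; dropped
}
# Placeholder key for the example; in production use a managed, rotated secret.
SAMPLE_KEY = b"rotate-me-daily"

if __name__ == "__main__":
    print(anonymize_event(SAMPLE_REQUEST, SAMPLE_KEY))
```

Run it and compare the output with `SAMPLE_REQUEST`: the e-mail and contact list never reach storage, the IP comes out as `203.0.113.0`, and the device ID is a 32-hex-character pseudonym that changes whenever the key is rotated.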

Q: Which data privacy and security challenges do you see as specific to the mobile advertising ecosystem?

Today, almost every consumer in the Western world owns a mobile or even a smartphone. The thing with mobile devices is that they collect a lot of data, including PII such as location, address list, calendar and email address, which can then be accessed by any telco provider or app on the device. Therefore, data protection and privacy are really important for the mobile business. However, the fact is that today a lot of companies, especially apps, are not yet compliant and need to improve their services.

Q: Which developments can be expected in the fields of data privacy and data security in the next months and years?

There will be new data protection regulations from the EU, which should be finalized by the end of 2015 (although it could take slightly longer). We expect a stronger focus on privacy, much higher fines for companies that are not compliant, as well as an obligation for all companies offering services in the EU to follow the European rules. This would mean, for instance, that a US company needs to abide by European privacy law for its commercial operations in Europe, including websites and apps accessible on EU territory. The new regulation will be directly effective across all European countries.