Statements from Homo Digitalis in a U.S. legal news medium

The U.S. legal news website Courthouse News Service featured statements from our member Eleftherios Chelioudakis regarding iBorderCtrl.


Homo Digitalis sends a letter to the Greek Parliament regarding the draft law on PNR data

On November 15, 2018, the draft law on “Responsibilities of airline companies regarding PNR data – adaptation of the legislation with Directive (EU) 2016/681” was submitted to the Greek Parliament.

Homo Digitalis submitted an open letter on November 27, addressed to all the Members of the Greek Parliament; this letter was meant to call their attention to this draft law, which does not provide for adequate protection, according to the requirements set by the Court of Justice of the European Union (CJEU) with its Opinion 1/15, dated 26 July 2017, on the EU-Canada agreement regarding PNR data.

It must be noted that such data may reveal a person’s movement pattern, such as travel time, departure location and destination, his/her email and postal address, and the persons travelling with him/her, as well as other related data, such as hotel reservations. Taken together, these reveal information about work or personal travel, but also about a person’s social relationships, including friends or partners.

Homo Digitalis underlined that:

    1. The national “PNR data Unit” must be an authority responsible for the prevention and prosecution of terrorist and serious crimes, or part of such an authority.
    2. There is no provision for a system that will log access to the PNR data.
    3. There is no provision for judicial control before access is granted to investigative and other authorities.
    4. The period for which PNR data is retained exceeds what is strictly necessary.
    5. The PNR data of minors that is transmitted must be described in a clear and precise manner.
    6. The PNR data transmitted must not reveal the religious beliefs or health information of the passenger.

You can read the whole letter in Greek here.


What are cookies?

By Iason Chontzopoulos* and Konstantinos Kakavoulis

When we visit a website for the first time, the following message appears: “this website uses cookies to ensure you get the best experience”.

But what are these famous cookies? Do they really improve our experience on the internet? And if so, do they do so with no cost?

What are cookies?

They are small files of information created by websites while we visit them. They are short text files in which the information is usually encoded or takes the form of identifiers, so it does not read as coherent text to a human. These files and the information they contain are created by the computer on which the server runs. Each website uses only the cookies it has created itself.

How are cookies used?

They serve to add functionality to the websites we visit. For example, they are used so that a website can recognise us. Since they are created by the website, they do not include personal information.

They usually recognise the browser we used during our previous visit. The principle on which websites are built is that each of our clicks is independent of the previous one. Cookies were created to establish a continuous relationship between two clicks (on the same site).

Are there different types of cookies?

Yes! We can distinguish cookies according to their function into simple cookies, session cookies and tracking cookies.

1) Simple cookies serve as information storage. Online retailers use such cookies simply to remember the products we have already chosen to buy. Other stored information may be technical characteristics, statistics such as how many times we have visited the website, which language we chose, which page layout we prefer, etc.

2) Session cookies: the most common are authentication cookies, which help to identify our profile, as mentioned above. Depending on their use, they can have a limited duration (temporary cookies). Temporary cookies are typically found on bank websites, where they expire for security reasons after a fixed period and we have to re-enter our credentials.

In other cases, the option “Remember Me” or “Keep me logged in” keeps them active until we explicitly choose to log out (permanent cookies).

It is noteworthy that authentication cookies are an essential element of privacy on the internet and are always sent in encoded form. There are also technologies that increase the security and reliability of authentication and work alongside cookies.

3) Lastly, there are tracking cookies. Third-party tracking cookies are the most disputed category of tracking cookies, because they serve purposes other than improving the services offered by the website itself. Advertising is one of these purposes. Partner websites obtain the right to set cookies in order to collect information about our browsing behaviour. The fact that third parties, and not only the website itself, can set cookies extends their use beyond the original purpose for which cookies were created, namely improving the services of the website we are visiting, a purpose served by simple cookies and authentication cookies.

There are tools that help us check the flow of information we share through cookies. Below is one of these tools, which records the information shared with partner companies.

Does this seem complicated? Try this tool to find out live, at any time, with whom you share each click!
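The distinctions above (session versus persistent cookies, first-party versus third-party cookies) can be checked mechanically from the `Set-Cookie` headers a browser receives. The following is an added example, not code from the original article or from Homo Digitalis: it parses `Set-Cookie` header values and classifies each cookie. It assumes a cookie is persistent when it carries `Expires` or `Max-Age` and a session cookie otherwise, and that a cookie is third-party when the server that set it is on a different site from the page being viewed, where “site” is approximated by the last two labels of the host name (no public-suffix list is consulted). The sample hosts and cookie values are constructed for the example.

```javascript
// Added example: classify Set-Cookie headers into the categories described above.
// Assumption: "site" = last two DNS labels of the host (no public-suffix list).

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error('Set-Cookie without name=value: ' + header);
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attributes: {} };
  for (const part of attrParts) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const i = trimmed.indexOf('=');
    const key = (i < 0 ? trimmed : trimmed.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i < 0 ? true : trimmed.slice(i + 1).trim();
  }
  return cookie;
}

// Approximate "site" of a host name (assumption stated above).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Remaining lifetime in seconds for a persistent cookie. Max-Age takes precedence
// over Expires, as in browsers. `now` is passed in so results are reproducible.
function lifetimeSeconds(attributes, now) {
  if ('max-age' in attributes) return Number(attributes['max-age']);
  if ('expires' in attributes) {
    return Math.round((Date.parse(attributes.expires) - now.getTime()) / 1000);
  }
  return null; // session cookie: lives until the browser session ends
}

// Classify a cookie set by `responseHost` while the user is viewing `pageHost`.
function classifyCookie(setCookieHeader, responseHost, pageHost, now = new Date()) {
  const cookie = parseSetCookie(setCookieHeader);
  const a = cookie.attributes;
  const persistent = 'max-age' in a || 'expires' in a;
  // The Domain attribute can only widen scope within the setting host's own site,
  // so the party is decided by the host that set the cookie, not by Domain.
  const party = siteOf(responseHost) === siteOf(pageHost) ? 'first' : 'third';
  return {
    name: cookie.name,
    type: persistent ? 'persistent' : 'session',
    party,
    lifetimeSeconds: lifetimeSeconds(a, now),
    httpOnly: a.httponly === true,
    secure: a.secure === true,
  };
}

// Constructed sample: a shop page, its own responses, and one response from an
// advertising partner embedded in the page.
const SAMPLE_PAGE_HOST = 'www.shop.example';
const SAMPLE_RESPONSES = [
  { host: 'www.shop.example', setCookie: 'PHPSESSID=abc123; Path=/; HttpOnly; Secure' },
  { host: 'www.shop.example', setCookie: 'remember_me=tok-42; Max-Age=2592000; Path=/; HttpOnly; Secure' },
  { host: 'ads.tracker.example', setCookie: 'uid=9f3c7a; Domain=.tracker.example; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/' },
];
const SAMPLE_NOW = new Date('2019-01-01T00:00:00Z');

function classifySample() {
  return SAMPLE_RESPONSES.map(r => classifyCookie(r.setCookie, r.host, SAMPLE_PAGE_HOST, SAMPLE_NOW));
}

for (const c of classifySample()) console.log(JSON.stringify(c));
```

Run with Node; each line printed is one classified cookie. The session cookie has no lifetime, the “Remember Me” cookie is a first-party persistent cookie, and the advertising partner’s cookie is both persistent and third-party, which is exactly the category the text singles out.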

So, do cookies target me?

As mentioned above, cookies usually aim at recognising the browser we use and our IP address. Cookies rarely contain personal characteristics that reveal the user’s identity. However, combining these elements with other sources may allow natural persons to be identified; for this reason, the operation of cookies is regulated by legislation.

What does the legislation provide for cookies?

The EU General Data Protection Regulation (GDPR) includes a provision concerning cookies.

Specifically, Recital 30 of the Regulation, provides:

“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In simple terms, if cookies can identify a natural person, they are subject to the GDPR. Of course, not all cookies can identify a person, but most of them can if combined with third-party sources.

For websites to comply with the GDPR and not risk being fined under its provisions, they must either stop setting cookies that can identify a natural person, or establish an adequate and lawful basis for the collection and processing of such information.

Significant changes that the GDPR brought in cookies use

1) Implied consent to the use of cookies is no longer sufficient. The website user must explicitly consent to the installation of cookies by the website. This is why the messages mentioned at the beginning of this article are displayed each time we visit a new website. These messages may seem merely annoying at first sight, but having read this article, you should think twice before clicking “I accept” next time.

2) The message “By using this website, you agree to the use of cookies” is not sufficient. The user’s consent must be genuine and freely given; the user must really have the choice not to accept the installation of cookies.

3) The user must be able to withdraw his/her consent as easily as he/she gave it. Therefore, websites must give users the possibility to change their mind and revise their original choice at any time, by offering easy and rapid access to the relevant menu, as easy and rapid as the access they had when they first visited the website.
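The three rules above translate directly into server-side logic: optional cookies are set only after an explicit, per-category opt-in, nothing is inferred from a dismissed banner or from continued browsing, and withdrawal expires the affected cookies in a single step. The following is an added example, not code from the original article or from Homo Digitalis. The category names, the consent record shape and the function names (`consentFromBannerEvent`, `setCookieHeaders`, `withdrawalHeaders`) are this example’s own assumptions; cookies are represented as `Set-Cookie` header strings so the logic runs without a browser, and the sample cookies are constructed.

```javascript
// Added example: consent-gated cookie handling that models the three rules above.
// All names and the consent record format are assumptions of this example.

const CONSENT_CATEGORIES = ['functional', 'tracking']; // optional categories

// Rules 1 and 2: only an explicit "accept" with named categories produces a consent
// record. A dismissed banner or "continued browsing" yields null, i.e. no consent.
function consentFromBannerEvent(event) {
  if (event.action !== 'accept') return null;
  const record = { givenAt: event.at };
  for (const cat of CONSENT_CATEGORIES) record[cat] = event.categories.includes(cat);
  return record;
}

// Strictly necessary (technical) cookies need no consent; anything else needs an
// explicit `true` for its category. `undefined` or `false` both mean "not allowed".
function isAllowed(consent, category) {
  if (category === 'necessary') return true;
  return consent !== null && consent[category] === true;
}

// Build the Set-Cookie headers a response may carry under the given consent record.
function setCookieHeaders(consent, candidates) {
  return candidates
    .filter(c => isAllowed(consent, c.category))
    .map(c => `${c.name}=${c.value}; Path=/; Secure; HttpOnly${c.maxAge ? `; Max-Age=${c.maxAge}` : ''}`);
}

// Rule 3: withdrawal is one call. It flips the withdrawn categories to false and
// emits a Max-Age=0 header for each affected cookie so the browser deletes it now.
function withdrawalHeaders(consent, withdrawn, candidates) {
  const updated = { ...consent };
  for (const cat of withdrawn) updated[cat] = false;
  const headers = candidates
    .filter(c => withdrawn.includes(c.category))
    .map(c => `${c.name}=; Path=/; Max-Age=0`);
  return { consent: updated, headers };
}

// Constructed sample cookies, one per category.
const SAMPLE_COOKIES = [
  { name: 'PHPSESSID', value: 'abc123', category: 'necessary' },
  { name: 'lang', value: 'el', category: 'functional', maxAge: 31536000 },
  { name: 'analytics_id', value: 'u-9f3c', category: 'tracking', maxAge: 63072000 },
];

// Walk through the lifecycle: no consent, partial consent, full consent, withdrawal.
function demo() {
  const noConsent = setCookieHeaders(null, SAMPLE_COOKIES);
  const consent = consentFromBannerEvent({ action: 'accept', categories: ['functional'], at: '2018-12-01T10:00:00Z' });
  const partial = setCookieHeaders(consent, SAMPLE_COOKIES);
  const fullConsent = { ...consent, tracking: true };
  const full = setCookieHeaders(fullConsent, SAMPLE_COOKIES);
  const withdrawal = withdrawalHeaders(fullConsent, ['tracking'], SAMPLE_COOKIES);
  return { noConsent, partial, full, withdrawal };
}

console.log(JSON.stringify(demo(), null, 2));
```

Without a consent record only the technical session cookie is set; after a partial opt-in the functional cookie joins it; the tracking cookie appears only once that category is explicitly granted, and withdrawing it produces the deletion header in the same request that records the change.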

What can I do if a website does not comply with the above obligations relating to cookies?

Take a look at the guide that Homo Digitalis has prepared on what you can do and to whom you can address if you face problems with the processing of your personal data. You have to follow the same steps in case a website infringes the legislation on cookies.

Can a website function without cookies?

Cookies have clearly multiplied the possibilities of websites and in many cases increased their security.

Their use is clearly a design choice for each website, but some cookies are purely technical in nature. The online shops mentioned earlier are an example.

Cookies of a technical nature are necessary. Websites are accessed through a variety of devices and browsers, which require particular treatment for technical reasons; the use of simple cookies holding technical data is therefore considered necessary. In this way the website’s layout adapts to the device’s requirements, for example to mobile phones and small screens.

This does not apply to tracking cookies. The use of tracking cookies has attracted worldwide attention in recent years, particularly with regard to the purposes for which the collected data is exploited. For this reason, the legislation aims to bring the use of cookies into the open, giving users rights and the option to choose. At the same time, it requires transparency from companies in their use of cookies and provides for large fines so that companies comply with their obligations.

Homo Digitalis, faithful to the values it represents, does not place cookies on its visitors’ devices in order to analyse the effectiveness of the design and presentation of our website or to identify its visitors (tracking cookies).

We therefore keep no record of your activity on our website. The only cookie our website uses is called PHPSESSID.

This cookie cannot identify any natural person and does not record the user’s personal data. It is purely technical and serves the operation of the server.

*Iason Chontzopoulos is a data scientist based in Zurich. He is an electrical and computer engineer, having studied at the National Polytechnic School of Athens and ETH Zurich.

*Source of the main photo: https://www.howtogeek.com/327268/why-do-some-websites-have-pop-up-warnings-about-cookies/


Letter to the European Data Protection Board for the cessation of GDPR abuse

Today, Monday 21 November 2018, ApTI, Privacy International, EDRi and 15 more digital rights organizations, including Homo Digitalis, sent a letter to the European Data Protection Board, notifying also the Romanian Data Protection Authority and the European Commission.

The reason for this letter is the abuse of data protection law provisions in order to unveil the journalistic sources behind the RISE Project in Romania. This project aims at shedding light on corruption and money laundering cases. With this letter the organizations request that the abuse of the GDPR provisions come to an end, since it puts the freedom of the press in Romania at risk.

Learn more here and read the letter here.


Letter to Mark Zuckerberg

“Dear Mark Zuckerberg:

What do the Philadelphia Museum of Art, a Danish member of parliament, and a news anchor from the Philippines have in common? They have all been subject to a misapplication of Facebook’s Community Standards. But unlike the average user, each of these individuals and entities received media attention, were able to reach Facebook staff and, in some cases, receive an apology and have their content restored. For most users, content that Facebook removes is rarely restored and some users may be banned from the platform even in the event of an error.”

This is how the open letter to Facebook’s CEO from 80 organizations worldwide begins. Among them are the most prominent digital rights organizations. From Greece, the letter was signed by Homo Digitalis.

With this letter, we asked Facebook:

– to create and implement a mechanism through which users of the platform can appeal against content moderation decisions,

– to have removed content re-reviewed by a human, rather than an algorithm, when an appeal is lodged against its removal,

– to give each user clear, detailed and personalized reasons why his/her content was removed,

– to inform the user of his/her right to appeal such a decision,

– to publish regular transparency reports on the implementation of its Community Standards.

With more than 2 billion users, Facebook is the biggest communication platform worldwide. It is normal for some of the decisions regarding content moderation taken either by Artificial Intelligence systems or by the human personnel, to be wrong.

The users must be safeguarded from such potential faults and must have the right to request re-review when their content has been removed.

The full letter can be found here.


Hate Speech and children: an online conflict in the social network era

By Anastasia Karagianni*

Social media platforms offer everyone the opportunity to connect, to express their opinion freely and to stay informed. In this way, information flows continuously, as it should. Information, though, can sometimes be dangerous. So-called hate speech, according to European legislation, can be defined as “every form of expression that disseminates, actuates, promotes or justifies racism, xenophobia, anti-semitism and other forms of hate that are based on intolerance, including the one that is expressed through the excessive nationalism and ethnocentrism, the discrimination and hostility towards minorities and the immigrants”.

Whether an act amounts to hate speech may be judged from the character and popularity of the speaker, the emotional state of the audience, the content of the act itself as incitement to hatred, the social context in which it takes place and the means used for its dissemination, including the language adopted. The European Union Council Framework Decision 2008/913/JHA of 28 November 2008, concerning the elimination of racism and xenophobia and their interaction with freedom of speech, under which cooperation between Member States is carried out, played a decisive role in confronting hate speech, mainly through Article 1(1), Article 3 and Article 4.

However, a conflict between human rights sometimes emerges in the context of hate speech. Specifically, under the special regime for the protection of children established in the European Union, Article 2 of the United Nations Convention on the Rights of the Child, on the welfare of children, stands opposed to Article 13, on freedom of information. Thus freedom of expression and speech seems to conflict with protective measures that confine children’s access to some activities on the internet. Despite this conflict, the protection of children and freedom of speech converge on the necessity of protecting fundamental human rights, which rest on the fundamental values of human autonomy and dignity.

In order to address hate speech on the internet, the European Commission agreed in May 2016 with Facebook, Microsoft, Twitter and YouTube, and later in 2018 with Instagram, Google, Snapchat and Dailymotion, on the adoption of a Code of Conduct, under which these platforms give users the opportunity to report hate speech incidents, supported by social support and coordination with the national authorities. They also agreed to assess users’ notifications in accordance with European and national legislation on hate speech, and committed themselves to remove, where necessary, notified content assessed as unlawful.

Nevertheless, different risks may require different measures. Sonia Livingstone distinguishes four types of risk to children: commercial risks, the risk of attack or violence against children, the risk of sexual abuse or exploitation, and risks that affect values, such as hate speech. These risks are further distinguished according to the role in which children are exposed to them: as recipients, as participants and as offenders. Both distinctions highlight the importance of child-friendly policy making.

Such a policy can be found in Articles 6 and 8 of the new General Data Protection Regulation (GDPR), as well as in its Recital 58. In more detail, in Articles 6 and 8 GDPR the Commission introduces parental consent, or consent from those holding parental responsibility, as a way to legitimise the processing of children’s personal data on the internet. The age of 13 is the threshold that determines whether the processing of children’s personal data will be subject to fewer legal restrictions.

In practice, children are thus divided into two age groups: children who are able to consent to the processing of their personal data, between 13 and 16 years of age, and children who depend on parental consent for their behaviour on the internet, between 0 and 3 years. Drawing such a strict line conflicts with the stages of children’s physical and social development. Furthermore, parental consent must be examined each time from a legal standpoint: whether the proposed measure is proportional in the case at hand and whether it is reconcilable with the human rights framework.

Parental consent is in some cases opposed to children’s right to participate in decision-making that concerns them, a right protected by the United Nations Convention on the Rights of the Child and also safeguarded in the European Union and its Member States. The child’s rights to freedom of expression and to private life may be undermined if children’s access to information is restricted and made dependent on parents. Furthermore, the scope of their right to privacy shrinks, as parents will have to intervene in children’s privacy to make the corresponding decisions, for example about creating a profile on social media. Accordingly, parental consent occasionally infringes the fundamental principles of human rights law established by the Convention.

Even so, the role of parents is undoubtedly important and decisive for the protection of the child. Despite being “children of the digital age”, children do not have complete digital skills. According to a recent EU Kids Online study, even though 43% of children believe that they know more about the internet than their parents, they lack digital skills such as blocking unwanted communication, changing privacy settings on social media and critically assessing the information they access.

To sum up, social media platforms are among the most important players in the online marketplace. Their business model is based on processing users’ personal data. A large and active share of those users are children, who depend on the presence of these large companies in their everyday life and develop a strong consumer relationship with them. The existence of these Codes of Conduct is really important, as it complements the existing legal provisions and offers a high level of safety. Equally important is the use of social media for children’s personal and social development. A fair balance must therefore be found between freedom of expression and the protection of children.

* Anastasia Karagianni is a lawyer, specialising in children’s digital rights. She is a member of Homo Digitalis and co-creator of ChildAct with the aim of protecting children’s digital rights. On the 8th of November she represented Homo Digitalis in the session on “Facebook and other social risks”, which took place in the European Parliament.


Homo Digitalis in the European Parliament

On the 8th of November a conference on “Facebook and other social dangers” took place in the European Parliament. The conference was held by the parliamentary committee of the Greek member of the European Parliament, Mr. Stelios Kouloglou. Homo Digitalis was invited by Mr. Kouloglou and was represented by Anastasia Karagianni.*

The presentation by Homo Digitalis focused on hate speech and child protection on the Internet.

Specifically, we first set out the definition of hate speech and the criteria on which it is based. After outlining the European legal framework restricting hate speech, we emphasised the role of the European Union. In particular, Members of the European Parliament have taken considerable action by calling on the European Commission to create a European mechanism that would promote legislative measures aimed at improved privacy for children’s personal data.

Despite being considered ‘digitally educated’, children do not possess the essential tools for self-protection on the internet, such as blocking spam and critically evaluating the content they come across. The requirement of parental consent, although essential for the protection of children, in certain cases conflicts with children’s involvement in decision-making.

Among the renowned speakers, Cox Leonard, Qwant’s Vice-President for International Relations, kindly thanked Homo Digitalis for mentioning Qwant Junior as an alternative child-friendly web search engine.

In addition, Member of the European Parliament Cornelia Ernst considered significant our reference to children’s consumer relationship with social media and the need to protect their privacy.

In conclusion, we would like to express sincere thanks to Mr. Kouloglou and his team, who invited us as Speakers and gave us in this way the opportunity to broach the matter of children’s digital rights in social networks.

* Anastasia Karagianni is a lawyer with expertise in children’s digital rights. She is a member of Homo Digitalis and co-Creator of ChildAct with the aim of protecting children’s digital rights.


An interview with Emmanuel Tzivieris, DPO at Investment Bank of Greece

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force and significantly changed the protection of personal data in our country. The GDPR establishes many rights for citizens. Among other things, the Regulation provides for the creation of the position of Data Protection Officer (known as DPO). We met with Emmanuel Tzivieris*, DPO at the Investment Bank of Greece, so that he could explain to us more about this new position.

Talk to us about the role of the DPO. Is it something new?

Many people are referring to the role of the DPO as a novelty of the GDPR, which is not entirely accurate. The term is not unknown. It also existed in the European Directive 95/46, it was also included in Greek law 3979/2011 on eGovernment, it also existed in Germany; but in practice it was not used, at least not to such an extent. This has changed with the implementation of the GDPR, which provides for the mandatory appointment of a DPO, starting on 25 May 2018, for three main categories of organizations and businesses:

(a) Public authorities and bodies other than the courts.

(b) Organizations whose core activities require regular and systematic monitoring of subjects on a large scale.

(c) Organizations processing personal data of special categories, such as genetic data, biometric data, health data, etc.

– You are giving me the opportunity to ask you about the level of business alertness on May 25th. Had the Greek companies and organizations already appointed DPOs?

I am not aware of the overall picture of Greek businesses and public organizations to answer your question, but there are indications that the “last minute” rule was not excluded even in the case of GDPR. At this point, I would like to emphasize that the GDPR was adopted in April 2016, which meant that all the persons in charge had more than two years to comply with its requirements, including the definition of DPO. Even the incorporation of the Regulation into the national legislation of the Member States has been delayed. Just a few days after its introduction, the European Commissioner responsible for justice has warned eight member-states (including Greece) and urged them to speed up their compliance procedures.

– How would you describe the role of DPO in an organization?

There are various interpretations of the role the DPO has to play in an organization. It has been suggested that the DPO will be the “long hand” of the Data Protection Authority, or its “eyes and ears” within the organization. It has also been heard that he will be an informal internal auditor who can carry out audits and communicate his findings to the Authority. However, we can’t confirm any of these theories when the legislative process is in progress in Greece. The only certainty is that the DPO will be a communication channel, or the link between the organization and the Supervisory Authority, and will be entrusted with the tasks assigned to it by the Regulation in Article 39, such as monitoring the organization’s compliance with the Regulation, advice to the company, staff briefing, opinion on impact assessment, etc.

– How important are the personal data of the subjects that are managed and processed by a business?

There are whole business models based almost exclusively on the processing of personal data. Meanwhile, the digital world is evolving rapidly and this has resulted in creating an intangible environment for individuals, consumer preferences and needs. See what happens with electronic communications today and compare it to previous decades. Look at what is coming with artificial intelligence. Real cosmogony. So, you understand the importance of legislation such as the GDPR that tightens the framework for the processing of personal data at a time when personal data and control are becoming decisive for sustainability, competitiveness and further development of businesses.

– What do you think is the biggest challenge for a DPO?

The challenges mainly concern the innovations introduced by the Regulation on the general functioning of an entity. As you can see, it is a piece of legislation that changes the strategy and the way in which organizations and businesses have operated so far. The DPO, therefore, as the orchestrator of the compliance process, is called upon to confront habit, which is the greatest enemy of a healthy business. It is called upon to create within the company a new culture that treats personal data with respect and a sense of responsibility.

– Can the consumer contact the DPO directly?

The Regulation provides for the obligation to process personal data in a transparent manner. In this context, the organization is required to share the DPO contact information to all data subjects, facilitating communication with him/her.

Any interested person may contact the DPO to get informed about the categories of personal data being processed, the purposes of the processing, the potential recipients of the data and, in particular, his/her rights as derived from Regulation.

– What about the public’s awareness so far? Is there a response and interest of the public for the protection of their personal data?

Remember the first days of application of the Regulation and the dozens of identical messages we received from various businesses, e-shops, social media, etc. Anyone claiming that he was not bothered by this information storm and did not delete most of these messages would not be frank. This negative atmosphere gave the impression that sending the newsletters discouraged the public rather than sensitizing it.

This climate is slowly reversing. The messages we receive from daily communication with the public, as well as the results of a recent survey on the level of awareness and information of the Greeks on personal data protection issues, are encouraging. More than 80% said they were aware of the new regulation, while 77% of respondents claimed they had become more cautious about how they shared their personal data. If the numbers tell the truth, then we are on the right track. This progress is largely due to initiatives such as yours, Homo Digitalis, aimed at raising public awareness, but mainly ensuring that the public is properly and responsibly informed.

– How do you see the future of business in this digital world?

Although I’m not good at predictions, what I can say is that compliance with the GDPR is the first major test that businesses are faced with in this field. There are plenty of other more demanding tests coming. The results of this first exercise will reveal the level of alertness of organizations to adapt to the new requirements and new business models of the digital world. Those who pass the test successfully have every reason to be optimistic that they will remain competitive, unlike the others, for which, unfortunately, the future does not look promising.

*Emmanuel Tzivieris holds a Bachelor from the Law School of Athens, a Master in Public Law from the National and Kapodistrian University of Athens and a Master in Law and Economics from Utrecht University. He is the DPO of the Investment Bank of Greece.


Homo Digitalis files a petition to the Greek Parliament concerning the use of the “IBORDERCTRL” system in the Greek borders

On the 5th of November, Homo Digitalis filed a petition to the Greek Parliament (protocol number: 4661) concerning the use of the “IBORDERCTRL” system at the Greek borders, posing specific questions to the responsible Minister.

According to the official page of the European Commission and that of “IBORDERCTRL” on the pilot application of this system in Greece, which was funded by the H2020 programme with 4.501.877 euros, the system will be used at the Greek borders with Albania, Bulgaria, FYROM and Turkey on pedestrians, cars, buses, train passengers and freight trains crossing these borders.

For the first 3 categories the responsible body will be KE.ME.A, which is supervised by the Minister of Public Safety. For the other 2 categories KE.ME.A will be responsible in cooperation with ΤΡΑΙΝΟΣΕ.ΑΕ, now a limited liability company belonging to the Italian Ferrovie dello Stato Italiane Group.

The IBORDERCTRL system is claimed to be able to identify false statements by passengers based on their facial expressions. However, the 10 documents that evaluate the technical specifications of this system (Requirement Analysis Report, Reference Architecture and components specifications, Data Collection Devices – specification, First version of all technological tools and subsystems, Second version of all technological tools and subsystems for integration, First version of the iBorderCtrl software platform, Second version of the iBorderCtrl software platform, Integration Plan, Early version of the integrated prototype and Experimental Design for Pilot Deployment and Evaluation) remain strictly confidential.

As a result, it is impossible for the scientific experts to inspect and confirm the claims of the developers of this system. Therefore, its credibility and reliability cannot be proven.

Moreover, all the reports on its progress and development (Periodic Progress Report, Annual Report, Periodic Progress Report 2, Annual Report 2) also remain confidential, a fact that makes inspection of its technical specifications impossible.

Finally, all the legal and ethics evaluation documents also remain confidential (Ethics advisor’s first report, Ethics of profiling, the risk of stigmatization of individuals and mitigation plan, Ethics Advisor, EU wide legal and ethical review report), so nobody can confirm whether the system is compatible with European Union legislation.

Specifically, it is impossible to verify whether data subjects receive specific notice of their right to obtain human intervention, their right to express their point of view, their right to obtain an explanation of the decision reached from the IBORDERCTRL system’s evaluation and their right to challenge that decision.

Furthermore, because the legal and ethics evaluation documents are confidential, there is no guarantee that the IBORDERCTRL system does not reach decisions based on personality trait parameters, which are inherently sensitive with regard to fundamental rights and freedoms under Articles 10 and 11 of Directive 2016/680 and the conditions established by Articles 21 and 52 of the EU Charter of Fundamental Rights.

Therefore, European citizens paid 4.501.877 euros for this system via the H2020 programme while having zero access to its technical specifications to verify the system’s credibility, nor can they confirm whether its use is actually legal, as access to any legal review is confidential, as mentioned above.

By contrast, according to the European Commission website, the participating entities stand to gain 118 billion euros thanks to the technical know-how they provided and the growing market for border security systems.

You can see the whole content of our Report and our questions to the Minister in charge in Greek HERE.