Web Summit must adhere to standards in privacy protection

NET RESULTS:IN JUST two years, the Dublin Web Summit has become one of the top conferences on the technology calendar. For good reason. Founder Paddy Cosgrave has deftly built the event up from its starting point as a small but high quality speaker event two years ago into a big summit last year, and a major conference this week.

This is an important event for many in the industry, especially social media and internet focused companies. It has also given a tech friendly profile to Ireland, and provides an economic boost, with visitors spending in hotels and restaurants during an otherwise slack period. Those achievements make it all the more alarming that organisers have shown a consistently cavalier – and at times lawbreaking – attitude towards participants’ personal data and privacy.

And it isn’t as if they are not aware of it. The Office of the Data Protection Commissioner has received complaints. As a result, it says, it has spoken in an advisory capacity several times to the organisers. I’ve also written to them personally but got no satisfaction.

Some of what they are doing violates the State’s and wider European data protection and privacy regulations.

The longest standing issue is that the Data Protection Commissioner’s office says the organisation has, in response to complaints, been unable to show that it has used a legally compliant method to gain permission to send emails advertising their events, personal start-up ventures, and other topics to people on its database.

Under the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, event organisers must obtain direct permission from attendees to continue to use their data beyond its original purpose for any reason and must be clear on the ways in which it might be used. They cannot rely on information buried inside terms and conditions that few read.

Once organisers have gained that permission, which many people would no doubt give – they are obliged to provide a clear opt-out option on every email. This is sometimes there on the high volume of emails the Web Summit organisers sends, and sometimes not.

Web Summit has each year also distributed the lists of names of those attending the event, which also requires explicit permission. In the case of the media list (sent out to attending companies without the necessary permission from individual journalists), my name was included even though I had never registered for the event nor said I would be covering it.

This year, while the organisers did not list all attendees on the website, visitors were advised to sign up to a Web Summit Facebook app to get the complete list of attendees, again without those individuals’ permission. Being listed like this really riles some attendees who otherwise love this event.

For me, and some others, the most irritating data misuse came from a networking app called Presdo. Web Summit dumped its mailing list database into Presdo which then pulled LinkedIn information to create public profiles for every person involved in the event.

Such an app could be very handy for networking if you want to use it; something which should be a personal choice, like creating a profile on LinkedIn or Facebook. The big Le Web conference in Europe has used Presdo in a far more appropriate and compliant way, issuing a code that participants could use to go to Presdo if they wished, create a profile, and enable it for that specific conference.

Web and social media companies are all under increasing scrutiny because of user and regulator concerns about how they use or abuse data, and protect or violate privacy.

Ireland, because it is home to the European offices of many of these companies, will have an increasingly important oversight role and the industry, a responsibility to show it cares about these issues and operates within legal frameworks.

As an event organiser for that industry and a young start-up itself, the Web Summit really must stand up and be an example of best practice for data privacy.

Failure to do so is one thing that makes so many in the wider public, in business, and in regulatory roles, suspicious of the web and social media sector and it will damage the sector’s future unless addressed responsibly.