In just one year, the European Union’s General Data Protection Regulation (GDPR) will take effect. In light of these upcoming changes, we asked data privacy expert Aurélie Pols to share some insights on this critical piece of legislation – why it was developed, what responsibilities it entails for businesses, and how it will affect companies and consumers alike.
Aurélie, can you explain the context behind this new regulation? Why has it been introduced?
The current Data Protection Directive (95/46/EC) was introduced in 1995. Information technology and data storage capabilities have considerably evolved since then, inducing fundamental changes in the ways individuals and organizations collect, compute and share information.
Additionally, as this piece of legislation was a Directive, it has been implemented differently across member states. This created compliance issues for businesses. The General Data Protection Regulation, which comes into effect in May 2018, partially solves such issues, while allowing member states to specify local requirements on some specific themes if required. This is what we are currently witnessing: how the GDPR is aligned with local legislation. The main subject that comes out of these potential discrepancies is possibly age of consent, which will probably be lowered to 13 in most countries, also to align with the US-based COPPA – Children’s Online Privacy Protection Act.
The GDPR was the most-lobbied piece of European legislation in history, with over 500 amendments, and taking years to finalize since its initial reform introduced back in 2012. If anything, the GDPR brings users’ rights back into the data ecosystem, with the reinforcement of accountability principles and rights to access, while adding new rights such as the one related to data portability.
The EU is focused on ensuring that the EU Charter of Fundamental Rights principles are being respected for those in the Union, from Respect for Private and Family Life and Protection of Personal Data to also include Human Dignity (and agency): “Human Dignity is inviolable. It must be respected and protected”. Whether such rights are adequately upheld when data is being transferred beyond the Union’s borders remains, obviously, part of the legal text depending on international frameworks such as the increasingly controversial PrivacyShield.
The GDPR refers heavily to “personal data”. What kind of data does this cover? How is this definition of “personal data” different from the definition(s) provided in US legislation?
Privacy legislation notoriously kicks in when “personal data” is being processed. Note that in “processing”, the GDPR includes the notion of collection (article 4.2. – Definitions; Processing).
From article 4.1: “Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person;”.
Also, the GDPR introduces the concept of “pseudonymous” data, where (art. 4.5) “pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
Note that recital 26 highlights that “… personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information of an identifiable natural person”. And in case this is not clear, recital 28 further states “… The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection”.
Hence, data protection obligations apply to the category of “pseudonymous data” under which cookies and unique identifiers fall (recital 30).
What does this mean?
It means that as data protection legislation applies, the processing should be lawful.
This is where article 6 (on Lawfulness of processing) allows for specific mechanisms to be used to ensure lawful processing practices, including consent (point a) or, preferably, legitimate interests pursued by the controller or by a third party (point f).
Having said that, there is a small caveat to this last wild card option called “legitimate interests”. Indeed, the ePrivacy Regulation, the lex specialis which applies to the digital analytics sector, is still under negotiation. And the current draft of this piece of legislation, in its notorious article 8, does not include legitimate interests as a legitimate ground for lawful processing. The good news is that it does, however, include a derogation for “web audience measuring” (d).
The porous and evolving boundaries of what is to be considered “personal data”, and of when legal privacy compliance obligations kick in, were also notoriously highlighted last year in discussions related to dynamic IP addresses. The European Court of Justice found that dynamic IP addresses should be considered personal data under certain circumstances, moving beyond the already-existing recommendation dating back to 2009 by the Article 29 Working Party that IP addresses could be personal data.
On the other side of the pond, looking west, then-FTC chairwoman Edith Ramirez mentioned in a speech in August 2016 that “We now regard data as personally identifiable when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers, such as device identifiers, MAC addresses, static IP addresses, and retail loyalty card numbers meet this test.”
However, unlike the EU, the United States does not have an omnibus legislation related to Privacy that covers all sectors and businesses like the GDPR does. If any privacy legislation does exist at a federal level, it is sector-bound with the most famous and best known ones typically being HIPAA, COPPA, VPPA, etc.
What constitutes PII, Personally Identifiable Information, when compliance obligations kick in is therefore left at the discretion of the 50 US states. PII under the California Privacy Protection Act, CalOPPA, for example, includes a person’s birthday, height, weight and hair color.
To date Edith Ramirez has left the FTC; 3 of the 5 chairs are currently open under the Trump administration.
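As an added illustration, not part of the interview, of the article 4(5) definition quoted above and of recital 26’s point that pseudonymised data remains personal data: the code below replaces a direct identifier (an e-mail address) with a keyed HMAC-SHA256 pseudonym, keeps the key and the re-identification table in a separate object, and shows that whoever holds that “additional information” can still attribute the records to a person. The `KeyCustodian` class, the key material and the sample records are all constructed for this example.

```python
"""Pseudonymisation in the sense of GDPR art. 4(5), and why the result is still
personal data (recital 26). Added example; all names and data are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records, as a digital analytics pipeline might hold them.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "page": "/pricing", "country": "DE"},
    {"email": "bob@example.com", "page": "/docs", "country": "FR"},
    {"email": "alice@example.com", "page": "/signup", "country": "DE"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a direct identifier.

    Without the key the pseudonym cannot be recomputed from a guessed identifier
    or reversed; with the key, the same person always maps to the same value,
    so the records stay linkable (which is exactly why they remain personal data).
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class KeyCustodian:
    """Hypothetical holder of the 'additional information' that art. 4(5) says
    must be kept separately: the HMAC key and the pseudonym -> identifier table.
    In a real deployment this would be a separate system with its own access
    controls and audit trail; here it is a plain object for illustration."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.table: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        p = pseudonym(identifier, self.key)
        self.table[p] = identifier  # retained so re-identification stays possible
        return p

    def reidentify(self, p: str) -> Optional[str]:
        """Attribution back to the data subject using the separately kept table."""
        return self.table.get(p)

    def rotate_key(self) -> None:
        """Destroying the key and table severs the link to the data subject for
        future processing; already-issued pseudonyms can no longer be resolved."""
        self.key = secrets.token_bytes(32)
        self.table.clear()


def pseudonymise_records(records: List[Dict[str, str]],
                         custodian: KeyCustodian) -> List[Dict[str, str]]:
    """Return copies of the records with 'email' replaced by 'subject_id'."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = custodian.pseudonymise(copy.pop("email"))
        out.append(copy)
    return out


def events_per_subject(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Group pseudonymised records by subject: linkability survives pseudonymisation."""
    counts: Dict[str, int] = {}
    for record in records:
        counts[record["subject_id"]] = counts.get(record["subject_id"], 0) + 1
    return counts


if __name__ == "__main__":
    custodian = KeyCustodian(b"constructed-demo-key")
    pseudonymised = pseudonymise_records(SAMPLE_RECORDS, custodian)
    for record in pseudonymised:
        print(record)
    alice = pseudonymised[0]["subject_id"]
    print("re-identified:", custodian.reidentify(alice))
    print("events per subject:", events_per_subject(pseudonymised))
```

The design point a practitioner should take from this: the analytics dataset alone cannot be turned back into e-mail addresses, but the organisation as a whole still can, because it holds the key and the table. That is the situation recital 26 describes, so the data protection obligations discussed in the answer continue to apply; only measures that remove the link for everyone (such as rotating the key and discarding the table) move the data towards anonymisation, and then linkability across time is lost too.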
Once the GDPR takes effect, what are the most significant changes or developments of which companies should be aware?
Penalties & fines: Risk related to data uses is increasing dramatically under the GDPR: from the fines available under the current Directive to 4% of global turnover or 20 million euros, whichever is higher, under the GDPR.
It’s the reason why suddenly the data discourse has a new angle: toxicity.
Rights: The GDPR is about re-equilibrating this triangle of accountability between businesses, citizens and then legislation to make sure balance is (re)instated, following the rapid evolution of the data economy.
It includes new Rights and reinforces existing ones under Chapter III, Rights of the Data Subject, where data controllers and processors will have to learn to align beyond pure legal contracts to make sure they can abide by these newly found obligations. This for example includes traceability challenges, certainly if pseudonymous data such as cookies are to fall under these privacy obligations.
Article 19 about “notification obligation regarding rectification or erasure of personal data or restriction of processing” to recipients of data is an interesting challenge, certainly if the GDPR applies to the online advertising industry through the previously mentioned outcome of the ePrivacy Regulation. Should one imagine traceability of data points in the current programmatic advertising sphere? Could this be brought about through standards and industry organizations? It would certainly solve other issues around leakage and measurability!
Breach notification: Additionally, moving beyond the digital advertising space, data has increasingly been recognized as an asset. From there on, as data has worth, it has also often been lost, stolen – in a nutshell, breached. Over the years, an increasing amount of data breach notification legislation has been passed on a global level and naturally finds itself today in the GDPR. The maximum delay for notifying the Supervisory Authority has been nailed down to 72 hours, highlighting the need for efficient internal processes so that companies can deliver all the required information described under article 33 for starters, and possibly abide by article 34 – communicating this breach to the citizens.
Building upon security best practices – appropriate technical and organizational measures, such as pseudonymisation –, the GDPR includes data protection by design and by default obligations under article 25. It also points to the opportunity of resorting to approved certification mechanisms, a development opportunity boosted by the GDPR which some technology players are intending to fill. Finally, it highlights the need to undergo Data Privacy Impact Assessments (DPIAs) anywhere that “a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons” under article 35, while opening up the door to consulting with what will now be Supervisory Authorities (SAs), to replace Data Protection Authorities (DPAs).
To ensure more efficient collaboration with said authorities, Data Protection Officers (DPOs) are to be designated in certain circumstances, as explained in article 37.
These are just a few highlights of what the GDPR brings along in terms of responsibility and obligations. As each circumstance of data use is specific, this is by no means a holistic overview of the changes brought about by the 99 articles and 173 recitals of the GDPR.
In light of Brexit, will the GDPR apply to the UK?
The GDPR applies to UK businesses without a doubt, as it comes into effect in May 2018.
Depending upon Brexit negotiations, the following scenarios arise:
- If following the negotiations between the EU and the UK, there is either no Brexit or the UK is part of the EEA, there are no real issues. They’ll become like Norway, Iceland and Liechtenstein.
- If the UK becomes part of EFTA, like Switzerland, they’ll need to seek adequacy to make sure Privacy Rights of Union members are upheld. Think of it as the UK PrivacyShield framework, which will have to be negotiated.
- If the UK goes totally solo and
  - accepts the GDPR “as is”, which is probably unlikely but it really depends on how all EU legislation will effectively be “re-written” (or not) under UK law, nothing to be done, everybody happy;
  - wants some form of “GDPR light”, they’ll need to seek adequacy;
  - remains under the current legislation (or finds a “UK-only” solution based on UK law), the adequacy will be unlikely and data flows between the EU and the UK will probably grind to a halt. It’s doubtful we’d let it come to that, yet certainty in the UK seems to be in rather low supply lately.
Bets are open, possibly on “GDPR light”, which means the need for some adequacy mechanism: model contracts or binding corporate rules maybe, which are also the currently available alternatives to PrivacyShield. The first, however, model or standard contractual clauses, is on shaky ground and currently before the European Court of Justice. Binding Corporate Rules (BCR) for transfers within corporations are still today the safest bets.
Will the GDPR apply to non-EU companies as well?
Yes, unlike the current Directive, if your company is addressing EU citizens, the GDPR applies to your data processing activities. Article 3 sets out the territorial scope of the GDPR by stating in paragraph 2:
“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union”
In light of the Internet’s global reach, the question is, when should companies outside of the Union take the GDPR into consideration?
Clues like translating content in German or Catalan, providing shopping carts in Euros, or delivering in the EU are, of course, direct indicators that the GDPR applies.
There will, however, be borderline cases that will surface through time, yet one shouldn’t forget, before discarding this piece of legislation in its entirety, that the presumption of innocence is reversed: it’s not about proving your company is guilty, it’s about being able to prove you are innocent and making sure you have traces of that. Electronic format will perfectly do.
Notice also the reference to free services.
Will non-EU companies commit to adapting their business to their European customers? Might some non-EU companies dispute the GDPR’s application to their business, or contest the territorial scope of the GDPR? If so, what kind of consequences might result for EU citizens?
Unfortunately, time travel to look into the future is not within technical reach as of the time of writing. If anything, the courts will have to settle such a dispute.
There has surprisingly been very little litigation and jurisprudence about data protection and privacy. This is expected to change with the GDPR and following the examples set by the likes of Max Schrems who notoriously helped tear down an international data transfer agreement known as SafeHarbour, which we all (even in our sector) knew was flawed, ever since Edward Snowden confirmed suspicions about mass surveillance practices.
Companies are of course free to bring on litigation against the GDPR and it will be interesting to watch how Supervisory Authorities (SAs) but also the European Data Protection Board (EDPB) – which has more powers than the Article 29 Working Party has today – will come together under such circumstances. If the GDPR means big changes for companies, the same can be said, in my opinion, for current Data Protection Authorities and how they are organized.
If history is any kind of indicator, one might think of the curious case of Wyndham hotels that got breached a couple of times before being charged by the FTC. They disputed the charge, stating the FTC had no authority over data security matters. They lost and settled. Brand damage was not evaluated through this repetitive and rather long-lasting process.
The results of such legal battles on EU citizens are therefore still to be defined. There seem to be openings also towards the possibility of undergoing class actions, driven by consumer associations. If the US logic were to be followed, this could mount up to some money for EU consumers, however negligible. Some companies are talking about not wanting to address the EU market anymore due to increased privacy obligations while still others embrace this idea of “Competing on Privacy”. Undoubtedly these shifts in data processing obligations will shape the market, yet the EU citizen is the one who should gain from it, in the form of increased agency over his/her own data.