What is the GDPR?
| Regulation (EU) 2016/6791, the European Union’s (‘EU’) new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.
It doesn’t apply to the processing of personal data of deceased persons or of legal entities. The rules don’t apply to data processed by an individual for purely personal reasons or for activities carried out in one’s home, provided there is no connection to a professional or commercial activity. When an individual uses personal data outside the personal sphere, for socio-cultural or financial activities, for example, then the data protection law has to be respected.
Pity Europe’s 500 million citizens: in the last few weeks, they have been deluged with vast numbers of emails, all largely asking the same question: do you still want to be connected to us? As the days have ticked towards the May 25th rollout of Europe’s new flagship data protection legislation, the General Data Protection Regulation (GDPR), the deluge has become a tsunami of increasingly impassioned pleas.
In the last hours before the new law came into force across Europe, Mark Zuckerberg travelled to Brussels to explain Facebook’s commitment to user privacy after the Cambridge Analytica scandal, Europe saw final rounds of meetings about GDPR implementation, and at least one leading advocate announced they had “#GDPR notification fatigue”.
Oh, and this writer’s email inbox is finally saturated, too.
A new law
GDPR is a major fightback against what Brussels lawmakers see as a widespread and creeping abuse of personal data in Europe. GDPR provisions are heavyweight, and include the need for explicit consent by people (called data subjects in the legislation) to any use (or processing) of data held about them.
The legislation is broad and deep. It covers explicit rights by data subjects to consent to the use of their data, to access data held about them, to be notified promptly in the case of any breaches, and even a right to be forgotten. Definitions of this personally-identifiable data is likewise wide-ranging. Email addresses, social media posts, and IP addresses all fall under its coverage (see table).
Already, Brussels lawmakers see GDPR as the future global benchmark for privacy legislation. It’s a remarkable turnaround. The legislation has had a relatively controversial road, frequently criticized variously for being inflexible, heavy-handed, too costly, or simply just anti-business. But times have changed, post Cambridge Analytica. Privacy is a very hot topic indeed.
Threat or opportunity?
But if GDPR is a hot topic, it is also a rapidly widening one, a policy lightning conductor potentially pulling in a huge number of issues. Much of this focuses on its international reach. The scope of GDPR is “extra-territorial” –in legal parlance– meaning it will almost certainly impact businesses regardless of where they are located if they target European citizens or process the data of European citizens in any way.
The consequences of non-compliance are severe, and clearly no one wants to be a test case. Modelled closely on Europe’s competition law remedies, GDPR infringement would likewise be costly with provision for fines of up to 4 percent of annual global turnover possible. With the potential for large multinationals to be hit by billions of dollars of penalties, boardrooms everywhere have sat up to take notice.
Beyond this extra-territoriality in reach may be specific pressures internationally. GDPR may even challenge other policymakers to up their game with further regulation impacting many different areas.
There are other implications, including an emerging recognition of privacy issues as a new type of business risk. Dan Caprio, Co-Founder of the Providence Group, a Washington, D.C.-based consulting firm that specialises in international trade affairs related to privacy and cybersecurity, says, “Industry leaders are beginning to understand privacy is a risk that needs to be managed by senior corporate executives.”
But, equally, there may be an opportunity, too. In this perspective, legislators want to encourage business leaders in more positive thinking to respond to what many are seeing as a new oil industry, a world driven by data. Dr Evangelos Gazis, Chief Architect for Security in IoT at Huawei, says GDPR provides a new emphasis in this world of data: “[GDPR] highlights the value of data in the IT-driven part of the economy.” He continues: “We know we are generating more data than ever before as a society so GDPR touching these aspects of privacy [represents] an increasing part of the value we [derive] from data.”
GDPR could stimulate the introduction of new business models embedding privacy, well beyond the part that most of us are currently experiencing, the consent for email contact. The talk is of configuring so-called human-centred privacy, and systems that from the outset will embody privacy-by-design. “If I look at it from an incentive position,” concludes Dr Gazis, “GDPR is rewarding the players who will respect your privacy rights more.”
Meanwhile, there are intensive efforts to meet the requirements. Sherrese M. Smith, Senior Partner at Paul Hastings in Washington, D.C., and an expert in privacy and cyber regulation, points out, “In the rush to the May 25th deadline for compliance with [the GDPR], many companies have focused on finding efficient and streamlined methods for coming up with base-level compliance with the various requirements under the law, including consent and use of data, deletion of information upon request, response to cybersecurity breaches, among many others.
She continues, “Companies will need to be able to show that they have contractual provisions in place for the transfer of data, that their third parties and affiliates will be able to comply with the law, that they have processes in place to respond to consumer inquiries about data and requests for deletion of the same.”
| What is Personal Data in the GDPR?
| Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible. The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing.
| Examples of personal data a name and surname; a home address; an email address such as name.surname@company.com; an identification card number;location data (for example the location data function on a mobile phone); an Internet Protocol (IP) address; a cookie ID;the advertising identifier of your phone; data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
| Examples of data not considered personal data a company registration number; an email address such as info@company.com; anonymised data.
Source: Adapted from European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/reform_en
A global gamechanger, or more uncertainty?
Privacy regulation is just one part of a commercial regulatory fabric impacting business. In its current form, however, GDPR is “horizontal” legislation ranging across industrial and commercial sectors. But, given the involvement to collect, transport, and store data, it is the ICT community that naturally takes centre stage and is under the most scrutiny.
GDPR is not the EU’s first legal process dealing with data protection. But it is designed with the twin aims of greater user protection and unifying approaches that have been to date relatively disparate across the 28 national data protection jurisdictions. For the first time, a core set of provisions should see the same rules imposed across the EU countries.
Nevertheless, the widening scope of GDPR means many experts are still seeking clarity. Adrienne E. Fowler, Partner at Harris, Wiltshire & Grannis in Washington, D.C., suggests: “The GDPR will affect many US-based companies, but some remain confused about how it will apply and what they should do in response. Part of this confusion arises from ambiguities in the GDPR itself, lack of clear guidance from the Article 29 Working Group in advance of the implementation deadline, and uncertainty about how forthcoming changes to the e-Privacy Directive will interact with the GDPR.”
Interpretation and enforcement issues are going to be key. Paul Hastings’ Sherrese Smith points out: “The May 25th deadline…is not the end, but rather the beginning, of the most critical phase of the law, the enforcement of the law by the regulators. Companies will need to consult with law firms and lawyers who understand how regulators and administrative bodies expect to implement and enforce the various requirements under the law.”
Adrienne Fowler agrees: “I hope that data protection authorities and the European data protection board will provide clear and practical guidance in the coming months, including materials directed at companies that are not established in the EEA [European Economic Area] and who may be new to the European approach.”
Across the world in Asia-Pacific, Prof. Hannah Yee Fen Lim of the Nanyang Technological University in Singapore is not convinced there will be a singular response in the region. Commenting to PTC in an interview, she concludes, “Asia-Pacific comprises many different countries at varying levels of technological advancement. As a result, those jurisdictions which are not very developed technologically certainly do not have much interest in the GDPR.”
She suggests GDPR has encouraged compliance, but it depends on the size of the company and resources available. “By and large, the multinationals operating in the Asia-Pacific region have been frantically trying to get their house in order. There is certainly confusion as to some of the exact requirements set out in the GDPR, but most are trying their best in their attempts to comply.
“As for the SMEs [small and medium-sized enterprises] in the region, it really depends on the sector and each SMEs appetite in taking a risk that the EU will not target them as there are bigger and more significant targets for the EU to take aim at.”
Regulatory interventions may be specific, she predicts. “GDPR will eventually force an upgrading in some of the major economies in Asia-Pacific in those areas that will be of national interest, such as cybersecurity, hence I foresee provisions on data breach notifications, for example, to be fairly well adopted eventually.”
Back in Europe, in the whirl of last-minute debates, announcements, and receptions in Brussels, it is clear further work needs to be done, particularly on improving on-the-ground data protection enforcement.
Isabelle Buscke of the Federation of German Consumer Organisations says greater enforcement is now key: “It is true we need to step up enforcement…we think GDPR provides the right tools and we will have to see how it works in practice if Member States put their money behind their words and staff their authorities and equip them in an adequate way.”
Reportedly, some timetables are already running late with eight European countries unable to make domestic legal changes by the May 25th deadline. Four further countries are expected to finalise their legislation by early June.
Nevertheless, Europe’s consumer advocates have generally welcomed GDPR and the progress made, even if some issues still need attention. Isabelle Buscke told PTC, “Generally, we are quite happy with the outcome of GDPR because [this positive] outcome was not predictable during the process.” She continues, “The result will now strengthen consumer control [of their data]. But, with regard to implementation, we will probably have to wait to the end of [May] to know how exactly it will work out.”
Ms Buscke points out that profiling, as one issue, she believes will need further attention. “The control that consumers have over the profiles built about them is probably [still] not strong enough even with GDPR.”
Privacy meets a connected world
The landscape, however, may already be moving to other challenges as well, particularly where privacy issues meets an increasingly connected “real world” that will see IoT, AI, and 5G in the very near future.
In such a landscape, can legislation such as GDPR really keep up? Policymakers now seem increasingly emboldened to take the steps to ensure it does. Last week, Pearse O’Donohue, the executive charged with overseeing the policy needs of future ICT networks in the European Commission, told a forum in Brussels “The GDPR will be central to the implementation of the European version of IoT policy because we do know that these devices will be hoovering up vast amounts of data…a lot of it will be non-personal but inevitably part of that will be personal. That is why the GDPR is so important.”
In terms of legislative architecture, the GDPR itself is part of an overriding EU aim: that of creating a Digital Single Market in the European Union, says Mr. O’Donohue. It will be joined by other legislation outputs involving the free flow of non-personal data, e-Privacy, and a cybersecurity framework. European legislators also expect to look at product liability rules to cope with the digital space.
Consumer advocates are already trying to envision what interconnectedness will actually mean. Monique Goyens, Director General of BEUC, a European umbrella group representing 43 consumer organizations in 31 countries, last week urged a regulatory recognition of what a world of connected products will imply. “IoT will be a gamechanger for consumers,” she says. “It will change the way we interact with products, the way we interact with each other, and the way we interact with services.”
She is emphatic that billions of connected products will bring many benefits to consumers but, she says, connected products mean other risks: “IoT is testing the limits of all the principles that are on the line in consumer protection. Can you really speak about privacy in your house, in the street, in your shopping, when you are surrounded 24 hours a day by connected products?” She points to a fundamental question: “How can I realistically ringfence my privacy in a connected world?”
One urgent focus needs to be on self-driving and autonomous vehicles, she says, as these could seriously undermine privacy protection, mixing and diffusing the distinctions between personal and non-personal data. “When I am in a connected car, there is a lot of data about me being collected at the same time as technical data collected about the car,” she says. “When does this data become non-personal?” She predicts “a huge fight” to resolve these issues.
Needed: some future perspectives
Her remarks underline what many fear: that privacy issues could remain troubling, but perhaps even unresolved, in the horizons now emerging. Already, European consumer investigations have unearthed electronic door locks that can be hacked, and connected toys that can be used to spy on households.
But many questions remain: do informed, and even consenting, users necessarily really understand what is going on with their privacy? The email inbox meltdown experienced by many in Europe indicates perhaps notification may be too much of a good thing. Some European parliamentarians are already calling for a push in digital literacy initiatives to cope with the IoT era.
Given increased data flows across borders, many issues aggregate into more cultural perspectives that will no doubt inform future regulatory approaches. Even in response to the current GDPR, this is apparent to several commentators who see differences between the EU and US approaches which otherwise share many societal perspectives. Harris, Wiltshire & Grannis’ Adrienne Fowler says “[A]nother part of [the current] confusion [for US companies looking at the consequences of GDPR compliance] arises from the differences in cultural attitudes about data protection between the US and the EU.”
The Providence Group’s Dan Caprio suggests that there will be different, and perhaps, more pragmatic rules developing in the US. He points out, “While GDPR is forcing US companies to take compliance approach in Europe, many companies are implementing a principles-based approach to global privacy practices. However, a consensus has yet to emerge in the US around specific privacy legislation.”
Others believe that a fundamental rethink away from legislation will be sorely needed because the impending technology changes will be larger than many contemplate. Rob Van Kranenburg, Founder of Council, a European think tank and IoT research consortium, points to a paradigm shift driven by connectedness that will render current policymaking ideas entirely ineffective, and leadership needs to take an entirely new approach. “I think GDPR is addressing the symptoms, it is not addressing the drivers,” he says.