By this time, most companies are aware that the GDPR and the e-Privacy Regulation, which is currently under negotiation, will bring significant changes to the privacy landscape. Translating the regulation's theoretical contents into a practical implementation that fits the business will be a major challenge for many organizations. This blog post indicates specific areas of attention and includes practical guidance on where to start.
An important starting point with the GDPR is the concept of personal data: the GDPR applies only when personal data is processed. Personal data is any data by which a natural person can, directly or indirectly, be identified. Most people are aware that a name, an address and an email address are personal data. But there is more: an IP address or a device ID is also considered personal data.
In addition, a distinction is made between 'regular' personal data and 'special categories of personal data'. The latter includes, for example, a photo that reveals someone's race or a record of the reason for an employee's sick leave. Organizations should avoid collecting such data unless one of the exceptions that allows processing applies.
A third complicating factor is that the GDPR also applies when data is only indirectly traceable to a person. Data may not look like personal data at first sight, but in combination with other data or in a particular context it can lead to an individual and is therefore personal data. This means that the scope of the GDPR is very broad.
Pseudonymized or anonymized data is sometimes assumed not to be personal data. That would be convenient, because the GDPR would then no longer apply. Unfortunately, this assumption is mostly incorrect.
The GDPR explicitly applies to pseudonymized data. Pseudonymized data is data in which the most identifying fields of a record are replaced by pseudonyms, with the additional information needed to reverse the mapping (a key or a lookup table) kept separately. Pseudonymization does not take the data out of scope; the GDPR regards it as an appropriate security measure (it is named alongside encryption in Article 32).
And what about anonymization? If a dataset is truly anonymized, the GDPR no longer applies. But the bar is set high: the data subject must no longer be identifiable by any means reasonably likely to be used, by the controller or by anyone else. Encrypting or hashing the identifying fields and discarding the key removes only the direct identifiers; all data that can still be traced back to a particular person must also be gone, so that the step is genuinely irreversible. That last criterion is almost never fulfilled. To be useful or interesting, a dataset usually contains combinations of data (a postcode, a date of birth, a gender), and it is often precisely this combination that still leads to an individual.
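The distinction between pseudonymization and anonymization in working code, as an added example that is not part of the original post. The records, the key and the "leaked" candidate list are all constructed for the demonstration. The example shows three things a practitioner wants to verify before calling a dataset "anonymous": that replacing direct identifiers with pseudonyms leaves the quasi-identifiers (postcode, birth date, sex) intact, so their combination still singles out one person; that an unkeyed hash is reversed by anyone holding a candidate list, whereas an HMAC needs the separately stored key; and a k-anonymity check that gates a release until every quasi-identifier combination is shared by at least k records.

```python
import hashlib
import hmac
from collections import Counter
from typing import Optional

# Constructed sample records; the people, emails and diagnoses are invented.
# "name" and "email" are direct identifiers; "zip", "birth_date" and "sex"
# are quasi-identifiers that look harmless alone but combine into a key
# that usually singles out one person.
RECORDS = [
    {"name": "Anna de Vries", "email": "anna@example.org",   "zip": "1011AB", "birth_date": "1984-03-02", "sex": "F", "diagnosis": "flu"},
    {"name": "Birgit Jansen", "email": "birgit@example.org", "zip": "1011AC", "birth_date": "1984-07-19", "sex": "F", "diagnosis": "asthma"},
    {"name": "Chen Wei",      "email": "chen@example.org",   "zip": "1012ZZ", "birth_date": "1990-11-30", "sex": "M", "diagnosis": "flu"},
    {"name": "Dirk Kowalski", "email": "dirk@example.org",   "zip": "1012AA", "birth_date": "1990-01-15", "sex": "M", "diagnosis": "migraine"},
]
DIRECT_IDS = ("name", "email")
QUASI_IDS = ("zip", "birth_date", "sex")


def pseudonym(value: str, key: Optional[bytes]) -> str:
    """Map an identifier to a fixed pseudonym. With a key this is HMAC-SHA256;
    without one it is a bare SHA-256, a common but weak choice."""
    data = value.encode()
    if key is not None:
        digest = hmac.new(key, data, hashlib.sha256).digest()
    else:
        digest = hashlib.sha256(data).digest()
    return digest.hex()[:16]


def pseudonymize(records, key: Optional[bytes]):
    """Replace the direct identifiers by pseudonyms; every other field is kept.
    Records stay linkable (same input -> same pseudonym), which is the point of
    pseudonymization and also why the GDPR still applies to the result."""
    return [{f: (pseudonym(v, key) if f in DIRECT_IDS else v) for f, v in r.items()} for r in records]


def reidentify(pseudo_records, candidate_emails, key: Optional[bytes]):
    """Dictionary (linkage) attack: recompute the pseudonym for every candidate
    identity and look the dataset's pseudonyms up in that table. Anyone with a
    plausible candidate list and the same function can do this; the key, if
    there is one, is the only thing standing in the way."""
    table = {pseudonym(c, key): c for c in candidate_emails}
    return [table.get(r["email"]) for r in pseudo_records]


def k_anonymity(records, quasi_ids) -> int:
    """Size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means at least one person is uniquely described by those
    fields alone, i.e. the data is still (indirectly) personal data."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


def generalize(records):
    """Coarsen the quasi-identifiers and drop the direct identifiers entirely:
    postcode -> 4-digit area, full birth date -> birth year; sex is kept."""
    return [
        {"zip": r["zip"][:4], "birth_date": r["birth_date"][:4], "sex": r["sex"], "diagnosis": r["diagnosis"]}
        for r in records
    ]


def release_if_anonymous(records, k_min: int = 2):
    """Gate a release: return the generalized dataset only if every
    quasi-identifier combination is shared by at least k_min records."""
    out = generalize(records)
    k = k_anonymity(out, QUASI_IDS)
    if k < k_min:
        raise ValueError(f"dataset still singles people out (k={k} < {k_min})")
    return out


if __name__ == "__main__":
    KEY = b"constructed-demo-key-store-it-apart-from-the-data"  # constructed
    pseudo = pseudonymize(RECORDS, KEY)
    print("k after pseudonymization:", k_anonymity(pseudo, QUASI_IDS))
    leak = ["anna@example.org", "eve@example.org"]  # constructed candidate list
    print("naive hash reversed:", reidentify(pseudonymize(RECORDS, None), leak, None))
    print("HMAC without key:   ", reidentify(pseudo, leak, None))
    print("HMAC with key:      ", reidentify(pseudo, leak, KEY))
    print("k after generalization:", k_anonymity(generalize(RECORDS), QUASI_IDS))
```

Run as a script, the pseudonymized set still has k = 1 because the postcode, birth date and sex columns were never touched, the plain SHA-256 pseudonym is reversed immediately from the candidate list, and only the generalized set (area code, birth year) reaches k = 2. The k threshold and the generalization rules are the choices a real release would have to justify; the example only shows where to measure.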
In the GDPR, the controller, processor and data subject are key concepts. The controller determines what happens with personal data and how data are processed. The processor processes the data solely on behalf of the controller. The data subject is the person whose personal data are processed.
Many of our clients have questions about the requirements for a processing agreement. Examples are: when is there an obligation to conclude a processing agreement? When does an organization qualify as a controller and when as a processor?
A processing agreement is necessary when another party processes personal data for which your organization determines the purposes and means. Within the boundaries of that agreement, the processor may process the data on your behalf. However, when a processor acts beyond the limits of the agreement, it becomes a controller for that processing activity, and all obligations arising from the GDPR then apply directly to it. For example, the processor will need its own legal basis for processing the data, which can be problematic, especially when special categories of data are involved. In addition, this may create liability for the initial controller.
Not all organizations are required to appoint a Data Protection Officer (DPO). A public authority or body, an organization whose core activities consist of regular and systematic monitoring of data subjects on a large scale, and an organization whose core activities consist of large-scale processing of special categories of data are obliged to appoint one. However, the GDPR leaves room for interpretation: when is processing 'large scale', and when is it a 'core activity'? As for the latter, think of a hospital: processing special categories of personal data is a core activity there. For a marketing and advertising company that wishes to use, for example, location data, appointing a DPO could likewise be mandatory. A DPO does not need to be someone from within your organization; it may also be an external person.
In addition to the GDPR, the e-Privacy Regulation will also bring many changes. The draft Regulation is currently going through the EU legislative process. The ambition is that it will become enforceable at the same time as the GDPR, in May 2018. The question is whether that ambition is realistic.
The current e-Privacy Directive contains rules to ensure the confidentiality of communications (including a prohibition on interference) and on the use of cookies. It regulates the protection of the right to privacy and is focused on traditional telecom providers, such as ISPs. The e-Privacy Regulation will, in addition to the traditional providers, also cover 'over-the-top' services (OTTs) such as WhatsApp, Facebook Messenger, Gmail, Skype and Snapchat. This means that these service providers must also ensure the confidentiality of citizens' communications and prevent interference, interception and monitoring. This also applies to machine-to-machine communication, so Internet of Things (IoT) communication is covered as well. The reason for the broader scope is that consumers and businesses increasingly depend on new internet services for their communications: phone calls and paper letters have been replaced by Voice over IP, instant messaging and webmail.
In addition to the content of communications, so-called 'metadata' are also protected by the Regulation. This includes location data, the time and duration of a communication and the identity of the sender. With current technology, this data provides almost as much insight into someone's private life as the content of the conversation itself.
Many organizations have questions about the changes the e-Privacy Regulation will bring regarding the use of cookies. As it stands, the Regulation will not necessarily make this use easier.
Cookies may be used when (1) this is necessary for transmitting the data, (2) it is required to provide the requested service, (3) it is necessary for measuring web statistics (first-party cookies), or (4) the data subject has given consent.
For the obtained consent to be valid, strict requirements apply. The consent request must be presented in an understandable and easily accessible form and in plain and simple language. In addition, the data subject must be able to withdraw consent at any time, and consent must be given freely. The controller must be able to demonstrate that it obtained consent. If consumers or users do not explicitly consent to the processing of their data, companies must, according to the proposed Regulation, anonymize or delete the data.
Cookies that are necessary for the proper functioning of a website or service and cookies used for web statistics (first-party cookies) do not require consent. This is already the case under Dutch law; for tracking cookies, however, consent is required before these third-party cookies are placed. The same consent requirements as under the GDPR apply: consent must be freely given, specific and informed. The GDPR also contains a 'no bundling' provision: you cannot, for example, ask for consent to access the site and at the same time request consent for services that are not strictly necessary to provide that access. The question is whether the use of tracking cookies (i.e. advertising revenue) is necessary to keep websites online. This discussion will continue in the coming months.
For companies that use device fingerprinting, the consent issue is also relevant. Device fingerprinting is the collection of data that a device (for example a phone or laptop) transmits when it uses the internet through a browser. This includes data such as the operating system, installed fonts, IP address and screen size, which together allow the device, and thus its user, to be recognized. This information may only be collected when it is necessary to connect to the website and the visitor is clearly informed about the collection and the possibility to opt out. This will create an additional challenge for service providers that use device fingerprinting.
The substantial fines that can be imposed under the GDPR are well known. Under the e-Privacy Regulation, fines are imposed by the same Data Protection Authority. Under the current proposal, the fine for the incorrect use of cookies and other marketing channels is up to 10 million euros or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. An amendment has already been filed to raise this to 20 million euros or 4% of total worldwide annual turnover. We will have to wait and see whether this proposal makes it into the final Regulation.
For many organizations there is still a lot of work to do before the GDPR is properly implemented, and a new challenge is coming up with the proposed e-Privacy Regulation. We will keep you updated on news regarding the GDPR and the e-Privacy Regulation and will continue to provide practical tips and guidance for implementation.