24 June 2018

Data Protection: The GDPR Misconceptions

Inboxes everywhere have been inundated with messages from companies seeking continued permission to send emails after the GDPR came into force on May 25th. Most companies have erred on the side of caution regarding consent reconfirmation, regardless of the legitimacy of their past relationship with users. This is the most common, but not the only, misconception regarding GDPR compliance: consent is not the only lawful basis for data processing.

1. Requirement for Consent

For companies seeking to continue direct marketing, it is widely believed that such activity requires the data subject’s explicit consent. Where that is true, it is normally a consequence of the e-Privacy Directive, not the GDPR. The legitimate interests basis for processing and communication can also be used, provided the interests of the controller or a third party are not overridden by those of the data subject. Making this determination involves examining the controller-subject relationship, particularly the subject’s reasonable expectations of how their data may be used and processed. Another persistent misconception is that all previous consents must be reconfirmed. Prior consent remains adequate where it was unambiguously given and meets the GDPR’s standard for consent.

2. GDPR & Brexit

Another misconception is that the UK will not be GDPR compliant after Brexit. The UK was a part of the EU when the GDPR became law. Furthermore, the Data Protection Act 2018 entrenches the GDPR in UK law and has already gained royal assent. Regardless of Brexit, that Act keeps GDPR as part of UK law.

3. Data Protection Officer Appointment

All entities need someone keeping them GDPR compliant, and a Data Protection Officer (DPO) is the obvious way to do this. However, not all need to appoint and register a DPO. A DPO is only mandatory if an organisation meets certain criteria, including where processing is carried out by a public authority, where core activities involve regular and systematic large-scale monitoring of individuals, or where special categories of data are processed on a large scale.

4. One National Regulator

Many people believe that the only regulator with jurisdiction over an organisation’s processing is the one in its own country. While the ‘lead supervisory authority’ will usually be the regulator where an organisation has its main establishment, other regulators can still have jurisdiction. For example, an organisation based in the UK may become subject to the French data protection regulator if people in France are ‘substantially affected’ by the UK-based processing activity, or if the foreign regulator receives a complaint regarding that processing from a person in its jurisdiction. There are then rules to decide which regulator takes the lead.

5. Data must be kept in the country of origin

The GDPR allows data to reside outside the EU. The simplest route is where the European Commission has decided that the destination country provides an adequate level of data protection. The Commission has historically recognised several jurisdictions as adequate; however, that list needs review and monitoring in light of the GDPR, as some previously judged adequate may no longer qualify. Transfers can also rest on appropriate safeguards such as standard contractual clauses or binding corporate rules, and, in limited cases, on the data subject’s explicit consent.

GDPR: A Barrier to Transatlantic Trade?

It is apparent that many US businesses and policymakers are unhappy with the new regime. Days after complaints were brought against Facebook, US Commerce Secretary Wilbur Ross wrote an op-ed criticising the GDPR and its potential impact on US-EU trade relations. Ross stated that the GDPR could “disrupt transatlantic co-operation on financial regulation, medical research, emergency management co-operation, and important commerce” while creating “unnecessary barriers to trade, not only for the US, but for everyone outside of the EU.”

He also expressed concern for law enforcement and IP rights holders, who will face restrictions in accessing WHOIS domain-name registration data. WHOIS is the public directory of domain-name registration records, including registrant contact details, and is used for various legal and investigative purposes. The future of WHOIS and what it publishes is unclear, particularly in light of recent legal action by ICANN (the body that governs WHOIS policy) against a contracting registrar. Ross also noted that the new rules could hamper the global fight against terrorism by making it harder to identify those promoting terrorism online. While valid, these concerns may be allayed once the appropriate use of GDPR exceptions is determined by national data protection authorities.

Ross opined that the costs of GDPR compliance may disproportionately affect small and medium-sized companies, leading businesses to turn away from EU markets and reducing consumer choice in digital services. This would suggest that the GDPR could reinforce the dominant market position of the tech giants, counter to the Regulation’s stated aim of giving EU citizens and residents greater control over their data.

In response, UK Chancellor Philip Hammond stated that, despite such concerns, the UK must abide by the GDPR, now enshrined in the UK’s new Data Protection Act. As the GDPR represents the EU’s first Regulation with extraterritorial application, Hammond said he was unsurprised by such concerns. However, should the GDPR not work as planned, he expressed confidence that the necessary amendments could be made to support trade relations.

Despite Ross’ comments, state-level data protection policies in the US are beginning to imitate the GDPR. On May 22nd 2018, Vermont passed a bill to regulate data brokers and provide protections for consumers whose personal information is collected, analysed and sold by such companies. In GDPR-like fashion, the bill requires data brokers to register with the state, disclose their data collection practices and opt-out policies, and notify authorities of data breaches.

While Vermont may not have the clout to influence federal data protection policy, a California ballot initiative expected to appear in this November’s election, the California Consumer Privacy Act 2018, may do just that. The California measure would give consumers the right to ask companies to disclose what data they have collected about them, similar to the GDPR right of access. It would also grant Californians the right to demand that companies not sell their data to third parties, and the right to sue companies that violate the law.

The concerns raised by Ross represent a variety of interests at stake in the data economy. While an unwelcome development for US tech giants, the GDPR represents a global shift in data privacy regulation, as similar policies have become more common internationally. Regulators will require time to acclimate, but ideally these new rules will be applied in a way that allows for greater privacy without considerable disruption to international trade.

Public or Private? Facebook’s Most Recent Privacy Gaffe

Fresh off its Cambridge Analytica privacy issues, Facebook is back in the news for further problems in managing user data. The social network has now admitted to a software bug that inadvertently set users’ private posts to public, meaning anyone could read them.

Facebook explained that roughly 14 million people were affected by the bug over a span between May 18 and 27, during which the default audience for new profile posts was set to public. The problem is believed to have been caused by a new feature being tested by Facebook that would allow users to share “featured” items, provided those items are designated as publicly shared. However, the feature resulted in all new posts defaulting to public, not just those the user had designated as publicly shareable.

Facebook’s chief privacy officer, Erin Egan, explained in a statement: “To be clear, this bug did not impact anything people had posted before – and they could still choose their audience just as they always have. We’d like to apologise for this mistake.” Facebook has stated that it plans to notify all affected users.

This represents the social network’s second privacy crisis of 2018, after it was discovered in March that the research firm Cambridge Analytica had harvested details of millions of Facebook users through a third-party app. Complaints have also been brought against Facebook in Ireland under the General Data Protection Regulation, alleging that Facebook fails to meet the consent requirements of the new Regulation.