2018 has passed, and with it the EU General Data Protection Regulation (the "GDPR") has taken effect. We have seen legal counsel, privacy officers, DPOs and their teams within various organisations working very hard to get their GDPR programmes in place. We also saw EU Data Protection Authorities beginning to show their new GDPR teeth, albeit, in our view, in a lenient manner. This changed last week when the French Data Protection Authority imposed a EUR 50 million fine on Google for lack of transparency, inadequate information and lack of valid consent regarding personalised ads. Google has already indicated that it will appeal the decision.
What else is happening in the EU?
European Data Protection Board (EDPB)
The EDPB (the 'old' Article 29 Working Party) endorsed the Article 29 Working Party opinions and guidelines as relevant for the GDPR. This includes the Working Party's guidelines on Transparency and on Data Protection Impact Assessments. The EDPB's new guidelines relate to the territorial applicability of the GDPR and the accreditation of certifying bodies. The EDPB also adopted opinions on the Data Protection Impact Assessment (DPIA) lists, for the purposes of consistent application of the GDPR across the EU. In any case, the interplay between the e-Privacy Regulation and the GDPR is on the EDPB's agenda for 2019.
The EDPB on the Payment Services Directive 2 (PSD2)
The revised EU Payment Services Directive (PSD2) contains amended and new rules for the provision of payment services. PSD2 enables authorised parties (including non-banks) to access payment account data and to initiate payment transactions if the account holder gives their explicit consent. Banks are in principle required to give such authorised parties access to the bank accounts of their clients.
In relation to the consent given by the account holder, the EDPB issued a letter in July 2018 stating that 'explicit consent' under PSD2 is a contractual requirement and not a legal ground within the meaning of the GDPR. However, in line with the requirements of the GDPR, the account holder should be made fully aware of the purposes of the processing of their account data and explicitly agree to the payment service provider's access to that data. As for the much debated 'silent party data' (the data of other individuals to which the payment service provider inevitably has access, as these other individuals make or receive payments visible on the account), the EDPB mentions that legitimate interest could be a legal ground for processing such silent party data. The EDPB emphasises that the limits of 'legitimate interest' as a legal ground apply, and that the interest of the payment service provider is bounded by the reasonable expectations of the silent party. This is a point of debate, as the expectations on the side of the silent party can be difficult to determine. More guidance is required, especially in the field of account information services, where the amount of silent party data can be substantial.
The e-Privacy Regulation (ePR)
The e-Privacy Regulation (ePR) will replace the e-Privacy Directive and provide supplemental rules for the protection of privacy in electronic communications. The ePR builds on the GDPR and includes fines of similar magnitude. Although we still await the final version, it is expected that the ePR will enter into force in the course of 2019. The ePR applies to traditional telecom providers and adds online communication services such as WhatsApp, Facebook Messenger and Skype to its scope. In line with the GDPR, the ePR confirms that communication metadata (e.g. the time and location of a call) must be anonymised or deleted if a user has not given their consent, unless the data is required for billing.
Under the ePR, the rules relating to cookies and similar tracking technologies are simplified and streamlined. First-party audience measurement cookies are newly exempted from the consent requirement. The ePR includes the possibility that consent for cookies can be given through browser settings, and it obliges providers of software that can be used for electronic communications to offer privacy settings options.
Big Data (Analytics)
The year 2018 provided some useful opinions in the fields of the GDPR, big data (which is, in short, data of great volume, velocity and variety) and artificial intelligence (or "AI"). A commonly used description of AI is 'a system's ability to correctly interpret external data, to learn from such data, and to use those learnings to achieve specific goals and tasks through flexible adaptation'. The International Conference of Data Protection & Privacy Commissioners (ICDP&P) published a Declaration on ethics and data protection in AI (i.e. a consultation document). The Declaration aims to achieve fairness, accountability, transparency and individual control. Common governance principles for AI are necessary and should build on the work of the Working Group on Ethics and Data Protection in Artificial Intelligence, as established by the ICDP&P.
For big data analytics as a marketing tool, the Article 29 Working Party's final Guidelines on automated individual decision-making and profiling contained some interesting insights. The Guidelines summarise profiling as 'gathering information about an individual (or group of individuals) and analysing their characteristics or behaviour patterns in order to place them into a certain category or group, and/or to make predictions or assessments' (e.g. about their ability to perform a task, about interests or about likely behaviour). As such, merely classifying personal data is already deemed 'profiling', without any prediction or real assessment. Profiling is not specifically restricted under the GDPR, but the Working Party emphasised that controllers should give meaningful information as to how their profiling activities work, and stressed that complexity is no excuse. Where the profiling results in an automated decision which legally or otherwise significantly affects the individual, this meaningful information includes information about the logic involved, but 'not necessarily the complex explanation of the algorithms used or the full algorithm'.
Brexit
In light of recent Brexit developments, chances are that the UK will qualify as a 'third country' within the meaning of the GDPR from 29 March 2019. Any transfer of personal data to the UK will then be subject to the same conditions as other international data transfers.
After that date, in principle a measure to legitimise each transfer will be required. At present, the available measures for UK-bound data transfers will be:
- Appropriate safeguards, such as:
  - Standard Contractual Clauses (SCCs);
  - Binding Corporate Rules (BCRs);
- Specific situations (i.e. individual consent and performance of the agreement).
Preparing yourself for data protection related issues, anticipating the different Brexit scenarios, would include the following steps:
- Assess which UK entities (controllers, processors or sub-processors) process personal data for which you are the controller;
- Assess which contractual arrangements have been made with respect to international data transfers;
- Assess which additional measures are necessary (e.g. SCCs);
- Adjust your privacy statement;
- Record this international data transfer and the applicable measure in your processing register.