The panic has receded. The frantic drafting has slowed down. The GDPR – widely regarded as the most ambitious data protection legal framework ever created – is in place and life goes on. As the dust left by the dramatic coming into effect of the GDPR settles, we are beginning to see what the GDPR means in practical terms. Many questions remain unanswered and many aspects of the law will take years – if not decades – to be fully interpreted and understood. However, among the numerous issues covered by the GDPR, some areas are emerging as the key strategic questions to address and becoming the focus of attention at an operational level.
Is enforcement happening?
One GDPR-related question appears to overshadow all the others: when will enforcement happen and how strict and heavyweight will it be? So much has been said in recent times about the infamous 4 per cent of the worldwide annual turnover as a measure for fines that, in a morbid kind of way, the expectations are sky-high. This has the effect of disrupting not only the approach to compliance – which is too often tainted by efforts to simply avoid negative consequences – but also the understanding of the reasons for regulatory action. The primary role of regulators is to ensure compliance and they have plenty of tools at their disposal to achieve that. Enforcement will undoubtedly happen and as enforcement actions take place, we will be able to calibrate what is seen as a big deal.
In the meantime, it is possible to predict what worries the regulators. Both the guidance issued and the current regulatory action point in a clear direction. As the UK Information Commissioner’s Office has stated, breaches of the law involving novel or invasive technology, or a high degree of intrusion into the privacy of individuals can expect to attract regulatory attention at the upper end of the scale. Similarly, the Irish Data Protection Commission has indicated that it will be targeting those engaged in intensive online tracking and profiling, as well as companies which use emerging technologies or which are intensively engaged in automated decision making.
All of this seems to suggest that any technological development that is particularly aimed at exploiting the value of personal data at a large scale is likely to be closely scrutinised. This is helpful to know as there are tools in the GDPR, such as data protection by design and by default, and data protection impact assessments that are ideally placed to identify and address the privacy risks resulting from new technologies and data uses. So a clear message to take on board is that whilst we have yet to see a spectacular enforcement action, it is essential to be alert to the regulators’ priorities and consider at the outset the implications of sophisticated data uses for privacy.
Power to the people
One of the greatest – and perhaps most surprising – achievements of the GDPR has been its ability to bring privacy and data protection into the mainstream. At pubs, at supermarkets, at schools, in the real world … people talk about the GDPR. It’s slightly surreal. That has in part led to an unexpectedly high increase in the exercise of data subjects’ rights. Time will tell if the volume of requests experienced so far will decrease, increase or remain constant, but dealing with all types of data subjects’ requests currently demands a far more dedicated approach than ever before. Dealing with data subjects’ rights is not easy because most of these rights are not absolute rights. They cannot be ignored but they often involve careful thinking about the limits to be applied, the rights of others and the practicalities of honouring those rights. As with many other European data protection matters, having a process in place is key and following it is essential.
Implementing a process to handle requests from individuals who wish to exercise their data protection rights starts with mapping out the decision-making that goes into it. The GDPR establishes a number of rights – some longstanding ones, like the right of access, rectification or deletion, and some new ones, like data portability – but in every case, the steps to take tend to follow a similar pattern:
- identification of the individual;
- rigorous management of timeframes;
- appropriate use of parameters and exemptions permitted by law; and
- effective engagement with the individual to meet their expectations.
Honouring data subjects’ rights should not be business-crippling. It should be part and parcel of operating in the digital economy and it will certainly pay off to approach this in a planned and organised manner.
International data transfers are back
Speaking of putting processes in place, there is an issue that was somewhat put to one side in the crazy days of pre-GDPR panic and is coming back as a major concern: international data transfers. It should be pretty obvious by now that global data flows are essential to the digital economy. It’s how the internet works and the bread and butter of today’s digital world, from cloud computing and mobile communications to e-commerce and social media. However, European data protection law has retained its traditional hard core approach of restricting data transfers to non-EU countries and this continues to be a visible area of concern.
Transfers of personal data to the US in particular are under constant scrutiny. For starters, after nearly two years in operation, the criticism that the EU–US Privacy Shield receives from all sides is still relentless. Fairly or unfairly, the abrupt end of the original Safe Harbor framework that led to the creation of the Privacy Shield still casts a shadow over its robustness. The fact that the European Parliament has called on the European Commission to suspend the Privacy Shield is indeed worrying and a sign that even if the Commission still defends the framework as a valid one, regulators are likely to remain wary.
Even more preoccupying is the referral by the High Court of Ireland to the Court of Justice of the European Union (CJEU) of a number of critical questions about the validity of the European Commission’s Standard Contractual Clauses (SCC) for transfers. The SCC are by far the most relied-upon mechanism to legitimise international data transfers, so the fact that the CJEU has been tasked with determining the validity of the existing model clauses is a serious concern.
Against this background, partly by design, partly by elimination, Binding Corporate Rules (BCR) have emerged as the go-to solution for any organisation seeking a robust yet flexible approach to legitimising global data flows. BCR top the list of options available in the GDPR for this purpose, and regulators appear sensitive to this situation. It is probably not a coincidence that one of the first actions of the newly created European Data Protection Board (EDPB) has been to reiterate the regulators’ most recent guidance on BCR. In a nutshell, with the coming into effect of the GDPR, the EU regulators are clearly endorsing the role of BCR as the main enabling tool for lawful data transfers worldwide.
e-Privacy as an added complexity
Looking ahead, high on the list of most troubling issues is the relationship between the GDPR and the evolving EU e-privacy framework. The level of unease is particularly noticeable around the interaction between the requirement for a lawful ground for processing and the strict obligation to obtain consent for the use of tracking technologies. Can internet profiling rely on “legitimate interests”? Is my “cookie wall” approach compatible with freely given consent? Will the forthcoming e-privacy regulation change anything and, if so, when? These are difficult questions because the answers have tangible practical implications.
Something that is certain is that from a European public policy perspective, e-privacy is an additional necessity to what the GDPR already provides, not an alternative. That means that we should be prepared to continue to operate with this two-tier approach for the foreseeable future, whilst acknowledging that the law in this area is almost as dynamic as the technological developments.
Eduardo Ustaran is co-director of the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email firstname.lastname@example.org. Twitter @EUstaran.Tweet