
Wake up call!

Each day more and more comment is emerging on the lack of preparedness of business to deal with the forthcoming EU General Data Protection Regulation (GDPR) and the need to put education and training at the top of the business agenda – and you may find these two very recent news items of interest and helpful.

We briefed a Member of the Government’s Treasury Select Committee a few weeks ago, when we highlighted that GDPR is simply a much bigger issue than a digital marketing issue under the ICO’s remit, reporting into the Department for Culture, Media and Sport (DCMS).

Check out this recent news item

We strongly support the idea of a debate in the British Parliament about the role that the British Government and in particular the role that the Department for Business, Innovation & Skills (BIS) now needs to play in raising awareness about GDPR and the changes in data protection and privacy as well as helping to ensure that all business sectors are advised to get education and training as soon as possible as well as recruit suitably qualified individuals before it’s too late.

Separately, a new independent survey of 300 businesses confirms this general lack of preparedness and highlights the business continuity risk faced by companies with respect to GDPR:

  1. Almost 20% of all respondents still had no idea whether changes in the regulation will apply to them, despite confirming they do store and process personal data
  2. 69% of respondents said their business will need to invest in new technologies or services to help prepare the business for the impact of GDPR
  3. 75% of respondents said that keeping up to date with changing data protection regulatory requirements is a burden on their business
  4. Over 50% of respondents reported that their business has already allocated training budget to help staff understand and comply with GDPR, however, just under a third have not

Details of the survey can be found here

Ardi Kolah is director of GO DPO EU Compliance and GO DPO EU Recruitment. More information is available here

Invite to FREE event Wed 23 Sept 6.00-8.30pm

If you would like to attend this FREE event, please RSVP


What do Bob Dylan, ethics in data collection and GDPR have in common? More than you think.

Yes, how many years can some people exist

Before they’re allowed to be free?

Yes, how many times can a man turn his head

Pretending he just doesn’t see?

Yes, how many times must a man look up

Before he can see the sky?

Yes, how many ears must one man have

Before he can hear people cry?

The answer, according to Dylan, is blowin’ in the wind.

Back in 1962, Blowin’ in the Wind became the anthem of the civil rights movement. In fact, Peter, Paul & Mary performed it on the steps of the Lincoln Memorial in August of that year, a few hours before Dr Martin Luther King delivered his ‘I have a dream’ speech.

Years later, Dylan explained that the song can mean whatever you want it to mean. But there’s no getting away from the sentiment that it asks questions about what’s wrong with the world. And the solution isn’t that far away.

Fast forward to 2015 and here in Europe a major gust is heading our way soon. It’s called the EU General Data Protection Regulation (GDPR).

Of course Dylan wasn’t thinking about personal data protection when he wrote the lyrics to the song but many pressure groups, consumer protection lobbyists and those that value individual privacy over the rights of Governments and big business will no doubt feel these lyrics speak to their cause too.

But the lyrics also raise an important philosophical point. If we really want to change the world and make it a better place, we can do this without waiting for some piece of legislation to drop on the doormat, right?

Isn’t it enough to do the right thing because it’s the right thing to do? It’s about being in control of our own destiny.

Think about it. Technology shows what you can do. Laws and regulations tell you what you’re allowed to do. But ethics tell you what you should do. The European Parliament, European Commission or the Council of Ministers don’t even feature in that decision.

And that’s a point that’s perhaps getting overlooked as we pick apart in fine detail what will be – and not be – in the final version of the GDPR.

If you limit yourself to complying with laws and regulations, you get stuck at the level of a toddler that only obeys because it’s forced to do so, not because it wants to do so.

The word ‘compliance’ feels more stick than carrot, so I would question whether it can really move mountains and make the world a better place. The word also presumes that perhaps we’ve been bad in some way, that it’s time to change our ways, and that the only way to do this is by force: by complying with what someone else has told us to do.

How depressing is that?

Under GDPR, whether the financial penalty is 2% or 5% of annual turnover for a commercial company is actually irrelevant. It’s a big number. A quantum leap in the financial penalty stakes. And Supervisory Authorities across the EU know this is what ‘compliance’ actually means when it hurts companies into doing something when they’re not keen on changing their ways.

Compliance is also one side of the data ethics debate and at the end of the day companies should be able to convince customers to trust them with their data by being transparent, flexible and morally correct, not just by complying with the law or some minimum standard set by bureaucrats in Brussels.

There’s no turning back from here. It’s time to get with the programme. The rapid ascent of data mining has garnered lots of news headlines and not always positive. As companies seek to capture data about our ever changing habits, privacy concerns have flared all over Europe and beyond.

The reality is that every time you click on a website, post on social media, use a mobile app and comment via email or to call centres, your data is collected for future use. This has spooked millions of consumers, not to mention those that make the laws and regulations into taking action. And it’s not just a marketing or fundraising issue.

It goes much deeper than that.

But the answer to building a better world can’t be left to the law makers. Google, Facebook, Amazon and Microsoft take the most private information and use it to drive their empires.

But they should be leading, not following, the changes that are blowing in the wind.

Marketers beware of the cookie monster under GDPR

In a recent report commissioned by the regulator Ofcom and written by the German-based consultancy WIK-Consult, the authors note that it’s important to recognise that within the EU informed consent is needed for placing cookies or similar tracking technologies on a user’s device.

EU General Data Protection Regulation

Explicit consent and transparency are key issues for the final version of the EU General Data Protection Regulation (GDPR) that’s set to be agreed before the close of 2015.

The forthcoming GDPR provides for a higher level of consent and transparency than exists at present and under the Trilogue negotiations taking place right now between the European Commission, European Parliament and Council of Ministers the parties will have to agree whether in certain circumstances such consent can be implied or whether it needs to be explicit in all cases.

Based on the premise that the opportunity cost of reading ‘gobbledygook’ and largely unintelligible legal terms and conditions is the main reason that keeps users from engaging with them, the authors of the report conclude that making terms and conditions more accessible will improve the likelihood of their being read in the first place and, as a result, of consumers being able to provide informed consent.

“The use of everyday language and concise information has been conceived as a means to reduce the time consumers have to spend reading terms and conditions. In line with this, web design and software tools have emerged to enable the development of intuitive and easy-to-use information and consent options.

“Furthermore, there are various studies that advocate the use of privacy labels similar to the ones used in food labelling to certify organic or fair trade product schemes. In light of studies demonstrating the misconceptions that such labels may trigger in consumers in relation to the protection of their personal data, such approaches may be debated.

“Nevertheless, the European Commission encourages the use of icons and the European Parliament has proposed requirements for companies to use icons to inform consumers about data-processing practices,” say the report’s authors.

Proposed wording in GDPR

Article 5 of the proposed GDPR requires that personal data must be protected ‘lawfully, fairly and in a transparent manner in relation to the data subject.’

The requirements for lawful and fair processing aren’t new but the addition of an explicit requirement of transparency is new under GDPR and is an important principle for marketers to adhere to.

Article 11 of the proposed GDPR requires that the Controller has transparent and easily accessible policies relating to the processing of personal data and the exercise of individuals’ rights.

Lawyers on the whole may find this a bit of a struggle, which is why marketers have a major role to play in how this comes about: they have the skills to use ordinary, jargon-free and non-legalistic language as a tool for influencing behaviour in order to achieve a desired outcome – in this case, informed consent from the consumer.

Recital 46 of GDPR explains that any information addressed to the public or to the data subject must be ‘accessible and easy to understand’ using ‘clear and plain language’.

The Recital refers to online or behavioural advertising as an example of complex data processing that can make it difficult for a data subject to know whether personal data relating to them is processed and if so, by whom and for what purpose.

In the UK, companies and organisations have already started to adopt a more ‘user friendly’ approach ahead of GDPR by using “just in time” consent notices that pop-up at appropriate times when the user is online.

More harmonised information provisions as provided under GDPR across the whole of the European Union will go a long way to reduce users’ burdens for reading and understanding rambling consent notices that can vary from web site to web site and from country to country.

Another innovation being contemplated is the use of icons instead of text pop-ups or other forms of condensed information that helps the consumer make an informed choice of whether to consent to data processing or not.

Marketers are also encouraged to use icons that can help build trust when they are part of an official certification scheme as envisaged under the draft GDPR.

Privacy policies that reflect a consumer’s individual cultural background and preferences will undoubtedly contribute to better understanding of the rights as well as obligations of the controller in relation to that data.

Flipping this on its head, warnings about unexpected terms in a privacy policy may serve as a means to help consumers become aware of unusual practices and become a ‘red flag’.

Academic research carried out into the so-called ‘Knowledge-based Individualized Privacy Plans’ or KIPPs for short shows that marketers can improve consumer comprehension of the significance of privacy notices by personalising information based on different levels of pre-existing knowledge.

In many respects, that’s what effective direct marketing is all about.

Specific information that must be provided to a data subject

Under Article 14 of GDPR the following information must be provided as a minimum to users:

  • the identity and contact details of the Controller and, where applicable, any representative and Data Protection Officer (DPO);
  • the purposes of the processing including the contract terms where the controller relies on contract performance as the legitimate basis for processing and the legitimate interests that are relied on, as applicable;
  • the period for which the data will be stored;
  • the existence of rights to request access, rectification and erasure or to object to the processing;
  • the right to lodge a complaint with the supervisory authority, and contact details;
  • recipients or categories of recipients of the personal data; and
  • any further information necessary to guarantee fair processing.

In addition, where the data is collected from the data subject, the Controller must also inform the data subject whether the provision of data is voluntary or mandatory, as well as the consequences of failing to provide the data. For example, the product or service may not be capable of being delivered unless the use of certain personal data has been consented to.

How is GDPR different from Directive 95/46/EC?

The first thing to notice is that Article 14 of GDPR is more extensive in its scope than under the requirements of the current EC Directive, although in practice many organisations and companies already use consent notices that would broadly be compliant under GDPR.

The European Parliament also wants Controllers to include information about profiling, measures based on profiling and the envisaged effects of profiling on individuals which goes beyond what the Council of Ministers wants to see happen.

In the GDPR draft of the European Parliament, Article 13a was added (removed by the Council of Ministers in its GDPR version) that requires:

  • details of whether personal data is collected beyond the minimum necessary for each specific purpose of the processing;
  • whether personal data is retained beyond the minimum period necessary for the specific processing;
  • whether the data is processed for the purposes other than those for which they were collected;
  • whether the data is disseminated to commercial third parties;
  • whether the data is rented out and whether it’s retained in encrypted form.

The European Parliament envisaged that such information would be provided to data subjects in a table format. Such requirements will no doubt be subject to negotiation under the Trilogue phase and over the coming months we will see whether the Council of Ministers relents and agrees to have this incorporated into the final agreed version.

What conclusions can be drawn from these discussions at the EU and recent research for Ofcom?

Academic research shows that there’s a dissonance between the assumptions and requirements stipulated in law about informed consent and actual consumer behaviour in practice.

As many marketers will note, consumers tend to exhibit behaviour that’s sometimes inconsistent with their stated concern for data privacy.

The Ofcom report authors conclude that behavioural economics and in particular experimental studies can go some way to explain some of the reasons behind such behaviour as well as indicate potential ways to mitigate it.

So-called ‘context-aware nudging’ of the consumer has emerged as one approach, but nudging the consumer won’t solve all issues around informed consent at once. It seems that a single solution for all – or at least most – of the issues raised is yet to be found. And that of course could change as a result of consensus around GDPR over the next 6 months.

It’s likely that more evidence is required to investigate the extent to which a multi-faceted approach taken by marketers and involving several factors in combination might offer a potential solution to the need for informed and explicit consent from the consumer.

In this context, research must also include the Internet of Things (IoT), as the pace of technology change here is likely to further exacerbate the issues around informed consent in practice.

What should marketers do now?

  • Review the extent to which existing consent notices comply with the requirements of the EU Directive and also consider how these notices may need to be updated to reflect the requirements under Article 14 of GDPR and start that process now
  • If consent is used as the legal basis for data processing, then consider whether the organisation or company will be able to meet the more restrictive covenants for consent under GDPR
  • Consider the need for consent to be specific and explicit and capable of being withdrawn at any time; as the Controller, the organisation or company bears the evidential burden of proving that consumer consent has been adequately and lawfully obtained
  • Review the extent to which your organisation or company engages in behavioural advertising and ensure that the highest standards of consent have been adhered to
  • Review existing consent mechanisms and the types of profiling currently undertaken and ensure that these adhere to the highest standards required under GDPR
  • Assess whether the consent is appropriate to carry out the data processing envisaged or whether a more granular level of consent mechanism needs to be created in order to achieve this objective
  • Finally, consider documenting all due diligence ahead of GDPR by carrying out an organisational Data Protection Impact Assessment (DPIA). This will help to demonstrate compliance with the GDPR principles and will be taken into account by the Supervisory Authority in the circumstances of a data breach in order to mitigate the imposition of punitive fines that could be as high as 5% of global turnover or €100m.

Data Protection Officers will be pivotal in data protection and privacy reforms under GDPR

This week the EU’s independent privacy watchdog, the European Data Protection Supervisor (EDPS), declared wide-ranging support for the European Parliament’s version of the EU General Data Protection Regulation (GDPR) that’s the subject of trilogue negotiations between the European Commission, European Parliament and Council, which may be concluded as early as the end of October 2015.

However, a notable difference between the EDPS and the European Parliament’s view is the mandatory appointment by organisations and companies of a Data Protection Officer (DPO).

It’s worth noting that 35% of all EU Member States currently require the appointment of a DPO as a compulsory measure, so it would take just 16% of other EU Member States to make this the majority view within the EU.

Under Section 4, Article 35, GDPR provides for the appointment of the DPO. On this important principle, EDPS states:

The controller and the processor shall designate a data protection officer where:

  • the processing is carried out by a public authority or body; or
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, their purposes, the number of individuals concerned or individuals processing personal data, imply regular or systematic monitoring of data subjects or a high level of risk.

The European Commission version of Section 4, Article 35, GDPR states another caveat that such a requirement would apply to those organisations and companies employing 250 or more employees. This was not the view of the EDPS.

The European Parliament version of Section 4, Article 35, GDPR states that it applies where 5,000+ data subjects’ records are processed in any consecutive 12-month period. Again this was not the view of the EDPS.

The Council of Ministers version of Section 4, Article 35, GDPR deleted both of these additional requirements but also made the appointment of a DPO non-mandatory, stating: “The controller or the processor may, or where required by Union or Member State law shall designate a data protection officer.” Again, this was not the view of the EDPS.

However, EDPS did agree with a similar provision of the European Parliament that two or more organisations or companies (controller or processor) could effectively share a single DPO, with the European Parliament stipulating that such an individual should be ‘easily accessible from each establishment’.

In terms of the length of an internal appointment of a DPO, EDPS appeared to steer a middle path of ‘at least 3 years’, whereas the European Commission preferred ‘at least 2 years’ and the European Parliament ‘at least 4 years’. The European Commission made no such stipulation of duration of tenure.

In explaining the thinking behind the EDPS position, Giovanni Buttarelli, European Data Protection Supervisor said:

“We are driven by three abiding concerns: a better deal for citizens; rules which will work in practice and rules which will last a generation. The EU needs a new deal on data protection, a fresh chapter. The rest of the world is watching closely. The quality of the new law and how it interacts with global legal systems and trends is paramount.”

EDPS has also released a table showing the various different versions of GDPR that are currently under negotiation in the trilogue phase as well as taking the unusual step of releasing an app that compares texts from the EU Commission, European Parliament and EU Council and EDPS.

The general tone of the EDPS, contained in its document entitled ‘Europe’s Big Opportunity’ is for a better equilibrium between the public interest on the one hand and personal data protection on the other.

“Data protection rules should not hamper historical, statistical and scientific research which is genuinely in the public interest. Those responsible must make the necessary arrangements to prevent personal information being used against the interest of the individual, paying particular attention to the rules governing sensitive information concerning health, for example,” says the EDPS.

“Legislation is the art of the possible,” concludes Giovanni Buttarelli. “The options on the table each contain many worthy provisions, but each can be improved. The outcome will not be perfect in our view, but we intend to support the institutions in achieving the best possible outcome. That is why our recommendations stay within the boundaries of the three texts.”

Final stretch for Juncker’s GDPR

The European Commission, Council of Ministers and the European Parliament are about to turn the corner on the EU General Data Protection Regulation (GDPR) trilogue negotiations in the coming weeks and months.

The calendar of meetings and discussions behind closed doors looks like this, according to the European People’s Party (EPP) Group that brings together centre and centre-right pro-European political forces from the Member States and represents the largest group in the European Parliament.

Monday 15 and Tuesday 16 June 2015

The Council of Ministers will meet in Luxembourg to agree the adoption of a general approach to GDPR.

In effect, the Council will declare its own view on the preferred draft for GDPR and GDPR watchers the world over will be able to compare and contrast the various differences that will exist between this version and the one favoured by the European Parliament.

What started life as an ambitious proposal for reform by the European Commission, and was amended by the European Parliament in 2014, will be ready to be debated alongside the Council of Ministers’ newly agreed draft in the roadmap for reform of data protection and privacy laws, which could see an agreed GDPR by the end of 2015.

The European Parliament will try and stick to the proposed timetable and any deviation from this would be an indication of the level of commitment as well as the state of mind of the parties in genuinely wanting to reach agreement. According to the privacy trade body IAPP, both the European Commission and the Office of the European Data Protection Supervisor are likely to influence the outcome of this critical process.

Wednesday 24 June 2015

A big day: subject to agreement between the Council of Ministers, the European Parliament and the European Commission, there will be the 1st Trilogue Meeting on the GDPR in Brussels.

The draft agenda for the meeting:

  • Commitment for the reform of Directive 95/46/EC in Council
  • Agreement on the overall roadmap for Trilogue negotiations from this point
  • General method and approach for delegated and implementing acts.

Progress made before the Summer Recess in July for the European Parliament, Council, and Commission will be a strong signal that the trilogue negotiations are on track to conclude by the end of this year.

Some commentators are optimistic that agreement can be reached, although a potential point of contention is the European Parliament’s introduction of a specific restriction on the disclosure of personal data following a request from a non-EU court or administrative authority. The political connotations with respect to national security are clear and will require skillful negotiation.

Tuesday 14 July 2015

Subject to agreement between the Council of Ministers, the European Parliament and the European Commission there will be the 2nd Trilogue Meeting on the GDPR in Brussels.

The draft agenda for the meeting:

  • Territorial scope (Article 3, GDPR)
  • International transfers (Chapter V, GDPR).

There will then be the Summer Recess where what has been agreed and what’s left to be agreed will be the subject of intense media speculation. After the Summer Recess, the European institutions will be focused on tackling the core aspects of the entire GDPR framework with the aim of reaching agreement in the coming months.

September 2015

On returning from the Summer Recess, and subject to agreement between the Council of Ministers, the European Parliament and the European Commission, there will be further Trilogue Meetings on the GDPR in Brussels.

The draft agenda for the meeting is likely to include:

  • Data protection principles, including the grounds for processing and the conditions for consent (Chapter II, GDPR)
  • Data subject rights including the rights of individuals, the right to be forgotten and the provisions on profiling (Chapter III, GDPR)
  • the substantive obligations affecting data controllers and data processors (Chapter IV, GDPR).

This could be the point at which the trilogue negotiations become protracted and detailed as the European Parliament will need to accept the so-called ‘risk-based approach’ to the GDPR that’s supported by the Council. This appears to be a sensible way forward as it takes account of the need for businesses to grow and flourish under the new data protection and privacy regime. If Parliament is satisfied that such a doctrine is fair and reasonable in the context of all other protections given to individual citizens and their data protection rights, then this could be wrapped up within a matter of weeks.

The bigger prize for the European Parliament and one that could be a hurdle to overcome with the Council of Ministers is the so-called ‘One-Stop Shop’ principle.

October 2015

Subject to agreement between the Council of Ministers, the European Parliament and the European Commission there will be the further Trilogue Meetings on the GDPR in Brussels.

The draft agenda for the meeting is likely to include:

  • Data Protection Authorities including the ‘One-Stop Shop’ Principle (Chapter VI, GDPR)
  • Cooperation and Consistency (Chapter VII, GDPR)
  • Remedies, liability and sanctions (Chapter VIII, GDPR).

The Council will need to be convinced that the ‘One-Stop Shop’ is workable and the Commission as well as the European Data Protection Supervisor will have a critically important role in helping to reach consensus on this principle.

“The One-Stop Shop maintains our main objective of having one interpretation of the GDPR in cross-border cases and I would say it even reinforces it. This sort of co-decision between the adjudication bodies won’t be based on the creation of a new body but on a better functioning of what already exists. It will strengthen the co-operation of DPAs within the framework of the Article 29 in a more structured and legally robust way,” observes Bruno Gencarelli, Head of Unit, Data Protection at the European Commission.

Remedies, liabilities and sanctions have tended to grab the headlines to date, and it looks like the highest fines for data breaches and for failure to comply with the principles of the GDPR will be calculated on the basis of the annual turnover of companies that transgress and are likely to be up to 5% of global turnover or €100m, whichever is the greater.

When the level of financial penalties is eventually agreed, such a deterrent will start to concentrate the minds of those most likely to be impacted by GDPR – the financial services, pharmaceuticals/medical, telecoms and online retail sectors.

The incoming Luxembourg Council Presidency is also aiming at a general approach on the Directive 95/96 EC in October or November 2015.

November 2015

By November, the negotiators will be on the home run and it’s hoped that the more controversial and substantive issues will have been agreed by the European Parliament, Council of Ministers and the European Commission by this stage.

Subject to agreement between the Council of Ministers, the European Parliament and the European Commission there will be the further Trilogue Meetings on the GDPR in Brussels.

The draft agenda for the meeting is likely to include:

  • Objectives and material scope, flexibility public sector (Chapter I, GDPR)
  • Specific regimes (Chapter IX, GDPR).

In many respects, this is a tidy up of GDPR on technical issues such as special regimes that will apply to the processing of personal data in the context of the employment relationship, scientific research and journalism. This again is likely to create a lot of media comment and will also need careful handling.

If all is well, we could have reached agreement on GDPR. The marathon negotiation cycle of the Trilogue process will have resulted in a new data protection and privacy regime that is the third piece in the jigsaw along with Fundamental Rights and the Single Digital Market.

But there’s still a chance it could stretch to December.

December 2015

Subject to agreement between the Council of Ministers, the European Parliament and the European Commission there could be the concluding Trilogue Meetings on the GDPR in Brussels.

This should be relatively uncontroversial although is likely to touch on politically sensitive areas such as the powers of the European Commission to adopt, delegate and implement acts under GDPR.

The draft agenda for the meeting could include (unless already covered in November):

  • Delegated and Implementing Acts (Chapter X, GDPR)
  • Final provisions (Chapter XI, GDPR)
  • Other remaining issues.

With the end in sight (if not sooner), this could be a very swift sweep-up of the remaining business in the Trilogue negotiation process.

What does the EC have in mind for the final text of GDPR?

In the last couple of weeks the blogosphere has gone into overdrive regarding the final text of the EU General Data Protection Regulation (GDPR) that’s on track to emerge before the end of the year.

Agreement between the European Parliament, Council of Ministers and European Commission now looks like a distinct possibility in November 2015 after which there’ll be a two-year transition period before sanctions begin to bite.

As GDPR watchers will have already clocked, there’s been a leak on the first reading of EU Regulation by the Council of Ministers. The document runs into 630 pages and can be accessed here.

Fortunately, the fog that’s surrounded the details of the final text of GDPR is now starting to lift.

The European Commission – the ‘honest broker’ in the deal between the European Parliament and the Council of Ministers – has started to provide some clarity on what the final shape of GDPR will look like.

It should be remembered that the proposal has been the subject of intense debate since 2012, when the European Commission proposed a root and branch reform of Europe’s outdated data protection and privacy laws.

Fuelling the need for reform was the goal of creating a functioning single market that would deliver jobs and prosperity across the EU.

At a recent IAPP London KnowledgeNet seminar hosted at the London offices of global law firm Allen & Overy, Bruno Gencarelli, Head of Unit, Data Protection at the Directorate-General for Justice at the European Commission shared his thoughts with an audience of over 100 data protection and privacy experts, who appeared to be hanging on his every word!

Such is the interest in the final outcome of the trilogue negotiations. British PM David Cameron’s promise to hold a referendum on the UK’s membership of the EU has only heightened that interest.

The context surrounding GDPR is perhaps just as important as the content of the proposed EU Regulation.

EU Charter of Fundamental Rights

The Charter is an important development as it’s the first formal EU document to combine and declare all the values and fundamental rights (economic and social as well as civil and political) to which EU citizens should be entitled.

The main aim of the Charter is to make these rights more visible. It is important to note that the Charter doesn’t establish new rights but assembles existing rights that were previously scattered over a range of international sources.

Now that national courts and the Court of Justice of the European Union (CJEU) must have regard to the Charter, it can be relied on in cases where EU law is in issue, and GDPR clearly needs to be seen in this context.

EU Digital Single Market

Last week, the EU outlined its strategy to create a digital single market. The thrust of the proposals included establishing standard rules for buying goods online, pruning cross-border regulations on telecoms and reducing the tax burden on business. The plan also calls for a “comprehensive assessment” of whether Facebook, Google and other internet platforms distort competition (aside from posing significant data protection and privacy risks).

EU Commission President Jean-Claude Juncker has promised to transform the EU single market for the digital age by removing regulatory walls, moving away from 28 national markets to a single one, generating €415 bn ($468 bn) a year for the European economy and creating 3.8m new jobs.

The call for reform isn’t simply politically motivated – many businesses from within and outside of the EU have been pressing for reform in order to compete across a level playing field rather than risk facing fines and penalties across 28 Member States that pursue their own competition, data protection, privacy laws and regulations.

It’s against this backdrop that GDPR is the final piece of the jigsaw that will create a very different picture of the European Union than exists at present.

What’s driving the European Commission to reform data protection and privacy laws across the EU?

There are three key drivers:

  1. Simplifying the regulatory landscape and framework.
  2. Updating rights and obligations for the opportunities and challenges of the digital world.
  3. Strengthening enforcement.

According to Bruno Gencarelli, it’s a balance of interests – removing red tape as well as providing protection for the ordinary EU citizen.

“We’ve tried to tailor and granulate certain obligations – the so-called ‘risk-based approach’ that entails carrying out a Data Protection Impact Assessment (DPIA) as well as looking at processing activity that represents a specific risk to the rights and freedom of a data subject. In doing so, we are also looking at the size of business,” he says.

On the point of red tape, Bruno Gencarelli is clear that the GDPR will eliminate most of the prior notification and prior authorisation obligations for processing. In their place comes the appointment of a Data Protection Officer (DPO), who sits within the company or organisation and reports data breaches directly to the Supervisory Authority.

So in a way, this is a self-policing system that will radically reduce the amount of bureaucracy that exists at present, although of course it comes with its own challenges, particularly as Boards will need to be coached in how to work with a ‘mini-regulator’ that’s embedded within its own business.

Putting individuals back in control of their own data

This is perhaps at the root of the proposed data protection and privacy reforms, and it is where the changes being proposed by the European Commission will have the biggest impact.

“I would say more than in any other part of the EU Regulation affecting data protection, the proposed reforms mean putting individuals back in control of their personal information in order to re-establish fundamental rights as well as to strengthen trust within the digital single market,” adds Bruno Gencarelli.

Portability of data

One of the proposed eye-catching reforms to be included in the GDPR will be portability of personal data across the EU.

“This is essentially about allowing users to extract in a structured format personal data from service providers and to move that personal data to another provider.

This idea stems from what happens in the mobile telecoms sector and it’s about giving more say to individuals to decide what happens to their data in practice; being able to effectively make a choice in the market and in that way lower the barriers to entry in particular to those markets which are currently dominated by very few big players.”

According to the European Commission, this is an example of a question of balance taken within the GDPR – of balancing fundamental rights as well as complementing the principle of competition within the internal market.

“We don’t see one excluding the other,” explains Bruno Gencarelli.

Breach notification

In this area, the European Commission has studied in detail what some States in the USA have adopted in terms of data breach notification and is convinced of the case for a single, EU-wide approach rather than a patchwork of national rules.

“In practice, the same idea is true for the production of principle points of privacy by design. This is about investing in good data protection practice and methods as early and as upstream as possible in the provision of goods and services,” adds Bruno Gencarelli.

More effective supervision and enforcement

The new emphasis on supervision and enforcement placed by the European Commission reflects the transition from an ex-ante to an ex-post data protection and privacy system.

“Data protection and data breaches have become much more serious and relevant and currently we don’t have a credible set of enforcement rules and sufficiently dissuasive sanctions. In Europe, we have a very fragmented situation where certain countries have that power to impose financial sanctions and some countries don’t appear to have that power.

“We drew inspiration from other areas of Europe such as competition law in looking at the issue of supervision and enforcement.

“There have been a lot of misgivings about the level of fines and it should be emphasised that these are a ceiling – it’s about a maximum amount of the fine which will be applicable to the most serious violation.”

Bruno Gencarelli was at pains to emphasise that the European Commission firmly believes in the principle of proportionality and the level of fines imposed will be based on a catalogue of factors that will include:

  • duration of the data breach
  • seriousness of the data breach
  • negligence or intention
  • nature of the violation
  • impact on users
  • other factors

One-Stop Shop

This is one of the jewels in the crown of GDPR and clearly the European Commission sees this as being fundamental in terms of enforcement and supervision that sits alongside its strategy for the digital single market and the Charter of Fundamental Rights.

What’s now proposed is a two-level structure. It preserves proximity for complainants, who can bring a complaint against an organisation or company to their own Data Protection Authority (DPA) and their own courts, while making it easier to resolve a cross-border complaint through a single adjudicating body: the lead DPA of the organisation’s main establishment.

In this new regime, both bodies will need to agree on the interpretation of the GDPR rather than having diametrically opposed interpretations that would negate the operation of a one-stop shop mechanism.

“The one-stop shop has become more congruent and more consistent in interpretation and application of EU data protection laws throughout the EU and this is good in terms of legal certainty,” explains Bruno Gencarelli.

The European Commission view is that the one-stop shop is more effective in the protection of users’ rights and this appears to have gained consensus within the European Parliament and the Council of Ministers.

“Originally, we had the idea of concentrating the decision making power with the Supervisory Authority of the main establishment and probably that was too simplistic.

“There were a number of very valid observations made and in particular we had to sufficiently take into account the specific fundamental rights and the nature of data protection afforded to the individual.

“So when a data subject has a complaint against a data controller or data processor, they should be able to go to their domestic DPA but also to the domestic court.

“Negotiations around the one-stop shop mechanism took a while and were debated in detail by the Council, where it was important to strike the right balance and to have the ability to adjudicate on cross-border cases with one interpretation of the data protection rules.

“Although the UK may have had certain reservations about the one-stop shop principle, we are very satisfied with the compromise that’s been reached that safeguards the level of proximity for a remedy in particular when the complaint of an individual is rejected and therefore a decision has a negative impact on that individual.

“At the same time, the one-stop shop maintains our main objective of having one interpretation of the GDPR in cross-border cases and I would say it even reinforces it.

“This sort of co-decision between the adjudication bodies won’t be based on the creation of a new body but on a better functioning of what already exists.

“It will strengthen the co-operation of DPAs within the framework of the Article 29 in a more structured and legally robust way,” observes Bruno Gencarelli.

GDPR is therefore likely to reflect the following mechanism for one-stop shop:

  • when the decision involves measures to be taken against the controller or processor (the imposition of a fine, an injunction, or an order to put an end to certain processing), the decision is jointly agreed and formally adopted by the DPA of the main establishment
  • when the jointly agreed decision has a negative impact on the individual by rejecting their complaint, it is adopted by the local DPA, which ensures that the decision can be challenged before a domestic court of the complainant.

Given this additional safety valve, the European Commission feels that the Data Protection Board would only have to intervene in a relatively small number of cases.

“Where the local DPA isn’t able to reach agreement with DPA for the main establishment, then the matter will be referred to European Data Protection Board (EDPB) and that decision will be binding on all parties. And this is a legally more robust position under the Fundamental Rights Charter perspective,” adds Bruno Gencarelli.

Consensus reached?

According to the European Commission, although some points remain to be agreed, the vast majority of the GDPR has reached a stage of consensus in terms of the viewpoints of the European Parliament, Council and the Commission.

“I think all the basic elements for an agreement are now in place and there’s definitely consensus around the main foundation of the future system – an EU Regulation, a one-stop shop, an ex-post system of control with a greater degree of accountability and more effective enforcement on a broader geographical scope. In all of these elements we see consensus,” explains Bruno Gencarelli.

Two-year transition period

On the basis that trilogue agreement is reached in November 2015, this isn’t the end of the matter until 2017.

“In a sense reaching agreement in 2015 isn’t the end point. The two-year transition period will be useful to do a number of things, and also because we have a change of governance and, moving forward, we’ll need to agree institutional issues, including the future of the European Data Protection Board and its role within the new regime.

“The EU Regulation is a skeleton of the principles for the future of data protection and privacy within the EU and over the next two years a lot of meat will need to be put on the bones of GDPR,” concludes Bruno Gencarelli.

The Imitation Game

In the media this week there’s been a fair amount of speculation as to when the EU General Data Protection Regulation (GDPR) is likely to see the light of day. Some commentators are speculating that sign-off by the European Parliament, Council of Ministers and the European Commission won’t happen until Spring 2016.

Earlier this year, a joint statement by EC vice president Andrus Ansip and EU Commissioner Věra Jourová indicated that GDPR could become law by the end of 2015. Perhaps this was wishful thinking?

And this week, some 60 pressure groups including the UK’s Open Rights Group, Liberty, the Dutch Consumer Council and the US Electronic Privacy Information Center have written an open letter to EU Commission President Jean-Claude Juncker outlining their concerns over the way GDPR is currently drafted and warning that it will erode rather than strengthen existing data protection and privacy laws.

To some extent, a lot of this politicisation over the precise wording of GDPR is largely irrelevant. There’s enough evidence out there to show that Data Protection Authorities (DPAs) across the EU are already applying the risk-based principles of GDPR. In other words, DPAs are acting as if GDPR already exists. It’s a case of the ‘Imitation Game’.

Movie goers will recognise the link. In the film of the same name, a group of cryptanalysts crack the German Enigma code with the help of Cambridge maths genius Alan Turing (played by Benedict Cumberbatch), who is portrayed as a father of modern computing.

80 years later

Fast forward nearly 80 years and companies are now adept at deciphering intimate and sensitive data on just about every aspect of online and offline lives – in order to drive their vast business empires.

The fact that the European Parliament has already voted on GDPR is evidence that the time for talking really is over and what’s now required is action. Hanging on to the outdated Data Protection Directive 95/46/EC isn’t really an option.

However, it isn’t as simple as that.

Some 4,000 amendments to the European Commission’s draft were tabled in the European Parliament, which adopted its first reading position on the GDPR on 12 March 2014.

The Council of Ministers is now poring over whether to accept the European Parliament’s position. If it does, the GDPR is adopted. If the Council does not accept all of the European Parliament’s amendments, or wants to introduce its own, it adopts a first reading position of its own, which then goes back to the European Parliament for a second reading.

And this is where things are right now.

The Council is expected to announce its position very soon, although there’s no time limit on how long it can take to deliberate on GDPR, which is part of the frustration felt by many data protection and privacy professionals.

Make your mind up time

When the Council eventually makes up its mind on its first reading position, it is back to the European Parliament to examine the Council’s position and this could take between 3-4 months of deliberation.

A special European Parliament committee – Civil Liberties, Justice and Home Affairs Committee (LIBE Committee) – is tasked with drawing up a recommendation for Parliament’s second reading.

At this stage of the game, the text to be amended is the Council’s first reading position rather than the original European Commission proposal for the GDPR that first saw the light of day way back on 25 January 2012!

Likely outcome?

Good question – and it depends on how far the Council has departed from Parliament’s text as to whether the European Parliament decides to expedite and approve the Council’s first reading position.

In the event that this happens, this will speed up the process. Of course, there are likely to be some tweaks and further amendments on the Council’s first reading of GDPR. In other words, concessions are likely.

But the good news for GDPR watchers is that about 80% of all EU laws are now agreed after the first reading and in fact most law-making takes place behind the scenes. This is the ‘trilogue’ phase which isn’t mentioned in EU treaties but is specifically designed to speed up the cumbersome EU legislative process.

Three-way split

Informal meetings behind closed doors will take place between:

  • European Parliament (represented by the Rapporteur and shadow rapporteurs)
  • Council of Ministers (chair of the relevant Working Party and/or the Permanent Representatives Committee, COREPER)
  • European Commission (the Directorate-General responsible for the dossier and the Secretariat-General).

In these informal discussions, the Commission’s role is that of mediator or facilitator of compromise texts but because of its expertise and resources it can have significant influence over the final drafting that’s produced.

Thinking of where to put a data centre in Europe?

Some Governments are blatantly cashing in on the current situation by offering a ‘safe place’ for organisations to continue to ply their trade and not trip up over the forthcoming GDPR.

For example, at the recent IAPP Europe Data Protection Intensive held in London earlier this month, Dara Murphy, Irish Minister of State for European Affairs and Data Protection, was making such a pitch to IAPP members.

In his address, Murphy made the point that Ireland had become the first EU Member State to create a Ministerial position with respect to data protection and he acknowledged what this meant to the Irish economy.

“We have in our country 29 of the top 30 digital companies in the world and nine of the top ten companies born on the internet. Many of them have their European HQs in Ireland. One of the key priorities we set when we had our reshuffle a couple of months ago was to up the role and importance of data protection within government.

“We’ve doubled our expenditure, opened a second office in Dublin and significantly increased the number of staff.”

Whilst promoting the principle of balancing the benefits to be gained through data-sharing, analytics and innovation, Murphy was also careful to stress the importance of protecting citizens’ rights.

“The work ahead is to put the right of the citizen at the heart of everything lawmakers do with an eye toward reducing administrative burdens and providing a consistent application of rules that foster an environment that creates jobs and growth while simultaneously protecting civil and digital rights and privacy.”

Murphy reflected the mood of many at the IAPP conference that the pace of data protection regulation has picked up remarkable speed and that the existing laws that were developed nearly a decade before most of the tech giants existed were now looking “ridiculous”.

However, conscious that he was there to “sell” Ireland to global businesses thinking of putting a data centre in Dublin, Murphy added that he didn’t believe in “exemplary fines”, presumably in the hope that this signal would encourage more inward investment by presenting Ireland’s Data Protection Authority as one that is on the side of business and in favour of a strong digital market in which business has the capacity to function.

An astute PR move, but the EU Regulation will have the effect of reducing – not exacerbating – the differences in approach to data protection and privacy that currently exist across the EU and that have caused the present level of uncertainty and confusion.

Start making plans for GDPR mechanism now

“Many organisations that are ahead of the curve are mitigating their risks of an ICO investigation by taking educated guesses on how portions of the forthcoming GDPR will come into reality,” explains Martin Hickley, a leading data protection and cyber security expert.

He adds: “For example, many have started making plans where under GDPR they will need to respond to complaints through a one-stop shop mechanism, respond to subject access requests for the right to be forgotten, put in place a higher standard for data transfer and encryption of data that is accessed within the enterprise as well as the pseudonymization of that data among other measures.”

But lingering questions still remain and clarity on the following points will be required so that organisations can start to fully prepare themselves for life under the new EU data protection and privacy mechanism:

  • How will GDPR help to harmonize the way data processing and compliance is conducted within the EU as well as outside of the EU?
  • What should large multi-national organisations do regarding the one-stop shop mechanism if they are significant data controllers across several jurisdictions both within the EU and outside of the EU?
  • Will Data Protection Authorities (DPAs) look at mutual recognition systems like Binding Corporate Rules (BCRs) and apply the same logic to the one-stop shop? In such a scenario, a lead DPA is backed by two supporting DPAs in approving a company’s data transfer process.
  • How will GDPR apply to situations where the company is both controller and processor of a vast quantity of data?
  • What will the seal that is an assurance mark for data protection and privacy look like?
  • Will the Safe Harbor Principles need to change as a result of GDPR?

Hickley concludes: “My advice is to conduct a data protection impact assessment (DPIA) without undue delay across the whole organisation rather than on a project basis, which is a mistake often made by many organisations that I advise. Ask yourself the question – where do you sit now in relation to what’s been published about GDPR so far? And what do you need to do in order to be compliant before it’s too late.”

Don’t call us, we’ll call you. Illegally.

While the EU General Data Protection Regulation (GDPR) requirements have yet to be finalised, 20 years of European jurisprudence is a strong indication of the direction of travel: supervisory authorities are going to clamp down hard on organisations, and their outsourcing providers, that violate the new minimum standards for data protection.

And if you’re in any doubt how hard this will impact the telecoms sector, then you should look no further than what’s just happened to AT&T earlier this week in the US to get a taste of what we can expect to see here in the EU in the wake of the GDPR.

The US Federal Communications Commission (FCC) reached a settlement with the telecoms giant AT&T under which it will pay close to $25m for a series of consumer data privacy violations. The FCC investigation found that in excess of 280,000 customers’ data records were illegally accessed and stolen by employees at call centres in Mexico, Colombia and the Philippines that handled AT&T customers.

To put that into context, the fine equates to around $90 per data record that was breached.

AT&T customer data was used to request unlock codes for AT&T handsets and this data was then provided to unauthorized “third parties” dealing in stolen and “secondary market” handsets.

Such practices may have escaped detection for years and not just within AT&T but across the telecoms sector as it’s highly unlikely to have been an isolated incident.

The FCC has taken the step to make its investigation and subsequent fine a very public matter so as to send a warning shot to all other telecoms companies and outsourcing providers that such data breaches will be severely punished. And European data protection authorities (DPAs) are studying the details of this case with close interest as they aren’t exactly a push-over when it comes to taking action on such a scale.

“You have to recognise that the sheer amount of data that these companies store and process on a daily basis leaves them extremely vulnerable to data breaches on this type of scale,” comments Professor Bryan Foss, a leading data protection and technology expert and former IBM director.

“It’s very common for organisations the size of AT&T to outsource such activities and related services to outsourcing providers and in doing so a great deal of data protection and security is passed—and quite possibly compromised—through the supply chain to third-party service providers.

“The situation also raises interesting questions as to levels of responsibility, as well as liability with regard to data flows through supply chains, and whether adequate safeguards and privacy compliance measures exist with service partners and vendors across the spectrum of industries. The GDPR squarely places responsibility for such data breaches on the shoulders of data controllers and processors,” adds Professor Bryan Foss.

This issue also reaches well beyond internal compliance policies that many large organisations must now look at in some detail, usually as a result of a data protection impact assessment (DPIA) that should be carried out across the whole organisation rather than simply on a project basis.

“However, this still leaves many other questions unanswered such as how do organisations implement sufficient data traceability measures as well as the levels of protection from the source and entry points to potential exit points through to the end of the supply chain,” observes Professor Bryan Foss.

In its news release, the FCC announced:

“AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities…”

In response, AT&T has sought to calm the nerves of its shareholders and investors by releasing the following statement:

“Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard and we are terminating vendor sites as appropriate. We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information.”

Should AT&T and other telecoms providers continue to fall below the data protection standards expected of them they can be certain of being subject to severe fines on both sides of the Atlantic.

Bring Your Own Device to Work is a “ticking time bomb” warns security expert

As many data protection, compliance, human resources and legal experts speculate as to the consequences that will be wreaked on all organisations by the forthcoming EU General Data Protection Regulation (GDPR), there is widespread confusion across the web as to whether Bring Your Own Device (BYOD) is still acceptable, or whether organisations need to undertake a data protection impact assessment (DPIA) and radically change their internal policies as a result.

“Even though the law in this area hasn’t changed today, it would be foolhardy in the extreme for organisations not to carry out a DPIA as a precautionary measure given the massive data protection and security risks that allowing BYOD currently presents,” warns data protection and compliance expert Martin Hickley.

GDPR will replace a European-wide regime that was created by an EU directive in 1995 when the internet was still in its infancy and we didn’t have anything like the mobile technology we do today.

The dawn of smartphones came in January 2007 when Steve Jobs brandished a piece of plastic no bigger than a KitKat and proclaimed “this would change everything.” Eight years on, the Apple iPhone exemplifies the early twenty-first century’s defining technology.

Smartphones are now taken for granted and have opened up a new world of work in which we are able to work as effectively from home or the local coffee shop as from the office. Some studies have found that in developing economies every ten extra mobile phones per 100 people increase the rate of growth of GDP-per-person by more than 1%, for example by drawing people into the banking system. WhatsApp was founded in 2009 and already handles 10bn more messages a day than the global SMS text-messaging system.

The phone is a platform, so start-ups can cheaply create an app to test an idea – and then rapidly go global if people like it.

The way in which mobile has become the centre of our connected world has changed work-life balance into work-life integration.

Mobile manufacturers have been quick to jump on this bandwagon and have been pushing the benefits of employees having their own devices that keeps them in touch with the office and more productive.

The mood music behind this surge in working ‘the way you want, when you want’ is why would organisations seek to supply every employee with a laptop or smartphone when they already have one? Wouldn’t knowledge-based organisations be missing out on cost savings?

If every employee already owns a smartphone and tablet (maybe several devices) why are organisations still buying employees a computer and smartphone when they join the company? That equipment then needs to be maintained, upgraded and replaced. Isn’t the money better spent improving internal infrastructure such as better security and collaboration tools to enable employees to work anywhere, anytime, on their own devices?

In this way the company can then take that money and reinvest it into tools that make that mobile worker more productive.

So will this get companies off the hook for getting caught in a spiral of escalating costs in investing in the latest technology and having to support this across the organisation?

As attractive as these arguments may appear, they are deeply flawed according to Martin Hickley.

“Cost savings aren’t comparable to the financial damage and reputational risk that can be incurred as a result of lost or stolen data and the security implications that a data breach entails. Data protection authorities (DPAs) are insisting that organisations must work to a much higher standard than at present and in the UK the ICO has just published guidance on this area and it makes interesting reading,” he says.

Under the existing Data Protection Act 1998, data controllers must ensure that all processing of personal data under their control remains compliant and in the event of a data breach, the data controller must be able to demonstrate that they’ve secured, controlled or deleted all personal data on a particular device.

The reality is that BYOD makes this almost impossible to police, and the ICO guidance states:

“The underlying feature of BYOD is that the user owns, maintains and supports the device. This means that the data controller will have significantly less control over the device than it would have over a traditional corporately owned and provided device. The security of data is therefore a primary concern given that the data controller may have a large number and a wide range of devices to consider.”

Martin Hickley advises that companies should carry out an organisational DPIA that includes a review of the policy and procedures under which employees are permitted to use their own mobile devices for work purposes.

Specifically, data controllers MUST find out:

  • what type of data is held on the BYODs used by its employees
  • whether that data is encrypted
  • where such data may be stored
  • how such data is transferred
  • what the risk of data leakage is as a result of BYOD
  • how the company can ensure that personal and business use of a BYOD are kept separate
  • the security capabilities and vulnerabilities of every BYOD used by employees
  • the policy for when an employee who owns a BYOD leaves employment having had access to personal and confidential information about the company’s customers/clients
  • how to deal with the loss, theft, misuse and failure of an employee’s BYOD
  • what support (if any) is offered by the company to help maintain a BYOD.

“When you start to run through that list you quickly realise that BYOD isn’t a way to save money – in fact, it’s potentially a nightmare that leaves the company massively exposed.

“For example, how can such devices be partitioned so that personal information like photos of the employee’s children isn’t accessed by the company’s servers? And should an employee want to take a photograph of a PC screen displaying confidential information at the office, this image will be stored on the BYOD without any control by the company over its use whatsoever.

“Data controllers might be lulled into a false sense of security by thinking that the solution is an App that’s downloaded onto an employee’s mobile device where restricted data can only be accessed through this App.

“The trouble with that as a solution is that the employee may have downloaded other Apps on the BYOD that could be much less secure and could have security vulnerabilities where the employee’s mobile device could be completely hacked without them knowing this is happening. Such a scenario is a real danger for the theft and loss of personal data for which the company remains responsible. And under GDPR, there are significantly higher financial penalties for data breaches that will outweigh the cost of supplying a mobile device to every employee in the first place – which is still the most effective solution,” concludes Martin Hickley.
