With the new EU General Data Protection Regulation legislation coming into force on the 25th of May, I had the opportunity to discuss with Dr Sophie Stalla-Bourdillon, Associate Professor in Information Technology and Intellectual Property Law and Director of ILAWS, her opinion on the changes that the new compliance regulation brings and why GDPR is welcome but not a silver bullet.
Q: Before we get into your GDPR advice, can you tell me a little bit about your background?
Sophie: I am an Associate Professor in Information Technology (IT) law at the University of Southampton, Associate Editor of Computer Law and Security Review and an independent IT law consultant, mentoring start-ups in a variety of contexts, e.g. for the Data Pitch project.
Q: How is GDPR different from other compliance regulations and why is it so important?
Sophie: I am not entirely sure the GDPR is that different from other regulations. The GDPR is a regulation, like many others, and will therefore have direct effect, although Member States do have a certain margin of manoeuvre, in particular when it comes to exceptions. The intention is to strike a balance between the protection of personal data, which is a fundamental right protected by the Charter of Fundamental Rights of the European Union, and the free flow of personal data. The GDPR is meant to be a leap forward in that it comes with a range of sanctions aimed at effective enforcement. Many of the GDPR rules were already there but not really effectively enforced and therefore largely ignored. The GDPR does mean that practices will need to be adapted. This will have to be the case for a wide range of actors including private actors and public bodies.
Q: What industries will GDPR impact most and how will the changes affect their daily operations?
Sophie: The GDPR will have an impact upon all industries. Each time personal data is collected and processed the GDPR is potentially applicable, as long as the activity at stake does not fall outside the scope of European Union law (See Article 2 for a few other limitations). The strength of the GDPR is that it is a horizontal piece of legislation applicable to all sectors. In some sectors, however, additional rules have been adopted or are in the process of being adopted to complement GDPR rules. This is the case of the proposal for an ePrivacy Regulation, which covers electronic communications.
Q: What does a typical GDPR compliance project entail for a business?
Sophie: GDPR compliance projects should imply the setting up of a data governance structure within each organisation to make sure data controllers are in a position to demonstrate compliance. Businesses should know how many personal data assets they hold, how these data assets are being used, for how long they need to keep them, whether they are secure, and to whom they are being transferred. Mechanisms to ensure data subjects can exercise their rights should also be implemented. Staff dealing with personal data should be specifically trained.
Q: How does GDPR impact data-driven organizations?
Sophie: Data-driven organisations cannot ignore data protection law anymore and have to allocate resources to GDPR compliance projects. However, although data protection law is often depicted negatively in that it is seen as being costly and over-restrictive, a rising number of organisations are starting to see the GDPR as a business opportunity and a data sharing enabler.
Q: GDPR – with the new regulation, who will own individuals’ information?
Sophie: The GDPR does not grant ownership rights to individuals or legal entities. It may well be that the very concept of ownership is not adapted to describe practices and entitlements. These are more about rights to use data for specified purposes. The GDPR frames and confines the way personal data is being processed, so that data subjects can exercise different types of control over these processing activities and in some instances ask for their termination.
Q: Businesses may worry that GDPR changes regarding cookies and other tracking methods will distort their web analytics data. Are such concerns valid?
Sophie: Cookies and online tracking methods have been specifically regulated by the ePrivacy Directive, more than the Data Protection Directive. The GDPR, which replaces the Data Protection Directive, will be complemented with a second regulation, the ePrivacy Regulation, which will replace the ePrivacy Directive. The text of the ePrivacy Regulation is not final yet. Nevertheless, the ePrivacy Regulation is not meant to distort web analytics. It is expressly acknowledged that “Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website.” (Recital 21). If the text does not evolve on this point, end-users’ consent will not be required for the collection of information from end-users’ terminal equipment, if “it is necessary for providing an information society service requested by the end-user or if it is necessary for web audience measuring” undertaken by the service provider.
Q: How should media monitors and software providers prepare for the changes?
Sophie: Media monitors and in particular online media monitors should closely follow the proposal for an ePrivacy Regulation and should not think that the GDPR is the only relevant piece of legislation. More generally, media monitors and software providers should be proactive and should not conceive data protection compliance as a mere tick-box exercise. They should take the data protection by design and by default principle seriously and assess or re-assess the way they are building or have built data flows between system components and entities, including end-users. Pseudonymisation, and in particular dynamic pseudonymisation, should be seen as a key compliance measure. It is true that, strictly speaking, the GDPR and in particular its Article 25 does not target software providers but the GDPR does apply to data controllers before the beginning of the processing, when they determine the means of the processing. It is therefore likely that data controllers will put pressure on software providers, in particular through contracts when negotiation is possible, or that the software providers showcasing good practices will have a market advantage.
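The answer above names pseudonymisation, and in particular dynamic pseudonymisation, as a key data protection by design measure. The following is an added illustration, not part of the interview and not code from Dr Stalla-Bourdillon or any project she describes: a small Python module in which each processing purpose (the names "analytics" and "support" are assumed for the example) gets its own secret key, so the same person receives a different pseudonym in each data flow and two recipients cannot link their data sets by joining on the token. The controller keeps a per-purpose lookup table for re-identification, and ending a purpose discards both the key and the table. The design (HMAC-SHA256 over purpose and identifier, 32-byte keys, a truncated hex token) is an assumption chosen for the example, not a requirement of the GDPR; the sample records are constructed.

```python
"""Per-purpose ("dynamic") pseudonymisation with keyed hashes.

Added example, not from the interview or its subject. The key handling,
token format and purpose names are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class Pseudonymiser:
    """Maps a direct identifier to a purpose-specific pseudonym.

    A separate secret key per purpose means the pseudonym for the same
    person differs between data flows, so recipients of different flows
    cannot link records by token. Re-identification needs the controller's
    lookup table for that purpose; dropping key and table ends it.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        # purpose -> token -> original identifier (held by the controller only)
        self._lookup: Dict[str, Dict[str, str]] = {}

    def add_purpose(self, purpose: str, key: Optional[bytes] = None) -> None:
        # Assumption: a fresh 32-byte random key per purpose; a fixed key may
        # be passed for tests. Keys belong in a key store, not in the data set.
        self._keys[purpose] = key if key is not None else secrets.token_bytes(32)
        self._lookup[purpose] = {}

    def has_purpose(self, purpose: str) -> bool:
        return purpose in self._keys

    def pseudonymise(self, purpose: str, identifier: str) -> str:
        # Domain separation: the purpose label is part of the MAC input, so
        # even an accidentally reused key yields different tokens per purpose.
        key = self._keys[purpose]
        msg = purpose.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
        token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]
        self._lookup[purpose][token] = identifier
        return token

    def reidentify(self, purpose: str, token: str) -> Optional[str]:
        return self._lookup.get(purpose, {}).get(token)

    def revoke(self, purpose: str) -> None:
        # Terminating a purpose: discard key and lookup table, so tokens
        # already shared for this purpose can no longer be resolved.
        self._keys.pop(purpose, None)
        self._lookup.pop(purpose, None)


def pseudonymise_records(p: Pseudonymiser, purpose: str,
                         records: List[dict], direct_ids: List[str]) -> List[dict]:
    """Return copies of the records with the direct identifiers replaced."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in direct_ids:
            if field in new:
                new[field] = p.pseudonymise(purpose, str(new[field]))
        out.append(new)
    return out


# Constructed sample data, not taken from any real system.
SAMPLE = [
    {"email": "alice@example.com", "country": "FR", "visits": 12},
    {"email": "bob@example.com", "country": "DE", "visits": 3},
]


def demo() -> dict:
    """Pseudonymise the sample for two purposes and show the flows are unlinkable."""
    p = Pseudonymiser()
    p.add_purpose("analytics")
    p.add_purpose("support")
    analytics = pseudonymise_records(p, "analytics", SAMPLE, ["email"])
    support = pseudonymise_records(p, "support", SAMPLE, ["email"])
    linkable = analytics[0]["email"] == support[0]["email"]
    return {"analytics": analytics, "support": support, "linkable": linkable}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the two pseudonymised copies of the sample; the "linkable" flag is False because the analytics and support tokens for the same address differ. The non-identifying columns are left untouched, which is why pseudonymisation reduces but does not remove re-identification risk: the remaining attributes still need their own assessment.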
Q: How will current data leakage procedures change?
Sophie: The GDPR now contains horizontal rules about breach notification. Articles 33 and 34 set the standards. Potentially, both supervisory authorities and data subjects will need to be notified. This will be the case when the personal data breach “is likely to result in a high risk to the rights and freedoms of natural persons.” The timeframe for notification is tight but remains flexible: “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach], notify the personal data breach to the supervisory authority” and when it comes to data subjects, the notification should happen without undue delay. Article 33 lists the information to include within a notification.
Q: GDPR and social media – where is the link?
Sophie: Social media live on personal data. Like all other data controllers, social media service providers will have to be both GDPR and ePrivacy Regulation compliant. However, compliance is not only for social media service providers. Social media users themselves will also have to understand what compliance actually requires, as users could be regarded as data controllers themselves. The GDPR does contain a limitation: it does not apply to the processing of personal data “in the course of a purely personal or household activity” and thereby “with no connection to a professional or commercial activity.” Recital 18 adds that “personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.” However the remit of household activities is likely to be narrow. The Court of Justice of the European Union (CJEU) held in 2014 that when an activity impinges on a public space it “cannot be regarded as an activity which is a purely ‘personal or household’ activity.” And in October 2017 Advocate General (BOT) of the CJEU argued that Facebook fan page administrators should be considered joint data controllers along with Facebook for the collection “of data relating to people who visit the fan page for the purpose of compiling viewing statistics for that fan page.” It remains to be seen whether the CJEU will follow its Advocate General.
About Dr Sophie Stalla-Bourdillon
Dr Sophie Stalla-Bourdillon is Associate Professor in Information Technology within Southampton Law School at the University of Southampton, specialising in Information Technology-related issues. She is the Director of ILAWS, the Institute for Law and the Web, and its core iCLIC. She is a member of the Southampton Cybersecurity Centre of Excellence and a member of the Southampton Web Science Institute.
Sophie is the author of several legal articles, book chapters and books on intermediary liability, data protection and privacy, information security and intellectual property. She has been researching and writing on the liability of Internet intermediaries such as Internet service providers, Web 2.0 platforms, search engines, on the legal implications of deep packet inspection practices implemented by Internet service providers, on the role of hosting providers in relation to malicious webpages, on the standardization of privacy policies and on anonymisation practices.
She is extensively involved in diverse research and consulting activities. Sophie has acted as an expert for the Council of Europe, the Venice Commission, the European Commission, the Organization for Security and Co-operation in Europe (OSCE) and the Organisation for Economic Co-operation and Development (OECD).