It feels like we’re on the brink of fundamental change in the digital industry, and a certain piece of European legislation is one of the biggest drivers. The imminent law is smart about what’s “personal,” and it’s serious about consent.
This article offers opinion and an interpretation of the law, but it’s not legal advice.
Regulation (EU) 2016/679 of the European Parliament and of the Council – or “the GDPR” as we know it more affectionately – is an 88-page document. Paragraph 4 – very early on, the top of the second page – opens with an arresting sentence:
The processing of personal data should be designed to serve mankind.
Goodness, that’s deep. What about tracking users in order to monetise free stuff?
Data protection is a human right
I’m handing it to the civil servants and lawyers who’ve worked on this legislation. It’s quite profoundly forward thinking: recognising the protection of personal data as a fundamental right, with the exact same significance as “freedom of thought, conscience and religion, freedom of expression and information, […] cultural, religious and linguistic diversity,” and other fundamental human rights protected in European law.
And it’s enormous progress on the previous 1995 directive. It shows that the technology that uses personal data is now well enough understood that some underlying and permanent principles have become clear:
- Our personal data is necessary to our lives and business
- By definition, we are identifiable in it, so it’s an extension of who we are
- It’s vulnerable to abuse, and we have the right to its protection
Abusing people is not a good look
Under the terms of the GDPR, a business’ abuse of personal data can be met by a fine: the greater of either 4% of global turnover, or €20m. The damage to the value of the biggest brands may be an even greater sum. For businesses, it’s clearer than ever: there is no choice but to treat personal data like we’d treat the people it describes – with respect.
The three most significant implications
The GDPR delivers several changes to the law surrounding data protection. For me, the three most important ones are these.
1. The definition of “personal data” is becoming broader and more flexible
Data is personal if it could reasonably be used to identify someone, including by combining it with some other data source, or de-anonymising it in some way. We used to understand Personal Data as (or, possibly, conflate it with) “Personally Identifiable Information,” which is information such as your name, address or date of birth. This is changing. For example:
- Behavioural data linked to cookies or device IDs is probably personal, especially if those IDs are pseudonyms for specific individuals who are named against the same IDs in some other database.
- Data that describes individuals’ behaviour by e.g. their IP address, their web browser version, and the time that they viewed each of a series of pages, is considered personal, because it would be possible to identify an individual personally from among that data without too much trouble.
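As an added example (not part of the article), the Python below makes the second point measurable with the k-anonymity idea: a combination of IP address, browser version and request time shared by only one record (k = 1) singles that person out, and generalising the fields (network prefix, browser family, day) is one way to reduce that. The log records and function names are constructed for the demonstration.

```python
"""Added example (not from the article): how identifying is a web-log tuple of
IP address, browser version and request time?  Using the k-anonymity idea, a
field combination shared by only one record (k = 1) singles that person out,
which is why such 'non-PII' behavioural data counts as personal data.  The
records, field layout and function names below are constructed for this demo."""
from collections import Counter

# Constructed visitor records: (ip, browser, first request time). RFC 5737 test addresses.
SAMPLE_LOG = [
    ("203.0.113.7",  "Firefox/57.0", "2018-01-10T09:14"),
    ("203.0.113.9",  "Firefox/57.0", "2018-01-10T11:02"),
    ("203.0.113.21", "Firefox/56.0", "2018-01-10T09:40"),
    ("198.51.100.4", "Chrome/63.0",  "2018-01-10T09:05"),
    ("198.51.100.5", "Chrome/63.0",  "2018-01-10T22:31"),
    ("198.51.100.6", "Chrome/62.0",  "2018-01-10T12:45"),
]

def k_values(records, project):
    """Group records by the quasi-identifier key `project` extracts; values are group sizes."""
    return Counter(project(r) for r in records)

def min_k(records, project):
    """Smallest group size. k = 1 means at least one visitor is uniquely identified."""
    return min(k_values(records, project).values())

def singled_out_fraction(records, project):
    """Share of records whose quasi-identifier combination is unique in the data set."""
    counts = k_values(records, project)
    return sum(1 for r in records if counts[project(r)] == 1) / len(records)

# Three ways of looking at the same records.
def raw_key(r):
    """Full tuple, as the article describes: IP, browser version, time."""
    return r

def browser_only(r):
    """Browser version alone: looks harmless, yet rarer versions still single people out."""
    return (r[1],)

def generalised_key(r):
    """Generalising mitigation: /24 network, browser family, day. Raises k, loses precision."""
    ip, browser, ts = r
    network = ".".join(ip.split(".")[:3]) + ".0/24"
    return (network, browser.split("/")[0], ts[:10])

if __name__ == "__main__":
    for name, proj in (("raw", raw_key), ("browser only", browser_only), ("generalised", generalised_key)):
        print(f"{name:12s} min k = {min_k(SAMPLE_LOG, proj)}  "
              f"singled out = {singled_out_fraction(SAMPLE_LOG, proj):.2f}")
```

On the constructed records the raw tuple singles out every visitor, the browser version alone still singles out a third of them, and the generalised key leaves no group smaller than three.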
2. Consent is becoming seriously meaningful
A business doesn’t need consent to process personal data if doing so is intrinsic to the provision of the goods or services. When you go clothes shopping, the retailer doesn’t need to seek consent before it records the details of your purchase; online, a website doesn’t need to seek consent before setting its own (first-party) cookies and using them to operate the site, and to measure and improve it.
But it seems a site does need consent before it can set advertising cookies. This means e.g. an online news site needs consent before it can activate tracking technology provided by ad tech companies like Google, Facebook, Twitter, LinkedIn, Criteo and others.
Consent must be explicit, i.e. opt in. A “cookie banner” approach could be used to gain consent, but personal data can’t be collected and processed until the user actively agrees.
When a business obtains consent from an individual to process their personal data, that consent isn’t valid:
- If it isn’t given in relation to a specific purpose.
- If the individual (the “data subject”) has “no genuine or free choice” in giving their consent, or can’t “refuse or withdraw” their consent “without detriment.” This means that if you’re going to offer a free service, monetised by the processing of personal data for advertising, you must offer that service to users with the option of not consenting to the processing of their personal data. And, of course, you mustn’t process their personal data if they don’t consent to it.
- If the request was disruptive, i.e. if the request for consent is an obstacle to using a digital service, so that seeming to give consent is actually just the only way a user can move beyond the obstacle.
- If the individual (“the data subject”) doesn’t know who the data controller is.
3. Personal data belongs to the person, not to the data controller
And that’s even when the controller has spent a lot of money building something that collects personal data. A business might still regard their customers’ personal data as an asset, but that asset is exposed to the risk of withdrawn consent; and it may even become a competitor’s asset, rather than that of the business that collected it.
Individuals have the right to access their data, in a portable format, meaning:
- An individual has the right to obtain from the data controller confirmation as to: a) whether or not personal data concerning them is being processed; b) where the processing is happening; and c) for what purpose
- The controller is required to provide the individual on request a copy of the individual’s personal data they hold
- Personal data must be provided by controllers to individuals in a ‘commonly used and machine readable format’ and individuals have the right to transmit that data to another controller.
And there’s a lot more to it
The full text of the GDPR is available here and the regulation has its own website, with a useful summary page here. I’ve expanded on other points from the summary below.
- The legislation covers businesses that process the personal data of people residing in Europe, regardless of whether the business is European, or the processing is done in Europe.
- We can think of “processing” as doing anything with personal data, including collecting, storing, organising, structuring it, joining it or exposing it in any way to another system.
- A data controller, by contrast, is a business that designs and commissions the processing.
- Consent must be requested using “intelligible and easily accessible” terms – so not with “legalese” or otherwise impenetrable Ts & Cs.
- If there’s a data breach – where data is exposed by accident or through “hacking” – and if this breach is likely to “result in a risk for the rights and freedoms of individuals” – like when the data is personal and private – then the individuals involved must be notified within 72 hours of the breach first being discovered. If the data controller and processor are different parties, then in the event of a data breach, the processor must notify the controller “without undue delay.”
- Controllers are required to erase personal data, cease further dissemination of it, and stop third parties from processing it: a) If it’s no longer relevant to the original purpose for which consent was obtained; b) If consent is withdrawn by the individual; and c) While also considering “the public interest in the availability of the data”
- Under a concept known as “Privacy by Design,” the GDPR requires that systems be designed and built to comply inherently with rights to data protection and privacy.
- The GDPR relaxes the conditions under which data controllers must appoint Data Protection Officers, and notify local Data Protection Authorities of their data processing activities.
This article was amended on 10th January 2018 to add clarification on the consent that’s needed for “first-party” measurement, as opposed to tracking for advertising.