
Last month for our Data-Driven Digital community webinar, we spoke about how to prepare for globally evolving privacy legislation with Aurelie Pols, part of the EU Commission’s Platform Observatory and board member of the European Center for Privacy and Cybersecurity. 

Many businesses don’t think they have to worry about user privacy just yet (especially in Australia), but they do. The changes around advertising and app tracking transparency are just the beginning.

With over 146 privacy laws enacted around the world, privacy is not a revolution but an evolution. The GDPR, the global blueprint, emphasises a risk-based approach. Watch the webinar recording below to learn how to identify those risks and what it means to mitigate them, both short and long term, for your business.

 

What we’ll cover

  • State of the global privacy dis?-union:
    • Where are we now?
    • Where did we come from, what’s next?
  • What’s all the fuss about cookies? Surely they’re not personal data/information, right?
  • Comparing the GDPR to the 1988 Privacy Act in Australia: similar or different? What about Singapore and South Korea?
  • So what now, where do we start?

 

First, change your mindset

Forget about:

  • Data ownership
  • Consent
  • Watchdogs

Think about:

  • Dignity
  • Lawful basis for data processing
  • A place to exercise your rights (yeah, imperfect, I know)

 

Why?

  • Because (personal) data/information is not property like a car or a house
  • Because consent puts all the burden on the user
  • Because authorities don’t just knock on the door with a fine of millions of €; they have a range of other corrective powers (see Article 58(2) of the GDPR below)

 

Example of (shitty?) consent

“We would like to use some of your data on other apps to improve our marketing and spread the word about TouchNote” lacks:

  • Clarity about which data: what is “some of your data”?
  • Clarity about who: “other apps” suggests other legal entities, so who is “we” then?
  • A recognisable purpose: “improve our marketing” is a strange combination of words. It’s usually “improve our products” or “for marketing purposes”, not this fusion of the two
  • Clarity about recipients: “spread the word”? What does that mean? Share the data with other entities?

 

147 privacy laws and counting

[Infographic: legislative milestones and the creation of data protection authorities (DPAs)]

Read the full infographic here.

 

¿Mañana? ¡Más! (Tomorrow? More!)

“The biggest Internet companies need more legal limits on their use and handling of personal data. That’s why we need a national privacy law, with a “private right of action” so that users can bring suit if they are victimized by surveillant companies.”

Cory Doctorow – Competitive Compatibility: Let’s Fix the Internet, Not the Tech Giants

 

GDPR Chapter VIII: remedies, liability and penalties

[Image: the articles of GDPR Chapter VIII]

 

Seriously, tomorrow is already here

Because of Article 58(2) of the GDPR (think scale here: S-C-A-L-E).

Each supervisory authority shall have the following corrective powers (excerpt, starting at point (c); points (a) and (b), warnings and reprimands, are omitted here):

  (c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;
  (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
  (e) to order the controller to communicate a personal data breach to the data subject;
  (f) to impose a temporary or definitive limitation including a ban on processing;
  (g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
  (h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant … 

 

Getting back to:

  • Think fundamental rights and DIGNITY* when processing data
  • Beyond consent, there are other lawful bases for processing data, such as contract or legitimate interest (careful with that one, it’s not a wildcard!)
  • Be ACCOUNTABLE for what you are doing, and work as a team

*See the Charter of Fundamental Rights of the EU, Article 1 (human dignity), one of the main building blocks of all EU legislation.

Hint: read it! It’s easier than the GDPR.

 

Let’s talk about cookies (and ATT)

Are cookies covered by the GDPR?

Yes, see Recital 30 (online identifiers such as cookie identifiers); IP addresses too, following the CJEU’s ruling on dynamic IP addresses (Breyer, C-582/14).

Are “electronic communications” covered by the GDPR?

Yes, and also by the lex specialis called ePrivacy (the ePrivacy Directive).

Does Apple require consent for the IDFA?

Yes, that’s where ATT (App Tracking Transparency) came from.

(Is it perfect? No, because the prompt says nothing about the purpose of the tracking.)

 

So what are the rules? (ideally globally)

  • PII, Personally Identifiable Information, is an obsolete term
  • Personal Data (PD) or Personal Information (PI) are today’s terms
  • What’s the difference?
    • PII is a list of single variables (name, SSN, etc.), with each US state defining its own list
    • Personal data/information is any combination of variables that can potentially identify a unique individual
  • Is there an even broader definition?
    • Yes, ePrivacy (the “cookie law”) covers “all electronic communications”
  • “Privacy laws do not apply to us” has not been a tenable position since the GDPR

 

What is the GDPR?

It is a global ripple effect, brought about through consensus over a period of more than 5 years.

It builds on the US FIPPs, the Fair Information Practice Principles of 1974.

It empowers not only the supervisory authorities but also other authorities, NGOs and private actors to file complaints and fight for the right to privacy/data protection.

It is the start of a new era: a journey to support the digitalisation of our societies.

 

What about Australia?

Not too late to the party?

It took until 1988 to produce:

[Image: Australian privacy legislation, the Privacy Act 1988]

 

Globally?

What you need to know:

  1. Remember that there is more to life than consent? The concept of a lawful/legal basis for processing doesn’t exist in Australia…
  2. Employee records are not covered, yet public institutions aren’t exempt…
  3. No private right of action, yet there are criminal penalties and personal liability. So: risk?

 

And then Asia

It’s a bit of a mixed bag…

  • A lawful/legal basis for processing is required in South Korea, Hong Kong and China (not in Singapore)
  • Employee data covered? South Korea and Singapore, for sure
  • Risk? Hong Kong, South Korea and Singapore have all three: a private right of action, criminal penalties and personal liability

 

Are we all rowing in the same direction?

Probably, up to a point: the pendulum is swinging back towards more humanity instead of blind faith in transhumanism (read: technology; see Kurzweil).

The real questions are:

  1. Which choices does your company make in light of its perception of risk?
  2. How does this influence your data capture and activation processes? To fork or not to fork?

 

Privacy is a risk-based exercise


 

Basic data hygiene principles

  • Data retention: keeping the data forever is soooo passé
    • What makes sense for your business? How long are the business cycles? Are they seasonal, annual?
    • Deletion costs are often overlooked
  • Purpose limitation: customer expectations (certainly in Australia)
    • Offer an opt-out at the very least
  • Talk to the privacy folks about “risk-mitigating measures”

 

Where to start: Preparing for legal counsel

  1. What type of data are you sitting on?
    1. Risk escalates from anonymous data up to sensitive/special categories of data, where:
      1. Sensitive (US) = health, SSN and financial data
      2. Special categories (EU, GDPR Article 9) = racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, sex life or sexual orientation
  2. Where do the individuals characterised by this information reside?
    1. Since the GDPR, it is about the fundamental rights of the data subjects/consumers
  3. What are you going to do with the data?
    1. What is the purpose of the data collection/processing?
    2. What do customers expect?

 

How to work together

  1. What are the obligations?
    1. Consent? Purpose-based?
    2. Security?
  2. How do you ensure international transfers are lawful?
    1. Localisation is not a magic bullet!
  3. Data activation
    1. Going beyond your “primary purpose”
    2. Sharing between legal entities


Kirsten Tanner

Editor in Chief at In Marketing We Trust. Passionate about content marketing and dogs. Loves creating long-form, evergreen and 10x content. Is mentioned in Guy Kawasaki's latest book.
