GDPR has been looming for a while now, but today it is on our doorsteps. It’s not just soon; it’s tomorrow. Is it time to panic, as seems to be the prevailing belief? No, definitely not! Whether you have started your transformation programme or not, here is some advice for this week:
Although we are all being bombarded with re-consenting emails, if you have assessed your contact database and have decided, using the ICO guidance, that you are compliant up to GDPR standards (helpful blogposts on that here, here, and here even if I do say so myself) don’t feel pressured to follow suit as it will likely mean a huge blow to your contact list for no compliance gain.
It does seem as though a few organisations are sneaking through consent emails to people who they only had either a tenuous relationship in the past, or no relationship at all (I can say I've personally had a few from companies I've never heard of!), and although it can seem a tempting strategy to use to bump marketing list numbers up, any complaints received by the ICO during this time will still be looked at (although likely a bit late) so the risk of being found to be in breach by the ICO and being fined for it is still present.
Ignore the Journalists
Ignore absolutely all reporting from anywhere which isn’t from an information law expert. As awareness that people have to do something to do with data protection increases, as does reporting on it. However it is a complex subject, and a lot of the nuance has been lost by reporters. This means editorial oversights, and plain mistakes from respected sources are rampant. To name (and shame) a few:
I could go on for days listing mistakes from well-meaning journalists, as almost every article I have read includes glaring inaccuracies. However, it’s advisable to ignore them altogether to avoid spinning out in a panic. Various negative outcomes can arise from reading them and taking them seriously: From undoing hard work already undertaken because you have read in multiple sources that the measured path you have taken is incorrect, to making rash decisions about what needs to be done going forwards if you haven’t started your change programme yet.
If you have yet to get your change programme in place to uplift your organisation to GDPR standard, hopefully all the emails and hype about it this week will help push the need for it internally. However, it is highly unlikely you will be bombarded with rights to erasure requests come Friday, so prepare for the change programme using reliable sources and your knowledge of your organisation, rather than attempting to enact it in a panicked few weeks (or even days). Rushed compliance will lead to mistakes and may be costly for several reasons: In overdoing it (not all of your systems will need APIs to adhere to data portability requirements! Possibly none will), underdoing it (doing a rush job of it now will likely mean less interest or funds to become compliant later), or doing it wrong (take your time to take stock of what information you have, what requirements apply to you, and how to implement it into your business in a way which will fit into your culture).
Yes, GDPR is a 'big deal', and yes it is here tomorrow, but there is no need to panic. Especially if your own change programme is well underway!
With all the focus being on GDPR implementation coming up to the 25th May, it would be easy to think that implementing the regulation and moving your change programmes more into business as usual would be the end state of privacy legislation, at least for now. Unfortunately change is in the air, and there are quite a few things organisations need to keep an eye out for, namely:
GDPR Case Law
Assumptions and organisational bets have been made around exactly how to interpret some of the more vague aspects of the GDPR (looking at you legitimate interests for marketing!), which will be sorted out through case law and ICO enforcement notices. It will be interesting to see how lenient the ICO is with fines and exactly what stance they take on issues which have been hotly, but up until now, hypothetically contested. Although points of law can be appealed if your organisations has a decision made against it by the ICO, it is nonetheless prudent to ensure your organisation learns from others mistakes to avoid getting a similar fine.
The replacement for PECR is coming up, and is more far ranging with less scope for nuance (or at least it’s draft form is!), this will be one to watch especially for digital marketers as well as any of the new ‘smart’ technology such as smart meters or other ‘internet of things’ services. Organisations will have to carefully implement technical changes where they apply, such as collecting less metadata around location for communications content, changes to cookies, and changes to how you can contact people.
Restriction of Model Contract Clauses to exclude the US
As discussed in a previous blog post there is highly likely to be a decision which means that the US is no longer able to use Model Contract Clauses, which is the legitimisation route most companies use when dealing with businesses outside of the EU. The new Facebook debacle has likely brought this forward somewhat, although it has been ongoing now for some time. This makes a Privacy Shield certification a much bigger priority if US companies want to do business with the EU, and would also mean that any data processors who process in the US would need to be reviewed with fresh eyes.
Data Protection Bill
The Data Protection Bill should be read side by side with GDPR and adds provisions where the GDPR allows to areas such as immigration, and is especially important for those in law enforcement or national security, however it also details more powers for the ICO. As was in the news this week, there are still considerable amendments being made to the Data Protection Bill, and at lot more discussion to be had about what makes it into the final text as it seems to be a medium for stirring up controversy from freedom of the press to immigration enforcement. As it is now it in the final strait in order to become law it won’t undergo a full revamp, but some surprises could yet be in store. It is certainly a document with implementation ramifications which a lot of organisations will want to pay attention to.
Supervisory Authority Guidance
The ICO releases some great pointers on how to comply with information law, but so far updated guidance for GDPR hasn’t been particularly comprehensive, this may be purposeful as there are so many other changes afoot, it may have been decided it is prudent to wait until the dust has settled to write authoritative guidance. Once the Data Protection Bill and e-Privacy Directive are through I would expect an increase in helpful guidance from the ICO, which may be radically different from how a given organisation has implemented GDPR. There are also other powers and responsibilities under GDPR that the ICO will need to fulfil which need to looked out for such as standard data protection clauses for international data transfers which would presumably supersede the current Model Contract Clauses. The ICO’s blog and published speeches are a great way to head off differences in implementation by the regulator as their stances are often alluded to much earlier than official guidance is released.
Codes of Conduct
Referred to explicitly in Article 40 of the GDPR as a way to stimulate proper application of the legislation, these have yet to rear their head. It’s not just the ICO who can write these, governing bodies of different sectors can also write these too, however it would need to be in conjunction with and signed off by the ICO. Look out for bodies such as the Financial Conduct Authority, Fundraising Regulator, and the Direct Marketing Association releasing official privacy Codes of Conduct.
You may have been getting a lot of emails recently; likely from recruitment companies and retailers detailing that they have you as opted in on their marketing systems and that they would like to keep marketing to you, but you’ll need to let them know you are still happy for them to. These are examples of organisations ‘refreshing’ consent, or uplifting their 'consents' to meet GDPR compliance levels. You may need to use the same approach for some of your contacts, however don’t worry– you likely won’t need to do it for all contacts. The below discussion is for 'BAU' marketing only, i.e. consent to receiving all marketing communications.
This uplift is being spurred on by GDPR, as although the Privacy and Electronic Communications Regulations (PECR) are the main legislation for electronic marketing, you also have to comply with GDPR. PECR does not specifically say you need a positive indication like a tick box for consent, and neither did the DPA. However, with a few exceptions for legitimate interests (and as the ICO has stated, only to be used sparingly), GDPR states that consent needs to be shown with an affirmative action. This means no more soft-opt ins in BAU marketing, or 'implied' consent.
Do I need to do it for everything?
No – just your 'soft opt ins', or things for which you don’t know if you asked a GDPR compliant question. As the Article 29 Working Party have noted: ‘Consent which has been obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR’. This is where good records management practices will pay dividends, because if you have details of all the questions you have asked to gain your consent, and they are GDPR compliant (as per my last blog post) then you are good to go. No refreshing needed here! However, this is also where not so good records management practices are going to sting you. You’ll need to hunt around your approvals or web design records to try and find the questions, and the manner that they were asked (no pre-ticked boxes!). If you can’t find any, or you have found them and none of the questions are compliant (they are all opt out, or have pre-ticked boxes for example) then you'll need to refresh all of your data. As discussed in the first of the GDPR debunking blog posts, you don’t actually need consent to contact customers in a lot of circumstances, only for marketing.
Isn’t asking people if they want to be marketed to considered marketing?
Before the 25th May asking people who you market to compliantly under the DPA whether they still want to receive communications is fine, as we are still operating under that legislation. Afterwards, it will likely be seen as very similar to the Honda situation, where you are asking borderline or grey area contacts whether they want to be marketed to. This is not viewed lightly by the ICO, and is likely to get you a fine. The fine Honda received was £13,000 of a possible £500,000. This tells us that it was not seen as a particularly severe breach of PECR, but a breach all the same. If you want to do it right, and risk free, it is advised that you do it before the 25th May.
What about refreshing consent to keep it up to date?
This guidance is from draft GDPR guidance on consent from the ICO and isn’t necessarily in the GDPR. The background to it is explored in detail in my previous blog post. The time limited aspect is mentioned in PECR – as it is implied you can’t keep the consent indefinitely. How long the consent is kept for will depend on your relationship with a customer, client, or supporter. If a person has consented to marketing and is using a continuous service such as water or electricity, or they are a registered supporter who has a longstanding monthly donation for a charity, this will need to be treated differently than a person who consented to marketing when they made a one off purchase, such as at an online retailer. It is likely a safe bet to assume that if a customer has consented to marketing at the start of a relationship, and that relationship is ongoing, that the consent doesn’t need to be refreshed until after that relationship is over.
Next week, RiverWolf will be looking at GDPR Mania in the run-up to GDPR implementation on the 25th May.
One of the main areas affected by the new GDPR and upcoming e-Privacy is Marketing – specifically business to customer marketing. The legislation in this area have indisputably gotten a lot stricter, a lot less vague, with more dire consequences if ignored, however there are quite a few alternative facts spreading that we will look at in detail below, namely:
You cannot contact customers about their product without opt-in consent
As discussed in a previous blog post, consent isn’t the only legitimate reason for contacting customers. In all of the relevant privacy legislation (GDPR, PECR, e-Privacy, etc.) stricter consent rules regarding business to customer marketing only refers to ‘direct marketing’, and so communications regarding a product the customer is on would not count. An organisation can happily contact a customer regarding changes to their product, that their product will expire soon (it’s worth noting that there are a significant number of scenarios such as in the finance and energy sector where you must inform a customer they are reaching the end of a cheaper/current deal and let them know the alternatives), or general service details around their product or service.
For now, under GDPR consent is not technically always needed for direct marketing, as you can send direct marketing for ‘legitimate interests’. This would be in very rare circumstances, for example in the instance where a customer is on a considerably worse product and an organisation wants to contact them to move them across. This ‘loophole’ if misused will not be viewed kindly by the ICO and so I would not recommend using it for ‘business as usual’ marketing, as that was not the intention of its inclusion. This is also likely to be overwritten by direct marketing rules under the new e-Privacy regulations so it will be a short lived loophole.
All of your current marketing data is invalid or will need updating
This marketing myth is based in some truth, all consent for direct marketing obtained pre GDPR will need to be checked to ensure they meet the GDPR standard. The Article 29 Working Party have stated that “controllers that currently process data on the basis of consent in compliance with national data protection law are not automatically required to completely refresh all existing consent relations with data subjects in preparation for the GDPR. Consent which has been obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR”. For this organisations will have to have kept good records in the past to ensure they know what questions were asked to customers and specifically that they were opt-in with no pre-ticked boxes, and the question was specific and granular. Depending on your organisational record keeping this could be a very straightforward task or will take a lot of digging around. If you can’t find any evidence of what questions were asked to obtain the marketing consents then it does unfortunately mean all consent will have to be ‘refreshed’ or the processing stopped.
Marketing data will need to be updated every two years, no matter what
The GDPR does not mention that consent needs to be time limited, however both the GDPR and the DPA state that information cannot be held for longer than necessary, and so the ‘time limited’ aspect of the ICO guidance is likely an interpretation of this in association with the PECR wording ‘[the data subject] has given consent for the time being to such communications being sent by, or at the instigation of, the sender’. It isn’t only direct marketing consents which are time limited, all data types should have a relevant retention period in order for organisations to meet data minimisation requirements, and also to help with businesses not over-spending on storage they don’t need.
In the ICOs draft consent guidance they suggested that if a company was in doubt of when to delete or refresh data every two years is a good idea “You should also consider whether to automatically refresh consent at appropriate intervals. How often it’s appropriate to do so will depend on the particular context, including people’s expectations, whether you are in regular contact, and how disruptive repeated consent requests would be to the individual. If in doubt, we recommend you consider refreshing consent every two years – but you may be able to justify a longer period, or need to refresh more regularly to ensure good levels of trust and engagement.” However this did not go down too well in most circles, as trying to put a best practice figure on how long consent lasts is impossible and will only lead to confusion. It can only be based on the context of the relationship with the individual and the service being provided. As noted above neither the GDPR or PECR set a specific time limit for consent, and if you are marketing to existing customers the time for ‘refreshing’ is likely after they are no longer a customer, as long as an easy opt out is provided on each communication.
Mythbusting conclusion: None of the three myths above are correct, although they do have roots in accurate guidance and legislation. Although these three are not technically accurate the rules around marketing have gotten significantly stricter, and will be getting stricter still when the e-Privacy Regulation comes into force.
Next week RiverWolf will be publishing ‘Debunking GDPR: What Exactly Does ‘Refreshing Consent’ Mean?’ taking a close look at a vague phrase which has considerable implications.
Marketing is a necessary part of the business world, and is essential for getting word out about what your business does, normally to selected groups of people or businesses who have been identified as possibly being interested in a product or service. Despite the essential nature of marketing it does have a bad reputation, as some organisations have mistreated the spirit of legitimate pathways (looking at you soft-opt in) to marketing in the past, and due to this those pathways which were in the Data Protection Act have not made it into the General Data Protection Regulations. However there are still ways organisations can legitimately speak and sell to their customers and stakeholders – old or new. This week RiverWolf will specifically be looking at business to business marketing, which have much softer rules than business to customer.
Marketing in privacy legislation only refers to ‘direct marketing’ which is defined as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”, and we will look at the words ‘direct’ and ‘marketing’ separately, as they are important to understand the full meaning. To be ‘direct’, the communication needs to be aimed at a specific individual. In practice all electronic messages such as calls, emails, text messages fall into this definition, however two major areas of marketing – unaddressed physical mailshots and most online semi-targeted adverts don’t come under this purview. The second word ‘marketing’ is important, as service correspondence, follow up conversations, and all other further correspondence with a prospective client wouldn’t count. For example if a coffee shop asked a website design company to design them a website, the follow up emails would not constitute direct marketing, despite the website company largely ‘selling’ a product and telling the coffee shop what they can do, this would be information or correspondence necessary to enter a contract. A further example would be if a coffee shop were to be on a preferential rate with the website company for 6 months, and were about to come to the end of their preferential rate and onto a normal higher rate, sending them details of other rates would not constitute direct marketing either as this would be ‘service correspondence’.
PECR and GDPR’s rules go much lighter when the marketing is business to business. You can email or text any corporate body (not including sole traders, but including companies, Scottish partnerships, LLPs, or government bodies) with marketing as long as you identify yourself and provide contact details. The recipients still have rights – especially if the address has the individuals details such as [email protected]. Specifically the rights the individual staff members and businesses have is the right to object to marketing, so an unsubscribe function is essential, and it is essential that it is easy to find and use (no rabbit hole link after link, register to unsubscribe, or dragon slaying to unsubscribe!). Although you do need to provide an opt-out on all communication, you do not need to specifically rely on opt in consent as you do with business to customer. You must however, keep an unsubscribed list and ensure you do not contact these people with marketing in the future.
Mythbusting conclusion: You can market to organisations without explicit opt in consent, as it is treated differently to personal contact details. However you will have to ensure you stick to the following checklist for B2B marketing:
Next week RiverWolf will be publishing Debunking GDPR Myths: Business to Customer Marketing which will take a look at B2C marketing myths. Subscribe to ensure you get the news first.
A prevailing myth of both the Data Protection Act and more recently, the GDPR is that you can only use a person’s personal data with their consent, and a subset of this belief is that although you can use personal data without gaining consent first, that this practice it is frowned upon. This belief has been repeated by many quite reputable sources, and is something heard regularly when running Data Protection training sessions. Fortunately for both consumers, organisations, and humans in general, all processing of personal data does not need consent. Not only is consent not needed it is also not the preferred method, as noted by the ICO who have stated “no single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual”.
All processing of personal information must be fair and legal, and to be legal it needs to fit into a ‘condition for processing’. There are six conditions for processing which can legitimise your activity and these can be summaried as:
It is important to take note of the word ‘necessary’ here, and not try and legitimise processing which is surplus to requirements of the core processing through an incorrect condition. Activities should fit neatly into one of the above, and if it doesn’t that is the point where consent is considered and a clear way of capturing consent in a freely given way is set out to the individual. Consent should not be chosen as the condition for processing if the processing could cause detriment to a person, or if it isn’t a real choice. For example- if a person is buying a cup of coffee the coffee shop would not ask them if they consent to their payment details being processed in order to pay, as if the customer declined they would not be able to buy a cup of coffee, hence it is not a real choice. The coffee shop would be providing a service and so this processing would fit under the ‘contract’ provision. Although it can seem like a paper exercise, picking the incorrect condition for processing can lead to serious issues later on if you need to reuse the information for any purpose, or if a person wants to exercise their right to erasure, objection (or withdrawal of consent), or portability based on what condition for processing you have given, and finds out they are not eligible for the right. For example, if the coffee shop had asked the customer for their consent to process their payment information, in the future the customer would have the right for the shop to delete that information, which would put them in a tricky situation with either just the ICO or the tax man and the ICO depending on how they handled it.
The only hard and fast rule (which isn’t always necessarily clear cut, as we’ll discuss next week), is that direct marketing to individuals needs to have explicit consent in order to be legal under GDPR (and the Personal Electronic Communications Regulations). This was not necessarily always the case, as previously organisations could rely on ‘soft opt in’, a practice where if a person had already shown they were interested by enquiring or previously purchasing from an organisation, it could be assumed they wanted to hear from them in the future. This is now not the case, and a clear indication that the person wants to be marketed to separate to (for example) wanting to go ahead with a purchase or other service, must now be collected. In other words, the coffee shop can’t assume that the customer wants emails about their coffee offers because they bought coffee from their shop.
A significant amount of confusion seems to stem from the need to tell people how you are using their data. With a few exceptions, all organisations need to tell people what they are doing with their information in the form of a ‘privacy notice’, which is given on collection of the data. Some privacy notices do ask for consent, as privacy notices are given at the start of a relationship with an individual and this is the best time to gain consent. However most notices are for information only and are necessary in order for organisations to be transparent and open about what happens with individual’s personal data, not for collecting consent. Not using consent doesn’t exempt an organisation from giving notice, but giving a notice doesn’t mean you need a tick box for a person to agree with it either.
As with the Data Protection Act, the GDPR has an addition set of conditions for processing for ‘sensitive personal data’, also now known as ‘special categories’ (the name changes are no doubt to keep us all on our toes!). There are 10 conditions for processing for sensitive personal data, but these come with more caveats (which are not listed) than conditions for non-sensitive personal data:
For most organisations which are not a public body or a not for profit, this means that they almost definitely will need explicit consent to process sensitive personal information. For some types of data, this is a vague area of the legislation, for example, some browsing history could be considered sensitive personal data (if you were to search ‘how to get rid of a migraine’ or ‘gout symptom checker’), yet these have traditionally not been caught by the much stricter provisions for sensitive personal data. However, most data which comes under the definition of sensitive personal data will be quite clear cut and the ICO does not take lightly to it being processed without a clear legal basis.
Mythbusting conclusion: Your organisation has many more conditions for processing to rely on other than consent for most personal data, however you mustn’t (generally speaking) use a person’s data without their knowledge, and if you want to start processing sensitive personal data you are likely going to have to use explicit consent.
Next week RiverWolf takes a close look at GDPR and Marketing.
The last few weeks have been tough on US data processors, specifically the tech giants Google and Facebook. The Cambridge Analytica saga has caused a ripple effect where US tech giant’s privacy practices have come under scrutiny. Issues such as Facebook tracking phone calls on Android phones without the users knowledge, saving of draft videos, and further scandal over the third party usage of data have been in the media spot light, and in the background the discussion of transatlantic processing has come to the forefront. As discussed in Part One the US-EU privacy relationship has quite often been projected upon, and broken by Facebook’s practices and reputation.
The Safe Harbor Agreement was initially the US’ way of getting an adequacy decision from the EU to make it easier for US companies to do business with European companies. It allowed companies to self-certify that it would protect data when on US shores, preventing the need to set up individual Model Contract Clauses with each client. In principle it’s a great idea, the EU and the US have a lot of data transfers, and a significant amount of prominent tech companies are based in the US. However, this became the centre of controversy when Max Schrems took Facebook to court and argued that the Safe Harbor Agreement did not give adequate protection to EU citizens. In a David and Goliath moment Yves Bot, the European court of justice’s advocate general agreed with Schrems and Safe Harbor was no more. Far from the easy one-stop-shop tool it was supposed to be, it was now a spot light, shining global news on US privacy practices, adding fuel to the fire of the PRISM and NSA scandal. For nearly a year there was no easy mechanism for transatlantic data processing, with organisations largely unsure of whether they were still allowed to use US companies (as Model Contract Clauses are not particularly well known even now), and shying away from contracts with these companies until the more formal go ahead was given by the EU. Relations with US companies still haven’t recovered, with procurement departments still not sure whether they are allowed to select US companies.
Privacy Shield was born out of the ashes of Safe Harbor 10 months after Safe Harbor was declared invalid, although it took a little longer for US companies to self-certify and for many companies to be on there. There is still a take up issue with many companies disregarding it, currently there are only 2786 organisations signed up, which are a fraction of the organisations who process EU data in the US. This makes procurement department’s reservations about appointing US companies more understandable. Arguably the differences between Safe Harbor and Privacy Shield are subtle at best, and do not solve the issues which lead to the dissolving of Safe Harbor (that European citizen’s data was being used for mass surveillance, and that there was no recourse to enforce privacy rights) in the first place. The differences which did make it through were the insertion of key definitions, mechanisms to ensure the oversight of the Privacy Shield list, and the mandatory external and internal reviews of compliance. The latter of these two in the November 2017 review of Privacy Shield didn’t seem to be working as safeguards particularly well. The last review, which was November 2017, before the Cambridge Analytic/Facebook debacle was lukewarm at best calling for “an increased oversight and supervision of compliance with the Principles of the Privacy Shield through namely, ex-officio investigations and continuous monitoring of certified companies” and was no less critical of the public authority side as security apparatus are still processing EU citizen data for mass surveillance purposes. Both privacy campaigners and certain EU officials aren’t placated by the safeguards put in by Privacy Shield, and this latest development could kill or strengthen it.
Considering the issues the US are having with their privacy reputation it does need to be asserted that there are no blacklisted countries, companies can still do business with any other business in any country as long as there are appropriate safeguards in place– however the US is currently the most difficult country to do business with privacy wise. This is bad news for all US businesses, but especially the tech giants who will be missing out on the large EU market. The US can either change their privacy laws ala Canada and gain an adequacy decision, continue with Privacy Shield and try and get it more widely adopted by US companies – making transfers and contract negotiations more smooth, or Privacy Shield could be quashed and replaced with something slightly more robust (… and hopefully something slightly more compulsory).
There have already been some immediate consequences of the focus on US privacy. The CEO of Cambridge Analytica has been suspended, there are calls for Zuckerberg’s resignation, and the EU have reiterated that they are unhappy with US privacy practices. There are also signs that it will have a positive effect, Facebook are wanting to roll GDPR-esque compliance out worldwide (although only ‘in spirit’), it has brought attention to the fact that GDPR applies to all EU citizens and residents even if you are processing it in the US, and hopefully it is a wake-up call to tech giants and other organisations that people take their privacy seriously. The previous cold start ‘wait and see’ approach to GDPR implementation and working towards good privacy practice in general may just be heating up.
A large portion of the backlash from the Cambridge Analytica (CA) saga, at least in the Privacy world, has been the focus on US privacy governance, or as the EU pointed out, lack of it. This has been a thorn in the side of the EU for some time, with notable events in the transatlantic relationship being: the moving away from traditional Model Contract Clauses (MCCs); the creation of the Safe Harbor Agreement; (even more notable) the overturning of Safe Harbor due to the Max Schrems v Facebook case; the creation of Privacy Shield; and potential overturn of MCCs through the Irish Courts (again, due to Facebook). For comparison’s sake other countries outside the EEA have not had such a hard time of it, and have the choice or Binding Corporate Rules (if eligible), MCCs, or getting an adequacy decision as a country (such as Israel, New Zealand, Switzerland, Uruguay, etc.).
Schrems, the privacy campaigner who had the Safe Harbor Agreement overturned, and now has his sights set on MCCs, seems to be feeling vindicated since Facebook were implicated in CA’s misuse of data. Schrems is reportedly ready to file more lawsuits to try and force stricter privacy laws for the US, which will no doubt be taken slightly more to heart by Facebook this time round (especially now that the hope of a class action lawsuit costing a serious amount of money has been abated). Other major players are also increasingly vocally concerned, such as Sophie in’t Veld a member of the EU Parliament, and Vera Jourova the EU Justice Commissioner. Both are calling this a wake-up call for Europe to ensure that their citizens data is protected in the US, beyond mere lip service.
Let’s look at the journey the US (and Facebook) has taken with EU privacy laws, their validity today, and the future of the Privacy Shield arrangement.
Binding Corporate Rules BCRs are for multinational corporations, international organizations, and groups of companies who pass or otherwise process EEA citizen or individuals who live in the EEA’s data outside of the EEA. Binding corporate rules are internal rules for data transfers an organisation, like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection and must be signed off by a data protection authority, such as the Information Commissioner’s Office (ICO) or other equivalents within the EEA.
These have been around since the Article 29 Working Party birthed them in 2003, but so far according to the European Commission’s website only 88 have been set up and signed off. This is an indication of how popular these are considering the sheer number of companies who would be eligible for it as they share data across EEA borders within their organisations and subsidiaries. The low take up could be due to the process being difficult, the standard of sign off being high, or low awareness. Considering that many of the eligible organisations have very knowledgeable lawyers and information management professionals I would posit it is one of the first two. Facebook do not have a BCR, but this would validate the data transfers within the Group and solve a number of their issues. This is unlikely going to be a path Facebook follow as it would need to be signed off by either the ICO or by the Data Protection Commissioner in Ireland. The process would mean their internal practices would be under significant scrutiny, at the end of which they may not meet the standard, and to boot the outputs of this scrutiny up for grabs under the Freedom of Information Act (exemptions non-withstanding). If Facebook do go for this option, I will eat my hat. However for other US multinational companies who are eligible for it, it is an option worth exploring as once achieved it’s smooth sailing as far as internal international data processing goes.
Model Contract Clauses MCCs are for any organisation outside of the EEA wanting to process European data for a company within the EEA. They’re usually an annex to a Data Processing Agreement, and are unfortunately an afterthought and blocker to procurement processes which includes any international organisation (‘if only they’d gotten Privacy involved right at the start!’ with likely be etched onto my tombstone as most said phrase). If initiated at the beginning of a procurement process, and privacy and security provisions are included in the tendering process MCCs are relatively pain-free. They only become painful when a non-compliant organisation wins a tender as privacy and security were not considered beforehand.
Max Schrems has semi-recently brought the case that MCCs just won’t cut it when it comes to transferring EEA data to the US to the Irish High Court, who have decided that they weren’t really the ones to decide on it (that honour will be the Court of Justice of the European Union). It is highly likely that the CJEU will invalidate MCCs for transatlantic transfers as the Irish High Court found that the concerns were ‘well founded’ due to the MCCs not offering any remedial action for rights abuses through the US courts. This is especially important considering the indiscriminate mass surveillance operations underway by the US government. Any MCCs with the US which are currently active are still valid, however I wouldn’t advise signing any more as a basis of a contract as a US company as they could be (and are likely to be) invalidated quite soon. As Facebook are relying on MCCs it is likely to add fuel to the fire for both MCCs as a concept and Facebook’s position in the CA debacle as it has been known that the clauses are on shaky ground for over a year.
The elephant in the room when discussing the validity of any agreement or contract with the US is the ‘massive and indiscriminate’ surveillance undertaken by the US government which has been the reason in the past and will likely be the reason in the future for the invalidation of transfer agreements. The 29 Working Party has repeatedly stated that such surveillance is not compatible with EU law and that where state authorities access to information goes beyond what is necessary in a democratic society, such countries and territories will not be deemed safe places for transfers or processing of EU data.
Overall the blood is in the water for MCCs (but not their more difficult cousins BCRs!). Both the US and more specifically Facebook must utilise stricter privacy controls and governance if they want to be competitive in the more privacy aware EU market. US companies, especially tech companies, are losing out on contracts due to this issue, and will be losing out on more as GDPR comes in and EU companies review their data processor agreement contracts and 3rd party supplier lists.
The next post will focus on the subject of (the late) Safe Harbor Agreement, Privacy Shield, and the future of transatlantic data processing.
Data Protection has recently come back into the public consciousness in a way it hasn’t done since the Talk Talk breach, and unusually it’s not for a security breach but a breach of legal processing, which rarely captures the public’s attention. Let’s look in detail where it went wrong in relation to the Data Protection Act and the upcoming General Data Protection Regulation.
Cambridge Analytica (CA) were in breach of Principle 1 of the Data Protection Act (DPA) due to not having a legal basis for processing. CA may insist that they had the consent of the data subjects, however this consent was clearly not informed and freely given considering that users thought it was for a fun personality quiz called ‘thisisyourdigitallife’. If the quiz’s fair processing notice had followed the ICO’s guidance the user would have real choice and control (and for this you need to be informed), a positive opt in such as a tick box (especially for sharing with third parties such as CA), have named any third parties who may receive the information (meaning CA should have been specifically named), and the consent should be freely given by the data subjects.
This is a trend in apps, especially third party apps which link to social media, that their fair processing notices are not appropriately transparent and often don’t come close to the standards of the DPA and the ICO’s recommendations. Under GDPR the requirements written into legislation are more specific, and so it will be easier to prosecute those who are clearly being vague in order to gain consent. In the instance of CA this shouldn’t be a problem for prosecution as the end use is so distant from those initially stated, that it breaches Principle Two of the DPA - i.e. that organisations must detail specifically why they need the data, and must not process it further for different purposes. Not only did ‘thisisyourdigitallife’ not have an appropriate condition for processing, as their consent wasn’t compliant, the data was also sent to an undisclosed third party (CA) for a completely separate purpose from Aleksandr Kogan and Global Science Research.
To add insult to injury, data subjects were not just providing ‘consent’ for their data to be processed, they were giving consent for some of their friends as well. As people can’t give consent on behalf of others (unless they are legally responsible for them), this is also a breach of Principle One. it is clear that the majority of the data was collected from scraping users' friends' profiles, as only 270,000 people took the quiz but data was collected from around 5 million individuals via the quiz's functionality which also looked at friend's profiles. Some may argue that as their friend’s privacy settings were not set to private, that these people were open for having their data scraped. This may be true on an open platform like Twitter, but most people on Facebook who have ‘open’ profiles have done so by mistake, due to the nature of Facebook's default settings. It is public largely by accident, not on purpose. This brings the Right to Privacy in the Human Rights Act into play if it were brought to court, on top of the other transgressions.
Direct Marketing is defined in the DPA as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”, this doesn’t only cover selling items, but the marketing of ideals and covers political campaigns. Although highly targeted campaigns through Facebook and other social media sites have not yet come into scope from the ICO and other legislators as direct marketing, the more personalised it gets, the more likely it is to come into scope. Technically if the definition is taken at face value, these types of adverts should already be in scope. Once marketing and advertising is defined as direct marketing it comes under much more stringent governance processes, which arguably the issues with data usage by CA have shown to be necessary.
In breach of Principle Five of the DPA, retaining data for longer than the purposes you obtained it for, CA have held onto the data from the Facebook, who here are the original Data Controller, after they had been told to delete the data, and after they have confirmed they had done so. Attempting to get a streak of as many of the 8 Data Protection Principles contravened as possible, there is also a case that Principle Four ‘Personal data shall be accurate’ has also been contravened, with their assertion that they put forward knowingly inaccurate smear campaigns (discovered through the Channel 4 sting). However the slander and libel laws are much better established for this purpose, and so it is unlikely a Principle Four contravention will be pursued as much as the others.
Under the DPA, considering they are prosecuted under this and not the GDPR, they will be in contravention of Section 55 of the DPA, especially as they did not have the consent of Facebook:
“A person must not knowingly or recklessly, without the consent of the data controller--
(a)obtain or disclose personal data or the information contained in personal data, or
(b)procure the disclosure to another person of the information contained in personal data”.
This is a criminal offence which can attract a personal fine as well as a fine for the person’s company, however it is much more likely that only the company will be pursued, rather than individuals. Data subjects could also press for damages for causing distress on top of the personal and company fines, with potentially five million data subjects with a legitimate case.
Considering their contraventions, the ICO are interested in CA and their practices. CA have been given a deadline to respond to the ICO’s request for access to their servers, a request which passed with no access given. The ICO are now having to apply for a warrant to access these servers, the delay in being able to raid will no doubt hinder the investigation significantly, but the evidence will also be on Facebook and so they won’t be able to scrub the evidence of wrong doing away, only attempt to defend it.
Overall, it has been a catalogue of errors, with CA seemingly ignoring any legislation which protects people’s privacy in order to reach their desired goal.