Enforcing GDPR will make data regulators clarify grey areas
by Conor Brennan on 23 Jan 2019
After all the talk about GDPR implementation last year, we are starting to come to the crunch point where companies' data practices are being tested by the regulators. The results could create continued regulatory headaches for data-intensive businesses.
Since its implementation in May 2018, there has been something of a grace period for companies adapting their operations to accommodate the new EU General Data Protection Regulation. Business operations have adapted, online cookie banners are increasingly prominent and consent opt-outs for marketing services are disappearing. All the while policymakers are moving on to the next big issue - ethical use of data.
However, over the last couple of months European regulators have begun examining whether the operational changes that have been adopted by big industry players are fully in line with the spirit of GDPR. With some prompting from pressure groups, data regulators are now proceeding with investigations and enforcement decisions which will provide precedent for best practice in data processing for the future.
Google falls foul of new regime
This week saw GDPR’s first large-scale fine for the breach of its rules. France's data regulator CNIL announced it has fined Google €50 million for failing to provide transparent and easily accessible information in accordance with its data consent policies. CNIL said Google made it too difficult for users to understand and manage preferences on how their personal information is used, with a particular emphasis on targeted advertising, therefore voiding its legal basis for processing data.
It should come as no surprise to those who have followed the evolution of the implementation of GDPR that operational questions and ‘grey areas’ remain. Consequently, a list of queries and uncertainties persists which may only be decided through data protection regulators and the European Data Protection Board taking decisive action, as demonstrated with the fine against Google.
A pipeline of challenges for regulators to consider
Two challenges to the status quo deserve particular attention. In November 2018, privacy rights group Privacy International submitted complaints against seven data brokers, ad-tech companies and credit referencing agencies to the data protection authorities in France, Ireland, and the UK. At the heart of these complaints were concerns about the legal basis used for data processing activities of the data broking and AdTech industry. Privacy International argues that the problems it is highlighting are systemic in these industries.
The complaint challenges ‘legitimate interest’ as a legal basis for processing data. It questions whether the activities of data brokers follow the equivocal principle of ‘fairness’ - the requirement to consider the reasonable expectations of data subjects, the effect that the processing may have on them and their ability to exercise their rights in relation to that information.
Another principle of GDPR, a data subject’s right to access the data held about them, has been brought to the fore by privacy activist Max Schrems and his new privacy group None Of Your Business (“noyb”). Focusing on large digital streaming services, noyb has published a report claiming that eight streaming services (including Amazon, Apple, Spotify and Netflix) are not in compliance with Article 15 of GDPR, the right to access data.
As part of its research, noyb requested the raw data held on users from these digital platforms, as well as the source, recipients and purpose of holding the data. The key arguments made in the report were that the data was often adjusted and not in a raw format. It also claimed that none of the streaming services included in the report adequately disclosed the purpose of holding the data and who will be a recipient of the data.
Data-driven sectors wait for clear direction
The overarching theme which binds these challenges together is transparency of information - a perceived lack of user information about how data brokers utilise data, how raw data is managed and shared, and what users are fully consenting to. It runs to the heart of the ongoing conflict the EU has faced while developing rules for the digital sector – where does the appropriate balance lie between the rights of a data subject and the responsibilities on companies that hold or process data?
Following its fine, Google said it was “studying the decision to determine our next steps”. If there is no appeal, it will be required to make operational changes, including segregating its requests for consent from European users to process data for certain services. As further investigations and formal decisions are produced by European regulators, data-focused businesses will need to keep their data policies under close review to ensure continued compliance with GDPR.
Written by Conor Brennan
Conor is an experienced consultant who advises clients in the data economy, insur-tech, and energy sectors.