Law students at American law schools take property, torts, and contracts during their first year. It is difficult not to view consumer privacy interests through one or more of those lenses, particularly when U.S. consumer privacy law has been based on a notice and consent, enforced by principles of fairness and non-deception reflected in the Federal Trade Commission Act and state consumer protection laws. For the most part, being explicit in a privacy statement about how consumer data is used, shared, and kept secure, and then living up to those promises while not acting in a way that would surprise or be unfair to a consumer, sums up the basics of U.S. consumer privacy law (nuance notwithstanding).
Given the broad jurisdictional scope of the EU Regulation’s complexity has been cited by nearly one in four U.S. organizations as the biggest compliance barrier by the data protection officer and a U.S.-trained attorney, is that the notion of data protection from the consumer’s point of view does not fit neatly into property, contract, or tort law principles. Instead, the GDPR paradigm reflects consumer rights and freedoms, bundles of interests that the consumer owns when they arrive to purchase a company’s goods and services and that may not easily be negotiated away.
While working to prepare an updated internal privacy policy for the IAPP, then, I did what Eduardo Ustaran suggested in an early 2018 tweet about how to start off the new year: “Read the GDPR. Read it again (Recitals and all).” As I read, I kept notes of key provisions that — more than others — seemed to me to reflect the foundational elements of the GDPR. What follows here is my “letter to the staff,” which is an attempt to translate parts of the GDPR to an American audience who will need to understand the Regulation to do their jobs.
Perhaps you will find this useful as you go about trying to explain the GDPR to your own staffs in the United States and around the world.
The nature of personal data
First, we need to get used to the term “personal data” instead of “PII” (personally identifiable information). Personal data is much broader than PII — it applies to anything that can be used to identify a person, including things that wouldn’t be PII such as an email address or even an IP address associated with a mobile device.
Next, it’s important to flip the view you might have of personal data the company collects as belonging to the company. Instead think of it as belonging to the person it identifies. You may then be ready to try to grasp a core value of the GDPR: “Natural persons should have control over their own personal data.”
This reflects a key public policy that data belongs to the person it identifies, and that the person has a right to control how it is processed. This means when customers share their data with us it is not ours, but rather theirs, at least as the European Union sees it and as reflected in the GDPR.
We can use that data to serve our customers and fulfill our business mission, of course, and by choosing to do business with us they are often giving us implicit permission to use it for legitimate business reasons. But there will be times when we must get the customer’s prior permission before we use their data, and this will mean more than just referring them to our privacy statement — we will need to get them to clearly express their interest in having us use their data in certain ways that we might tend to think should be entirely up to us, not them.
Restricted license
The customer is, you might say, giving us a license to use their personal data. This license is limited by some key things in the GDPR. For one, the person who provides their data may ask to see it at any time, may correct it if there are mistakes in our records, may ask us to stop using it, and may even ask us to erase it under certain circumstances. They can take our license away.
The license is ongoing because we do not know when we gather it when our relationship with the customer will end, or when we will otherwise no longer have a legitimate reason to keep the data. But it is not infinite. The GDPR expects us to stop processing the data and no longer retain it when we have fulfilled the person’s needs and we have no other legal obligation or other legitimate basis to keep it.
Furthermore, our permission to use our customers’ data is conditioned upon our using it lawfully, sometimes referred to in the GDPR as “legitimately.” This doesn’t mean that our business is legal and above-board; that is already presumed. It means that we are using the data to fulfill the consumer’s request for goods or services in a way that they would expect us to use it that wouldn’t surprise them or make them uncomfortable and is consistent with our privacy promises. It also means we have a good reason to use the data we collect from people, one we’ve established before we gather it for processing and that we’ve explained to the customers when they hand their data to us.
When we gather data from people, we are promising them that we’ll be careful with it, keep it secure, and only allow authorized people within the company to have access to it. One way to help protect our customers’ privacy is to use encryption whenever possible to protect access to their information by those who aren’t authorized to see it. We also need to be careful whenever we communicate by email that we aren’t sharing their data by accident with people who should not see it.
When we collect our customers’ personal data we are also promising not to share it with other people outside of the company without first telling our customers about it. This means we need to let them know when we are sending their information to any other person or company, perhaps a mailing house or even a database management service that stores their data in the cloud on our behalf.
We must work only with people whom we trust, and who have agreed in writing to comply with the law and be careful with our customers’ data as well. If you are thinking of using a new service that involves sharing our customers’ data you should tell your privacy or data protection officer (me!) right away and not start using that service until the proper agreements are in place.
Sometimes we’ll want to communicate with our customers about new products and services we’d like to offer them, and they won’t want to be bothered. We need to respect that. Consumers have the right to object to having their data used for direct marketing purposes, including having it used to “profile” them — analyzing their data to make decisions about them that might have a legal effect such as granting or denying them services. We need to tell our customers up front that they have the right to object to marketing and profiling.
Keeping data forever
It is tempting to keep information about customers for a long time because we never know what uses might be made of it later. After all, the largest and most successful technology companies (like Google, Facebook, and Amazon, for example) have built their fortunes on gathering and analyzing lots of data.
The GDPR doesn’t see it that way. One of the core principles of the law is that data should not be retained longer than necessary. Even though data subjects have a right to access their data, to correct it, and to have it transferred to others, data should not be kept in a form that permits a person to be identified just to fulfill these rights, if the original purposes for processing the data have been fulfilled.
As mentioned above, data subjects even have the right in some cases to ask that the company deletes all of their data — it’s called the “right to erasure” or the “right to be forgotten.” Although the right doesn’t apply in every case, it does when keeping the personal data is no longer necessary in relation to the purpose for which it was collected in the first place.
What’s the harm?
In the U.S., we are accustomed to worrying about data breaches, and the identity theft that might follow. We try to minimize the damage to people by offering them credit monitoring and limiting the amount of money they might lose if someone, say, uses their credit card illegally.
In Europe, data protection is much broader than preventing identity theft. Harm to data subjects includes non-material damage to a person. This “non-material” damage includes the mere loss of control over their personal data. All of which circles back to how this post began, namely, that it’s their data — not ours.
Conclusion
The GDPR — and many other countries’ data protection laws — challenges us to think of personal data differently than PII, or even than “privacy” rights under U.S. law. Its complexity extends beyond the high-level overview discussed here. But in general, if we begin to think of ourselves as stewards or guardians of our customers’ data, that will go a long way to helping us meet their privacy expectations and comply with the GDPR.