While the final form of the General Data Protection Regulation remains somewhat of a mystery, one thing’s for sure: It is coming. Such was the message of the keynote panel this morning at the IAPP Data Protection Intensive in London. Thus, the panelists focused on peering into their crystal balls and giving attendees insight on what they ought to be preparing for.
Particularly, moderator John Bowman, CIPP/E, of Promontory keyed in on four of the proposed regulation’s major provisions: legitimate interest, proportionality, the one-stop-shop and data transfers.
Rosemary Jay, senior attorney at Hunton & Williams, said she’s concerned that the regulation’s likely requirement that data processors only collect data for which there’s a legitimate interest is tricky in relation to balancing the rights of individuals, because “the minute you get an objection, the person’s right of objection overrides it and you must cease processing.”
Max Sorensen, CIPP/E, data privacy officer at LEGO, said legitimate interests can be difficult to explain to both employees who need to follow the rules and the consumers you need to inform.
“Going up to a consumer and saying (the data collection) is a legitimate interest is all very well, unless you lose business in it,” he said. He suggested privacy pros develop a language that allows them to engage with the employee or the consumer and explain why, which will give them headway, and be sure not to use legalese.
Anna Fielder of Privacy International, an advocacy group, agreed with Sorensen that it’s important not to use technical language.
“People have no clue what it (legitimate interest) means, and it’s been abused by businesses and organizations,” she said.
Sorensen said almost daily he gets calls from peers who want to perform profiling for business uses. Whether profiling could be considered a legitimate use is up for debate depending on context, Fielder said.
“There are two issues there,” she said: wrongly identifying a person, and targeting the most vulnerable—such as children or low-income people—and potentially discriminating against them. However, she said “at least symbolically” the law should resist decisions made on profiling. Further, there is a big difference between automated and algorithmic profiling for decision-making purposes and profiling that involves human decision-making. The latter is preferable.
Sorensen said it would be helpful if a better definition of profiling existed so companies could focus on compliance.
On the one-stop shop, Jay said it’s a mechanism that is capable of working, and though it’s been through some radical changes from one draft of the proposed regulation to the next, its current form may be the one that sticks in the end—and it will have real impacts. Essentially, it's a hybrid, with a lead DPA for companies in the country of their main headquarters, while lending other DPAs the right to raise a hand and ask for an investigation.
But Fielder said, in the UK, for example, most citizens now don’t even know what the Information Commissioner’s Office is and wouldn’t even know where to lodge a complaint against a company if they had one. She thinks the provision isn’t workable.
“If you look at its complexity, it isn’t going to be any more simple than it is now,” she said. She’d rather see a more collective complaint and enforcement system that would allow consumer organizations and privacy organizations the ability to take complaints on behalf of citizens and consumers. If the one-stop-shop mechanism passes as it stands now, she said, “we’ll be back to square one. There’s no effective way of enforcement.”
Finally, the panel discussed data transfers under the regulation, including the much-debated Safe Harbor agreement and Binding Corporate Rules (BCRs).
Fielder said the provision on data transfers should be made broader.
“We support sector-specific provisions and regional provisions like in California in the U.S.,” she said.
She’s not a fan of Article 43(a) within the regulation, which requires businesses transferring data to third countries to notify authorities about EU data subjects whose data they want to transfer and seek permissions from the relevant authority in the absence of a mutual legal agreement like BCRs or Safe Harbor.
“I personally think it will survive in some form or another because of political support from Parliament and some countries like Germany,” she said. “It’s got the support of privacy commissioners and we should support it.”
Jay said she thinks Safe Harbor’s in trouble and expects the EU to develop standards via increasing case law.
Looking forward, the major changes the regulation will likely impose on businesses, the panelists said, will involve how they are allowed to engage with individuals and the obligations on processors.
For now, to prepare, Jay suggested privacy pros look closely at existing contracts and conduct privacy impact assessments to see where they stand. Even if the final draft of the regulation isn't exactly the same as either the Parliament's current draft or the Council's, the exercise of performing a gap analysis won't be wasted effort, she said.
"By now it has to be obvious," said Fielder, "you cannot just hide your business. You can be audited and the consequences can be dire."