Data Privacy Day: the new EU Data Protection Regulation explained

The new Data Protection Regulation has taken four years to go through Brussels, in a convoluted process that has seen the original proposal from the European Commission utterly transformed through unprecedented levels of lobbying by companies and governments. The US was particularly aggressive, but in the end EU member states such as Germany managed to do a lot of damage with their demands for carve outs and exceptions.

[Image: EU flags. Photo credit: Thijs ter Haar, CC BY 2.0]

The final version of the regulation is a mixed bag of results from a civil society perspective. The reform of data protection aimed to both modernise and harmonise the legal framework across the EU, while maintaining existing levels of protection. The original proposals aimed to put citizens at the centre, giving people control over their information and improving enforcement against abuses, but these ideas have been watered down substantially. Yet we must celebrate the fact that the regulation was passed at all, given how close the process came to collapsing on various occasions.

The regulation has not managed to completely please businesses either. At a recent stakeholder roundtable organised by the Information Commissioner's Office (ICO), we heard repeated concerns about the new requirements and the need for guidance. The message from the Commissioner was “don’t panic but expect fundamental changes to how data protection works”.

In the coming months ORG and other civil society groups will work to ensure that those changes take place and the new regulation takes basic data protections into this century. In this first blog, published on Data Privacy Day, we outline some of the main changes in the regulation, as well as some of the missed opportunities. The GDPR is huge and we will look at other areas in a series of blogs in the coming weeks.

Consent and “legitimate interests” to process your data

The new law brings in a stronger provision for consent to the processing of data. Until now companies could rely on “implicit consent”: if you used their services, it was assumed that you were happy for your data to be collected unless you ticked an “opt-out” box.

The GDPR is better as it requires you – the data subject – to positively agree by “a statement or a clear affirmative action.” Consent now must be “freely given, specific, informed, and unambiguous,” which sounds good but belies some complex nuances that armies of lobbyists and lawyers have fought over during the past few years. The original proposals included “explicit” consent, a higher bar, but this has now only been kept in relation to sensitive data such as race, biometrics, political or sexual orientation; much as it is now.

The regulation is an improvement in other areas, making it easier to withdraw consent and clarifying that freely given consent cannot be given when people are unable to refuse without suffering a “detriment”, or where there is an imbalance of power. Importantly, an organisation cannot make a service conditional upon consent to give away data, unless the data is necessary for the service. These aspects should have important implications for many online services and apps.

The new law also brings changes to consent from minors under 16, with concerns for example that teenagers may be required to obtain parental permission to access confidential information. This is a complex issue and we plan to cover it separately.

Most people believe that consent is the one and only basis for handling your data, but this is not the case. Companies may also need to process your data in order to fulfil contractual or legal obligations, or in an emergency, and this is fine in most cases.

Unfortunately, the law also allows some fuzzy “legitimate interests” of an organisation to justify the processing of personal data overriding the privacy of individuals, appearing to contradict the very idea of data protection. This was originally designed as a narrow exceptional case but has become the main justification for the oceans of personal data kept by businesses large and small.

There are some limits to what companies can do, though. The purposes for which the information is used must be clearly defined, and there should be a balancing exercise that ensures there is not an excessive intrusion on individuals’ expectations, rights and freedoms. Unfortunately these are not enough to fully protect individuals and more restrictions are required.

One big problem is that the law sees the “legitimate interests” of third parties as a good enough reason for processing our data. As EDRI put it: “If a company you have never heard of can process your data for reasons you’ve never heard of, what is the point in having data protection legislation?”

The new regulation is a missed opportunity to fix these loopholes by severely restricting legitimate interests, although it brings some minor safeguards.

Transparency and access to your data

The GDPR also brings some improvements to the transparency requirements over what data is collected and how it is processed. Privacy notices should now be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. You should now be told a lot more about how your data is processed, including “meaningful information about the logic involved” in automated decision making. This information should be provided when the data is obtained.

The regulation also provides for information to be given using “standardised icons” that should be machine-readable. Automated processes in which computers read these icons and match them against a person's expressed privacy settings are possible, but may be limited by requirements for explicit consent, and should not be permitted in cases involving sensitive data.

We remain concerned over clauses allowing companies not to comply with all the transparency requirements if giving detailed information would involve a “disproportionate effort”, or in cases where disclosure is legally mandated, and expect that the Information Commissioner will take a robust approach to any such claims.

Companies are concerned instead that these requirements will mean drowning their customers in privacy notices and losing the ability to “layer” information from simple notices to full complex documents. We do not see why this should be the case, and clear guidance and enforcement lines should come out as early as possible to avoid the ridiculous situation of the ineffective cookie notices.

The regulation brings several changes to your right to request that a company gives you the data it holds on you. A small but critical change is that such requests will now be free in the first instance, with fees reserved for repeated cases or disproportionate requests. This will likely trigger a large number of requests in the first months or even years, and we expect semi-automated services to flourish. We also expect that companies will make their lives easier by automating such processes.

The information to be provided should not simply be a dump of your data, as is often the case, but an explanation of how the data is used, similar to transparency requirements elsewhere. Overall, the regulation should make companies think through their data processes very carefully, as they will be required to explain them at various points, including under new accountability requirements that we will discuss in a separate blog.

In addition to the right of accessing information there is a right to “data portability” designed to allow people to switch services and enhance competition and consumer rights. The right does not cover all types of information though, being restricted to data you provide through consent or in the course of a contract, and then only data processed automatically.

The data should be in machine-readable format and if possible provided directly to another organisation. This new right in combination with a new right to erasure, which we will discuss in our next blog, could mean some seismic changes to how data is treated.

What’s next

In the coming weeks we will look at other areas affecting individual rights – such as pseudonymous data, profiling and breach notifications – and also at the implications for organisations. Businesses and also NGOs will have to consider requirements for data protection officers, international data transfers and accountability measures, including data protection by design. There are also huge changes to data protection authorities, with the establishment of an EU data protection board, and a one-stop-shop principle for international adjudication.

Enforcement is another area with big changes and much larger fines, although not as extensive as we initially hoped. The recitals do include the possibility for public interest groups such as ORG to lodge complaints to authorities and courts on behalf of individuals, including for compensation.

The right for organisations to launch independent complaints has been left at the discretion of national governments, so we will need your help to get the UK to take a progressive stance on this matter which could transform privacy activism as we’ve known it.

From the above the picture seems pretty rosy, but unfortunately the regulation presents many holes that could mean that in practice not a lot changes. The potential is there but civil society, progressive politicians and data protection authorities must work hard in the coming years to ensure the GDPR delivers as close as possible on its original objectives for modernising the law and empowering individuals.