THE NEW EUROPEAN PRIVACY LAW THE GENERAL DATA PROTECTION REGULATION AND WHAT’S NEXT Oslo, Norway 14 September 2016


THE NEW EUROPEAN PRIVACY LAW

THE GENERAL DATA PROTECTION REGULATION

AND WHAT’S NEXT

Oslo, Norway

14 September 2016

CONTEXT

Why a new data protection law?

INTRO

• April 14, 2016: GDPR formal adoption
• May 5, 2016: GDPR publication in OJ
• 20 days + 24 months
• May 25, 2018: GDPR taking effect

WHY A NEW DATA PROTECTION LAW?

[Figure: Internet users. Source: International Telecommunications Union]

WHY A NEW DATA PROTECTION LAW?

[Timeline figure, axis 1995, 1998, 2002, 2004, 2007, 2008, 2009, 2012, 2013, 2016. Labels: EU Data Protection Directive; EU Cookie Directive I (opt-out); EU Cookie Directive II (opt-in); EU GDPR Proposal; EU GDPR Adoption]

WHAT TO TAKE AWAY

The definition of personal data under the GDPR and the lawfulness of processing


SCOPE OF APPLICATION

The definition of personal data under the GDPR

TERRITORIAL SCOPE

• The GDPR will apply to controllers and processors established within the territory of the European Union.
  • Branch, or subsidiary located in the European Union…
• The GDPR will also apply to controllers outside of the EU if they process personal data of data subjects in the EU, e.g. for offering goods and services or for the monitoring of their behavior taking place within the EU.
  • Shop or website offering goods or services to the EU… (offered in local language, sells goods in local currency)
  • Company engaging in profiling of users within the EU... (OBA)

TERRITORIAL SCOPE

• You are in Europe: The GDPR applies to you.
• You are outside of Europe: The GDPR applies to you if you process Europeans’ data.

MATERIAL SCOPE

[Diagram, built up over three slides. Labels: anonymous information, identifiable information, identified information; regions NON-PERSONAL DATA and PERSONAL DATA; then PSEUDONYMISED DATA and PII added.]

MATERIAL SCOPE: PERSONAL DATA

• Any information (the medium is irrelevant) relating to an identified or identifiable natural person
• Identifiable? Consider the “means reasonably likely to be used” to identify the individual
  • taking into account all objective factors, like
    • the costs of identification
    • the amount of time required for identification
    • the available technology at the time of processing
    • technological developments
  • used either by the controller or by another person
• Identification can be direct (name) or indirect (telephone number, combination of significant criteria)
• Singling out is a form of identification

MATERIAL SCOPE: EXAMPLES OF PERSONAL DATA

• Born on August 4, 1961
• Born in Honolulu, Hawaii
• Married in 1992
• Two daughters
• Alma mater: Harvard University
• Resides in Washington, D.C.
• Lives in a house built in 1792
• The house is white
• 44th President of the United States
• Barack Obama

MATERIAL SCOPE: EXAMPLES OF PERSONAL DATA

Unique Combinations

Barack Obama

MATERIAL SCOPE: EXAMPLES OF PERSONAL DATA

• If an individual can be distinguished from a group, that data is personal data (unique cookie ID)

MATERIAL SCOPE: EXAMPLES OF PERSONAL DATA

• Barack Obama: personal data (identified)
• SHA-1 (Secure Hash Algorithm)
• cb8701b4202dbb46fda978884bbc21c0c97b538d: personal data (identifiable)

MATERIAL SCOPE: EXAMPLES OF PERSONAL DATA

• Ad tech: IP 94.225.47.200, ???: personal data (identifiable)
• Internet service provider: IP 94.225.47.200, Matthias Matthiesen on Friday, 22 April 2016, 9:15 AM: personal data (identified)

MATERIAL SCOPE: EXAMPLES OF PERSONAL DATA

• The definition of personal data goes beyond the notion of PII
  • e.g. pseudonymised data is considered personal data.
• The mode of identification is irrelevant
  • e.g. singling out (unique cookie ID) without knowing identity is a form of identification.
• The holder of the means of identification is irrelevant.
• The notion of personal data will expand with technological progress.
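The point of the SHA-1 slide and of the summary above, as an added example that is not part of the original presentation: an unsalted hash of a name still lets separate records be linked and matched against a candidate list, and a keyed hash only moves the means of identification to the key holder. The function names, the sample records and the key are constructed for illustration, and the HMAC variant goes beyond what the slide shows.

```python
import hashlib
import hmac


def sha1_pseudonym(name: str) -> str:
    """Unsalted SHA-1 of the name: the transformation shown on the slide."""
    return hashlib.sha1(name.encode("utf-8")).hexdigest()


def keyed_pseudonym(name: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key (added variant, not on the slide)."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def link_by_pseudonym(*datasets):
    """Merge records from several datasets that carry the same pseudonym.

    This is singling out: a profile is built without knowing the name.
    """
    profiles = {}
    for dataset in datasets:
        for pseudonym, attributes in dataset:
            profiles.setdefault(pseudonym, {}).update(attributes)
    return profiles


def reidentify(pseudonym, candidates, transform):
    """Return the candidate name that maps to the pseudonym, or None."""
    for name in candidates:
        if hmac.compare_digest(transform(name), pseudonym):
            return name
    return None


# Constructed sample data: one name from the slides plus two invented ones.
CANDIDATES = ["Alice Example", "Barack Obama", "Bob Sample"]
SECRET_KEY = b"constructed-demo-key"  # placeholder, not a real key


def demo():
    p = sha1_pseudonym("Barack Obama")
    # Two independent (constructed) datasets that only store the hash.
    dataset_a = [(p, {"born": "1961-08-04"}),
                 (sha1_pseudonym("Alice Example"), {"born": "1980-01-01"})]
    dataset_b = [(p, {"city": "Washington, D.C."})]
    profiles = link_by_pseudonym(dataset_a, dataset_b)

    k = keyed_pseudonym("Barack Obama", SECRET_KEY)
    return {
        # The same hash in both datasets joins the attributes into one profile.
        "linked_profile": profiles[p],
        # Anyone holding a candidate list can recompute the unsalted hash.
        "unsalted_reidentified": reidentify(p, CANDIDATES, sha1_pseudonym),
        # Without the key the keyed value matches nothing ...
        "keyed_without_key": reidentify(k, CANDIDATES, sha1_pseudonym),
        # ... but the key holder can still identify: pseudonymised, not anonymous.
        "keyed_with_key": reidentify(
            k, CANDIDATES, lambda n: keyed_pseudonym(n, SECRET_KEY)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```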

MATERIAL SCOPE: EXAMPLES OF PERSONAL DATA

[Diagram repeated over two slides. Labels: anonymous information, identifiable information, identified information; regions NON-PERSONAL DATA and PERSONAL DATA. On the second slide the "anonymous information" label no longer appears.]

ALL DATA IS PERSONAL DATA. EVERYWHERE IS EUROPE.

Make no mistake: You are in scope.* Don’t be a fool – prepare!

*very likely


LAWFULNESS OF PROCESSING

The legal justifications that allow processing of personal data

LAWFULNESS OF PROCESSING

Processing personal data is prohibited… …unless it is specifically allowed

• because you have the consent of the data subject to process their personal data (opt-in);
• because you have a legitimate interest to process personal data (opt-out)
  • and the privacy rights of the data subject are not overriding
  • and the data subject has not objected to the processing


LAWFULNESS OF PROCESSING

The consent of the data subject

LAWFULNESS OF PROCESSING: CONSENT

• Consent is a statement or clear affirmative action signifying agreement to the processing of personal data.
  • freely given
  • specific
  • informed
  • unambiguous

LAWFULNESS OF PROCESSING: CONSENT

• Silence or inactivity, e.g. not using a provided opt-out, cannot be consent.
• Consent is presumed not to be freely given when provision of a service is made conditional on consent for unrelated data processing (take it or leave it).
• Consent is presumed not to be freely given when there is a “power imbalance” between the data subject and the controller (government vs individual).

LAWFULNESS OF PROCESSING: CONSENT

• Which affirmative actions can convey consent?
  • Further browsing?
  • Clicking a link?
  • Highlighting text?
  • Scrolling the website?


PROFILING

…and automated decisions

PROFILING

• Profiling is automated processing, analyzing, or predicting a person’s preferences, interests, behavior, etc.
• It must be justified through one of the legal justifications, e.g. consent or the legitimate interests of the controller.

PROFILING

• Where an automated decision, including profiling, has legal effects or similarly significantly affects a user, it is regulated more strictly.
• It can only be justified through the explicit consent of the user.

REGULATED PROFILING: EXAMPLES

• Automated review of credit applications
• Automated recruitment practices, e.g. candidate selection through algorithm

What about profiling for the purpose of serving interest-based advertising?

Does not produce legal effects or similarly significantly affect data subjects.

FINES

Why should you care to follow these rules?

FINES

• Breach of the provisions of the GDPR can lead to fines of up to €20 million (kr 185.5 million) or 4% of global annual turnover

WRAP UP

…and next steps

WRAP UP

• The GDPR is broader in its scope (both territorial and material): more activities will fall under it.
• The GDPR is more restrictive in its legal grounds for processing: activities are harder to justify.
• The GDPR lacks legal clarity: member states, DPAs and courts will need to fill in the gaps (if they are permitted).
• As a direct result of the above, the GDPR is a far cry from “harmonization”: gaps will not be filled in the same way everywhere.
• It was an uphill battle from the beginning, and while the outcome is not great, the most extreme ideas have not made it in.


THANK YOU FOR LISTENING

Questions?

GET IN TOUCH

MATTHIAS MATTHIESEN
Public Policy Manager, IAB Europe

[email protected]


BONUS


LAWFULNESS OF PROCESSING

The legitimate interests of the controller or of a third party

LAWFULNESS OF PROCESSING: LEGITIMATE INTERESTS

[Diagram, built up over three slides: the legitimate interests pursued by the controller weighed against the fundamental rights and interests of the data subject. Labels: controller, data subject, privacy, reasonable expectations, running a business, direct marketing. Outcomes shown: processing (controller) or no processing (data subject).]

LAWFULNESS OF PROCESSING: LEGITIMATE INTERESTS

• Real balancing test, not a mere formality
• Provide information (transparency)
• Provide the right to object (opt-out)
• Unfortunately unavailable for OBA in practice because of the cookie directive
  • consent required for storing or accessing any information on a user device
    • cookies
    • advertising id
    • device fingerprinting
    • javascript?

EU LAW MAKING 101

An intro to decision making procedures – official and unofficial

LEGISLATIVE PROCEDURE

[Diagram labels: CHANGES; CONCILIATION; INFORMAL AGREEMENT]

LEGISLATIVE PROCEDURE

TRILOGUES

[Diagram labels: INSTITUTIONS NEGOTIATE INFORMALLY; INFORMAL AGREEMENT; FORMAL PROPOSAL OF INFORMALLY AGREED CHANGES]

• 82% of laws adopted 2009-2014 were agreed in trilogue
• 96% of laws adopted in 2014 were agreed in trilogue
• Only 2% of laws negotiated in trilogue fail *

* Source: EBD

LEGISLATIVE PROCEDURE

• Trilogues sidestep the formal democratic process with little chance for the public to intervene.
• Time between decisions can be as little as a couple of days.

“Bloody Brussels bureaucrats making rules behind closed doors.”



THE REVIEW OF THE EPRIVACY DIRECTIVE

Fixing or worsening the cookie law

REVIEW OF THE ePRIVACY DIRECTIVE

• The ePrivacy Directive, better known as the “Cookie Directive”
  • applies to “storing and accessing information on a terminal device”, which could be everything
    • cookies, device identifiers, advertising identifiers, fingerprinting, even Javascript?
• Requires that the user grants their consent before storing or accessing information, making alternative legal bases, such as the legitimate interest, unavailable.
• Only exception is where the technology is strictly necessary for delivering the service requested by the user.
  • e.g. session cookies for providing shopping basket functionality

REVIEW OF THE ePRIVACY DIRECTIVE

The European Commission has announced a review of the ePrivacy Directive (“cookie law”), to “bring it in line with the GDPR”.

• Chance to deregulate cookies?
  • some new exceptions…
  • removing limitation to consent...
• Risk that cookies will be regulated more strictly?
• Risk that other limitations will be imposed on top of the GDPR?
  • consent could be made even stricter than under the GDPR


REVIEW OF THE ePRIVACY DIRECTIVE

• Taking away publishers’ freedom to decide on their own business model.
• Obligation to provide subscription-based access to website content.
• Forcing publishers to provide their service for free.
  • No right to turn a user away that does not agree to seeing advertising.
• And more!