PERSPECTIVES ON THE UPCOMING EU PROVISIONS ON DATA PROTECTION
In view of the entry into force, on May 25th 2018, of the new EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as “GDPR”), more and more companies are adopting measures in order to comply with its legal provisions. Harmonizing their activities with the requirements applicable to the processing of personal data is a complex process, involving not only time, money and human resources, but also uncertainties about how to interpret or effectively apply some of GDPR’s relevant legal provisions.
Such difficulties can emerge when performing the company’s data audit in order to identify the main actions to be adopted for the observance of the new EU data processing rules, as well as when the data processing measures are effectively implemented. Have all the departments involved in the processing of personal data been identified? Did the company make a list of all the possible situations in which natural persons must be required to express their consent, so that their personal data is processed lawfully? Is there a need for a data protection officer (DPO)? Must the data protection authority be notified in case of a specific processing? Such questions and many others are being analyzed these days by the legal entities falling under the GDPR’s scope.
Consequently, there is a certain fear when discussing GDPR implementation at company level, which can also be justified by the prospect of incurring severe sanctions in case of breaches of the relevant legal provisions (including fines of up to 4% of the annual turnover). And…the plot thickens when CEOs and CFOs imagine going through an unexpected visit of The National Supervising Authority for Personal Data Processing.
The public debates on the subject also reveal that, in many cases, GDPR is perceived as a measure imposed by the EU, which is not necessarily important, but nevertheless needs to be complied with, given the serious legal consequences that it entails. Just think a little bit and you will surely remember talking with representatives of undertakings who consider that their activity does not involve processing of personal data (but actually it does!) and that, therefore, implementing the new GDPR provisions would be a waste of their financial resources. However, in the end, such undertakings will probably decide to perform a data audit and harmonize their business with the data protection requirements, given the prospect of incurring huge fines. Or, even worse, of paying damages in case of breaches of the individuals’ rights in relation to data processing, which can also lead to a severe deterioration of the company’s image in the eyes of its clients.
But should the assessment of the GDPR be made with fear? Or, on the contrary, with indifference?
Let’s think a little bit outside the box.
68 likes on Facebook. That is what it takes on average, according to a 2012 study performed by a team of researchers from Cambridge, to detect the skin colour of a Facebook user (with a 95% probability), the sexual orientation (88%), the affiliation to the Democratic or Republican party (85%), the intelligence, religious orientation, predilection for alcohol, cigarettes or drugs or even whether the parents are divorced. The more likes a Facebook post has, the higher the probability that a specific assumption is true. This is a mere example of the power of personal data in the Big Data era. Processing personal data with modern tools (i.e. collecting, aggregating, storing and using them in the attempt to predict and influence the behavior of the members of a society, driven by a variety of objectives) has huge consequences not only at an individual level, but also at a social level. The ongoing Facebook/Cambridge Analytica scandal is only one of the outcomes related to data processing activities. Affecting the private life of individuals, manipulating people, increasing social inequalities and destroying democratic mechanisms are only a few of the possibilities revealed by the Rubik's cube of private data processing.
Therefore, processing of personal data is nowadays more intense than ever. Powerful undertakings are collecting data in various circumstances and using them in order to predict and influence people’s behavior. Examples include Target – a leading US store chain – which used its clients’ personal data regarding credit card purchases in order to detect pregnant women’s consumer behavior during the stages of pregnancy and subsequently advertised a selection of products to these women (including food, creams and even baby products), based on the detected behavior; Facebook (again!), which uses predictive analysis in order to personalize each user’s wall, as well as to evaluate clicks and profiles, for the purpose of efficiently placing online advertising of various undertakings, which consistently contribute to its income; Uber, which is able to predict, with a 74% accuracy, the specific address of destination where the client intends to travel, based on the place where the car has left that client; Amazon, which is able to recommend specific products to its consumers, based on their previous purchases, and thus contributes a 35% increase to its revenues.
In addition, a huge part of online advertising is based on the activity of personal data brokers, which collect data from numerous sources, either online or offline, aggregate them and interpret them in order to create categories of consumers, depending on various criteria (profiling). Data brokers subsequently sell personal data to their clients, who place targeted advertising and thus have higher chances of increasing their sales.
In other words, modern technology – card payments, GPS localization, mobile communications, internet, mobile applications and social networks – contributes to the multiplication of prediction tools used by companies. It is common knowledge that processing of personal data represents a very useful instrument for companies (and for consumers, on many occasions, because they benefit from an enhanced shopping experience), but sometimes these activities can lead to negative consequences.
However, personal data processing is not something new. In fact, it appeared – in a primary form – from the moment when people started drawing or telling each other their adventures or those of the group to which they belonged. For instance, the guest lists of the ancient world’s leaders, used for organizing meetings or banquets, represent a version of today’s direct marketing methods. The use of writing, the necessities of trade (such as information related to the sellers, buyers, prices and products, processed by traders and bankers from Tuscany with the help of inventory lists and afterwards, of Pacioli’s new accounting methods) and the governments’ requirements (taxes, genealogy etc.) have all led to the increase of processing of personal data. Letters, denunciations, legal deeds, land registers and private detectives’ notebooks are just a few examples of cases involving the processing of personal data.
Moreover, a legal framework for the processing of personal data has already existed for a few decades. Art. 8 (1) of the Charter of Fundamental Rights of the European Union and art. 16 (1) of the EU Treaty guarantee the right to the protection of personal data, which was developed in the case-law of the Court of Justice of the European Union (CJEU). The European Convention on Human Rights also protects personal data in the context of the right to private life, which was extensively interpreted by the European Court of Human Rights (ECHR). In addition, the processing of private data is still regulated by Directive 95/46/CE until the GDPR becomes applicable.
Under these circumstances, the entry into force of the GDPR is a natural consequence of the necessity to increase the protection of individuals in relation to the processing of their personal data in the new context of the Big Data era. GDPR is meant to limit the negative aspects and the abuses already committed in the context of processing personal data. Moreover, to the extent that GDPR provisions are correctly applied, they allow the actual processing of personal data, as well as their free movement, in a safer legal framework, by transforming such activities into intelligent tools for the benefit of companies. In other words, undertakings should not refrain from processing personal data, driven by the fear of breaching the data processing requirements imposed by the GDPR.
So, do not fear the GDPR! It can actually become a magical tool in support of both the natural persons’ right to a lawful data processing and the companies’ need to perform such processing. You just need to learn how to play with the RUBIK cube and you could start…by reading the instructions of use: the GDPR provisions.
Andreea Micu, Partner, Stoica&Associates
Dragoș Bogdan, Senior Partner, Stoica&Associates