My recent blogs regarding data breaches, cybersecurity spend and the need for a comprehensive data breach notification law have consistently pointed to the European Union’s General Data Protection Regulation (GDPR) as the “gold standard” for privacy and data protection.
Through the years I have been exposed to the GDPR as the CEO of a company that needed to be GDPR compliant with its own cloud service while at the same time being in the business of helping corporations and governments become regulatory compliant via the use of our products, which enabled them to limit access to their sensitive data. But now as part of my blogging interests I have decided to take a fresh look at the GDPR, especially in light of recently enacted and proposed legislation at the state and federal level in the US.
So over the next few blog posts I will go to the source material itself, i.e. dig into the actual GDPR regulation (don’t worry, I will create a summarized version in my blog posts for you readers!). This will then let me pivot to comparing and contrasting the GDPR with the California Consumer Privacy Act (CCPA) that is about to come into effect in my home state, as well as comparing the GDPR with recently proposed privacy legislation in the US (e.g. Reps. Eshoo and Lofgren’s Online Privacy Act).
The GDPR was enacted by the European Parliament on April 27, 2016, and has been in effect since May 25, 2018. The actual regulation itself is 88 pages, comprising 99 articles spread out across 11 chapters. The preamble to the articles is 31 pages and has 173 recitals (i.e. paragraphs), so there is a lot of “set up” before you get to the actual regulation itself.
In this particular blog post I am going to go through the preamble and summarize what it says regarding the GDPR’s key data processing principles and individual data privacy rights, which will be key to comparing US state and federal legislation to the EU’s law. [Note: References to “(#)” below refer to the preamble recital number.]
But before we jump into the data processing principles and individual privacy rights, there are a few key GDPR background items we should first discuss:
IMPORTANT GDPR BACKGROUND STUFF
Privacy is a Human Right in the EU
The GDPR immediately makes it clear that “the protection of natural persons in relation to the processing of personal data is a fundamental right” (1) and that “everyone has the right to the protection of personal data concerning him or her” (1). This builds on the “right to privacy” that was articulated in the 1950 European Convention on Human Rights, which states that “Everyone has the right to respect for his private and family life, his home and his correspondence.”
But the GDPR also states that “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality” (4), i.e. it needs to be balanced against national security, law enforcement, etc.
We Need Data Protection More than Ever
As I talked about previously, “software is eating the world” and the fuel that feeds our increasingly software-driven world of the Internet, mobile apps, etc. is … data. More and more data is being collected, increasingly about us as we create more digital exhaust. As the GDPR notes, “rapid technological developments and globalization have brought new challenges for the protection of personal data” and the use of personal data is now on “an unprecedented scale” (6). These “developments require a strong and more coherent data protection framework in the Union” and must be “backed by strong enforcement” (7). Key to making our digital world work is the concept of “trust” that “will allow the digital economy to develop” (7).
But even with the EU’s prior data protection law passed in 1995, there was “fragmentation in the implementation of data protection” (9) across Europe (and frankly there currently is in the US, as I noted here). Hence the need for the GDPR, but with built-in flexibility for each member state of the EU for “national provisions and horizontal law”, including the creation of “special categories” for processing sensitive data (10).
Carve Outs and Caveats
GDPR does give a break to organizations with “fewer than 250 employees with regard to record-keeping” (13). Protection of personal data only applies to “natural persons” vs. “legal persons” or entities (for a discussion of the differences, see this) (14). Protection of natural persons’ personal data should be “technologically neutral” and applies to both automated and manual processing (15), so no squirming out of GDPR based on your tech stack. As mentioned above, there is a carve-out for national security and law enforcement issues (16 and 18) and public authorities (31). GDPR does not apply to natural persons’ own collection of data (18), e.g. data an individual keeps for themselves. And GDPR does not apply to dead people’s data (27). But children merit specific and extra protection (38).
GDPR is Worldwide
The “controller” (the entity that determines “the purposes and means of processing of personal data” (Art 4)) and the “processor” (the entity that collects, organizes, stores, etc. the data (Art 4)) must adhere to GDPR “regardless of whether the processing itself takes place within the Union” (22). So US corporations that do business with EU citizens (including marketing to them) are on the hook irrespective of where their backend servers reside. Hence practically every large corporation in the world needs to be GDPR compliant, which is why it is the “gold standard” I referenced above.
And What Exactly is “Personal Data”?
Personal data is “any information” that can identify a natural person (e.g. IP addresses, cookies and RFID tags), even if the data has “undergone pseudonymisation” (26). This is broader than many US regulations’ focus on personally identifiable information (PII), a contrast I will probably explore in a later blog post. And consent should be given by a “clear affirmative act” (32) — that means no silence, “pre-ticked boxes” or even “inactivity” equaling consent. Certain data such as health information and racial or ethnic origin data is more sensitive (and requires “specific protection”) as “the context of their processing could create significant risks to the fundamental rights and freedoms” (51).
So with that as background, let’s discuss the GDPR’s core data processing (and protection) principles, which is what organizations need to follow when it comes to collecting, processing and storing personal data. There are six of them, but I added a bonus principle.
GDPR’s CORE DATA PROCESSING PRINCIPLES
#1 Lawfulness, Fairness and Transparency.
This should be an easy one to comprehend … it means an organization is not breaking the law when it collects personal data and is not hiding what it is doing with that data. By “lawful” it more specifically means any of the following criteria for processing personal data:
(a) consent given (40) and the controller has clear proof it was given (42),
(b) done in the context of a contract (44),
(c) done to fulfill a legal obligation (45),
(d) done to fulfill a vital interest (46) such as saving a life or for humanitarian reasons,
(e) done in the public interest (47) such as what a public authority must perform, and
(f) done for a legitimate purpose (47) such as ensuring network and information security (49), but with the caveat “provided that the interests or the fundamental rights and freedoms of the data subject are not overriding.”
#2 Purpose Limitation
An organization needs to clearly state the purpose and stick to that purpose, i.e. “the processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected” (50). Which means that if you collect email addresses for the purpose of providing product updates, you can’t turn around and use them for another purpose such as creating user accounts.
#3 Data Minimization
GDPR says to collect only what you need, i.e. “the data controller should not be obliged to acquire additional information in order to identify the data subject” (57).
#4 Accuracy of Data
GDPR wants you to rectify any inaccurate data and/or erase it. Furthermore, natural persons can “obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object” (59).
#5 Data Storage Limitations
Organizations should not keep personal data longer than they need it, i.e. “in order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review” (39).
#6 Integrity and Confidentiality
This principle gets security software vendors excited and helps them sell more stuff! “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing” (39).
Underlying all these principles is Accountability … which is an inherent principle, as evidenced by the fines for not following the principles above. GDPR makes it clear that, given the current explosion of personal data, “strong enforcement” is required because of “the importance of creating the trust that will allow the digital economy to develop” (7). I will talk more about accountability and governance in a subsequent post.
So now that we have the GDPR’s data processing principles nailed down, what rights does it give individuals, aka “data subjects”, in the EU?
GDPR’s INDIVIDUAL RIGHTS
The GDPR gives individuals 8 rights as detailed below.
#1 Right to be Informed
As part of the “fair” and “transparency” aspect of GDPR’s data processing principles, individuals must be “informed of the existence of the processing operation and its purposes”, taking “into account the specific circumstances and context in which the personal data are processed” (60). This must be “easy to understand” and use “clear and plain language” (58). Organizations that collect personal data not only have to describe the purpose, but must also share retention periods and whom they will share the data with. The UK’s Information Commissioner’s Office (ICO) has some great content on what privacy information an organization should provide to individuals, and highlighted below is a list of what should be provided to individuals when their data is processed.
#2 Right of Access
Individuals have the right to access the personal data that organizations have collected on them. They can “exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing” (63). The controller of that data has one month to respond to the access request. This right of access must be free of charge. Example scenarios can be found here.
#3 Right to Rectification
Individuals can not only request access to their personal data, but also request that inaccurate data be corrected and incomplete information be updated (65). An example of this can be found here.
#4 Right to Erasure (aka Right to be Forgotten)
Individuals also “have the right to have his or her personal data erased and no longer processed” (65), and furthermore, this right “should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data” (66). An example of this can be found here.
#5 Right to Restrict Processing
Individuals can also request that data processing be stopped for their personal data or restricted in some way (73). An example of this can be found here.
#6 Right to Data Portability
Also known as the right to move data, this allows individuals to either receive their data or have the controller send the data to another organization. The data should be in a “structured, commonly used, machine-readable and interoperable format” (68). An example of this can be found here.
#7 Right to Object to Processing
Individuals can object to processing, e.g. “where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing” (70). An example of this can be found here.
#8 Right to Reject Automated Decision Making and Profiling
Individuals have the right not to be subject to decisions that are based on automated processing (i.e. without any human intervention) of personal data, e.g. a loan application. The same applies to profiling, defined as “when your personal aspects are being evaluated in order to make predictions about you, even if no decision is taken. For example, if a company or organisation assesses your characteristics (such as your age, sex, height) or classifies you in a category, this means you are being profiled.” Organizations need to clearly inform individuals if their personal data is subject to automated decision making and/or profiling. Organizations must then give individuals the right to have the decision reviewed by a human, and in turn let individuals contest that automated decision (71).
So that concludes this blog post; I will dig further into the GDPR in subsequent posts, namely on the topic of accountability and governance.