Personal data is the commodity of the 21st century. Some even call it “the new asset class”[1]. It is collected and traded every day, sometimes to the benefit of individuals — by virtue of targeted advertisements and free content — and every now and then to their disadvantage — when massive data centres are breached by hackers and when it is sold illegally by unsavoury data brokers. But in most cases, consumers are not able to tell what information is collected about them and how it is used in relation to the digital services they are using.
All this will change in May 2018, when the General Data Protection Regulation (GDPR) comes into force. The disruptive force of GDPR is characterised by a combination of hard requirements to reduce the information asymmetry between businesses and individuals and strong enforcement mechanisms, such as high penalties imposed by a single supervisory body. More importantly, it will impact the way businesses handle the personal data of EU residents.[2]
Rightfully, some companies fear these changes. The consumer-centric regulation will require them to properly inform consumers (in clear and plain language) about the content and purpose of their data collection, to give them the opportunity to ask questions about their purpose and to provide access to all the data they collected about them.[3] Therefore, even the most modest marketing initiatives — offering, for instance, a subscription to their newsletter — will have to be rethought to make sure that the collected data is not used in a way that is prohibited by the new regulation.
Providing a functioning infrastructure that respects the individual’s right to privacy is expensive and difficult to maintain. As recently reported in the Financial Times, “members of the Fortune 500 will spend a combined $7.8bn to avoid falling foul of GDPR”.[4] Nonetheless, from the perspective of big-business, compliance costs are not seen as a main burden of the new regulation. For them, it is really about access to (big) data, which will soon be restricted.
The primary example of “data minimisation” enshrined in the regulation addresses one of the most criticised and predatory techniques used by some service providers: to request access to data that is not relevant for the service offered. This can be illustrated by a pop-up window on some of the mobile applications that allows consumers to type chat messages, but requires them to allow the app to access emails or camera settings. With the GDPR in place, companies will be allowed to request only a defined and relevant set of data.[5]
Notably, companies will be allowed to process personal data only for that purpose to which the consumer had given an explicit opt-in, and thus have agreed to transfer the data in exchange for access to the service.
However, data processing can only take place as long as the consumer has not withdrawn consent, and the data must be erased once that consent is retracted. Companies must be able to prove at any time that a consumer freely agreed to the transfer of data. This particular requirement to maintain an audit trail will compel service providers to change their current practices of disguising important information under hard to find disclaimers and endless terms and conditions. This will surely disrupt the business models of some of largest Internet companies whose objective is often to amass as much information as possible.
Finally, to ensure optimal privacy and confidentiality, companies should be constantly evaluating advances made in cryptographic technologies. In practice, they will be held liable if they fail to implement sufficient technical and organisational measures that ensure optimal security relative to the risks.[6] The implications are far-reaching and global solutions will most likely fail to pre-empt all the possible points-of-failure that exist in the data processing business. While data breaches are difficult to obliterate, companies will have to tailor and audit their security mechanisms in order to become GDPR-compliant.
Consequently, one can easily argue that GDPR is not a burden, but an opportunity; not a regulatory excess, but a tool restoring something that is long overdue: a balance of power between companies and individuals. As a result, the primary winners will be the consumers. However, high compliance costs for businesses should be set against the opportunity that lies in the regaining of lost trust and transparency with respect to their relationships with consumers. Thus, if GDPR is to incentivise transparency and competition on the market, one should expect more winners and better services in the future.
That being said, the battle over personal data has already been a long one and will most probably not come to an end in May 2018, mainly because the General Data Protection Regulation remains too general. Although blockchain technology is promising with respect to privacy and security concerns, there are still a lot of unresolved challenges, particularly when it comes to addressing the right to be forgotten included in the regulation. Therefore, further clarifications will surely have to be made by the Court of Justice of the European Union. Alternatively, companies which develop good and ethical practices in the pursuit of gaining consumers’ trust can hope to have an edge over their competitors. What is more, they will be able to secure a competitive advantage in the race for access to data, which will become increasingly expensive and difficult to manage.
By Krzysztof Adam Gorski
Legal Analyst at Procivis AG
