Towards the new privacy standard: the General Data Protection Regulation and its consequences. On 15 December 2015, the European Union institutions reached a political agreement on the proposed General Data Protection Regulation, which had been a controversial proposition, especially for the digital advertising industry. In her talk Małgorzata explains the key provisions of the GDPR and their expected impact on the online advertising industry.
NEW DEFINITION OF PERSONAL DATA
Cookies, IP Addresses, Unique IDs, others
From 2018 the online market will process online identifiers as
personal data.
Hi everyone! My name .. and it is a true pleasure to be here today to give you a sneak peek of what will change in European data protection law and thus what our future as online businesses and, at the same time, as internet users will look like. Shortly after I had been asked to give this speech, I prepared a very detailed presentation, and then I got an email from Aleksandar Petkovic in which he wrote that today’s presentation should be motivational and creative and last no longer than 25 minutes, and I thought: gosh, does he know I am a lawyer and I am supposed to explain new law? And m
Let me introduce you to Ms. Anyone. She lives in Belgrade, is between 35 and 40, she is a working mother, a heavy user of Facebook and a sports car fan. We know all of that and far more, because we monitor her activity while she surfs the net using all kinds of online identifiers. Take, for instance, the star of the decade: cookies. We build her profile and serve her ads, most often kids’ food, toys and, obviously, cars. But some women’s accessories as well.
ADD HERE: At the end of the day we have got used to thinking of her as anonymous. Most probably some of you, some online market players, are her personal data controllers. If you provide her with an online mailbox, for example, you have at least her e-mail address. But still, most of us simply use data which do not fall under the definition of personal data as it stands today.
THIS ALSO HERE. WE CAN ADD TO THE SLIDE: „Directive 95/46/EC”. Today’s set of privacy rules is embodied in a Directive which was adopted in 1995. Just to give you some context: 1995 was the year when Braveheart was released, the DVD was announced as an optical disc storage format, and eBay started its online auction and shopping website. In other words we
Since those times our reality has changed. Cloud computing, online shopping, big data. 20 years ago a family had one personal computer. Today: is anyone in the audience without a smartphone? And who is not using it right now? Those with an iPhone: are you aware that your personal details are stored in the US right now, under US regulations?
Because when I asked my friends: would you like to be tracked all day long? Do you want your insurance company to process your unique device identification number, to magically use statistical data and assess the risk connected with the insurance for some group of clients, to ultimately raise their fee? The answer is always no.
First of all, Ms. Anyone becomes Ms. Someone. Because the answer to the question of what personal information is has changed. After a long debate in Europe about what is personal and what is not, the definition of personal data has been expanded. This is important, because if something is not personal data, it falls outside the scope of the new law and you could simply skip this presentation.
And here comes Ms. Someone… And here comes, ladies and gentlemen, the General Data Protection Regulation, which replaces the Directive from 1995 and which is the biggest shake-up in privacy protection in decades. It is also a weapon for the ordinary user to restore control over their data and, at least for now, a threat to the online market. And it will come into effect from 25 May 2018.
OK, but to the point: what are the main changes?
TITLE: „DEFINITION OF PERSONAL DATA”
The GDPR expressly states that personal data includes online identifiers such as cookies, IP addresses, unique device identification numbers, and others. You do not need to know the name or the exact e-mail address; knowing one of those means you do know personal information, because Ms. Anyone is indirectly identified.
Additionally, you have to deal with personal information not only if you might identify the data subject, meaning the natural person, but also if one of your business partners might. So basically, even if you are not able to use a set of data to identify Ms. Anyone, but, let’s say, the publisher you cooperate with can use the same set of data to replace Ms. Anyone with Ms. Someone, you both process personal data.
ALSO HERE:
Interestingly, the GDPR does not include a concept of pseudonymous data. If you try to turn data which fall under the definition of personal data into pseudonymous data, for example by hashing them, they are still regulated as personal information. Thus you still need to treat them as personal; you just protect them better. Making data truly anonymous, just to fall outside the scope of the regulation, seems almost impossible, because techniques like hashing, encryption or tokenization are treated only as pseudonymisation techniques. So we have come full circle: we still process personal data and thus we need to comply with the GDPR, although the rules are slightly more relaxed. That should encourage us to pseudonymise data after all.
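The point above, that hashing a cookie ID or an IP address only pseudonymises it, can be shown in code. The following is an added example and not material from the talk; the log records, the IP range and the key are constructed. It shows that an unkeyed SHA-256 of an identifier still lets the same visitor's records be linked into a profile (she can still be singled out), and that for a low-entropy identifier such as an IPv4 address the digest can be reversed by hashing every address in the range, whereas an HMAC with a secret key held apart from the data resists that reversal while still linking the records.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample log: the same visitor (Ms. Anyone) appears in three
# records via her IP address and cookie ID; the fourth record is someone else.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.17", "cookie": "c-7f3a", "page": "/cars"},
    {"ip": "203.0.113.17", "cookie": "c-7f3a", "page": "/toys"},
    {"ip": "203.0.113.17", "cookie": "c-7f3a", "page": "/kids-food"},
    {"ip": "203.0.113.42", "cookie": "c-91bb", "page": "/cars"},
]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: what 'we just hashed it' usually means in practice."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key stored separately from the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymise(events, key: Optional[bytes] = None):
    """Replace the online identifiers in each record with a (keyed) hash."""
    h = (lambda v: keyed_hash(v, key)) if key else plain_hash
    return [{"ip": h(e["ip"]), "cookie": h(e["cookie"]), "page": e["page"]}
            for e in events]


def profiles(events):
    """Group pages by cookie: the records stay linkable, so the visitor is
    still singled out and the data remain personal data under the GDPR."""
    out = {}
    for e in events:
        out.setdefault(e["cookie"], []).append(e["page"])
    return out


def invert_ip_hash(digest: str, network: str) -> Optional[str]:
    """Unkeyed hashes of low-entropy identifiers fall to a dictionary built
    over the whole identifier space (here: one constructed /24)."""
    for addr in ipaddress.ip_network(network):
        if plain_hash(str(addr)) == digest:
            return str(addr)
    return None
```

With the constructed log, both variants yield two profiles (one of three pages), but only the unkeyed digest of Ms. Anyone's address is recovered from the /24.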
The basic requirement, also today, is a legitimate ground for processing any kind of personal data. What we all use most often, even today, is consent: Ms. Anyone’s consent to make her Ms. Someone. However, there are other grounds too, like a valid legitimate interest of the controller, so in order to process personal information you do not have to have consent; it is just one of the grounds. Today we simply do not have time for an in-depth analysis of whether it might be used by your specific company or not. With consent as the legitimate ground come a lot of practical problems. We all know what obtaining cookie consent looks like. Anyway, if consent is the ground you want to use, you need to know that the consent itself should be an unambiguous consent. The word unambiguous is new and probably seemed like a small change. It is not that small. Today, as with cookie consent, it is implied: you see the banner on the website, you click OK, or simply do nothing, and publishers may imply that if you do nothing and use the website (and by nothing I mean you did not change your browser settings) you agree to have cookies placed on your device. With the word unambiguous, this kind of implied consent is not enough. It gets even harder when it comes to profiling.
TITLE
SHOW THE LADY AND, PERHAPS IN SOME CIRCLES, THE DATA MAKING UP HER PROFILE: AGE, LOCATION, INTERESTS…
Explicit consent will be required for profiling activities (such as for OBA purposes), that is, profiling which significantly affects the individual. This is bad news, unfortunately; however, if you have gone through the process of pseudonymisation and you have, let’s say, only a hash of the user’s data, which means they are not directly identifiable, it seems to no longer significantly affect Ms. Someone.
TITLE:
There are other requirements which all together aim at showing that we take care of personal information and that we are accountable: Privacy by Design! We need to implement appropriate measures of protection and data processing records, and in some cases appoint a Data Protection Officer. Lots of meetings with lawyers are ahead of you. I hope you’ll enjoy it…
TITLE: PROCESSORS
Obligations for processors: those of you who do not deal with personal data directly, who do not collect them but get them from data controllers, their business partners who tell them what to do with those data, like the whole cloud computing industry, are going to be affected by the new law. Today, in most EU countries, if Ms. Someone’s data are just stored in the cloud, the cloud provider might have some contractual obligations, but that is it. The GDPR will hold them accountable and impose direct obligations on them. Of course, subcontractors of your subcontractors, if they process data, are going to be data processors too.
What’s more: good news.
It is a regulation, passed at EU level, which means there is no need for national implementation. It automatically becomes law in all member states. The same rules for all. One ring to rule them all, or one continent, one law: lots of catchy phrases to explain the nature of the change. Today we have a directive, which required implementation, and thus there were variations between countries: a German interpretation, an English interpretation and so on. In the future, if you operate in Serbia and wish to operate in any other country, you will face the same rules. Of course all laws are interpreted, so the GDPR is going to be interpreted by your local authorities and courts too, but this presents an opportunity for the online market to actively seek clarity and the interpretation which suits us best.
What is more, it is extraterritorial. The new law applies if you have an establishment in the EU, or you offer services and goods to Ms. Someone, even for free, or if you simply monitor the behaviour of Ms. Someone. That means that all who operate in the EU need to play by the new privacy rules. And by all I mean those big guys from that valley too…
One stop shop: all companies will only have to deal with one single supervisory authority. As you can see, some essential changes are ahead of us. We all represent two sides of the same coin: we are the users, the data subjects who get lots of additional rights and gain control over their data, and the business at the same time. We love to have our personal details protected, but at the same time we want to earn money and do business. The GDPR, from my perspective, simply gives me protection. The GDPR gives the online industry solid, equal regulation without threats; I believe you should act. Use codes of conduct, teach your authorities and promote the solutions which fit you best.