The definition of personal data under the GDPR, the EU’s new privacy regulation, is beginning to “swallow everything,” according to Professor Lilian Edwards, an expert in Internet Law from the University of Strathclyde.
In a two-part interview with Indivigital (the first part can be read here) she also stated:
- EU privacy laws may “destroy” free-to-user business models;
- Attempts by organizations to reacquire consent prior to the GDPR were often “completely unnecessary” and an example of “lawyers going crazy about risks”;
- Free-to-user business models are “contributory to destroying privacy and creating profiling and discrimination”;
- That she’s “fed up” with people thinking consent is the only lawful basis under which organizations can process data; and
- That SMEs making “good faith efforts” to comply with the GDPR are unlikely to be on the radar of data protection authorities.
She also highlighted what she believes are the “two biggest issues going right now,” namely:
- Google and Facebook, to some extent, “playing games” by claiming in some circumstances that they are only a data processor rather than joint controllers; and
- Inferences from personal data, i.e., organizations inferring personal characteristics based on users’ online activities.
Is it possible to comply with the GDPR?
During the interview Professor Edwards referred to a paper, recently published by Nadezhda Purtova, titled: “The law of everything: Broad concept of personal data and future of EU data protection law”.
In the paper, Purtova states:
“…European data protection law is facing a risk of becoming ‘the law of everything’, meant to deliver the highest legal protection under all circumstances, but in practice impossible to comply with and hence ignored or discredited as conducive to abuse of rights and unreasonable”.
With reference to Purtova’s paper, Professor Edwards stated:
“Almost everyone agrees that the definition of personal data in the modern world is beginning to swallow everything. But possibly that’s right.
“There’s very little data that is collected to make money in any kind of consumer context that isn’t personal and going to identify people.
“Otherwise you can’t make money out of it. Nadezhda’s article even takes things like weather measurements and argues that they can be seen as personal data…an example she notes is meant to point out the possible absurd width of the definition.”
Asked, with specific reference to the fluid nature of data transmission, about whether there’s such a thing as compliance or non-compliance with the GDPR, she states: “I always tell people: go and actually look at it [the regulation]”.
She also likened the notion that compliance with the GDPR boils down to a list of steps to “saying someone can lose weight if they eat well and exercise; it’s often at that level of generality”.
“Compliance is a matter of having a worked-out programme to go through the important aspects of the GDPR that apply to you. But if you get one tiny thing wrong it’s not like the ICO [The UK’s Data Protection Authority] is going to come after you and charge you half a million pounds”.
Facebook, Google and data protection
Professor Edwards also addressed the behavior of tech platforms like Google and Facebook following the enactment of the GDPR.
“Facebook and Google, to some extent, are playing this game now claiming all the time that they are only a data processor,” she said.
“If you look at the new policies they brought out two days before the GDPR [came into effect]…they are mostly claiming that they are only the processor, that the client as it were is the controller and therefore it’s the client’s job to get the right consent from the public.
“Which gets them nicely out of it. And I’ve been arguing strenuously that that is not how I see it, that they are a lot more like joint controllers. But that is a big issue”.
The search giant interprets its role as that of a “controller” for services like DoubleClick and AdSense but “data processor” for services like Analytics and Tag Manager.
“We’re just providing a service, a toolkit to you, you’re the controller, you fulfil all the obligations, which includes information obligations. That’s what their new policies say, and that’s what the publishers are up in arms about. They have very cleverly wormed their way out of that one by declaring in their contracts they are just a processor,” she said.
“The fact is, that even if both sides agree to it [the designation of controller or processor], the Information Commissioner will not necessarily agree; what you say about processor-controller in the contract isn’t definitive.
“None of these definitions work well anymore because no-one actually fully determines the means and purposes of processing anymore, because they are all using sub-processors, and cloud providers, [etc.]…”.
Enforcement is “going to be minimal for everyone but big tech companies”
Arguably, one of the reasons why the GDPR has received extensive coverage in the press is the size of penalties data protection authorities can now issue against offending organizations.
Under the Data Protection Act 1998, the maximum fine the ICO can issue against an offending organization is £500,000 (the ICO still issues fines under the DPA 1998 for offences committed before May 2018).
Under the GDPR, this has increased substantially to 20 million EUR or 4 percent of global annual turnover, whichever is higher.
Despite this, Professor Edwards believes the primary target for monitoring by regulators will be larger organizations, and that data protection authorities will take a more pragmatic approach towards SMEs.
“If you’re a small company that has made a good faith effort to comply with the GDPR, which is not much more than maybe getting someone in for a day to look at your data auditing processes, your security, your contracts, [etc.,] then no-one would take you out for an enforcement action,” she said.
“If someone complains they [the regulator] would come and talk to you about it and give you an opportunity to change your ways. That’s what the ICO has always done and I don’t see any sign that that’s particularly going to change, not in relation to SMEs”.
Do platforms need to stipulate a legal basis for each processing activity?
Asked whether organizations need to state a separate legal basis for each data processing activity, Professor Edwards referred to Article 7(2) of the GDPR and stated:
“The Article 29 Working Party will argue that for you to be lawful – that’s the top data protection principle, to be lawful, fair and transparent – then you must clearly indicate the grounds of processing for every activity. And a lot of people aren’t”.
Professor Edwards is also critical of Facebook’s approach to disclosing the legal basis for processing its users’ data.
“It’s hard to tell what’s being justified based on consent, what’s being justified by legitimate interest, what’s being justified by necessary for contract. So they’re playing around with it in quite a clever way”.
According to our recent analysis, numerous MPs are relying on a little-discussed provision in section 8 of the Data Protection Act 2018 – which extends and clarifies the “public interest” lawful basis offered under the GDPR – to justify collecting data from users via their constituency websites.
This provision is referred to as the “democratic engagement” provision and the ICO, in evidence submitted to the Public Bill Committee earlier this year, described it as “very wide”.
MPs are also citing multiple lawful bases for the users’ data collected via their sites on behalf of organizations like YouTube, Facebook, Google and Twitter, without specifying which basis applies to which activity.