1. State of EU legislation
GDPR & ePrivacy
January 29th 2018– Budapest
Aurélie Pols for Superweek
Views from the Privacy Engineering trenches,
free of disclaimers aka just my views and not any of my clients
European at heart

2. Data Governance & Privacy Engineer
Data is the New Electricity – Privacy is the New Green – Trust is the New
Currency
Dutch nationality, French mother tongue, works in English, lives in Spain
AURELIE POLS,
DATA GOVERNANCE
& PRIVACY ENGINEER
• Chief Visionary Officer – Mind Your Privacy
• Ethics Advisory Group (EAG) – European Data Protection Supervisor (EDPS)
• Professor of Ethics & Privacy, Big Data & Analytics Master – Instituto de Empresa (IE), Madrid; guest
professor DPO certification courses Maastricht University, faculty of law (NL) & Solvay Business
School Brussels.
• Vice-chair P7002 – Data Privacy Process – IEEE
• Speaker/writer/consiglieri: SWSX, Strata (+ Hadoop World), IAPP, Piwik, AT Internet, industry
associations, AdTech & MarTech vendors, …
2003: OX2 Co-
founder
Webanalytics.be
2008: Sold to
Digitas LBi
(Publicis)
2

3. Objective: hopefully be able to answer
• When does the GDPR come into force? When does ePrivacy come into force?
• What happens on the 29th of March 2019 at 11pm?
• Is the GDPR, as a Regulation, going to be transposed into national legislation?
• Are cookies personal data?
• Are unique IDs personal data?
• If I delink CMR data, is that enough?
• How much time does a company have to report a data breach?
• How much time does a company have to answer a subject access request?
• Does the right to erasure always apply?
• Does the right to restriction of processing always apply?
• Does the right not to be subject to automated processing always apply?
• Consent is one way to assure lawfulness of processing. How many methods are there in the
GDPR?

4. 2016 2017
1. Define yourself
2. Define data flows
3. Align liabilities
4. Purpose & consent
5. Risk based approach
i. Data
Security &
breach
notification
ii. Codes of
Conduct &
Certifications
iii. Data
Pseudony-
mization
iv. Data subject
consent &
purpose of
processing
v. Profiling
& the Right
to Object
vi. Cross
border data
transfers
vii. Erasure /
Rectification
Rights
viii. Data
Portability
ix. Duties &
responsibilities
x.
Procedures
& Fines
Privacy
engineering
1. Incentives beyond
accountability?
2. Data ownership? never!
3. Blurring lines of personal
data ( ≠ PII !!! despite NIST)
4. Standards

6. The EU vs. the US
The EU has created a privacy culture around “rights talk” that protects
its “data subjects”. In the EU moreover, rights talk forms a critical part
of the postwar European project of creating the identity of the
European citizen.
In the United States in contrast, the focus is on a “marketplace
discourse” about personal information and the safeguarding of “privacy
consumers”. In the United States, data privacy law focuses on
protecting consumers in a data marketplace.
Transatlantic Data Privacy Law, Paul M. Schwartz & Karl-Nikolaus Peifer
6

7. The inevitable
question!
(≠ PII!)
Personal data
in the GDPR
(article 4.1)
‘personal data’:
any information relating to an identified or identifiable
natural person (‘Data Subject’);
an identifiable natural person is one who can be
identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier
or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or
social identity of that natural person;
7

8. When the law kicks in
8
Depends on variables and combinations
Hashing & encryption (by default) enough??? NO
Some privacy law
Possible privacy
law?
Privacy law
Consent required!
Anonymous data
Pseudonymous
data
Personal data &
PII
Sensitive data:
health, financial,
racial, political,
biometric, genetic

10. 2018
http://europa.eu/!PX68WN

12. We are Data
Subjects as
• Parents, Caretakers,
• Consumers, Customers,
• Citizens,
• Business Partners, Employees,
• Men and women,
• Young and old,
• ….

13. Autonomy, beyond Dignity
13
Charter of Fundamental Rights of the European Union
Article 1: “Human dignity is inviolable. It must be respected and protected”.
Charter articles Charter text
GDPR Art. 8: Protection
of personal data
1. Everyone has the right to the protection of
personal data concerning him or her.
2. Such data must be processed fairly for
specified purposes and on the basis of the
consent of the person concerned or some
other legitimate basis laid down by law.
Everyone has the right of access to data which
has been collected concerning him or her, and
the right to have it rectified.
3. Compliance with these rules shall be
subject to control by an independent
authority.
ePrivacy Art. 7: Respect
for private and
family life
Everyone has the right to respect for his or her
private and family life, home and
communications.

15. 2 different legislations, 1 of which is decided
15
Today: Directives As of May 2018: Regulations
Data Protection Directive 95/46/EC GDPR: Regulation (EU) 2016/679
“ePrivacy” and Electronic
Communications
(the cookie wall thing)
Directive 2002/58/EC Intermediary version, not
definitive, possibly some form of
this
(Waiting for Trialogue)
ePrivacy is lex specialis to GDPR, dealing with confidentiality of communication &
access to “stuff on your appliances” like cookies, IDs, etc.

16. GDPR (+ ePrivacy!)
• Alignment between trackers & privacy policy
• Recital 30 of the GDPR: “Natural persons may be associated with
online identifiers provided by their devices, applications, tools and
protocols, such as internet protocol addresses, cookie identifiers or
other identifiers such as radio frequency identification tags. This may
leave traces which, in particular when combined with unique
identifiers and other information received by the servers, may be
used to create profiles of the natural persons and identify them.”
• DNT? => ePrivacy Regulation
16

17. Test: Does the GDPR apply?
It used to be, DPD art. 4:
Does the entity use any means of processing (automated or otherwise)
located in any Member State?
It is under the GDPR (as of May 2018), art. 3:
Does the entity either
(i) Offer goods and services to EU residents; or
(ii) Monitor EU residents’ behavior?
17

19. I am a Data Subject
(Bits of Me)
The GDPR is
1. a base line for compliance,
2. re-introducing
the Data Subject into the data
ecosystem’s equation (not new!)
3. where each actor is
accountable
19

20. Obligations under the GDPR data ecosystem
20
Source: https://www.rizikon.oi/gdpr-compliance
Appointing a DPO –
Data Protection
Officer – or not?
Described in section
4 of the GDPR, art.
37: Designation of a
data protection
officer.
Following articles
talk of position and
tasks.
The choice remains
to appoint one even
if not directly
required: moving
beyond
compliance!

21. Once you know who you are
Controller: art. 25; Processor: art. 28; Joint-Controller: art. 26
Art. 5: Principles relating to processing of Personal Data
“The controller shall be responsible for, and be able to demonstrate compliance
with, paragraph 1 (‘accountability’).”
Art. 6: Lawfulness of processing
(a) to (f) options, typically consent or legitimate interests used
21

22. Getting back to the beginning
Principles relating to processing of personal data (art. 5)
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• + accountability!
22
Transparency
Choice
Information
review &
correction
Information
protection
Accountability
FIPPs: Fair information Practice Principles

23. An accountability chain
23

24. And then lawfulness of processing (art. 6)
Can be either:
a) Consent
b) Performance of a contract
c) Necessary for compliance
d) In order to protect the vital interests
e) Necessary for the performance of a task carried out in the public
interest
f) Legitimate interests
24

25. A word of extreme caution
About the fallacy of legitimate interests
i.e. we don’t want consent only in ePrivacy! (certain associations)

26. Transparency
Trackers & permissions
on Android SDKs
Know who:
- Accesses them
- Sets them up
- Ensures maintenance,
within your company?
If any…
26Source: https://framapiaf.org/system/media_attachments/files/000/415/923/original/9124597811744249.png

27. To make all that lawful (art.6)
in the digital realm
2 things need to be specified:
1.Purpose: the reason for all this
2.Consent: the ok by the ‘data subject’
Note: data controllers are responsible for defining
this (unless data is being passed along to another
legal entity)
27

28. Same idea at Apple (this is iOS 10)
28

29. Sloppy privacy work: this is not consent!

30. Data Subjects Rights
• Article 15: Right of access by the data subject
• Article 16: Right to rectification
• Article 17: Right to erasure (“right to be forgotten”)
• Article 18: Right to restriction of processing
• Article 20: Right to data portability
• Article 21: Right to object
• Article 22: automated individual decision-making, including profiling
30
Article 19: Notification
obligation regarding
rectification or erasure
of personal data or
restriction of processing

31. Articles 16 & 17: Rectification & deletion
31
General Data Protection
Regulation
(GPDR) - May 25 2018
Which variables or combination exactly?
Hashing & encryption (by default): not enough!
Processor Controller

32. 32

33. Depend upon
• Recognition of compliance obligation
• Linkability of data, even pseudonymized, and possibility to decouple
• Available options: typically deletion probable (Adobe)
Article 18: Restriction of processing. When?
• Data accuracy
• Unlawful processing, typically 6.1(f) legitimate interests
• Internal process flow!
33

34. SSO Delinking: avoid leaking! (breach?)
• Adobe: delinking inside
contracts, not a
feature!
• See in Gigya etc. it’s
about leaking
34
Source: https://www.arte.tv/sites/en/corporate/arte-and-your-online-privacy/

35. Article 15: Data Subject Access Requests
35
Source: DataGuidance GDPR Essentials: Data Subject Rights

36. Take note of
• Article 12.4 to develop communication around your stance:
“if the controller does not take action on the request of the data subject, the
controller shall inform the data subject without delay and at the latest within
one month of receipt of the request of the reasons for not taking action and on
the possibility of lodging a complaint with the supervisory authority and
seeking judicial remedy”.
• Recital 63
• Article 15.4, which shows it’s about
1. The right to obtain certain information on the activities a company performs
2. The right to obtain a copy of the data undergoing processing
36

37. Practical steps for SARs:
37
Source: DataGuidance GDPR Essentials: Data Subject Rights

38. Article 16: Right to Rectification
38
See also
recital 65
which
provides
examples
and links
rectification
to erasure
Source: DataGuidance GDPR Essentials: Data Subject Rights

39. Article 17: Right to erasure (to be forgotten)
39
Source: DataGuidance GDPR Essentials: Data Subject Rights

40. Note that
• Erasure applies to all systems: includes back-ups, copies leans &
extends to 3rd parties!
• Applicable when individuals have removed their consent for
processing activities based on consent (no other legal ground) or have
objected to processing based on legitimate interests or they have
objected to direct marketing activities
• Refusal for deletion doesn’t mean access should not be granted!
• Automated deletion? Unlikely!
40

41. Erasure is a similar process to SARs
41
Source: DataGuidance GDPR Essentials: Data Subject Rights

42. Art. 18: Restriction of processing
42
Source: DataGuidance GDPR Essentials: Data Subject Rights

43. Article 20: Data Portability
43
Source: DataGuidance GDPR Essentials: Data Subject Rights

44. The coming of age of Transparency Wars?
44

45. Profiling
45
Source: DataGuidance GDPR Essentials: Data Subject Rights

46. Assuring compliance with profiling activities
46
Source: DataGuidance GDPR Essentials: Data Subject Rights

47. Minimize risks: do Data Protection Impact
Assessments
• Art. 35: Data protection impact assessments, §1:
“Where a type of processing in particular using new technologies, and taking
into account the nature, scope, context and purposes of the processing, is likely
to result in a high risk to the rights and freedoms of natural persons, the
controller shall, prior to the processing, carry out an assessment of the impact
of the envisaged processing operations on the protection of personal data."
47
Tip from a digital analytics guru turned privacy geek: you bet that applies to us!
(EACA seminar, December 2017 aka digital transformation)

48. When to undergo a DPIA – eg. digital analytics
Why?
Criteria #6 to undergo a DPIA:
“Matching or combining datasets, for example originating from two or
more data processing operations performed for different purposes
and/or by different data controllers in a way that would exceed the
reasonable expectations of the data subject”
48

51. What happens on the 29th of
March 2019 at 11pm?

52. Can you answer
• When does the GDPR come into force? When does ePrivacy come into force?
• What happens on the 29th of March 2019 at 11pm?
• Is the GDPR, as a Regulation, going to be transposed into national legislation?
• Are cookies personal data?
• Are unique IDs personal data?
• If I delink CMR data, is that enough?
• How much time does a company have to report a data breach?
• How much time does a company have to answer a subject access request?
• Does the right to erasure always apply?
• Does the right to restriction of processing always apply?
• Does the right not to be subject to automated processing always apply?
• Consent is one way to assure lawfulness of processing. How many methods are there in the
GDPR?

53. Thank you for
your attention
aurelie@mindyourprivacy.com
53