Be Careful For What You Wish For!
The Great Data Protection Law Reform Saga of 2012-6
Lilian Edwards
Professor of E-Governance
University of Strathclyde
Lilian.edwards@strath.ac.uk
@lilianedwards
A. Europe: from the DPD to the GDPR
• Directive 95/46/EC of EU on the protection of individuals with regard
to the processing of personal data and on the free movement of such
data. Human rights based. Much case law now draws on Charter of
Rights and ECtHR as well as European Court of Justice.
• 1998 - intended to address computerisation/databases but NOT the
Internet
• DPD extended to deal with technology challenges eg spam, cookies, by
Privacy and Electronic Communications Directive 2002/58/EC revised
Oct 2009, in force May 2011 (the “cookie” or E-Privacy Directive)
• Proposed reform as Regulation (GDPR), plus Directive on policing, plus
more – draft out, Jan 25 2012;
• Final compromise, Jan 2016; text April 2016
• 2 yrs implementation then DIRECT EFFECT.
Technological challenges to privacy/DP law
• 1995
• Volume of personal data processed, and number of data controllers,
enormous
• Data flows globally but lack of global harmonisation on DP laws
• Lack of public consumer awareness about privacy regulation
• Lack of compliant major actors in web 1.0 (SMEs, spammers, scams
etc)
• -> huge enforcement problems
• 2000 on
• “Consent” as perceived primary protection no longer works well in
web 2.0 click-wrap world (standard terms, privacy policies )
• Post 9/11 politics & low tech costs favour default surveillance and
data retention and mining – if you can do it, why not do it? ->
• Snowden revelations, June 2013 of mass extra legal surveillance by
public/private entities – safe harbor, Data Retention Dir struck down
• New innovative tech nearly always involves networking and data
collection eg robots; music online services; social media; e-voting
• The Cloud – signifies loss of control and visibility as to how/where
data processed
=> Public loss of confidence in privacy law
Attitudes to privacy protection - EU
• June 2011 Eurobarometer
• Just over a quarter of social network users (26%) and even
fewer online shoppers (18%) feel in complete control [of
their PD]
• Less than one-third trust phone companies, mobile phone
companies and Internet service providers (32%); and just
over one-fifth trust Internet companies such as search
engines, social networking sites and e-mail services (22%)
• 70% of Europeans are concerned that their personal data
held by companies may be used for a purpose other than
that for which it was collected.
• Only one-third of Europeans are aware of the existence of a
national public authority responsible for protecting their
rights regarding their personal data (33%).
Reform of the DPD? Nov 2010 consultation
• Main aims :
– Strengthen Data Subject’s (DS) rights/ trust – eg enhancing
control over PD eg “right to be forgotten”
– Reduce red tape for Data Controllers (DC) -> dump notification;
“one stop shop” national DP regulator
– BUT Make DCs more accountable, eg, must have a CPO;
– Give DP more teeth; higher penalties, security breach
notification
– Address global flows of data better, eg, to US cloud
providers
– Improve harmonisation within EU (binding interpretation
across EU DPAs via EU DP Board; Regulation not Directive)
DPD art 2(a): Personal data is “information relating to an
identified or identifiable natural person ('data subject'); an
identifiable person is one who can be identified, directly or
indirectly,
• ...in particular by reference to an identification number or to
one or more factors specific to his physical, physiological,
mental, economic, cultural or social identity” + see recital 26
[italics added]
Q. What of IP addresses; cookies, profiled data as collected by
FB, Google, police, insurers? Are they PD?
• Increasing problem in era of Big Data – reidentification
possibility increases – “mosaic” effect and persistent
identifiers like photo icons – tech driven by marketing and
surveillance needs
• When is “anonymization” sufficient to make sure NOT PD?
1. Personal data – scope of GDPR
Personal data definition problems
• GDPR Art 4 (1) – almost identical to DPD – adds “by
reference to .. location data, an online identifier..”
• But GDPR recital 26: “to determine whether a person is
identifiable, account should be taken of all the means
reasonably likely to be used, such as singling out either
by the controller or any other person to identify the
individual” [italics added]
• NB recital 30: “traces” left by IP addresses, cookies and
RFID tags, when “combined with unique identifiers”,
“may create profiles of natural persons and identify
them”
• Contextual tests – may depend on which DPA gets to
decide on it (though harmonisation will prevail)
• NB Special rules for consent to cookies exist in PECD because in
2002 not clearly regarded as personal data AND felt consent was
required, no alternatives.
2. Anonymisation and pseudonymisation
Much “profile data” used to finance the Web – targeted ads – is presented
as “anonymous.” Therefore can be used and reused without DP constraint.
• Arguments over “effective” anonymization
– Privacy fundamentalist – everything can be re-identified with enough
data and time
– High degree of diligence – EU A29 WP
– “risk assessment” – UK approach – ICO Code
• Which won in GDPR?
– No definition of anonymous data, but pseudonymous data is encouraged
(GDPR art 4(5) and recitals 23-23a)
– “pseudonymisation” means processing such that the data can no
longer be attributed to a specific data subject without the use of
additional information, so long as such info is “kept separately” and
held securely to ensure this
– Still personal data – but relaxed rules, eg no security breach notification
necessary; POSSIBLY easier to re-use for “compatible” purposes (art 6(4)(e));
and a plus for “privacy by design”
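An added example, not code from the slides or from any GDPR guidance, of what the art 4(5) definition asks for in code: a keyed, deterministic pseudonym whose key is the “additional information” held separately from the records. The sample records, the key handling and the function names are this example's own assumptions. For contrast it also shows why a bare hash of an e-mail address does not meet the “kept separately” condition: nothing secret is needed to recompute it, so the records stay attributable.

```python
"""Pseudonymisation in the GDPR art 4(5) sense: a keyed, deterministic
pseudonym per data subject, where the key is the "additional information"
that must be kept separately from the pseudonymised records.

Added example; record layout, key handling and helper names are this
example's own assumptions, not anything from the slides or the GDPR text.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people).
RECORDS = [
    {"email": "alice@example.com", "visited": "/pricing", "ms_on_page": 4200},
    {"email": "bob@example.com", "visited": "/docs", "ms_on_page": 900},
    {"email": "alice@example.com", "visited": "/signup", "ms_on_page": 300},
]


def generate_key() -> bytes:
    """The secret that lets pseudonyms be attributed again. Art 4(5) is only
    met if this lives apart from the pseudonymised data (an HSM or a separate,
    access-controlled store), so the analytics side never holds it."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: same subject -> same token (records can
    still be linked for analytics), but without `key` the token cannot be
    attributed to the subject. Normalise first so case variants still link."""
    norm = identifier.strip().lower().encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return copies of the records with the direct identifier replaced by
    its pseudonym; the original e-mail column is dropped entirely."""
    out = []
    for r in records:
        r2 = dict(r)
        r2["subject"] = pseudonym(r2.pop("email"), key)
        out.append(r2)
    return out


def build_lookup(identifiers, key: bytes) -> dict:
    """The 'additional information' of art 4(5): a pseudonym -> identifier map
    that only the key holder can build. Kept with the key, never with the data."""
    return {pseudonym(i, key): i for i in identifiers}


def unkeyed_hash(identifier: str) -> str:
    """A bare SHA-256 of the identifier, shown for contrast: with no secret
    involved, anyone holding a list of plausible addresses can recompute the
    hashes and attribute the records, so this is not art 4(5) pseudonymisation."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def attributable_without_key(token: str, candidates) -> bool:
    """True if `token` can be tied to one of `candidates` with no secret at all,
    i.e. the 'kept separately' requirement has nothing to protect."""
    return any(unkeyed_hash(c) == token for c in candidates)


if __name__ == "__main__":
    key = generate_key()
    pseudo = pseudonymise(RECORDS, key)
    # Linkability preserved: alice's two visits share one subject token.
    assert pseudo[0]["subject"] == pseudo[2]["subject"]
    assert pseudo[0]["subject"] != pseudo[1]["subject"]
    # Re-identification needs the key holder's lookup table.
    lookup = build_lookup([r["email"] for r in RECORDS], key)
    assert lookup[pseudo[1]["subject"]] == "bob@example.com"
    # A keyed token is not attributable by recomputation without the key...
    known = ["alice@example.com", "bob@example.com"]
    assert not attributable_without_key(pseudo[0]["subject"], known)
    # ...whereas an unkeyed hash of the same identifier is.
    assert attributable_without_key(unkeyed_hash("alice@example.com"), known)
    print("pseudonymised", len(pseudo), "records; key held separately")
```

The design choice worth noting for the “relaxed rules” point above: the relaxation only applies while the key and lookup table are genuinely separated from the data set. If a breach exposes both together, the records are ordinary personal data again and the breach assessment must treat them as such.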
3. Consent
DPD, Art 2: “any freely given specific and informed indication of
his wishes by which the data subject signifies his agreement to
personal data relating to him being processed.”
GDPR art 4(11) adds “unambiguous”,
and revocability as a key aspect of valid consent (GDPR art 7(3)),
and “a clear affirmative action”, ie silence is not acceptance.
Arguably new(er) requirements in GDPR (art 7(2) and (4)):
– written consent to processing should not be “bundled”, ie one
consent to everything at once
– consent not free if tied to providing a service but the processing
not necessary for that service (cf FB etc)
BUT
NOT required all consent be “explicit” – sensitive PD only
NOT explicit that consent void if “significant imbalance of power”
Children’s consent – 13 lowest, 16 highest, depending on EU state – is messy
Privacy icons NOT required for policies but are encouraged
4. New user rights – the “Right to Be Forgotten”
• Right to be forgotten (RTBF) – GDPR, art 17. Right of DS to “obtain from the
DC the erasure of personal data” if
– data no longer necessary for original purpose
– DS withdraws consent
– DS objects to their PD being used for profiling
– They have been “unlawfully processed”
• Aimed at hosts/publishers, esp social networks. Intended to protect children
from own folly! NOT JUST SEARCH ENGINES – see G Spain v Costeja.
• DC also has further duties when data passed to 3rd parties to process: “shall
take reasonable steps, including technical measures, to inform controllers which are
processing the personal data that the data subject has requested the erasure” (GDPR
art 17(2a))
• Implications for cloud service providers?? Not always controllers.
• Exceptions – see art 17(3).
– Freedom of expression
– Archives, historical, statistical and scientific research? (cf Wikipedia on criminal convictions)
– For proof in legal claims
Right to data portability
• Right to data portability, ie, for DS to get a copy of their data to
take elsewhere (GDPR art 20) – “in a structured, commonly used
and machine-readable format”
• Also right to have such data transmitted directly from co A to B
“where technically feasible”
– Aimed at breaking “lock in” to sites like Facebook – network
effects
– But some see as additional burden for service providers OR as
new market opportunity for infomediaries
– UK MiData initiative has already kicked off – mainly re energy companies,
also banks, mobile phone companies – see Enterprise & Regulatory Reform
Act 2013 – powers in reserve, not yet implemented
– Not a right to interoperability
5. Increased enforcement - 1
• Mandatory security breach notification (GDPR art 33-34).
• Already introduced for telcos/ISPs in PECD art 17(1)
• Aim is naming and shaming to prevent breaches; also notice
to public enables them to get remedies, take protective steps
• Devil in the details:
– what triggers (all PD breaches “unless the personal data breach is unlikely
to result in a risk to the rights and freedoms of natural persons” – data
encrypted or pseudonymised?);
– Tell DPA – for UK, ICO
– communication to individual DSs only if “high risk” of above
– Public announcement only necessary if too hard to notify individuals in high
risk cases
– how long to fix before notifying (within 72 hours if feasible)
– Parallel notification under EU Network Information Security Directive (NIS)
likely (affects non PD breaches as well)
• How effective? US, Japanese experience found SBN not that
helpful. Lack of US style class action rules.
• In UK Vidal-Hall v Google may help DSs in collective claims in
allowing action for DP breach even where harm not economic
Heavier penalties
• GDPR originally suggested penalties of up to €1 million or
up to 2% of the global annual turnover of a company. EU
Parl suggested 5% turnover, up to 100 mn Euros.
• Final GDPR – two levels
– Up to 10 mn Euros or 2% annual global turnover
– Up to 20 mn Euros or 4% global turnover for more severe
infringements
• Cf USA –big privacy breach cases, FTC large fines – 2012,
Google fined $22.5m (but < 1 day’s profit) ; FB, 2012, no
fine but $16,000/day per violation of agreed privacy
settlements & 20 years audit
• Smaller, more effective remedies? Disqualification from
company directorship??
• Competition remedies to break up infomonopolies??
Preventing breaches?
• More guidance on security obligation, art 32, including using
pseudonymisation and encryption, restoring access in timely
fashion, adhering to codes of conduct or certificates/seals
• “Privacy by design and default”
• Mandatory! “the controller shall.. having regard to the state of the
art and the cost of implementation” (art 25)
– Implement “technical and organisational” measures to implement DP
principles
– Pseudonymisation and data minimisation specially mentioned
– “privacy by default” – only collect the data necessary for each specific purpose
– Art 35; DP impact assessments – if “high risk” processing, esp using “new
technologies”, DPIA to be carried out before processing
– Especially likely for automated profiling systems, or “systematic monitoring of
public areas”
– UK ICO has much guidance on PIAs but little use in private sector
– Lists of likely systems needing DPIAs to be issued by DPAs

Story boards and shot lists for my a level piececharlottematthew16
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Recently uploaded (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
