This article is written by Oruj Aashna, from the University of Calcutta. It addresses the notable challenges an organization can face in complying with the General Data Protection Regulation and the steps it can take to meet them. Several cases are summarised to illustrate the consequences of non-compliance.
Data is considered an asset and has even been called the ‘currency of the future’. With the growth of information technology, personal data flows freely and is considerably easier to access. With that flow, data breach cases have significantly increased, and breaches draw extensive attention as businesses of all sizes become more reliant on digital data, cloud computing, and workforce mobility.
In this context, countries are racing to impose high standards of data security and privacy on digital entities, which has moved businesses to re-evaluate their legal compliance, especially where data crosses borders.
The European Parliament and the Council adopted the General Data Protection Regulation (“GDPR”), which set companies worldwide the challenging task of meeting its standards of data security and privacy. The GDPR is the most stringent law to date for protecting the personal data of individuals in the EU. One of its most notable changes is the shift of control over personal data from the service provider to the individual.
The regulation applies regardless of where the controller is established: a company outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU is within its scope (Article 3). Because of this wide territorial reach, companies outside the EU have also been re-evaluating their practices. Notwithstanding the risks of non-compliance, numerous organizations still doubt their ability to comply with the regulation, largely because of its complexity and the amount it leaves to interpretation.
- In 1995, when the internet was in its infancy, the EU adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Although the directive was meant to harmonise the protection of individuals’ fundamental rights, as a directive it had to be transposed into the national law of each member state, and the member states implemented it unevenly. Protection therefore differed from state to state, and the directive swung between efficacy and non-efficacy.
- In 2016 the GDPR was adopted to replace the outdated Data Protection Directive; it became applicable on 25 May 2018.
- The GDPR gained wide acknowledgement from all EU states and is regarded as the most comprehensive and robust data protection initiative to date.
- From the date the regulation became applicable, businesses have had to face its implications on a large scale. Their assessments encountered several compliance challenges, mostly because of the regulation’s nature, complexity and multiple possible interpretations.
- That complexity has opened the door to huge fines for data infringements and non-compliance.
- In 2018, when the GDPR came into force, it was evident that companies were having a hard time meeting its requirements. While some companies felt fully compliant, others are still uncertain which compliance measures will provide sustainable, long-term solutions.
- Tech giants such as Facebook, Twitter and Google have faced penalties for breaches of the regulation. The question “what challenges can a company face?” becomes more relevant when these giants, with their expert teams, stumble over the regulation.
- The issue is not just the penalty but the loss of reputation a company suffers due to GDPR non-compliance, which can have overwhelming consequences.
With all the reports of non-compliance cases, given below are some of the challenges a company could face while dealing with the data of people in the EU.
Record of Consent
- Lately, many companies have had difficulty keeping pace with GDPR requirements on recording data and mapping where stored data is located. One such challenge concerns storing records of ‘received consent’ and ‘withdrawn consent’.
- Article 7(1) of the GDPR states that where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. In practice, the consent must be recorded in an auditable form showing that it was freely given and that the consent request did not contain misleading, misrepresented or intimidating clauses.
- The request for consent shall be presented in an intelligible and easily accessible form, using clear and plain language [Article 7(2)]. On top of that, businesses must make it as easy for a data subject to withdraw consent as it was to give it [Article 7(3)].
- A business that relies on consent must have the storage and management capacity to record the consent status (assent and withdrawal) consistently across all of its systems.
- If the data is shared with a third party (such as an advertising agency or an outsourced management team), the data subject must be informed of this and must have consented to it. The controller or processor must record the data subject’s declaration of consent for third-party access as well.
- Managing consent is one of the challenges a company can face, especially when working with third parties. One option is to store all consent information received from data subjects, through internal and external systems, in a centralised form.
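The centralised consent record described above, as an added example that is not part of the original article: a small Python ledger that keeps every “given” and “withdrawn” event in an append-only, hash-chained log, records the third parties the data subject agreed to, makes withdrawal a single call with no extra information, and lets an auditor verify that no earlier entry has been altered. The purpose names, notice versions and recipient names are assumptions made for the illustration.

```python
"""Auditable consent ledger (added example, not code from the article).

A controller relying on consent must be able to demonstrate it (Article 7(1)),
record withdrawal as easily as assent (Article 7(3)), and record which third
parties the data subject agreed to share with. This ledger is an append-only,
hash-chained log: nothing is edited or deleted, so a withdrawal does not erase
the evidence that earlier processing was lawful, and tampering with any entry
breaks the chain. Purpose names, notice versions and recipients are assumed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple

GENESIS = "0" * 64   # prev_hash of the very first entry


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                 # e.g. "marketing_email" (assumed purpose name)
    action: str                  # "given" or "withdrawn"
    recipients: Tuple[str, ...]  # third parties named in the consent request
    notice_version: str          # version of the plain-language request shown
    timestamp: str               # UTC ISO-8601, when the subject acted
    prev_hash: str               # hash of the preceding entry (chain link)
    entry_hash: str = ""         # SHA-256 over all fields above


def _digest(fields: dict) -> str:
    """Hash an entry's fields in canonical (sorted, compact) JSON form."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._entries: List[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, action: str,
                recipients: Iterable[str], notice_version: str) -> ConsentEvent:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        fields = dict(
            subject_id=subject_id, purpose=purpose, action=action,
            recipients=tuple(recipients), notice_version=notice_version,
            timestamp=datetime.now(timezone.utc).isoformat(), prev_hash=prev,
        )
        event = ConsentEvent(**fields, entry_hash=_digest(fields))
        self._entries.append(event)
        return event

    def record_consent(self, subject_id, purpose, recipients=(), notice_version="v1"):
        """Consent given; the notice version ties the record to the wording shown."""
        return self._append(subject_id, purpose, "given", recipients, notice_version)

    def withdraw(self, subject_id, purpose):
        """Withdrawal needs only the subject and the purpose (Article 7(3))."""
        current = self.status(subject_id, purpose)
        version = current.notice_version if current else "n/a"
        return self._append(subject_id, purpose, "withdrawn", (), version)

    def status(self, subject_id, purpose) -> Optional[ConsentEvent]:
        """The latest event for this subject and purpose decides the current state."""
        for event in reversed(self._entries):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def may_process(self, subject_id, purpose, recipient=None) -> bool:
        """Gate every use of the data, including sharing with a named third party."""
        current = self.status(subject_id, purpose)
        if current is None or current.action != "given":
            return False
        return recipient is None or recipient in current.recipients

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited or removed entry fails the check."""
        prev = GENESIS
        for event in self._entries:
            fields = asdict(event)
            claimed = fields.pop("entry_hash")
            if event.prev_hash != prev or _digest(fields) != claimed:
                return False
            prev = claimed
        return True

    def export_for_audit(self, subject_id) -> List[dict]:
        """Everything recorded for one subject, in order, for a regulator or a SAR."""
        return [asdict(e) for e in self._entries if e.subject_id == subject_id]
```

The chain is a tamper-evidence measure for the controller’s own records, not a substitute for backing them up: an attacker who can rewrite the whole log can recompute every hash, so in production the latest entry hash would also be anchored somewhere the application cannot write (a write-once log, a signed daily digest).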
Joint Data Controller
- Joint controllership is not a new concept, but it has become more involved in today’s data processing environment. The discussion intensified after the Facebook fan page case; the Jehovah’s Witnesses case and the Fashion ID case are other matters in which the courts of Europe addressed joint controllership.
- The GDPR gives little direction on joint controllership. Only three brief Articles (Articles 26, 30 and 36) mention joint controllers, so a controller and its partners have to interpret their roles and determine whether they fall under joint controllership.
How to ascertain the joint controllership?
- Article 26 of the GDPR states that joint controllers are those who “jointly determine the purposes and means of processing.”
- The Information Commissioner’s Office (ICO) has listed indicators by which an organization or individual can determine whether it is a joint controller:
- the parties have a common objective behind the processing of the data;
- the parties have jointly designed the process;
- the parties have common data management rules; and
- the parties share the same database for the same purpose.
- There may be no written document confirming that you are acting as a joint controller. In that case, assess the activities and their purpose, and verify with the principal controller what your position is and what data is being processed.
- Article 26(1) requires joint controllers to determine their respective responsibilities by means of an arrangement between them. The arrangement does not need to be a written contract, but a written document will give a clear view of each controller’s responsibilities and liability.
- For example, Facebook (Ireland) has provided a ‘controller addendum’ to Page administrators which sets out obligations under the GDPR, including the requirement of a legal basis for the joint processing and information about how personal data is jointly processed.
Right to be forgotten
- In 2014, the Court of Justice of the European Union recognised the right to be forgotten in Google Spain SL, Google Inc. v. AEPD. The court held that the operator of an Internet search engine is responsible for the processing it carries out of personal data which appears on third parties’ web pages.
- Article 17 of the GDPR entitles data subjects to have their personal data erased where, for example, the data is no longer necessary for the purpose it was collected for or the data subject withdraws the consent on which the processing was based. The right extends to replicas and copies, including archived data in backups, and the controller must erase the data without undue delay.
- The controller must be effective in permanently deleting the data from each and every system in which it is stored. For this purpose, the controller must know where the data is located.
- Data mapping is one way to make erasure across a variety of formats manageable.
- Even though the regulation contains no explicit data-mapping requirement, a controller or processor needs to practise data mapping to comply with the law. Data mapping records where data is located, its condition and whether it still exists.
- Consider the following steps to minimise the burden of data subject requests:
- do not store unnecessary personal data;
- erase any data which is no longer necessary;
- keep personal data organised well enough to be accessed easily; and
- train staff to recognise data subject requests and route them to the responsible person.
- It is important that data controllers and processors do not rely on contracts and paperwork alone in this regard.
- The GDPR distinguishes between personal data in general (Article 4(1), often called personally identifiable information, PII) and special categories of personal data (Article 9, often called sensitive personal information, SPI). The two require different approaches to identify and protect them accurately as they flow through automated or manual environments.
- Personal data is any information relating to an identified or identifiable individual; it may identify the person directly or only in combination with other, seemingly “innocent” data. Special categories are personal data whose disclosure could cause particular harm, such as data revealing racial or ethnic origin, health or biometric identity; Article 9 prohibits processing them unless one of its specific exceptions applies, so SPI sits on a higher pedestal of regulation than ordinary PII.
- Companies can have a tough time classifying data according to these standards and degrees of confidentiality.
Examples of SPI and PII
- SPI: biometric data, genetic data, racial or ethnic origin, health data, etc.
- PII: contact information, account numbers, location, etc. The regulation also counts online identifiers such as IP addresses, cookie identifiers and e-mail addresses as personal data.
- The regulation therefore expects companies to give an individual’s IP address or e-mail address the same level of security and protection as any other personal data. Companies will need to re-evaluate their policies and contracts to align with this expectation in their security terms.
- Companies can address this by building a data classification process into their security programme. Data classification is the process of organising data into categories; it enables a company to stay compliant with the GDPR and maintain confidentiality at the same time.
- Tools used for data management include databases, business intelligence software and standard data management systems. Google Data Studio, Databox, Visme and SAP Lumira are examples of business intelligence software.
- Article 20 of the GDPR gives the data subject the right:
- to receive the personal data he or she provided to the controller, in a structured, commonly used and machine-readable format; and
- to transmit that data to another controller.
The right enables users to both obtain their data and move it to a different controller.
- Article 20 applies:
- to personal data the individual provided to the controller;
- where the processing is carried out by automated means; and
- where the processing is based on the data subject’s consent or on a contract.
- “Personal data provided” here means not only the names and addresses the user types in but also the personal data the company gathers by observing the individual’s activity. This includes:
- browsing history;
- traffic and location data; and
- raw data processed by connected objects, such as smart meters and wearable devices.
- Despite its narrow scope, compliance with this part of the regulation remains complicated.
- The time limit for replying to a data subject access request (SAR) is short: Article 12(3) requires a response within one month of receipt, and the ICO expects the same.
- To comply, the organization must know where the data is located and have the means to retrieve the required information.
- Without knowing the location of personal data throughout its dispersed internal data landscape, a business cannot be GDPR compliant. Most organizations address this by implementing governance strategies or revising existing policies to align with the new data protection rules.
- Note that the regulation does not define what “technically feasible” means for direct transmission between controllers under Article 20(2); an organization must settle on a defensible interpretation.
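The data mapping, classification, erasure and portability duties discussed in the preceding sections, worked through as one added example that is not part of the original article. The map records, for every store and field of a hypothetical controller, whether the field is ordinary personal data or an Article 9 special category and whether the subject provided it, the service observed it, or the controller derived it. From that map the code answers a portability request with only the provided and observed data, refuses to answer while an unmapped field exists, erases the subject from every mutable store, and, because a backup cannot be edited in place, records a suppression so that a restore does not revive the data. All store names, field names and sample records are constructed for the illustration.

```python
"""Data map for erasure and portability (added example, not code from the article).

A controller that cannot say where a subject's data lives can neither erase it
(Article 17) nor export it (Article 20). The map below records, per store and
field, the classification (ordinary personal data or an Article 9 special
category) and the origin (provided by the subject, observed by the service, or
derived by the controller). Store names, fields and sample records are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

class Category(Enum):
    PERSONAL = "personal"   # Article 4(1)
    SPECIAL = "special"     # Article 9

class Origin(Enum):
    PROVIDED = "provided"   # typed in by the subject
    OBSERVED = "observed"   # collected by tracking or devices
    DERIVED = "derived"     # inferred by the controller; outside Article 20

@dataclass(frozen=True)
class FieldSpec:
    store: str
    field: str
    category: Category
    origin: Origin

DATA_MAP: List[FieldSpec] = [  # assumed map of a hypothetical controller
    FieldSpec("crm", "email", Category.PERSONAL, Origin.PROVIDED),
    FieldSpec("crm", "name", Category.PERSONAL, Origin.PROVIDED),
    FieldSpec("analytics", "ip_address", Category.PERSONAL, Origin.OBSERVED),
    FieldSpec("analytics", "pages_viewed", Category.PERSONAL, Origin.OBSERVED),
    FieldSpec("wearables", "heart_rate", Category.SPECIAL, Origin.OBSERVED),
    FieldSpec("scoring", "churn_risk", Category.PERSONAL, Origin.DERIVED),
    FieldSpec("backup", "email", Category.PERSONAL, Origin.PROVIDED),
    FieldSpec("backup", "name", Category.PERSONAL, Origin.PROVIDED),
]

class Store:
    """Stand-in for one system; a write-once store (backup) keeps a suppression list."""
    def __init__(self, records: Dict[str, dict], mutable: bool = True):
        self.records = records     # subject_id -> {field: value}
        self.mutable = mutable     # False for backups that cannot be edited in place
        self.suppressed = set()    # subjects that a restore must drop

def build_stores() -> Dict[str, Store]:
    """Constructed sample data for two subjects, s1 and s2."""
    asha = {"email": "s1@example.com", "name": "Asha"}
    ravi = {"email": "s2@example.com", "name": "Ravi"}
    return {
        "crm": Store({"s1": dict(asha), "s2": dict(ravi)}),
        "analytics": Store({"s1": {"ip_address": "203.0.113.7",
                                   "pages_viewed": ["/pricing", "/signup"]}}),
        "wearables": Store({"s1": {"heart_rate": 72}}),
        "scoring": Store({"s1": {"churn_risk": 0.8}}),
        "backup": Store({"s1": dict(asha), "s2": dict(ravi)}, mutable=False),
    }

def unmapped_fields(stores, data_map=DATA_MAP) -> List[Tuple[str, str]]:
    """Mapping gap check: fields present in a store but absent from the map."""
    mapped = {(f.store, f.field) for f in data_map}
    present = {(n, k) for n, s in stores.items() for r in s.records.values() for k in r}
    return sorted(present - mapped)

def locate(subject_id, stores) -> Dict[str, dict]:
    """Every store that currently holds a record for the subject."""
    return {n: dict(s.records[subject_id]) for n, s in stores.items() if subject_id in s.records}

def special_category_stores(subject_id, stores, data_map=DATA_MAP) -> List[str]:
    """Where Article 9 data about the subject sits; these need the strictest handling."""
    special = {(f.store, f.field) for f in data_map if f.category is Category.SPECIAL}
    return sorted({n for n, r in locate(subject_id, stores).items() for k in r if (n, k) in special})

def portability_export(subject_id, stores, data_map=DATA_MAP) -> dict:
    """Article 20: provided and observed data only, from live stores; json.dumps-ready."""
    spec = {(f.store, f.field): f for f in data_map}
    out = {}
    for store, record in locate(subject_id, stores).items():
        if not stores[store].mutable:
            continue            # backups hold copies, not the record of truth
        for field, value in record.items():
            f = spec.get((store, field))
            if f is None:
                raise KeyError(f"{store}.{field} is not in the data map; fix the map first")
            if f.origin in (Origin.PROVIDED, Origin.OBSERVED):
                out.setdefault(store, {})[field] = value
    return out

def erase(subject_id, stores, data_map=DATA_MAP) -> Dict[str, str]:
    """Article 17: delete from mutable stores; suppress in write-once stores."""
    missing = {f.store for f in data_map} - set(stores)
    if missing:
        raise LookupError(f"mapped stores not reachable: {sorted(missing)}")
    report = {}
    for name, s in stores.items():
        if subject_id not in s.records:
            continue
        if s.mutable:
            del s.records[subject_id]
            report[name] = "deleted"
        else:
            s.suppressed.add(subject_id)
            report[name] = "suppressed"
    return report

def restore(store: Store, subject_id):
    """Restoring from a backup honours the suppression list."""
    return None if subject_id in store.suppressed else store.records.get(subject_id)
```

Two design choices carry the compliance weight. First, the export and the erasure both refuse to proceed when the map is incomplete (an unmapped field, or a mapped store that cannot be reached), because silently skipping data is exactly how copies survive a deletion request; `unmapped_fields` is the check to run before answering any request. Second, the derived `churn_risk` score is deliberately absent from the export, since Article 20 covers data the subject provided or that was observed about them, not the controller’s own inferences, which a subject would instead reach through an access request.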
- Under the GDPR, a data controller and its data processors can both be held liable for a breach. In simple words, if an organization’s third-party partner is not compliant, the organization is not compliant either. It is crucial to get the third party on board with the required security standards.
- The organization must be able to show that the third party applies the same data protection standards as the organization does. Given the vast amounts of customer data that may be involved, the organization may need considerable automation and/or practices that allow it to recall data from a third party immediately.
- The organization must have a contract with the third-party vendor (Article 28) which includes clauses stating that:
- the vendor shall act only on the documented instructions of the organization;
- the areas where the GDPR applies are properly defined and the vendor is bound by the regulation’s requirements;
- the vendor shall not subcontract or outsource any services within the scope of the GDPR to other organizations without prior consent; and
- the vendor shall delete or return all the data to the organization on termination of the contract.
- In addition to signing a contract, an organization working with a third party must regularly audit the third party’s processes.
Upon violation of the regulation, companies can be fined very large amounts. There are two tiers of fine, depending on the severity of the infringement:
- Lower tier: up to 10 million euros or two percent of the undertaking’s worldwide annual turnover of the preceding financial year, whichever is higher; and
- Upper tier: up to 20 million euros or four percent of worldwide annual turnover, whichever is higher, for the more serious infringements.
Article 83 of the GDPR sets out how fines are determined. The following points are taken into consideration before an administrative fine is imposed on the violator:
- the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing, the number of data subjects affected and the level of damage they suffered;
- whether the infringement was intentional or negligent;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented under Articles 25 and 32;
- any previous infringements by the controller or processor;
- the categories of personal data affected by the infringement;
- the degree of cooperation with the supervisory authority to remedy the infringement and mitigate its possible adverse effects;
- the manner in which the supervisory authority became aware of the infringement, in particular whether, and to what extent, the controller or processor notified it;
- where measures under Article 58(2) have previously been ordered against the controller or processor on the same subject matter, compliance with those measures;
- adherence to approved codes of conduct under Article 40 or approved certification mechanisms under Article 42; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, from the infringement.
Google’s non-compliance case
- In May 2018, two digital rights groups, None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”), filed complaints against Google for failing to comply with the GDPR. The French data protection authority (the “CNIL”) found that Google had failed in two ways:
- firstly, Google did not give Android users accurate information about its processing, such as data retention, collection and sharing; the information was not in plain and unambiguous language and was too generic for users to understand; and
- secondly, Google did not obtain valid consent from its Android users to process their personal data for ad targeting.
- The CNIL fined Google 50 million euros in January 2019; it was the largest GDPR penalty at the time.
Right to be forgotten (Finland)
- The Supreme Administrative Court of Finland ordered Google to remove, from its search results, links containing a convicted man’s personal data, in support of the “right to be forgotten” under the GDPR.
- The court held that a man convicted of murder in the underlying case had a right to privacy, and that his request for the removal of his information did not violate the public’s right to information about a person of public interest.
- The court observed that the convict had diminished responsibility for the murder because of his health condition, so the personal data about him was held to be sensitive and private.
The Facebook “fan page” case.
- On 5 June 2018, the Court of Justice of the European Union ruled that the administrator of a Facebook fan page is a data controller jointly with Facebook Ireland. The ruling widened the range of who counts as a data controller.
- The case arose when a private training academy, Wirtschaftsakademie Schleswig-Holstein GmbH, created a fan page on Facebook to promote its business. Facebook provided the academy with statistics about the users who visited the fan page, compiled from data collected through cookies placed on visitors’ devices.
- The German data protection authority ordered the academy either to deactivate the page or to bear a fine.
- The charge was that visitors to the page were not notified that their data was being collected through cookies.
ICANN vs. EPAG
- The debate was whether collecting administrative and technical contact data for a domain registrant is compliant with the GDPR.
- ICANN is a non-profit organization that coordinates the Domain Name System. When the GDPR became applicable, EPAG, a registrar of second-level domains, stopped collecting administrative and technical contact data. On 25 May 2018 ICANN filed a complaint, alleging that EPAG’s refusal to collect and provide the information was a breach of contract. EPAG argued that most of the data ICANN demanded was unnecessary.
- The German court rejected ICANN’s application on three grounds:
- the agreement between the parties did not establish that the information was required;
- collecting additional information that is not necessary for the purpose is contrary to Article 5(1) of the GDPR, even though it could help identify the actual person behind the domain; and
- collecting information about persons beyond the registrant is not necessary.
- The court thus rejected the injunction application on 30 May 2018.
- A data security failure can shatter a small organization, simply through the consequences of non-compliance and/or the cost of dealing with it. Large corporations can face huge fines and class actions that damage their reputation.
- Under the GDPR, every company that stores or processes the personal data of people in the EU, irrespective of where it is established, faces repercussions for non-compliance.
- According to a Propeller Insights survey, technology will be the most affected sector, followed by online retailers, software companies, financial services, SaaS and retail packaged goods.
- Of all the failures, the most notable hurdle organizations fail to clear is responding to data subjects’ requests. About 70% of businesses failed to complete requests from end users within the one-month time limit (according to a senior director of data governance).
- Technology companies that run in an automated way, using artificial intelligence and algorithms, are more likely to be held responsible for a breach of data privacy under the GDPR. A complex algorithm creates a “black box” that gives little insight into what is happening inside it. The controller or processor has to be in a position to explain to the data subject how its automated decision-making works. This does not mean it must disclose its source code or the formula used to make the decision. According to the guidance of the European data protection authorities, a company should find a simple way to tell data subjects the rationale behind a decision, or the path by which it was reached, rather than attempting a complex explanation of the algorithm or disclosing it in full.
- One of the key elements of GDPR compliance is transparency: data processing has to be transparent enough for a company to be compliant.
The GDPR is built on the six data protection principles of Article 5(1), plus accountability:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation;
- accuracy;
- storage limitation;
- integrity and confidentiality; and
- accountability (Article 5(2)): the controller must be able to demonstrate compliance with the above.
A good starting point for GDPR compliance is to establish that your business and team follow the principles of the GDPR. An organization should determine a full set of strategies and schemes to assure compliance with the GDPR and other relevant laws, including documentation of governance, management structure, roles and responsibilities, risk management, and the compliance and assurance programme. These measures determine whether the principles and associated protocols are fully embedded in the business.
On the other hand, companies also need cost-effective and efficient plans for responding to data subjects’ requests. Technology plays a vital role here, specifically for the data portability, management and mapping obligations. Installing the right technology will not just mitigate risk but also let companies respond more efficiently. Many organizations have already adopted technology support to improve their workflows, and others have felt the need to raise the priority of new technology to aid GDPR compliance. It is evident by now that addressing GDPR compliance requires open-ended revision of workflows and processes. A proper compliance framework and technical measures will help an organization meet the challenges associated with the GDPR.