The GDPR and 25 May 2018: The finishing-line or starting pistol for data protection compliance?

Crispin Maenpaa

25 May 2018. A date that has been evangelised by the Commission for the last 2 years, etched into the minds of all privacy activists, and overflowed your inbox as emails on ‘consent’ arrived from companies you’d long thought forgotten. This historic date represents the entry into force of the General Data Protection Regulation (GDPR), the EU wide rules which empower citizens to have more control over their personal data and govern how companies can process this data.

While this date may have felt like a sprint to the finish line, I would argue that the starting pistol has only now begun to echo throughout the EU and beyond. While many thought they were engaged in a 100 metre dash, the reality is that the GDPR heralds an iron-man triathlon which will progressively transform how companies can process data. GDPR compliance is not a single skill race, and companies will need to be aware of evolving interpretations so as to make sure they are up to speed with the compliance requirements of EU data protection.

Swimming against waves caused by other companies

Firstly, there will be a need to swim through GDPR interpretations imposed by other companies. Data protection addendums will be added to all third party contracts so that any shared data complies with the GDPR. This best practice will be replicated company wide, even for the occasional use of survey monkey or sharing documents internally on Slack. Naturally, there will be divergence in how each company interprets the new GDPR provisions such as the right to data portability, or the right to object to automated decision-making. These divergences will take time to settle before there is an industry wide common approach to these addendums; this alone is likely to mean contract addendum revisions and the need to closely follow industry practices.

While there are many participants in GDPR compliance, the clear pace setters are the largest players involved in the processing of personal data. Unsurprisingly, Google will create significant waves for the evolving compliance requirements of other companies. A prominent example is Google’s request for publishers to take ‘extra steps’ in obtaining user consent for the use of Google’s ad services. In essence, Google shifted the burden of getting consent to publishers in requiring them to give proof of such consent in order to use their dominant online ad service. In reaction, a collection of publisher associations sent a letter to Google CEO Sundar Pichai stating that it could seem that Google ‘is in effect dictating to the market which companies any publisher can do business with’. Evidently, while companies may have undertaken their own internal compliance measures, the requirements set by large technology players will shape how the GDPR plays out over the coming months.

Pedaling to keep up with the European Data Protection authorities

Secondly, the European Data Protection Board (EDPB) has been given performance enhancing drugs and is ready to pedal ahead with enforcing the GDPR. The EDPB brings together the EU’s national data protection authorities and comes into existence on 25 May with a new legal mandate. This replaces the current Article 29 Working Party (WP29), and the expected Chair of the EDPB, Andrea Jelinek, has commented that this body’s objective is to be ‘defenders for data protection (…) and to support data subjects to fight for their rights’.

Thanks to provisions under the GDPR, the EDPB will be empowered to ensure compliance and can issue guidelines, recommendations, and best practices that are certain to shape the GDPR’s practical application. Already, there has been industry criticism regarding how over prescriptive these data protection authorities have been in interpreting the GDPR through their ongoing guidelines. For example, the Guidelines on Consent significantly expand on what is meant by consent being ‘freely given, specific, informed and unambiguous’. In addition, the Guidelines on Transparency suggest that providing information on how you are using the data should differ between intended audiences and account for their ‘level of understanding’. For children, the data protection authorities recommend that they are informed about how their data is being processed through the use of cartoons, pictograms, or animations.

Having already flexed their muscles, the EDPB will now be empowered by a legal mandate and increased powers. They are at the ready to put their hands firmly on the handle-bars, and not allow companies to free wheel with their interpretation of data protection.

Running long-distance with the European Court of Justice

Thirdly, the long-term marathon of compliance requirements will be set by privacy activists and the European Court of Justice (ECJ). At numerous Brussels events, policymakers and privacy experts have commented on the need for case law to clarify exactly what is meant by the provisions of the GDPR. Without protracted legal interpretations, there will not be fully certainty on what is meant by consent, the GDPR’s application to children, a true meaning of a ‘legitimate interest’, and how the GDPR’s right to be forgotten can apply to key databases with a significant public interest.

Already, La Quadrature du Net, the French privacy activist association, has announced that as soon as the GDPR enters into force, it will launch class action lawsuits against Google, Apple, Facebook, Amazon and Microsoft. These separate cases will argue that giving consent cannot be ‘free and explicit’ when companies require you to hand over data to access their services.  It seems that this action may have the support of the EDPB as their Guidelines on Consent found that consent cannot be considered as freely given if a controller argues that a choice exists between its service (which requires personal data) and an equivalent service by a different controller which does not. This is only the first legal battle for the GDPR, and its legal assessment could significantly alter how personal data is processed.

Importantly, everyone’s’ favourite privacy activist Max Schrems is still raising funds for his new organisation called noyb (an abbreviation for none of your business). This promises to use the GDPR to ‘bring privacy cases in a much more effective way than before’ and deliver ‘targeted and strategic litigation’. Already, Schrems has tweeted, on 12 May 2018, that

‘WTF?! So the ‘solution of Facebook, Google, or Microsoft for the GDPR is to claim they have a ‘legitimate interest’ to take all the data they can get their hands on and use it for any of their ‘products’ (…’.

Given Mr. Schrems’ existing track record on dismantling EU data rules, it can be certain that noyb will have the stamina to last for the long run.

Crossing the finish line?

Evidently, compliance with the GDPR is not a simple sprint towards the finish line of 25 May 2018. Being compliant with the GDPR and the EU’s data protection standards will involve navigating the tempestuous waves caused by the activities of other companies, keeping up with the EDPB as it cycles ahead with new powers, and following the pace set by the longer term cases and adjudications before the European courts.  These dynamic actors will all determine who are the winners and losers in this test of endurance.

Suffice to say that while 25 May 2018 may have been announced as the finishing line for compliance with EU data protection rules; in reality, we have only started the multi-faceted and evolving race towards guaranteeing privacy in the EU.