Much has already been written about the forthcoming EU General Data Protection Regulation (GDPR): about how to comply, what to watch out for, how steep the fines are, and where to find help. Here, we place the focus on relevant aspects of the GDPR for specific areas of the Internet industry – and the eco Association’s activities in 2018 to support companies in a seamless transition to the new legal framework.
Domains – Balancing ICANN Requirements with EU Law
One of the biggest activities in the eco Names & Numbers Forum currently is the eco GDPR Playbook for the Domain Industry. This playbook is based on a detailed analysis of the conflicts between ICANN processes and the requirements of the GDPR. In particular, as Lars Steffen, Domains specialist at the eco Association, explains, “The Playbook attempts to propose a solution to the significant challenges for registries and registrars. The most debated issue is the public Whois database, which ICANN requires registrars to use, and which may give rise to questions on compliance with the GDPR once it comes into effect – given that the data of registrants as published in this context might be regarded as personal.”
To respond to this predicament, eco took on the role of attempting to develop a solution that will comply with the GDPR and that ICANN will accept. This involved a public consultation in Brussels with domain industry representatives in late 2017, and further consultations on the draft by email. On 10 January 2018, eco submitted a proposal to ICANN based on the eco GDPR Domain Industry Playbook, which has been published for public comment.
Blockchain & The Right to Withdraw Consent
How can the Right to Erasure enshrined in the GDPR be implemented in the context of blockchain?
In considering the GDPR, questions arise concerning how the law, and in particular the Right to Erasure enshrined in the regulation, can be implemented in the context of blockchain. Where are the boundaries for what types of data can be stored in a blockchain when it comes to end-consumer data? The end-consumer has the permanent right to withdraw consent for the storage of personal data and to demand erasure. With a technology like blockchain, it is not actually possible to delete data. An argument put forward by some parties is that it would be sufficient to encrypt all data within the blockchain and then delete the encryption key for the relevant data if consent is withdrawn. However, on a strict reading of the GDPR, it could be counter-argued that deleted means deleted. The eco Competence Group Blockchain will be exploring the impact of the GDPR in their event and paper on blockchain and e-government in the 2nd quarter of 2018.
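The key-deletion argument and its counter-argument, as an added illustration that is not part of the article or of any eco paper: a toy append-only hash chain in which each subject's record is stored only as ciphertext and "erasure" means destroying that subject's key. After erasure the chain still verifies and the plaintext is unrecoverable, but the ciphertext residue is still on the chain. The cipher is a constructed HMAC-SHA256 keystream for illustration only, not a production primitive.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed counter-mode keystream built from HMAC-SHA256; XOR is its own inverse,
    # so the same call encrypts and decrypts. Illustrative only, not a production cipher.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


class Ledger:
    """Append-only hash chain. Blocks hold ciphertext only; keys live off-chain."""

    def __init__(self):
        self.blocks = []  # (prev_hash, subject_id, nonce, ciphertext), never modified
        self.keys = {}    # subject_id -> key: the only mutable, deletable store

    @staticmethod
    def block_hash(b) -> bytes:
        return hashlib.sha256(b[0] + b[1].encode() + b[2] + b[3]).digest()

    def head_hash(self) -> bytes:
        return self.block_hash(self.blocks[-1]) if self.blocks else b"\x00" * 32

    def append(self, subject_id: str, record: bytes) -> int:
        key = self.keys.setdefault(subject_id, os.urandom(32))
        nonce = os.urandom(16)
        self.blocks.append((self.head_hash(), subject_id, nonce, keystream_xor(key, nonce, record)))
        return len(self.blocks) - 1

    def verify_chain(self) -> bool:
        prev = b"\x00" * 32
        for b in self.blocks:
            if b[0] != prev:
                return False
            prev = self.block_hash(b)
        return True

    def read(self, index: int):
        prev, subject_id, nonce, ct = self.blocks[index]
        key = self.keys.get(subject_id)
        return None if key is None else keystream_xor(key, nonce, ct)  # no key: unrecoverable

    def erase_subject(self, subject_id: str) -> int:
        """Crypto-shredding: destroy the key. Returns how many ciphertext blocks remain on chain."""
        self.keys.pop(subject_id, None)
        return sum(1 for b in self.blocks if b[1] == subject_id)
```

The non-zero return value of `erase_subject` is the point of the "deleted means deleted" objection: the data is unreadable, but not gone.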
CSA – The Impact of the GDPR on the Emailing World
The basic principles of the GDPR are largely already implemented in the Certified Senders Alliance regulations.
The GDPR is expected to have an enormous impact on the email marketing community. Even for regions within Europe that already have high standards of data protection, like Germany, the new sanctions form a strong motivation to ensure compliance with the law. The Certified Senders Alliance (CSA) has been striving over the last year to provide information and advice to the email industry as a whole on implementation of the GDPR requirements. The basic principles of the GDPR are already implemented in the CSA regulations, apart from a couple of minor changes. As Julia Janssen-Holldiek, Director of the CSA, says, “We have heard from our certified senders that they are actively working with their customers to get the requirements in place in time for 25 May.” One key issue is consent – this should take the form of a Double Opt-In (DOI) subscription – and another is offering an unsubscribe option. The CSA team is currently preparing a set of guidelines for emailing under the GDPR, and there will be a panel discussion on practical examples of the GDPR in everyday email life at the 2018 CSA Summit on 18-20 April. A detailed discussion of the requirements for legal email marketing and the most important points on the GDPR can be found in the current issue of the eco Directive for Permissible Email Marketing.
IoT & Personally Identifiable Information
Connected Car: How quickly does it become possible to identify the driver?
Data protection is certainly a major issue for the Internet of Things. Pseudonymization and encryption of data are both important processes for protecting the identities of data subjects. However, when enough different data from a single source are triangulated – for example, location data from a connected car that is recharged overnight in the garage of a smart home – how quickly does it become possible to identify the driver? The data then becomes Personally Identifiable Information (PII), even though it was initially pseudonymized. The GDPR will have an impact on how Personally Identifiable Information is collected, stored, and transferred, and on the responsibilities of data controllers and third-party data processors. The implications of the GDPR will be taken up as one of the topics in the eco Paper on the Connected Car, to be published this year. The paper will give treatment recommendations for business compliance and legislation on the basis of different levels of autonomous driving, and will also explore the impact of the GDPR on Software Design, Security, and Data Protection.
It should also be kept in mind that all of these considerations do not yet factor in the e-Privacy Regulation currently being debated by the European Council.
Cloud Platforms: Conflict Between Data Minimization and Data as a Necessary Foundation for Digital Business Models
eco and EuroCloud, the European umbrella association of cloud providers with an interdisciplinary team of lawyers, data protection authorities, standardization and accreditation authorities, associations, auditors and cloud service providers, are working on a set of criteria for certification in accordance with the GDPR.
In the context of the AUDITOR project, EuroCloud is dealing with the specific requirements of the GDPR for the cloud computing sector. The most interesting question will be how we can deal with data and data protection in the context of interconnected digital platforms. Here, fundamental challenges are emerging not only in the technical area, but are also taking on a not-to-be-underestimated socio-political dimension.
Andreas Weiss, Director of EuroCloud Germany and Head of the eco Digital Business Models Division, has mixed feelings: “The GDPR is a friend and a foe. Of course, we need some safeguards, but we still need to be able to breathe. We should be very clear that the industry should take care of privacy by design and privacy by default as a good sign of willingness to respect the privacy of individuals. On the other side, we need sufficient space to develop innovative business models where we are not yet very clear about potential side effects, and we need to learn how to live within these paradigms of privacy by design and privacy by default.” Initially, as Weiss sees it, the GDPR is very abstract and has no specific reference to technology. “Now is the time to clarify the targets for digital platforms to be compliant with GDPR regulation.” A key challenge will be the guidance for design of services and the separation of duties for all players within a complex network of combined services.
It is very simple to transform two pieces of information into PII (Personally Identifiable Information), and Weiss believes we need to learn how to deal with this. “For me personally, I say it's OK to have services which know who I am and where I am. If I want to change it, I need the option to deny the tracking for this service. And of course, as soon as I realize that this service has disclosed my information without my consent to any third party – for example for advertising purposes – I want to keep the option of complaining about such behavior. At the end of the day, I think digital self-determination is also a key direction. The individual should have an opt-in/opt-out option.”
The eco Association provides a range of Data Protection Services for members, including support in data protection risk assessment and compliance, the eco EU Data Protection Representative for members not based within Europe, and the eco External Data Protection Officer for members based within Germany.