Happy 2016, in which new privacy legal rights emanating from Europe and complex interplay between data value, privacy, security, terror and governance around the world will drive more significant changes in technology business models than ever. In such a year, what should a data law blog become? As the questions have been growing in size and importance, I have been privileged to be drawn into dialogues with thought leaders and innovators around the world. Curating the insights from these dialogues can make this blog much more valuable to you (helping to make what lawyers do more valuable). That is why this blog will open up to include posts by lawyers associated with many types of organizations, non-lawyers and scholars, making the best of the flow of ideas that data law has and needs.
Let’s start with Europe. The world of privacy rights, emanating from Europe, threw down the gauntlet with the Schrems decision (and you have probably noticed the recent absence of heartening messages about the Safe Harbor 2.0 resolution in January, particularly from some Data Protection Authorities (DPAs)) and most recently administered what appears to be its coup de grâce with agreement on the final text of the pan-European General Data Protection Regulation (GDPR).
Between now and 2018, when the GDPR will be effective, and potentially before then given the ever-increasing powers being grasped and exercised post-Schrems by the individual DPAs, the tech world will be coming to grips with an enormous expansion of European privacy rights and restrictions. Every entity that processes personal data of people in the EU when offering goods or services to them or monitoring their behavior, including U.S. websites, will now purportedly be subject to the GDPR, and many U.S. companies will become enforcement targets in the context of huge penalties (up to 4% of global annual turnover, including the revenue of affiliates). Here is a quick summary of the most unsettling and provocative requirements for readers of this blog:
- Analytics: After many years of discussions of alternative approaches, the most restrictive approaches to data analytics were in fact codified in the final text of the GDPR, reaffirming data minimization and purpose limitation; the specific uses of data must be explicitly disclosed at the time of collection and not exceeded, and nothing else may be collected. People have many more notice rights, including about third-party collection (naming names), profiling, retention periods, purpose and transfers. And profiling based on sensitive data can only be done with explicit consent.
- Statistics: Permissible secondary purposes include statistical purposes. All analytics are statistics, of course, but we will see the extent to which the GDPR means that the individual may not be targeted.
- Rights: Existing rights have been strengthened, and new individual rights, including data portability, the right to be forgotten, and restrictions on profiling, are established. Companies must respond to assertions of these rights within a month.
- Consent: No longer, it now seems, is it possible to condition any service upon consent to data use not necessary to that service (such as for advertising). Ad-based revenue models will continue their migration to choice-based models.
The near-impossibility of giving all these notices and enforcing all of these restrictions within the Internet of Things and mobile life generally will accelerate the creation of new business models involving greater control by the individual customer (formerly known as the consumer). I have tried to bring the work being done on some of these models to your attention, but that was just me talking. I hope the next post you see on this subject from this newly open blog will be a new voice going deeper….