Up close and personal with Mr GDPR

Submitted by on 30 May 2018 – 12:20

Government Gazette’s Janani Krishnaswamy caught up with the European Data Protection Supervisor, Giovanni Buttarelli, for an exclusive interview to discuss everything relating to the new regulation on personal data protection – the General Data Protection Regulation.

Dozens of websites have shut down their activities completely and several others have forced users to agree to new terms of service, as the General Data Protection Regulation (GDPR) came into force on May 25, 2018. There was a sudden overflow of emails, with companies either sharing their privacy policies, trying to refresh consent or sometimes requesting consent from customers who have never used their services before.

Most of these companies have either acted on poor legal advice, a fear of fines or lack of good examples to follow. The cascade of messages varies of course and some explicitly cite the GDPR. “Failure to accept the new terms by 25 May, we are told, will mean you can no longer use our services” is one of the most common among them all. In fact, several medium and small enterprises have been sending emails – to a vast range of data subjects, including ones who had not originally subscribed to their services – simply asking questions such as: “Would you like to continue receiving our communication?”

“Most of these GDPR emails are unnecessary”

JANANI: Is this sudden flood of emails really necessary under GDPR?

BUTTARELLI: No, and I criticise such a practice. A week ago, closer to the eve of 25 May, there was an unbelievable flow of useless mails, asking for consent to keep recipients on their mailing list, which are totally unnecessary. You do not need to automatically refresh all existing consents in preparation for the new law. Some companies are taking this opportunity to review their existing practices on data sharing. However, doing it all together in one go has turned counter-productive.

Quoting from his blog, he noted that “for most people outside the esoteric data protection bubble this represents first contact with the new dispensation of digital rights and obligations in the EU. If this encounter seems a take-it-or-leave-it proposition – with perhaps a hint of menace – then it is a travesty of at least the spirit of the new regulation, which aims to restore a sense of trust and control over what happens to our online lives.”

The GDPR was actually adopted two years ago, in 2016, so there has been plenty of time for people to prepare for this. I wonder why everyone had to wait until the last minute to become compliant.

What is more controversial is that most of these messages have been oriented to protect the data controller rather than the data subject, and have been drafted in a way which is not fully compatible with GDPR, which requires a concise, transparent, intelligible and easily communicable form, using clear and plain language.

Consent is just one of the pre-requisites to comply with the law, but not the main one.

Independent regulators for the last two years, according to the guidelines of the Article 29 Data Protection Working Party (WP29), have insisted upon the point that consent should be used in a much more selective way when needed. This consent needs to be freely given and must be informed.

With the new dimension of consent, which should be more specific, targeted and with proper information, you should allow the data subject to choose without any detrimental effect.

“It’s time U.S. services rethink their approach” 

JANANI: While a great number of U.S. news websites have shut down temporarily to European readers, they still hold massive amounts of personal data of European users. How do you plan to deal with organisations such as these, which try to escape fines?

BUTTARELLI: They can do whatever they want. They are not obliged to provide services to Europeans.

However, I was impressed because this could be either a result of anxiety or unjustified privacy mode. For the time being, GDPR provides for some principles to be complemented by the e-Privacy Directive, which will be in place for at least another few months.

The law is very clear. GDPR does not provide any novelty. They should be compliant with the e-Privacy Directive, regardless of the GDPR. GDPR doesn’t replace PECR but sits alongside it and European regulators are coming up with a new set of e-privacy rules to replace it.

Several organisations including Salesforce, Microsoft, Google and Facebook sent out ambitious messages to say that they are fully ready for GDPR. IBM was the only company that initially raised the concern about the difference in dealing with European and U.S. users.

However, they had nearly two years to prepare for this day. Is this precaution or panic mode? Either way, it is nonsensical.

I sincerely hope they rethink their practices and go back to providing their services to European users.

“There will be a new social media subgroup to tackle the manipulative practices that should end with GDPR”

JANANI: With Facebook and Google already being sued under the GDPR, what is the fate of other tech firms? Have there been any major complaints already? How do you think GDPR will control the same old harmful habits packaged in new bottles?

BUTTARELLI: One hour and 26 minutes after the midnight of May 24, we received a preliminary set of detailed complaints from across four or five countries about social networks and other tech companies.

The concern is to deal with the new system in GDPR which builds on speaking in one voice across cross-border operations.

We have reactivated a social media subgroup of data protection regulators to tackle the “manipulative approaches” that must change with GDPR. We aim to share investigations at a national level on Cambridge Analytica and similar cases and develop an overall strategy for the future, including potential guidelines for processing personal data for political purposes.

Is Europe fully ready for GDPR?

JANANI: To your best knowledge, which of the member states are fully prepared for GDPR?

BUTTARELLI: We are monitoring the activities of national governments.

According to the information from the European Commission and after the first meeting of the European Data Protection Board, when we received more information about the efforts of national governments, I can say that roughly, at least 2/3rd of the member states are prepared to embrace GDPR.

Some of them will be ready in the coming weeks.

On 23 May 2018, representatives of the Council and the Parliament agreed on a new regulation on the handling of personal data by EU institutions and other EU bodies.

The European Data Protection Supervisor (EDPS) as an independent EU body will be responsible for monitoring the application of data protection rules within the European Institutions and for investigating complaints.

I don’t care about the short delay in some countries. The regulation itself is a self-sustaining, stand-alone piece of legislation, which does not need the support of national governments.

While there are few reasons which require cooperation at the national level, most areas are directly relevant to all countries. GDPR prevails over conflicting and overlapping provisions at the national level.

Will small and medium enterprises be dealt with differently?

JANANI: A recent IDC survey indicates that only 29 percent of European small businesses and 41 percent of midsize businesses have taken steps to prepare for GDPR. Elizabeth Denham, the UK Information Commissioner, has recently made a statement in the media that small businesses which did not make extensive use of customer data will not come under close scrutiny. Will you be mainly targeting the big companies that persistently, deliberately and negligently flout the regulations?

BUTTARELLI: I’m not directly confident about supervision of small businesses, but I have similar problems here in the EU bubble.

For instance, in Italy, about 80% of small and medium industries are entirely in panic mode, as they are rediscovering their existing practices, with most of them asking for an extension.

I think we should make a distinction in terms of scalability and in terms of new requirements. While we cannot be tolerant of a law dating from 1995, we can’t allow them to circumvent data subjects.

“I don’t care about Facebook’s declarations. They are simply bound by GDPR” 

JANANI: Did you have any major takeaways from Mark Zuckerberg’s testimony before the European Parliament and the U.S. Congress?

BUTTARELLI: I appreciate that he came to Brussels, although he had only seven minutes to make some comments and not to provide detailed answers to the more challenging questions from MEPs.

However, the two hearings in the U.S. show the need for a cultural change.

Facebook made several comments about GDPR. Zuckerberg stated that Facebook has nothing against GDPR, that they did not believe it is a model for the U.S. system, but appreciate GDPR in spirit, although they will not implement GDPR to all services.

For a tech giant, it may be difficult to fragment its privacy policy, depending on the country where they may offer services. Yet, I don’t care about their declarations. They are simply bound by GDPR.

The takeaway from Zuckerberg’s testimony does not relate to Facebook only, but relates to U.S. policy.

As Tom Wheeler, former chairman of the Federal Communications Commission, said in a recent article in The New York Times, “The New World (i.e., the U.S.) must learn from the Old World (i.e. Europe).” They should have a change at the federal level.