How to Make Digital Analytics Processing Lawful Under GDPR and ePrivacy?

If you’re a regular reader of the blog series on GDPR Piwik PRO is focusing on, you possibly noticed our posts are leading you through the questions your company should answer to assure readiness and minimize compliance risks with a view to the May 2018 deadline.

We initially talked about whether GDPR applied to your company. We addressed the thorny issue of whether “we don’t collect PII” would still be enough to assure compliance. Then, we skipped a couple of articles and discussed consent.

This article focuses on the heart of the GDPR and privacy legislation as it reviews the principles related to the processing of personal data, as well as how to assure such data endeavors are lawful. Consent will then be revisited, considering the upcoming ePrivacy Regulation that is currently being drafted and expected to come into force at the same time as GDPR.

Processing of personal data – main principles

Europe and the GDPR didn’t exactly re-invent the wheel when it comes to principles relating to the processing of personal data. As highlighted back in 2014 in the Privacy Engineers Manifesto, privacy legislation around the world shares common principles, which we can see below.

As such, Article 5 of the GDPR is no different, yet attention should be drawn beyond the first paragraph to focus on the enhanced notion of accountability.

Indeed, paragraph 2 highlights that “the controller shall be responsible for, and be able to demonstrate compliance, with paragraph 1 (“accountability”).”

The chances are therefore that data controllers, those dealing directly customers, will turn to their data processing partners for support in their compliance claims. How compliance can be demonstrated becomes part of the data equation: for example, how do you demonstrate that data is only kept for as long as necessary?

Or how do you prove data is “not further processed in a manner that is incompatible with those purposes” (the ones for which data was collected in the first place)?
Evidence related to data deletion, or at least anonymization, should become part of sound data practices under the GDPR.

Data minimization

Also note that one principle sits rather uncomfortably with “big data” practices: the “data minimization” principle in paragraph 1 (c) of Article 5 highlights that “personal data shall be adequate, relevant and limited in what is necessary in relation to the purposes for which they are processed”.

This principle can be upheld only if the data industry keeps track of the initial purpose for which the data was intended and assures alignment through traceability mechanisms. While certain traceability mechanisms seem to be in development, structuring of purpose unfortunately seems overlooked, which doesn’t bode well for forthcoming Internet of Things initiatives!

Lawfulness of processing

Once the principles related to processing of personal data are understood – including defining purpose, the reason for which data is being used in the first place – your company can move on to defining which mechanisms will make the processing of data lawful.
GDPR allows for a range of possibilities, of which legitimate interest is typically the most widely used.

Imagine for example someone contracting a subscription with a Telco operator to be able to receive and make calls under a personal phone number. The data processed to create this account, make the service work, and send invoices would typically fall under the concept of “legitimate interest”: the parties involved have a legitimate interest to make these data processing operations lawful, both the citizen/consumer whose data is being treated under this contract as the data controller and the Telco company delivering the service.

There is a lot of discussion about how far this concept of legitimate interest stretches, certainly when talking about digital data. Recital 47 specifies further that “the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned”. Fraud detection gets a free pass for lawfully processing data, one that is also used in digital endeavors.

Direct marketing, however, while also listed in recital 47, is not endorsed. Indeed, the last line of this recital states “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. In other words, it doesn’t constitute a legitimate interest by default, as opposed to fraud.

And this is where, when it comes to digital analytics, it is essential to note that legitimate interest for now is not among the options available under the ePrivacy Regulation to assure lawfulness of processing. Indeed, article 8.1 of ePrivacy, while talking of consent, as does Article 6 of the GDPR, does not include this part of the GDPR. At the same time, the GDPR does include cookies and unique identifiers in the list of personal data, so privacy legislation applies to digital analytics.

ePrivacy and lawfulness of processing

While we can’t talk of direct transposition of the GDPR logic into the ePrivacy Regulation, which is considered lex specialis, Article 8 addresses the protection of information stored in and related to end-users’ terminal equipment. Indeed, this is about accessing cookies and other information available on devices.

The article states that processing data from a device by another party than the user is prohibited unless either consent is given by the end-user (option b) or it falls under the exception of web audience measurement (option d).

Obviously we’ve come a long way in digital analytics since the ePrivacy Directive was passed back in 2009. This time around it seems that while the law will be applicable for all countries – it will be a Regulation, not a Directive – we will have to do better in respect of how end-users understand the manner in which their data is accessed and used.

On top of that, they’ll probably have a lot to say about it, as “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (GDPR, article 4 (11)).
Considering the previously discussed accountability obligations, the ICO provides guidance related to consent in their GDPR Consent Guidance (p34) to give an idea of what would be required for proof of compliance.

The question of consent under the ePrivacy Regulation

It’s probably rather soon to state with absolute certainty that Article 8 will remain as it is. What’s sure is that time is short for the legislator and companies active within the digital data ecosystem to come to an understanding.

Consent obligations, also in line with the GDPR’s Conditions for Consent (Article 7) under which it can be withdrawn at any time by data subjects, should be at the heart of finding solutions to build accountable systems for the rapidly-emerging IoT.

Summing up

 The GDPR and its partner ePrivacy Regulation apply to digital analytics. Similar privacy principles apply in both laws, such as transparency, choice, information review and correction, information protection and accountability. However, in order to make processing lawful, while the GDPR allows for the use of “legitimate interest”, ePrivacy takes only consent into consideration.

The final text of ePrivacy is still under discussion. Companies should think about how they will best deal with consent obligations (remember cookie walls?) to enhance consumer trust.
The law can only go so far: it’s a minimum standard for compliance and aims to remain technologically neutral in order to assure durability. Solutions might be found in the form of old friends like DNT, where both the law but also industry bodies could play a role towards rebalancing the (digital) data equation.