Yesterday, 28 January 2021, was Data Protection Day (or Privacy Day outside of Europe). Oh yes, it is very much a thing! It celebrates the signing, back in 1981, of “Convention 108”, the first (and only) international treaty on privacy and data protection. The day is used by governments, data protection agencies, and other bodies to raise awareness about the importance of personal data and its protection. We thought The Wired Wig could jump on board too by revisiting two podcast episodes on the topic and providing you with some extra information and resources.
Since the GDPR (General Data Protection Regulation) came into force in 2018, and following recent high-profile data protection cases like Schrems II involving Facebook or the latest TikTok espionage debacle, people are starting to take their data protection more seriously and to appreciate its value. What’s more, the Covid-19 pandemic has shown that people will only agree to use digital solutions like tracing apps if they are confident their data won’t be misused in the future.
So, what exactly is the GDPR and how does it protect your data?
We could dedicate an entire blog to this but, briefly speaking, the GDPR (General Data Protection Regulation) regulates modern data collection practices and gives EU users more rights and control over how their data is processed. There are seven key principles with which businesses must comply:
1. Lawfulness, fairness and transparency – data processing must be lawful, and users must know about it. In other words, the user must consent, and that consent can be withdrawn at any point (see the “Right to be forgotten”)
2. Purpose limitation – data must be processed for a clear, pre-defined purpose
3. Data minimization – only the necessary data needed to fulfill the purpose must be collected
4. Accuracy – collected data must be correct and up to date
5. Storage limitation – data may not be kept for longer than is necessary
6. Integrity and confidentiality – data must be protected by appropriate cybersecurity measures
7. Accountability – Organizations are accountable for their compliance with the GDPR
And, what about data travelling abroad from the EU?
The “Schrems II” decision (Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems) of July 2020 confirmed how international transfers of data must be protected. Generally, these transfers are illegal unless a mechanism that allows them is in place. The recent CJEU decision held that one such mechanism, known as the Privacy Shield, which is essentially a special deal for data transfers with the USA, is no longer valid. Although the framework featured an Ombudsman and possibilities for redress, there were instances of bulk collection of data. As Tobias Brautigam, Senior Counsel and Head of Privacy at Bird & Bird in Helsinki, puts it in the episode:
“You need a haystack to find the needle… and from a human rights perspective, this is terrible”.
Other mechanisms that allow international data travel are standard contractual clauses or adequacy rulings from the Commission. Annabel and Tobias discuss what these are in more detail and analyze the case further in the episode!
How does it work for data travelling to the UK since January 2021?
Brexit means that the UK has now become a third party for the purposes of data flows to and from the EU. Ideally, the Commission will grant the UK an adequacy decision, under which it deems data protection in the UK to be sufficiently in line with that of the EU for transfers to continue. Given the far from extraordinary data protection measures in place in the UK, such a decision is by no means guaranteed. Indeed, if the Commission does not issue it, organisations will need to implement supplementary measures to deal with the possible deficiencies in the UK privacy and surveillance laws.
Speaking of surveillance, what about data collected for those purposes?
In the episode with Mahdi Assan from The Cyber Solicitor, the methods and regulation of surveillance are discussed. The Investigatory Powers Act 2016 regulates the powers used by UK security and intelligence agencies to prevent crime. The Act covers five different surveillance powers, including the interception of communication, equipment interference (i.e. hacking) and bulk personal data collection. The police cannot simply collect such data for no reason, however. A warrant connected to the operational objectives, deemed necessary and proportionate, is required. As for the retention of data, a notice must be served on organizations and is valid for twelve months at a time.
What about tracking? Should I be scared of apps like TikTok spying on me?
TikTok is an app that collects a lot of personal data, including location data and even a record of the other apps installed on your phone. It is owned by a Chinese company, and the American government had concerns that this data could be accessed by the Chinese government.
Mahdi notes three important things about the TikTok case:
– A ban on TikTok is conveniently beneficial to many of its (American) competitors
– TikTok is not the only company engaged in big data collection and processing. Google and Facebook do the same and aren’t much more transparent about it.
– It highlights an interesting relationship between the State and private companies, particularly in a surveillance capitalism context.
Hear more from Mahdi below:
What new developments have occurred since these episodes?
Data protection is a fast-changing area of technology law. In 2021, two big news stories have already landed:
- One year ago, the browser Chrome released plans to stop supporting third-party cookies by 2022. However, the Competition and Markets Authority (CMA) has opened an investigation into these proposals to remove third-party cookies and other tracking functionalities. This could place the digital economy in a deadlock, with better user privacy on one side but competition law issues on the other.
- On a technical note, Google has announced success with its new type of tracker that could replace cookies altogether: FLoC (Federated Learning of Cohorts). In theory, this method of tracking would be better for consumers, as users are not individually identifiable. In addition to this, Google’s sandbox tests have shown results beneficial to marketers who currently profit from cookies and other trackers.
The topic of data protection is a crucial one in the technology era and one of Annabel’s specialties. It is bound to come back, whether it is Data Protection Day or not!