GDPR — Six Months and Counting

By Jan Thomas On Jan 9, 2019

As 2018 comes to a close, most companies, firms, and agencies which participate in data collection are undoubtedly aware of GDPR and have probably taken some measures to comply with new data protection rules. However, Thomas’ key questions and answers may provide even more security and awareness to all data collectors wanting to know more about what GDPR actually means to them six months in.

Fast Facts

The What

GDPR defined ‘personal data’ as any information that can be associated with an identifiable person. These data include but are not limited to names, any form of ID number, geographical or location data, and online nominatives or identifiers.

The Who

The GDPR applies to all organizations that collect or process data of EU residents, offer services, or sell goods to them regardless of the location of the organization itself.

The Members

Controllers – Bodies that control and determine the filters, purposes, and means of processing data
Processors – Bodies that carry out the function of processing data on behalf of the controller

Where Are We Now?

The legislation itself seemed strict and definitive. So much so, that it sent European and non-European organizations into a frenzy of panic and preparation before the May 25th deadline. But here we are, at the six-month mark since the legislation came into effect and as we attempt to analyze the ‘real-world’ impact, we are left with a lot of questions. For example: Where does the ad tech industry go from here? In what situation should one really be classified as a controller vs. processor? And will these classifications be practically applied?

There was widespread industry alarm before GDPR became official as almost every reputable firm buffed up with attorneys and legal consultants. Executives conferred with partners, professionals, and internal and external consultants, then took actions to make their companies ‘GDPR compliant.’ Some organizations decided on being extra cautious and over-prepared, almost stifling everyday, business life. Others seemed more lax, having changed little to nothing about their data policies. Whichever side of the spectrum of preparedness your company lands on, you might take comfort in that fact that so far, there have only been a few court cases brought to European courts using GDPR as the main argument. Even fewer fines have actually been issued by the data protection authorities.

Additionally, there are informed citizens who have made use of their rights through deletion requests and cookie opt-outs, but on the whole, it seems that nothing has really changed. Is it possible that the GDPR, which was set to destabilize the tech industry, has in fact, left everything virtually the same? Does business just continue as usual? We take a closer look in the sections to come.

Enforcement or Change: Which Came First? the Chicken or the Egg?

One reason that there seems to be a lack of action or change is that we haven’t seen much evidence of enforcement yet. Or apparently, not enough. If we look, for example, at the Facebook/Cambridge Analytica scandal, it appears that all threats of punishment or consequence have receded into the legal background.

So, then there is the question — which will need to come first. Real change and then legal enforcement? Or legal enforcement and then real change? Most likely it will be the latter. If there is no enforcement, companies are less likely to take the new legislation seriously. This calm, ‘business as usual’ period that we are experiencing now could be a side effect of this feeling. Like with all legislation, in order for a law to be upheld, it must be enforced.

Therefore, in order for GDPR to take any real effect, there needs to be fines and very public cases of violators being held accountable for their actions. One of the first GDPR rulings determined in Portugal, did in fact, result in a 400,000 Euro fine for a Portuguese hospital that gave full access to patient data to hundreds of unauthorized medical and non-medical staff. However, simply put, more enforcement and action need to be made public in order to give GDPR real weight and to set legal precedence. As these actions haven’t yet been demonstrated to a great degree, the tech industry furor seems to have stagnated.

Until enforcement kicks in, we may be settling into a long waiting period to see what will happen next. Of course, it’s easy to speculate as to why more enforcement hasn’t happened yet (too few policing officers? too little structure for enforcement?) but this unsupported speculation doesn’t make the quest for compliance any easier. In theory, change would come before harsh enforcement — meaning that companies and other data processors would take it upon themselves to protect users’ privacy without the hand of the law pushing them. However, in reality, this is very unlikely. In reality, the egg will need to come before the chicken. That is, legal enforcement will need to come in order for change to follow.

Ambivalence, Ambiguity & Uncertainty

Another possible cause for the disorientation that we’re currently experiencing in the ad tech industry could be the ambiguity of GDPR itself. For example, the definitions of controller, processor, and sub-processor as written in the law are extremely brief. This brevity and lack of clarity is actually leading to convolution. Even here at Simplaex, we’ve had to go through the legal rigamarole of trying to pinpoint exactly how we should define ourselves. In turn, then, many of our partner SSPs define their relationships to our company differently from one another.

The uncertainty doesn’t stop at the definitions of controller and processor. Many other elements of GDPR sound equally as ambiguous. Three elements remain especially uncertain – personal data, individual identification, and cookies.

For example, the legality of personal data pertains more to personal identification that it does to data itself. Personal data as defined by GDPR is data that identifies a natural person, or makes them identifiable. It’s tough to evaluate exactly how, when and where data can make a person identifiable as this need to be assessed differently for each data processing context.

In another GDPR case, C-582/14: Patrick Breyer v Bundesrepublik Deutschland, the court ruled that personal data goes beyond the dynamism of IP addresses and should be assessed on a case-by-case basis with respect paid to local law and the legality of ‘legitimate business interest’ for processing personal data. The case determined that an IP address, for example, is only considered personal data if the internet service provider can be forced to provide a definitive identity or name.

From this case, we learn that whether a data processor (and its second or third parties) can use or combine certain individual types of data to potentially identify a user is really the issue at hand. For now, it seems that the subjective/relative framework will remain in place, which will allow for each individual case to be decided depending on the company’s capabilities of combining data to identify individuals.

Personal data and individual identification are not the only matters at hand. There are still so many questions about consent management and cookies that are currently left open-ended by GDPR.

For instance, when users of online services decide to deny the collection of their data, should their access to services be totally blocked, partially blocked or should it be given freely? Furthermore, is a cookie itself personal data? This ambiguity may be yet another reason why companies are all acting differently to one another to become GDPR compliant. This ‘big wait’ period that we’re experiencing now could be a result of ambivalence toward GDPR’s ambiguity. We expect that this uncertainty could continue for months and possibly years to come.

GDPR: What Is It Good For?

As we sit here scratching our heads and waiting for the unknown, we’ve almost forgotten what GDPR is all about. Its intention, to protect European citizens and residents is good. The stated intention, that is, to make the implicit contract between data providers and data collectors more explicit so that citizens can be informed about the usage of their data, is a noble one. However, side effects from this well-intended law may be the curbing of the power of non-European tech giants such as Google, Facebook and Apple and the bolstered protection of the European economy.

Besides the obvious, positive changes that GDPR attempts to bring about, one mistake that it makes is that it cannot blanket both tech giants and small and mid-sized companies alike because of individual characteristics such as status, revenue and data collection methods. Therefore, the implied goals of the GDPR are healthy and beneficial, however, the legislation itself may be more symbolic than realistically enforceable.

Recommendations for a Future Unknown

While there may be a much longer period of guess-and-check work to come, we do have a recommendation for companies wishing to keep their sanity amidst the confusion. That is; to mind your business. Keep your head down and keep doing what you believe to be GDPR compliant. Be aware that at this time, there is still a lot of gray area so err on the side of caution. Many questions will remain unanswered until precedence is set and court rulings are decided.

As for the future, a lot is unknowable. Although GDPR has only just been enacted, already there are e-privacy laws in the form of the European Union’s EPR (e-privacy regulation) coming on this horizon. It seems that the GDPR was only the first step in what may be a long and winding road of data policy. EPR, however, may, in fact, help to enlighten the public and clarify the issue of cookies as it focuses much more on this subject than GDPR does. Therefore, it’s possible that the governments of EU member states are gearing up for the second round before the first round has even finished.

We’re in for a long wait in the hopes of a resolution, but even if that comes, e-privacy regulation will shift the playing field again.