Internalizing the history and philosophy behind the General Data Protection Regulation is key for every designer in privacy-critical contexts. The GDPR is not a law that specifies detailed demands for consent forms or the like---it is a change agent for embracing ethical principles in dealing with personal data, across the EU and beyond.
The spirit of the new EU-wide privacy regulation applicable from 25 May 2018 commonly demands much deeper changes to the design of not only websites, but of organisational processes and entire business models, than cosmetic updates to user interfaces and privacy statements. Instead of giving in to last-minute panic, it is advisable to take a deep breath, step back and evaluate the challenges and opportunities at hand from a bird's eye perspective before diving into solutionism.
This article suggests lenses of history, human rights, and ethics---and, hopefully needless to mention, does not represent legal advice, but the discussion of a suggested privacy-centric path to ethical design.
A look behind the GDPR
Adopted in 2016 and in force since 24 May that same year (the omnipresent May 2018 date only marks the end of the transition period, after which it applies and can be enforced), the GDPR's main objective was to finally harmonize privacy legislation between EU member states.
Roots in the 1980s and beyond
Its predecessors, initially the Council of Europe's 1981 Convention for the protection of individuals with regard to automatic processing of personal data (commonly referred to as CoE Convention 108, and still today the globally widest-reaching treaty on privacy), and since 1995 the Data Protection Directive 95/46/EC, always had the role of guidelines for national legislators to adhere to. International treaties like CoE108, as well as EU directives, have no direct effect before being transposed into national law, while an EU regulation such as the GDPR has immediate effect in the entire Union, even overriding potentially conflicting national law. The reliance on national transposition led to significant discrepancies in policies between member states---making it difficult to enforce and, above all, to grant all EU citizens an equal level of privacy protection.
In other words: the GDPR is not an entirely new set of rules, but the first ever measure to guarantee an enforceable level of privacy protection across the EU. At least as far as theory goes; in practice, the final version of the regulation consists of many ambiguous formulations and received a range of so-called "opening clauses" which again allow certain aspects to be regulated on a national level, making its interpretation non-trivial.
Its core, while obviously evolving to match technological advances and in certain parts being more specific than previous instruments, is actually not that different from the 1995 Data Protection Directive it is going to repeal in May 2018; we are talking about an evolution, rather than a revolution.
However, the former directive's transpositions into national law differed widely; hence, depending on the applicable jurisdiction, the newly imposed rules may represent more or less significant changes to previous policy. Example: German companies in compliance with existing national law are expected to have a comparatively smooth migration, as the Bundesdatenschutzgesetz (BDSG) already represented one of the tightest privacy laws in Europe; in some aspects the level of protection is even seen to be lowered by the GDPR and the revised BDSG. The now harmonized and soon enforceable law is putting an end to practices that could previously thrive despite clashing with chartered privacy rights---which is why the required changes are perceived as extraordinarily painful by some (the behavioural advertising industry, and any business models built on top of this highly privacy-invasive technology, in particular).
The GDPR protects the human right to privacy
It is of utmost importance to acknowledge that (notwithstanding the challenges its implementation admittedly poses in practice) the GDPR is not a new law that primarily aims to put "unachievable" requirements on businesses dealing with personal data: the regulation is the formalisation of some of the most fundamental humanist thinking and values of post-WWII societal foundations, as represented for example by the OECD guidelines on privacy from 1980. If anything, the widespread concern about stricter rules highlights how acceptable it had become to ignore such essential aspects of humanity because legal loopholes allowed it---and technology made it possible.
The purpose of the new regulation is to fortify the right to protection of privacy and personal data enshrined in Article 8 of the European Convention on Human Rights (ECHR), drafted in 1950 and in force since 1953:
Article 8 – Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
The same rights are also anchored in Art. 16 of the Treaty on the Functioning of the European Union (TFEU). The ECHR later served as a baseline template for the Charter of Fundamental Rights of the EU (proclaimed 2000, in force since 2009), which expresses these rights even more specifically:
Article 8 – Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
The GDPR is the first-ever universally and directly applicable pan-EU law that bindingly defines (again: with all the room for interpretation such multilaterally negotiated law inevitably brings along) how this human right to privacy is to be ensured in any context where personal data is at stake. If past practices of data processing now require alterations in order to comply with the GDPR, that indicates that they may in some way be in conflict with the requirements of Art. 8 of the Charter: processing fairly, with permission, transparently, controllably. In other cases, new GDPR requirements should mostly surface as documentation and operational challenges.
That said, it has to be highlighted that the makers of the GDPR always had in mind to find a balance between interests: protecting the human right to personal data, but also establishing a legal base, for instance for lawfully engaging in business based on the processing of such data. Looking closely at the GDPR, the human right to one's own data is highly valued but never an absolute right---the law for example makes clear exceptions where the public interests of a functioning society are affected; it further provides a range of lawful means for non-public organisations to process such data under strict rules.
Not a deadline---a process
Besides the excessive scaremongering with million-Euro fines in the currently growing media hype, one thing to leave behind is the almost religious sole focus on Monday 25 May 2018 midnight: aligning an organisation with the philosophy of ensuring the absolute human right to privacy is nothing less than a paradigm change for many.
Hence, the path to adherence to the GDPR is not a one-time exercise before May 2018, but an ongoing process that needs to be baked into how an organisation operates in the present and future. Naturally, the transition end date---which in this spirit really should be seen more as a start date for social change---stands immovable nonetheless, so any such process should start as soon as possible.
There is no absolute "GDPR compliance"
First of all, it is important to accept that no organisation in the world will be able to claim to be "100% GDPR compliant" by May 2018. To understand why any such promises are bogus, the complexities of European law and privacy law need to be taken into account.
(For a deeper understanding of how the GDPR came to be, see the documentary "Democracy – Im Rausch der Daten" (in German).) As already mentioned, the GDPR itself---with its often purposefully imprecise formulations and 70+ opening clauses demanded by member states during the final trilogue phase---is not specific enough to validate one's implementation against.
As with any law, the final interpretation will be taken care of by the judiciary: the ultimate evaluation of the GDPR and its national counterparts will take place in court, and a more reliable understanding of what "compliance" truly means will only emerge over the years to come. The comparably short history of privacy legislation has always been a complicating factor in its application, with only a limited body of questions exhaustively assessed in the past.
An example for illustration
One of the more obvious examples for illustration: under currently prevailing interpretation and guidance, outsourcing the processing of EU data subjects' personal data to a US company can be considered GDPR-compliant as long as that company has certified itself under the "EU-US Privacy Shield Framework" and the data controller has a data processing agreement with it.
Two NGOs, Digital Rights Ireland and La Quadrature du Net, had already filed legal challenges against the EU Commission regarding Privacy Shield in 2016; both cases were rejected by the CJEU for procedural reasons. However, it is likely only a question of time before that framework is challenged again for being incompatible with European standards; the US does not even meet the most minimal international standards in privacy law (as defined by the OECD guidelines from 1980). Should the Court of Justice of the European Union (CJEU) rule in favour of such a position, this could invalidate any processing of personal data based on the "Privacy Shield" as not meeting the requirements of the GDPR.
This was already the destiny of its predecessor, the "Safe Harbour Principles": overturned by the CJEU in 2015, German companies that kept transferring data to the US found themselves being sued in 2016.
A volatile legal construct
So the intrinsic details of the GDPR's application are not set in stone, but rather a volatile legal construct. Therefore, just gluing "consent models" or "privacy statements" on top of existing solutions in order to meet the 25 May deadline may not be sufficient for anything but the simplest contexts.
While more and more national data protection agencies (DPAs; the EU Commission maintains a list of links to them) have started to roll out valuable guidance documents to aid compliance (which also give an indication of the regulatory perspective they will take when auditing for compliance), and following these will help to mitigate the risk of getting in trouble, even the DPAs' interpretations of the GDPR are subject to outstanding (and regularly reviewed/updated) guidelines by the Article 29 Working Party and the European Data Protection Board (EDPB)---and ultimately to scrutiny by the courts.
In short: the GDPR is not a law that states "do this, this, and this, and you are compliant". The reality is more like "here is a bunch of baseline rules, along with a range of exceptions, and the requirement to self-assess the weighing of interests between your users and your own interest, along with a text that intentionally leaves plenty of room for interpretation". Any GDPR compliance advice (and there is a growing amount of really good advice from lawyers and other professionals, though unfortunately mixed with a lot of sources simply trying to sell the usual snake oil) can only be an attempt to reduce the risk of being in conflict with how a DPA or court might evaluate an organisation in relation to the evolving jurisprudence. There is no 100% guarantee, as there are no 100% absolute definitions.
Human rights and values as a safe core
This leads to the value of a human-rights-based ethical design approach: in order to achieve the highest possible level of adherence to the GDPR, it is not only important to follow published guidelines by the DPAs and the WP29/EDPB on a detail level, but first and foremost to pay attention to the core principles behind this legislation:
- the inviolable right to privacy for everybody (CoE108, and Art. 8 Charter of Fundamental Rights of the European Union),
- the core concepts of privacy already present in the to-be-repealed Data Protection Directive:
  - general prohibition of processing any personal data unless explicitly proven lawful in the specific context,
  - purpose limitation (using data only for the purpose it was collected for),
  - data minimization,
  - the individual's control over their data, and
- the not-new, but now formalized-as-requirement, principles of
  - Privacy by Design and
  - Privacy by Default, as well as
- the underlying spirit of the GDPR that personal data is always first and foremost the property of the individual and needs to be treated with the appropriate care.
The tighter a specific solution rests on these foundations, the more likely it is that any changes in the law's interpretation will only bring about minor changes; courts will interpret the GDPR, among other factors, based on these underlying values. And that is why striving for "GDPR compliance" should start with general considerations on values, ethics and data ownership, and only as a last step be finalized by complying with specific interpretations and guidance.
Designing the treatment of personal data from a privacy core towards legal compliance ensures that an organisation's personal data processes are built on a solid privacy-centric foundation. The benefit goes way beyond the GDPR: no matter the details, such a process is likely in sync with pretty much any existing or upcoming privacy legislation worldwide---most privacy laws share their common roots in CoE108 or the OECD guidelines.
GDPR is not about building a permission scheme
One common approach to adjusting operations to the GDPR requirements is to evaluate personal data currently processed and then identify what lawful purpose can be applied to define that as legal---from "legitimate interest" and permissive contracts to specific consent and other lawful reasons permitted by the GDPR. This is a crucial step in any organisation's efforts to evaluate their operations.
But while sometimes presented as a solution ("find the gaps and figure out how to patch them"), this should only be a starting point to the broader process of solving the big questions, such as:
- Can we justify why collecting, keeping and processing this specific data deserves to be exempt from the universal rule that processing personal data is forbidden?
- Do we need that data?
- How can the data be minimized (in scope, but also regarding the duration of its storage)?
- How can we achieve transparency in the data collection, storage, processing and the individual's control over it?
- Is privacy one of the key design drivers for all our processes (only deviating from it for well-justified reasons)?
- Is the default to ensure the strictest privacy possible and only collect data where it becomes necessary and the individual is made aware of it and agrees to it?
It is good to remember that the more personal data an organisation processes, the more expensive its handling may become due to increased GDPR requirements. And since a potential audit will always be based on a case-specific weighing of the respective interests of the data subject and the data controller, every piece of personal information held always comes with a risk of non-compliance.
This is why adjusting to the requirements of the GDPR cannot be seen as merely a deadline. Purely focussing on apparent compliance of the visible bits by May 2018 bears the risk that true privacy issues are overlooked (along with potential opportunities to streamline internal processes) and patched with a glued-on permission layer requiring constant review and always bearing risks for the individual (these risks are the true concern of the GDPR) and the organisation (these risks are the GDPR's "shark teeth" to ensure it is being taken seriously).
Privacy-law compliance starts with ethical design
Accepting the human right to privacy as an ethical imperative makes it possible to see privacy law compliance as
- a commitment to treating humans as humans,
- a process,
- a core strategic element,
- a long-term asset for sustainability,
- a mitigation of risk,
- a competitive advantage, and even
- a branding opportunity.
Organisations, businesses, and designers who act with respect for human beings acknowledge the high value that privacy has for our society, and do their best to treat any such data they are entrusted with with the highest respect. The new EU law is only the legislature's attempt to create a level playing field for everybody, making privacy rights a societal priority---where needed, by means of hurtful fines: the GDPR, as I read it, is really a call to practice ethical design.
Notes
- While this text generally refers to "organisations" (in an attempt to cover a wide range from NGOs to businesses), the points are valid for anybody affected by the GDPR, whether or not they are an "organisation"; otherwise the correct term would be "data controller", which would make for a horrible reading experience.
- With all the digital industry debates, it is easily overlooked that the GDPR not only applies to websites and digital processes, but, under certain circumstances, even to a paper-based list of addresses or the like.
- Some US state laws, however, are considered by some to be even more strict than the GDPR (e.g. B. Marcinkowski on the California state law in: Datenschutz und Datensicherheit 6/2017, p. 360).