Category Archives: GDPR

Guidance and Un-Legislated Law

In 2016 and 2017, the Article 29 Data Protection Working Party (WP29) adopted Action Plans which set forth its global implementation strategy related to the General Data Protection Regulation (GDPR). Pursuant to these Action Plans, the WP29 has produced seven Guidelines and has indicated it will produce at least eight more. As the data protection community digests the massive amount of guidance coming from both the WP29 and the individual data protection authorities, it is worth remembering that the impact of guidance is not new; for better than thirty years, regulator guidance has changed markets. What has changed is the velocity, descriptiveness and volume of this guidance and, by extension, its impact on markets.

One of the most consequential privacy decisions made was by the U.S. Federal Trade Commission in the 1980’s when it issued an unofficial staff opinion that credit prescreening was permissible because the minimal invasion of privacy was counter-balanced by the consumer benefit of competition in credit card markets.  That decision, pursuant to the federal Fair Credit Reporting Act, while specific to pre-approved credit offers, unleashed the power of data driven advertising in the United States by creating an example about how data driven marketing can be effective.  The broad and deep credit files of Americans were used to granularly segment markets.  By 2001, one bank executive told me that his 60-terabyte prospecting file made it possible to pick the right credit product, out of the 6,000 he offered, for each consumer in the United States.

The key concepts in credit marketing were soon expanded to other markets as well.  With the introduction of a consumer Internet in 1993, digital marketing soon had the rich overlay of highly granular data to segment markets in a fraction of a second.  However, the whole movement began with that FTC opinion issued back in the 1980’s that balanced minimal privacy invasion against much more competitive credit markets.

Today, as we rush towards GDPR implementation, there is more and more guidance, and we should be cognizant of the impact of that guidance on how organisations will operationalize data protection law requirements.  Moreover, regulatory guidance is not just a European issue.  The FTC has been holding workshops and issuing reports since the late 1990’s.  Those reports have had real impact on data use.  The recent Canadian Office of the Privacy Commissioner report on its consent consultation has business guidance that will impact privacy practices well before recommendations are or are not enacted into law.  Recent guidance on data transfers from the Superintendent of Industry and Commerce in Colombia has caused a vigorous debate among all stakeholders.

The IAF, as a research organisation focused on the future, finds some guidance very helpful and finds other guidance backward focused. Our views on the WP29 draft guidance on profiling and automated decision-making can be found here.

To date, the IAF, as an organisation, has not stepped back to actually ask hard questions about the role of guidance in shaping the legal, fair and just use of data at a time where technology continually changes the way data is created, collected, and used.  In January that focus will change.  The IAF will hold a policy call with its stakeholders to begin exploring the role of guidance and the role of policy centers in responding to that guidance.  That call will be followed by a brainstorming session in the Spring of 2018.

As always, your comments are welcome.

Demonstrating Responsible Use for Legitimate Interests Is Necessary Now

Elizabeth Denham, the United Kingdom’s Information Commissioner, published a blog on 16 August, busting the myth that consent would be required for all processing under the General Data Protection Regulation (GDPR). In addition to the GDPR-consent myth, over the years, many businesses have actually relied predominantly on consent as a means to achieve the lawful processing…

Europe Sets the Standard – Other Regions Follow

The Ibero-American Data Protection Network (“network”) adopted “Standards for Personal Data Protection for Ibero-American States” (“SPDP”) on June 20, 2017 at its meeting in Santiago, Chile, with the official English translation now available. Most data protection experts have predicted that the adequacy provisions of the European General…

Assessments are the Hub of a Forward-Looking Data Protection Program

The term assessments appear a great deal in IAF work. We have written about comprehensive data impact assessments, ethical assessments, digital marketing assessments, Canadian assessments and legitimate interests assessments. All these references are part of the same theme; a family of comprehensive assessments of how data is used and how it impacts individuals is necessary… Continue Reading

IAF Policy Call

The ePrivacy Regulation may swallow any flexibility built into the GDPR. What does this mean for effective data protection governance and the ability for companies to build value by thinking with data? Does the adequacy drive from Latin America cause additional disruption? Will the International conference in Hong Kong bring balance back to global discussions? Join…

AI Without Data is Artificial Ignorance

Many years ago, I attended a seminar in Prague on the state of credit scoring in numerous locations in what had been Soviet Europe. I was taken aback by the stretch to find any data that would facilitate the growth of consumer markets through credit. This followed a session on credit scoring at the International…

Detailed Overview of the Effective Data Protection Governance Framework and Components—A Data- and Use-Based Approach

In the Information Accountability Foundation’s blog in Sept, the Effective Data Protection Governance (EDPG) project was introduced. The EDPG proposes a re-alignment of responsibilities, the introduction of new obligations and a different way to think about obligations for each participant in increasingly complex information ecosystems. The objective of the framework is to better align responsibilities while…

IAF Policy Call on Research as a Legal Basis to Process

Thinking with data, the discovery of new insights through the processing of large diverse data sets, has already become a driver of innovation. One of the truly remarkable outcomes of the European Data Protection Regulation is a liberalization of data for research. Is research essentially a new “legal basis” to process data? Viktor Mayer-Schonberger and…

Trust Deficits, Bright Lines and Verification

Freight trains heading through a tunnel are pretty hard to miss. The equivalent of a freight train in the world of privacy is a privacy trust deficit related to information use in an observational age driven by analytics. The many, many indicators that have piled up over the recent days, weeks and months are coming…

Accountability in an Observational, Analytics-Driven Digital Economy

Since a multi-stakeholder group first defined them in 2009, the essential elements of accountability have become well established in the field of data protection. These elements are reflected in guidance from data protection and privacy authorities in Canada, Hong Kong, Australia, Colombia and France. They have been adopted as key elements in the European General…