CI: And the right to be forgotten?
BH: One of the important things to remember about the right to be forgotten, like some of the other data subject rights, is that it’s not an absolute right. Nonetheless, the data controller has to take into account the request of the data subject, and it has to treat it seriously. And that also means that the controller has to have mechanisms in place with its service providers who are data processors. Specifically, the controller has to ensure that in its contracts with processors there is a provision for honoring data subject rights. As we move to GDPR 2.0 here, past the May 25 implementation deadline, the data subject rights are one of the more interesting areas. The companies that have been working on being compliant have been making their beds. And now the public at large gets to peek under the sheets and see what it looks like, and how companies are going to implement the procedures that were put in place to address data subject rights, such as the right to be forgotten.
CI: Now that information governance has taken center stage, are more companies hiring information officers? And should everyone?
BH: I think so. In today’s Information Age, not having somebody in charge of your information is in many cases like not having someone in charge of your finances. The central function of information officers is, to a certain extent, risk management, but they also have to take into account governance of the information—things like data classification schemes, data retention schemes, and any number of centralized policies and procedures that bear on the appropriate handling of information, which is both a tremendous asset and a tremendous source of risk. Appropriately coordinating all those efforts is key. It’s no longer the case that a company can rely on a bunch of well-managed technical procedures maintained within the IT department.
CI: What is the EU’s ePrivacy Regulation? When does that go into effect? Who needs to comply?
BH: The ePrivacy Regulation was supposed to come into effect at about the same time as the GDPR. It is expected to have a similar remedy structure—very big potential fines for noncompliance. But finalizing the ePrivacy Regulation continues to be controversial. Two of the main topics of ePrivacy in the EU are cookies and electronic marketing communications. Any business in the EU that has a website and is involved in email communications cares about ePrivacy, or should care.
One of the challenges is that there have been ePrivacy laws in the various member states of the EU for some time, but they haven’t been enforced much. So what we’re looking at is a single set of rules that actually will be enforced. And that’s causing a lot of debate and careful thought around the associated restrictions of, and implications for, commerce that flows from the cookies requirements and eMarketing laws. Remember also that the ePrivacy Regulation is a separate set of requirements from those in the GDPR. So to the extent that the ePrivacy Regulation might not require consent for some particular data processing activity, such as email communications or cookie collection, that doesn’t mean that you don’t have to look to see if it’s required by the GDPR. And vice versa.
LBB: Generally speaking, what are the organizational challenges for companies in this still-emerging Information Age?
BH: There needs to be more of a formal internal structure for assessing and managing the risks of processing data, including the creation and enforcement of data handling policies. Companies are starting to see that there needs to be an interdisciplinary team or a set of teams that focuses on these issues and reports up.
CI: What are some of the important legal issues for in-house lawyers to focus on?
BH: Having policies in place that are actually followed is important with respect to information governance, and that entails getting real review and buy-in from the various stakeholders. As key building blocks, a solid understanding of the company’s various data practices and something akin to the processing inventory we discussed with respect to the GDPR are really important. Understanding the processing that is going on is key if a company wants to avoid piecemeal attempts to comply or is repeatedly trying to address issues after the fact. It’s also very important to maintain open lines of communication in the contracting process with vendors and service providers. And, of course, there’s the whole cybersecurity topic as well. There’s some overlap with privacy, but these days it’s at least as important to be aware of and on top of security in the cyber world as it is in the real world.
CI: How might evolving privacy laws affect business models?
BH: Consumers and other individuals increasingly demand respect for their privacy, even as they realize that they have less privacy in the normal sense. So the focus is on demonstrating responsible behavior, and being open and honest about data practices. For data practices to stand, a company should be ready to demonstrate the value associated with the decisions that the company has made about how it approaches privacy.
There is an old way of doing things—having a privacy policy and getting away with whatever the privacy policy doesn’t really speak to—and there is the new way of being up-front about the value associated with the processing of the data and what the consumer gets in return. There is this classic problem with the privacy bargain, in which people exchange their privacy and data in return for free services. I think we will see more emphasis on historical fair-trade practices about disclosing the actual terms of the deal to individuals, helping them to understand what exactly the bargain is, and perhaps giving them the option to pay for a service or use a service with different features in exchange for less collection and use of personal data. Of course, appropriate disclosures and choices have to be balanced with the goal of not overwhelming the consumer with too much detail.
There’s also plenty to be done in the privacy engineering field in terms of privacy-enhanced technologies, including clever ways of advising and giving choices to people and coming up with uses of data that are minimally invasive. Especially in the face of next-generation privacy laws such as the GDPR and the forthcoming ePrivacy Regulation, we’re going to have to see some of the same creative ingenuity applied to the privacy field that has been applied to the development of apps, and of the internet in general.