GDPR 360: Practical Use Cases for Senders and Receivers
With so many branches of email marketing participating in the CSA Summit 2018, a panel discussion was organized with attorney and data protection specialist Dr. Jens Eckhardt and four representatives of the email marketing community: Magnus Eén from the brand Westwing, Kerstin Espey from the ISP HeLi NET Telekommunikation, Dr. Isabel Feys from the ESP Mailjet, and Don Owens from the security provider Cisco Systems. The discussion was moderated by CSA attorney Rosa Hafezi, and looked at the impact of the GDPR for all players in emailing.
The discussion revolved around several topics, including definitions, the setting up of processes, the responsibilities of data controllers and third-party service providers, cross-border transfers, and data portability.
Dr. Jens Eckhardt presented “the Holy Trinity of the GDPR”, the three questions that need to be answered for any processing of data:
1. Is personal data concerned?
2. What is the purpose of processing?
3. What is the legal basis of this processing? – consent, or lawfulness on the basis of a balance of interests
Defining “personally identifiable information”
What does “personally identifiable information” mean? This is something that companies need to understand, in order to know which data will be involved in GDPR compliance issues. Dr. Jens Eckhardt pointed out that although this is defined by law as “personal data” – and it does not matter whether the data is particularly sensitive or not – nobody is quite clear about what this should mean. He went on to say that the same problem exists in reverse with “anonymous data”: during the legislative process, the lawmakers were unable to develop a workable definition. Recital 26 provides some information – what Eckhardt considers to be “a definition to explain a definition”: Personal Data takes into account “all the means reasonably likely to be used to identify a person,” with “reasonably likely” further depending on the expense and technological developments at the time of the data processing. For Eckhardt, this means that no-one can be completely sure about whether data can be considered anonymous or not – in the end, he commented, there will be almost no anonymous data in a company.
The Setting Up of Processes
Magnus Eén, talking about how Westwing is working towards GDPR-readiness, explained that it was a big challenge to identify what precisely personally identifiable data means, to clarify how they store and work with data internally and who has access to the data, and to identify all third-party service providers. He commented that their choice to outsource their emailing to an ESP did not have an impact on their compliance issues, as the data processing is still largely taken care of internally. One challenge was to prepare for the possibility that a customer requests deletion of all data. With GDPR, it becomes very important to define processes to know how to find and delete everything from everywhere.
Dr. Eckhardt pointed out that companies will not be able to have one standard process to delete data: there will be some data that needs to be retained – e.g. for tax purposes – meaning that data deletion will need to be largely manual.
The Responsibilities of Data Controllers
Rosa Hafezi posed the question to Magnus Eén of who is responsible for implementing GDPR – the brand or the ESP? In Eén’s opinion, this is mainly the responsibility of the brand – the brand collects and owns the data, whereas the ESP only makes use of the data. On this point, Eckhardt argued that the brand is primarily, but not solely, responsible: the ESP has its own duties, and the brand will hand over some duties to the ESP. This does not make it joint data-controllership, but it is important to work together. If a mistake is made, the ESP could also face legal action. When it comes to sanctions and fines, both may be charged, but primarily the brand. Nobody can take the attitude of “that’s not my problem”.
According to Magnus Eén, one main challenge was to track down with whom data is shared, to ensure that those parties are also behaving compliantly and in accordance with the data processing agreements. From the reverse perspective, as an email service provider that can act as said third party, Dr. Isabel Feys explained the opportunity that Mailjet saw in the GDPR to become an EU leader in email marketing by making compliance a competitive advantage. Her motto is “change before you have to.” Mailjet examined the impact of the GDPR on their business case: What does it mean from an IT perspective? How can the deletion of data be carried out in one push? One gray zone remaining concerns how long the data can and should be stored. A clear impact for the company has been that the legal team has doubled, and there is considerably more consulting being done to help customers understand compliance.
Another gray zone that Dr. Isabel Feys raised was about transporting data across country borders. Dr. Jens Eckhardt made clear that data transfer to non-EU countries is a question of an “adequate level” of protection. This “adequate level” as defined by the EU Commission will stay in force after the GDPR. But more discussion will be required, at least when it comes to the US. In short, if you were allowed in the past to send your data to non-EU countries, then you will be allowed to in the future. The safest approach remains the EU model clauses and Binding Corporate Rules.
Speaking from the perspective of an ISP, Kerstin Espey commented that one big challenge she is still facing is data portability. It is a question of what personal data is, what kind of data is involved, and how to transfer this data to another controller. Dr. Jens Eckhardt clarified that data portability does not apply to all data – it is about data provided by the data subject to the controller. But there is no definition of “provide”, nor is there clarity concerning whether an end-user simply uploading something to a platform equates to “providing” data to the data controller.
Data portability has its genesis in mobile phone number portability, and the concept is for the end-user to be able to take all personal data to another provider (Eckhardt gave the example of Facebook and photos and messages from the last 10 years). Data portability does not apply to the metadata of an order, for example. The question of which format the data should be in is also not defined; merely that it should be in a machine-readable form. For Eckhardt, this is an advantage: it is not necessary to switch to a new system to provide data portability. Most important for ISPs is simply to implement a process by which data portability can be undertaken when a request comes from a client, even if the person responsible needs to go step by step to decide whether the request needs to be fulfilled or not.
An interesting reverse take on the privacy question
Don Owens turned the discussion of privacy on its head at the end of the panel session. As a security vendor, he explained, Cisco Systems collects data through spamtraps to analyze malicious behavior and create better forms of protection. But spam may be sent using, for example, hijacked or disused personal email addresses. This is potentially personally identifiable information that is being collected. Does data privacy or the right to be forgotten apply to security vendors? Can a malicious actor or a spammer – or the original owner of that hijacked email address – have the right to demand that security vendors delete their data? As Don Owens pointed out, “We don’t want to forget him. If we delete his data, we can’t block him anymore.” Further, security analysts need to share such data with other parties for the development of security applications. He went on to recount that after his initial panic at the legislation, he consulted with several lawyers, and subsequently calmed down considerably.
Dr. Eckhardt agreed that, yes, this is personal data, but that does not mean collecting it is necessarily prohibited. Going back to the Holy Trinity of the GDPR, what is important is to look at the purpose: security. There is a legitimate interest in collecting and storing this data, and the rule of the balance of interests takes precedence here. However, it is necessary to document that balancing process. In the end, it is important to have a process that can be shown to a Data Protection Authority (DPA). But it is unlikely that a security vendor will be required to delete such data: to exercise the rights of a data subject, the data subject must first be verifiably identified, and spammers and malicious actors will have trouble authenticating themselves.