Andreas Wabro
Santa Clara Law
LLM Candidate
There is one upcoming date most lawyers throughout the Bay Area and the Western world are curiously anticipating: May 25, 2018. This included Santa Clara Law School a few weeks ago at the Bridging the Privacy Gap: GDPR Symposium sponsored by the High Tech Law Institute and the Santa Clara Journal of International Law.
In the basement of Benson, a room without daylight but wrought with artificial illumination, the atmosphere was perfectly reflected by what others would simply describe as suspicion.
During the keynote speech, accordingly presented during lunch as the last part of a deep-diving panel discussion with some of the most recognized privacy lawyers of the region, Google pointed out why American companies should be somewhat cautious about current and future European privacy legislation. Earlier in the day, the audience somehow reached the conclusion that Facebook wants to comply with GDPR, and that Seagate understands that GDPR is all about good data handling. Nothing to be afraid of, actually. But first things first.
GDPR?
The General Data Protection Regulation, issued by the European Union in 2016, shall apply from this specific date in May 2018 and forces some new provisions on “processors” of “personal data,” such as technology companies that make gains on the transfer, storage and sale of the data of their European customers. Yet, being one of the core operations of Silicon Valley’s businesses, a restriction of data processing not only poses extra costs on technology giants, but also has the potential to eliminate small start-ups, which already struggle to survive in the world driven and fueled by big data. The main part of this symposium, called “GDPR – Bridging the Privacy Gap,” centered on first hand compliance advice, combined with an in-depth examination of some core provisions of this European Regulation. An interesting and mind-broadening lesson for all attending staff, professionals and students of Santa Clara University School of Law.
So tell me – how can I comply?
Sona Makker, Zerina Curevac and Kenesa Ahmad took a very personal and engaging approach towards business compliance with GDPR. In what they call “the data cycle” (the lifespan of data within a company, “Data collection – data usage – data transfer – storage retention and deletion”), the key question to comply with GDPR remains: How does my business properly organize, collect, and process personal data?
Their key take-aways: Take a look at the actual text of the regulation, gather information across the company with regards to the personal data collected therein and work towards closing gaps by providing recommendations based on “data mapping.” Build records of the processing by following the official guidelines. Ensure that you have the right stakeholders involved and try to maintain sustainable, repeatable processes. As a large company, start with the high-risk products, e.g. those which are highly sensitive and contain a lot of personal information. In case you are a small company (under 250 employees) and therefore exempted from the record keeping obligations in some situations, you still benefit from applying the same procedures from the start, as you will be subject to those obligations if you succeed and grow. Train people in order to recognize and solve high risk issues, conduct threshold risk impact assessments and start with just a few trigger points before directing a full Data Protection Impact Assessment (DPIAs). Use the available resources. Hence, no need to be afraid of GDPR when preparing for its impacts.
Of Processors and Sub-Processors
Felicity Fisher, Virginia Lee and Susan Lyon-Hintze focused on Art 28 of GDPR (the “processor” provision) and stressed the importance of addressing the different issues outlined in the Regulation within the data agreements concluded with suppliers and vendors. As those contracts have to define the subject matter, the nature and the purpose of the processing, it is extremely important to clearly understand your relationship with them, e.g. whether they provide SaaS or other services.
The panelists’ key take-aways: Try to find a commercially fitting solution, be a “thoughtful processor,” create a compliant template, but don’t forget to customize every single contract, and design a strategy to deal with “sub-processors,” for you need prior written authorization of the controller when engaging with those “other processors.” On the other hand, the rather vaguely drafted audit-provision of GDPR should be implemented in a functional way. This should enable processors to “provide you with third-party audit reports”, not forcing them to “sit with your lawyers and prepare depositions.” It is expected that processors will try to avoid obligations to perform on-site audits. As a result, when taking those steps and complying with GDPR, there is no need to be afraid at all.
Designing privacy?
Finally, Mark Webber and Emily Yu introduced their way of thinking about “Privacy by Design,” a principle of GDPR found in Art 25. Doing so, they referred to two common types:
- data strategy (minimizing and anonymizing, encrypting and separating data to handle it in a way reducing personal intrusion)
- process strategy (providing dashboards, aligning design teams to understand the privacy concepts as a hands-on learning experience rather than long and complex legal presentations)
What this really centers on: Leadership. Their key take-aways: As a leader, try to introduce proactive privacy programs. The benefits of addressing privacy clearly lie at hand: You constantly focus on potential risks and how privacy design can mitigate them. Therefore, create checklists of requirements and use them in order to assess those risks. Ask yourself various questions: Do you have consent? What about privacy notice? Which data are you processing? Where is it stored? How do you want to monetize your data? Rewardingly and as a means of learning by doing, the panelists also engaged the audience to work on a fictitious product (a smart fridge), addressing various privacy issues and how to possibly handle them by using the techniques they described. A good way of starting into lunch.
A challenging future?
Keynote Speaker Struan Robertson concluded this symposium by seriously questioning the future of European Privacy legislation, for there is more to come within the next few years – and their first drafts seem to frighten companies like Google. The European Union seems to be on an ongoing trip, establishing even more data protection measures. Tackling the Spain-centered ECJ ruling about the “right to be forgotten,” Robertson also referred to several other judicial developments which took place in the recent past, regarding for example the application of the right to be forgotten to criminal convictions, which can cause risks by decreasing public awareness. A more than challenging balancing task of fundamental rights, primarily left to technology companies.
Still, Silicon Valley should not be afraid of GDPR and its requirements. It is a chance for all tech companies to actively engage in ensuring that EU data is protected according to Europe’s expectations. It is the first major improvement in the field of data protection in years, making effective what the European treaties view as a fundamental right since the Treaty of Lisbon nearly a decade ago: The protection of personal data and the individual right to control that data to render it safe and secure. Those are definitely issues tech giants and other players do not have to be afraid of when implementing their GDPR compliance instruments. As always, it really depends on your point of view. As Emily Yu proclaims: “Individual data subjects have individual rights. Do not always think of data as your data, but as the data of the individual – we tech companies are only custodians.”
We thank the Santa Clara Journal of International Law and its co-sponsors, the Santa Clara High Tech Law Institute, the Privacy Law Student Organization and the International Association of Privacy Professionals, who hosted this symposium on February 9, 2018 at Santa Clara University.