In the wake of the Cambridge Analytica scandal, the world’s attention has turned to the European General Data Protection Regulation (GDPR), which comes into force on 25 May 2018 and is likely to have a massive impact on how data is collected, stored and used for the foreseeable future.
Speaking to a sold-out crowd at the IAB’s Industry Briefing on privacy, lawyer Peter Leonard with Gilbert + Tobin used the occasion to try to lighten the mood for the nervous members of the adtech industry and agency people in attendance.
To that end, Leonard said he’d tried to come up with a list of similarities between the GDPR and Donald Trump. His end result was a list of seven.
1 – They are both transformative not transitional, meaning they really change the ground rules of how things are being done today.
2 – They are unpredictable. The GDPR in particular is unpredictable firstly because there’s not been guidance provided on its interpretation, but most significantly, its interaction with the cookie rules in Europe remains most unclear.
3 – They both think they rule the world. The GDPR has extended jurisdictional reach provisions that have to be interpreted in the light of what is actually achievable. As does Donald Trump.
4 – There is much bluster about both of them. People are spending a lot of money trying to figure out and predict how each of them will operate.
5 – They both carry big sticks. The GDPR carries big financial sticks, Donald Trump: sanctions, weapons, what have you.
6 – They both also have a somewhat strange relationship with certain Silicon Valley brand names and
7 – That affects the way in which they operate.
Why does a change of laws in Europe matter down under?
“The GDPR in many ways has to be seen as Europe flexing its muscles over global data companies. There is a risk that countries like Australia will be collateral damage in the way that Europe endeavours to bring global data giants within its reach,” said Leonard.
So why is the GDPR so complex? Firstly because of its novel extended jurisdictional reach provisions, and most particularly of relevance to Australia, reach in relation to activities of entities outside of the US monitoring activities of individuals within the US.
That regulation is expressed in terms of monitoring through the collection of personal data.
Secondly, it’s an odd mixture of prescriptive regulations and principles and abstract concepts. So you read it thinking you’re going to find an answer and it’s kind of like an extended essay with lots of clearing of the throat at the start in the form of recitals, which then have to be interpreted into the provisions themselves.
“So it’s not like our Australian Privacy Principles, which are really skinnied down and you fill them out by reasoning. You’ve got all these detailed statements of how things are meant to be and then this principle stuff mixed in the middle of it. Really, reconciling statements of principle with detailed regulations is extraordinarily difficult,” explained Leonard.
Next you’ve got the interaction with the cookie directive. The privacy directive. “One of the really difficult questions that’s being debated in Europe at the moment is to what extent can the way in which you attained consent for cookies and other tracking codes continue under the new GDPR regime.
“Or do you have to apply the same consent regime to the placing of tracking code, cookies and the like, as the GDPR prescribes in relation to the placing of the cookies themselves. So you get into all sorts of pretty arcane debates such as can you use legitimate interest as a basis for placing cookies, do you need GDPR-style consent, that is unambiguous consent, whatever that means, before you can place a cookie as well as, as is clear under GDPR, in order to use data that has been collected by a cookie?
“It’s also impossible to paper your way out of GDPR readiness. It’s not about documentation, it’s not about policies, it’s about practices in the way you operate,” Leonard warned.