Top 3 privacy insights from Summer Legal Conference
Interesting issues arose from the privacy-related discussions at the Summer Legal Conference with major thought leaders on the GDPR obligations and their impact on businesses.
I was invited on 24 July 2017 as a speaker at the Knowledge Nomads Summer Legal Conference in Berlin. There was a very interesting debate on privacy issues together with Max Schrems, the man “liable” for the invalidation of the Safe Harbor data transfer scheme, Lanah Kammourieh Donnelly, Public Policy Manager at Google, and Sandra Wachter, Privacy Expert at the Oxford Internet Institute.
After having “thanked” Max Schrems for the long nights that followed the invalidation of the Safe Harbor scheme, and having taken a nice picture together, below are my top 3 insights that arose from the discussion:
1. The GDPR is a “rebus” when it comes to automated decision-making
There was an interesting speech from Sandra Wachter on whether the General Data Protection Regulation provides for a right of explanation in relation to automated decisions. Her position is that the GDPR provides for
“a right to be informed” about the existence of automated decision processes and system functionality, if solely based on automated processes and with legal and significant effects, but no explanation about the rationale of an individual decision
Her conclusion is based on the fact that the right to obtain an explanation of automated decisions is only mentioned in Recital 71 of the GDPR, which as a recital is not legally binding, while there is no reference to it in Article 22 of the GDPR.
This is an interesting point, but it assumes that EU Data Protection Authorities will not treat recitals as guidance when identifying obligations. Also, if individuals can contest the decision and the entity relying on the automated decision cannot explain it, would the individual be able to claim damages for the harm potentially suffered because of a system that took either a wrong decision or a decision that cannot be explained?
I recently published an article on intuitive artificial intelligence and whether AI should have freedom of choice. It is likely that the legislators did not have such technology in mind when they drafted the GDPR, but the open question is whether such technology would be GDPR compliant.
Another open issue is whether automated decisions based on health-related personal data can rest solely on the individual's consent, as provided by Article 22(4) of the GDPR. This might have a massive impact, for instance, on the online application process for life insurance policies. In my view it is possible to argue that companies may consider the manual handling of applications from individuals who do not consent to automated decisions on their health data economically unfeasible, and therefore deny those requests.
2. The GDPR might lead to excessive costs and uncertainties for businesses
The right of access, the right to data portability, the obligation to put in place adequate security measures and the other rights and obligations provided by the GDPR might require a very large investment by businesses. Google apparently invests over half a billion dollars a year in security measures and has a very large team dedicated to handling requests relating, for instance, to the exercise of the right to be forgotten.
However, in my view the market benchmark and the level of compliance required cannot be what Google does! Not many businesses can afford to bear similar costs, but unfortunately the “risk-based approach” provided by the GDPR is very broad and uncertain, and the GDPR provides that individuals exercise their privacy rights free of charge.
The above rules, together with the principle of accountability, oblige companies to demonstrate that they have done what the GDPR requires. The need to demonstrate compliance with an adequate standard of diligence is definitely a heavy burden, and accountability programs must be very carefully drafted. GDPR rules might also prevent small businesses from entering markets involving the processing of personal data, simply because they cannot afford to comply with the obligations set out by the GDPR.
It would have been better if the GDPR had given more detailed instructions on what to do to comply with its obligations, and had allowed fees to be charged for the exercise of privacy rights, as otherwise the whole burden falls on the industry.
3. Is there a solution to privacy rules on data transfers to the US?
Max Schrems gave an interesting presentation outlining the whole process that led to the invalidation of the Safe Harbor, also emphasising that the current Privacy Shield might suffer from the same issues previously raised against the Safe Harbor.
National security activities of EU Member States fall outside the scope of the EU Treaties and therefore of European privacy rules. The same principle does not apply to investigations run by the US Government, which in any case might be difficult to control.
Google joined the Privacy Shield, but the issue is the lifetime of this scheme and whether businesses should bet on it. There is also a risk that the Standard Contractual Clauses will be invalidated, and not all businesses can afford to relocate their servers to the European Union so as to be able, at the very least, to switch to them in case of new decisions on data transfers.
During the conference I gave a speech entitled “The Internet of Things meets the Law”, and I published the presentation here and below since someone asked for it.
On the GDPR, you might also find my series of blog posts below interesting:
As usual, if you found this article interesting please share it on your favourite social media.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.