Reading the law – Part One

If you have not read the core of the GDPR law, you should. You need to understand what the law is about to prevent making interpretation mistakes. The law has two mayor textual parts;

  1. The considerations, that explain what the law is suppose to be about.
  2. The actual book/core of the law, that explain the rules in a series of chapters and articles.

The law itself is the 'what' and 'how' of the law, but it has a large number of consideration as a pre-amble to the law. These provide understanding - the why - of the intentions of the law, laying the ground for the actual rules of the law that follow. A few of these considerations are gems of insight. Lets look at a few;

Cookies bars are bogus GDPR
Consideration 15:

"In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. .."

Now, ask me again why a cookiebar is not GDPR proof.

The GDPR cares about the data you collect, for how long you store it, where you store it and a whole lot of other aspects. What it - explicitly - does NOT care about, is the technological means by which you captured that data. The word 'cookie' shows up exactly once in the laws text and only then as an example of an online identifier.

Other regulations, like telecommunication laws may still require you to show your cookie bar, and it is a good practise to inform your visitors of your activities. But a cookiebar is about technology, and asking permission to place the cookie in the visitors browser is not the same as asking permission to store personally identifiable information on your or a third parties servers.

Some data you may simply not process
Consideration 19:

"The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. ..."

You should not ask about, or store information on someone's criminal past, fines and investigations they have been under. This may not be a common thing to collect for most webshops, but recruitment websites and HR departments need to scrub any data they have and no longer collect these data items.

GDPR free if you obviously don't serve the EU
Consideration 23:

"In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. ..."

In short that says, that if you are not targeting the EU, you are not obliged to be GDPR compliant, even if a EU citizen accidentally comes to your site or emails you directly. A local bakery in rural australia does not have to bother with the GDPR. (It has other local laws to worry about.)

No GDPR if you are dead
Consideration 27:

"This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons."

This was not tackled in the GDPR alas. If this leads to data harvesting from deceased, profiling of next-of-kin becomes easier if details of a past life become public goods.

The manual for collecting consent
Consideration 32:

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

This consideration is, in my humble opinion, an absolute key statement of what the GDPR is about. The person owns their own data, and you may not trick them, mislead them, cohers them or refrain from supplying ample information. What this practically should result in, is the granular requesting of processing rights, where and when it is needed in a website, even with anonymous visitors.

Child protection gets a boost
Consideration 38:

"...The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child..."

In other words, children have the right to give their personal details to a couselor or child carer without a possible abusive or addicted parent having to consent. Well done.

Lawful and fair
Consideration 39:

"Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used."

This paragraph is the basis for why you need to explain what you are going to do with all that data you are collecting. And it means you must be open and clear about everything related to collecting personally identifiable information.

Consents must be unique
Consideration 43:

"Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."

One button will not rule them all in the GDPR. Each time you collect information for a new (or extended) unique purpose, you must collect a confirmation accoording to the 'freely given' rules from consideration 32.

The GDPR can be lifted in times of disaster
Consideration 46:

"The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. ... ... as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters."

So when disaster strikes, emergency services can create a map of all cell phones in an area without being sued afterwards.

legitimate interests vs consumer rights
Consideration 47:

"The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. ..."

The first section is why many website owners may claim that tracking for analytical reasons is fine, because it serves their interests. But as a web browsing european citizen, there will be no 'relevant and appropriate relationship', because there is anonimity. Once a users logs into a website, there is a relationship, but not before that. So, you are really not allowed to load Google Analytics without permission, even if you anonimised the collection of the data - you dont have a relevant relationship yet.

That's ten of the 173 considerations that have gone into the law. These thoughts and directives are the raw material of  the GDPR's law articles. Next up, the actually rules.