One Year GDPR: What Comes Next?

The General Data Protection Regulation (GDPR) came into force on May 25, 2018. Many EU and U.S. businesses rushed to take measures to comply with the new requirements. The GDPR is still the strictest and most comprehensive privacy law in the world. With the GDPR, data protection has risen to the top of the agenda of many corporate boards. Many companies have spent serious money on compliance. The GDPR also brought changes for many U.S. consumers, whom U.S. companies now treat on an equal footing with EU data subjects. They now enjoy various rights under the GDPR, such as data access rights, a right to be forgotten, consent requirements, etc. Moreover, the GDPR requires companies to take technical and organizational measures to protect personal data. They must comply with the principles of privacy by design and privacy by default, among others, for their products. Within a few months of the GDPR coming into effect, it seems that the new rules are already yielding tangible results, although the compliance process is ongoing in many cases. While this is very positive for individuals (the GDPR’s “data subjects”), there are areas where companies struggle. Here are the top five:

  • The right-to-be-forgotten: When does it apply? What scenario does it cover? How must companies and regulators balance this right of the data subjects against other rights (e.g., free speech or law enforcement requirements)?
  • Data retention periods: Under the GDPR, personal data must be stored no longer than needed for the purpose collected. How does a company square these requirements with its business needs?
  • Data breach reporting: When must a company report a data security breach (hacking, data theft, data loss) to the data protection agencies and what is the time period for it?
  • Vendor contracts: When are vendors allowed to pass on personal data to their agents and third parties (data sub-processors)?
  • International data transfers: Will the EU-U.S. Privacy Shield remain? When does consent justify an international data transfer out of the EU/EEA to the U.S.?

Privacy Laws Still Vary and Make Compliance Challenging

Although the GDPR has yielded a solid degree of harmonization in Europe, the data protection laws are still not the same in each jurisdiction. The implementation laws of the GDPR in the EU vary significantly. Brexit will add an additional layer of uncertainty for companies with UK operations. In the U.S. there are various privacy laws that companies must follow, each with its own definitions and requirements, such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act in the financial sector. In the healthcare sector, HIPAA (Health Insurance Portability and Accountability Act of 1996) has its own rules, as does, for instance, the Illinois Biometric Privacy Act. In addition, there are U.S. state privacy laws that companies must observe. The much-debated California Consumer Privacy Act (CCPA) will bring sweeping changes for companies doing business in California. The CCPA mirrors some rights and obligations that companies dealing with the GDPR will be familiar with, but the CCPA is far from being a copy of the GDPR. There is no end in sight to the debate over whether and when the United States will have a federal privacy regime comparable with the GDPR.

New Suggestions by the German Ministry: Use Icons and Pictograms

It should not come as a surprise that the GDPR has resulted in corporate privacy statements becoming longer and longer (and altogether incomprehensible). “In the case of Paypal, it takes about 24 minutes to read the privacy policy,” complained the German Consumer Federation (VZBV) recently. This calculation does not even take into account the 48-page list of third parties who may receive personal data as sub-processors. It is clear why this has happened: Companies hope to cover all possible eventualities in the privacy policy. However, it is not only privacy policies that are mushrooming; users also complain about lengthy notifications to individuals under Articles 13 and 14 of the GDPR that arguably require a law degree to be understood. There are also complicated cookie consents with technical descriptions of cookies or web pixels. Users prefer to scroll past them. In particular, this happens when they download apps and lengthy data protection statements appear on their smartphones. The constant barrage of requests for consent has led to “consent fatigue” among users.

The German Federal Ministry of the Interior is not pleased with the situation as is evidenced by a recent statement in response to an information request (Kleine Anfrage) from the Free Democrats (FDP) dated April 5, 2019 (BT-Drs 19/9168). The Ministry proposes some measures against overly lengthy policies and user “click fatigue”:

  • Pictograms or icons in the privacy statements that would be well suited to “provide users with a better understanding of privacy policies.”
  • Software should “automatically scan the privacy statements and point [the user] to certain privacy risks (e.g., data processing based on consent, tracking, data transfer to third parties).”
  • A legally compliant Europe-wide uniform model privacy policy.

There is also the Ministry’s earlier proposal, in collaboration with the German IT company Zalando, for compact privacy notices. Zalando’s software tool analyzes privacy statements based on what data a website or app collects and generates a short explanation (a one-pager). Another practical possibility is for providers to work with hyperlinks in the privacy policy that allow the user to click through to further information, or with summaries at the beginning of the policy. App developers often use this approach.

Back to the Ancient Egyptians?

Having EU-wide templates for the business sector is probably daydreaming. It is not going to happen anytime soon. Using software to summarize a privacy policy may miss the complexity of the data processing and is currently prone to errors. Hyperlinks within a privacy policy may confuse or misguide users and entice them to skip important information. Having icons or pictograms in privacy policies to guide users is an interesting idea that requires more discussion. They would likely look like traffic signs. The EU Commission’s GDPR guidance “Better rules for small business” uses various icons, e.g., a “thumbs-up” for consent or a mailbox sign for contact information. Recital 166 of the GDPR states that “[t]he Member States should issue, in respect of criteria and requirements for certification mechanisms, information to be presented by standardized icons and procedures for providing such icons.” However, no such icon has been approved yet in Europe. Currently, data controllers bear the risk that an icon is misleading. Users should therefore not expect that the privacy policy of the future will look like the hieroglyphs of the ancient Egyptians.

The views expressed are those of the author(s) alone. They do not necessarily reflect the views of the American Institute for Contemporary German Studies.

Axel Spies

German attorney-at-law (Rechtsanwalt)

Dr. Axel Spies is a German attorney (Rechtsanwalt) with Morgan Lewis & Bockius (Washington DC) and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).