Data Protection Series: Personal data is not a commodity

Stewart Dresner


The four year battle over the wording of the European Union’s new Data Protection Regulation was largely finished in late 2015, meaning it is time to move on from the rhetoric of the opposing camps to planning for implementation.

Personal Data: the Lifeblood of Modern Life

Business wants one legal regime for personal data across Europe. But the final agreed document is at an uncomfortably high level for many companies. Last month, Paul Nemitz, Director, Fundamental Rights and Union Citizenship at the European Commission, gave a rare commendation to a specific company for its privacy practices. He declared: “Personal data is not a commodity. It is the life blood of modern life in the 21st century. In European history and culture, a person is not an object … Personal data is like the stock market. If there is lack of confidence, then the value of a company goes down. Apple is strong on data and encryption, and is the world’s highest value company on the stock market.” He wanted to show that respect for personal data is compatible with commercial success.

For anyone not wanting to struggle through the 209 page document, here are a few of the Regulation’s most important strategic points for your organization:

People worry about what is happening with their personal data. This can lead to distrust for businesses and the government which holds and processes this data. In the US, data breaches have been the main focus of attention for companies and individuals driven by state legislation starting with California. But the emphasis in Europe is rights for individuals and resulting heavyweight legal duties for companies.

Unambiguous Consent for the Collection of Personal Data

Longstanding rights of access and correction are now greatly expanded to include “unambiguous consent” for use of a person’s data and a right of data portability. This means that, for example, individuals will be entitled to transfer their mobile device records from one supplier to get a quote from another.

A case which illustrates the unambiguous consent issue is the current legal battle between Facebook and Belgium’s Commission for the Protection of Privacy, in which the Belgian court imposed a fine of 250,000 euros (US $272,000) a day payable to the Commission. The Belgian DPA’s position has now gained the support of other privacy regulators such as those in France, Spain and the Netherlands.

The Belgian court ruled that Facebook’s practice of putting cookies on devices of non-Facebook registered users visiting Facebook violates Belgian data protection law. According to Facebook, these cookies are necessary for security reasons. Whereas people with Facebook accounts are more likely to understand this process, visitors to Facebook who do not have an account are unlikely to understand the implications of their visit. The privacy policy relevant to them is on page 10 of a 10 page policy and even clicking on a Facebook “like” button or choosing a language option is considered an opt-in according to Facebook’s procedure.

This case is a preview of what can be expected when the EU Data Protection Regulation enters into force in 2018. The Data Protection Authorities will expect a company, such as Facebook, which has not gained “unambiguous consent” for use of a person’s data, to comply with such orders in all territories of the EU as a means of aiming for consistency with the requirements of the EU Data Protection Regulation.

More attention has been given to the Court of Justice of the European Union. Last October, it was determined in the Schrems case that the US-EU Safe Harbor to be no longer valid as a legal basis for transferring personal data from the European Economic Area to the US. As a special deal for the US based on self-regulation, some commentators regarded the Safe Harbour as “neither safe nor a harbor.” As a result, many multinational companies, such as Salesforce, have quickly turned to legal alternatives, EU model contracts and Binding Corporate Rules.

European storage and cloud services increasingly attractive

Seeing the direction of travel of the EU Data Protection Regulation negotiations, many companies are shifting their processing and storage of customer and employee data to a country in the European Union. This move will give companies more certainty about a secure legal basis for their processing of personal data. This is a substantial commercial opportunity for cloud services that give customers an opportunity to specify the country in which they want to base their service. In the same way, some traditionally US-based cloud services now offer EU-based options. Microsoft is even running a long legal battle in the New York courts denying that US law applies to these EU-based services.

Data protection day is just one day, but the values it represents are increasingly important.

For more information about data privacy, navigate to our Data Privacy & Protection Zone.


More in Privacy & Security