Data Protection Series: Personal Data is No Longer a Commodity [Podcast]

Topics: Store and Protect Information

New data protection regulations and changes to existing privacy laws are being introduced in Europe and the U.S. This podcast, featuring Stewart Dresner of privacylaws.com, discusses some of the key provisions and how they will affect the protection of personal and business data moving forward.

How the European Union General Data Protection Regulation impacts European companies


Part 1 - Transcript


Hello and welcome to Iron Mountain’s Data Privacy podcast: Personal Data is not a Commodity. With us today is Stewart Dresner. Stewart has written and researched extensively on data protection, privacy and freedom of information since 1975, and he was a founder and first chairman of the UK’s Data Protection Forum. He has spoken on data protection and privacy law at conferences across the US and Europe. In 1987 he established Privacy Laws & Business. The Privacy Laws & Business International Report covers over a hundred countries with data protection legislation and proposed legislation. The Privacy Laws & Business website, www.privacylaws.com, provides details of the firm’s services and links to privacy information worldwide. Thank you for joining us, Stewart.

Well, it’s a pleasure, Karen, to join you. We at Privacy Laws & Business have been in this field for, well, it’s now our thirtieth anniversary year, and we keep up to date by maintaining long-standing and close relationships with the national data protection authorities, the privacy commissioners around the world who interpret all the national laws, and we provide links to all those sources on our website in the links section. So we spend all our time on this subject; we are a sort of laser beam of attention on privacy law around the world.

Great, well, we are so happy to have you today. Just to get started, let me ask you: can you tell us a bit about the new European Union General Data Protection Regulation and how it impacts companies in Europe?

Sure. It’s a new law which has been negotiated over a four-year period. Currently we have the European Data Protection Directive, which was adopted in 1995, and this sets one system of law to cover personal data and sensitive personal data across all the member states. But for various reasons it is considered to be increasingly out of date; after all, the directive was adopted before the internet really got going and before a lot of people used email and mobile devices, so lots of things have to be updated to provide a seamless system of law across the European Union. As far as companies are concerned, they always want one system of law; after all, several European countries are really quite small, with small populations, such as Luxembourg and Ireland, and for any multinational company doing business across Europe it would be ideal to have one system of law. The trouble, as far as companies are concerned, is that in the way the regulation has been agreed the standard is going up, that is, more rights for individuals, and so companies have to get their act together to improve the way they work. They have many more legal duties, so they have to get their act together to meet these new demands. Some examples of how the regulation will affect companies: there are increased fines at the alarming end of the scale, for both administrative problems and where companies ignore the substantive privacy requirements. The fines are now, at the greatest extent, the greater of twenty million euros or 4% of annual worldwide turnover. I don’t want to be too alarmist, because I don’t think companies can usually be hit by these kinds of fines, but it is there to say privacy is important, and the idea from the decision makers in governments is that this is an important subject, with an importance similar to competition policy, monopolies and mergers, where very high fines of course are the norm.
Other areas of substance: there has to be consent or another proper legal basis for the processing of data. Often a consent is given in the first instance, but what about when data is processed later on down the line? So there is comprehensive coverage of the way that personal data is protected. The term “right to be forgotten” is being used quite a lot; it’s from a Spanish case which went to the European Court of Justice, but it’s best to think of that as a stronger right to erase data that is incorrect. Much has been written about the right to be forgotten, but I think anyone listening to this should think of it as a stronger right for someone to delete information which is incorrect or misleading. Another point is a right to object to receiving marketing information and to profiling. Profiling is at the heart of the tracking of data and the use of social media, so companies that use social media, and indeed the social media companies themselves, need to reflect on how this new provision will affect their services. There is a familiar thing for people listening from the US, that is, data breach notification. This has been unevenly covered in Europe in the past, and now there is a requirement to inform the authorities if a company loses data or has it hacked into. The idea is to report to the national authorities within seventy-two hours of a breach being discovered; obviously in some cases it can take longer to actually work out what’s going on, but this provision states clearly that this is something which should happen as soon as possible.
Another point which has been reported is the requirement to appoint a Data Protection Officer, often known in the States as a Privacy Officer or Privacy Manager, someone who reports to someone at the top of the company, to reflect the idea that this is something really important, a strategic issue for companies and not a sort of minor administrative detail. So the regulation is saying this is something really important for companies to take seriously. Well, that’s a few points; I could go on at greater length, but these are some points which companies ought to know about the regulation.

Great, thank you Stewart and thank you all for attending today’s podcast.

For more information about data protection, visit the Iron Mountain UK and US websites. Thank you.

And you are welcome to visit the Privacy Laws & Business website as well; we have links to information in over a hundred countries: www.privacylaws.com


How are US companies affected by GDPR?


Part 2 - Transcript


What about the companies in the US? How are they affected by GDPR?

One of the most important points for companies in the US is that it states quite clearly that any company in the US offering services in Europe is covered by this regulation. In the past, some companies have said that because we are based in the US, based in California or wherever, then these laws don’t apply to us, and this became a point of argument in the UK. For example, in a case called Google versus Vidal-Hall, Judith Vidal-Hall said that her privacy was being invaded, that her feelings were being hurt, that is, non-monetary loss, and Google said that “we don’t recognize the jurisdiction of the English court; if there is a case we want it to be heard in California.” This went to the Court of Appeal, and the Court of Appeal was quite clear that this is a case that needs to be heard in the UK. So, in other words, there is national law and the new EU regulation pulling in the same direction, saying that on questions of personal data and privacy this EU regulation is supreme and European law applies. So that’s one point. The other thing that companies may have heard about is the so-called Schrems case at the European Court of Justice, where Safe Harbor is no longer regarded as valid in the European Union. This was a special deal negotiated between the European Commission and the United States about fifteen years or so ago, in which companies could self-certify that they were protecting the personal data held in the US and that this arrangement would be regarded as adequate, that is, good enough as far as protecting personal data is concerned, as if it were in Europe.
However, the European Court of Justice has taken a good look at this and suggested this is not a proper basis for transferring data from the European Union to the US, and therefore the three or four thousand companies that have been relying on this provision in the past will now have to seek a stricter legal basis for exporting data from the European Union to the US. The two most well recognized are using EU model contracts, contracts drawn up by the European Commission which will protect personal data in a proper way, and the other is binding corporate rules, a very comprehensive set of arrangements which companies can engage in, but it does take months to get organized to comply with binding corporate rules. As the European Court of Justice and the European Commission have given the negotiations to run until the end of January before a new agreement must be reached, I think wise companies are now looking to protect their personal data by using the new model contracts, which is the quickest way to fix this problem, and others may be considering binding corporate rules, but as I said that will take longer to get organized. So the main message for companies in the US is that the European Data Protection Regulation will apply. There is a two-year running-in period from some point soon to 2018, but this is something companies should take seriously.



Why is personal data no longer a commodity?


Part 3 - Transcript


In your recent blog for Iron Mountain you wrote that personal data is no longer a commodity. What exactly did you mean by that?

What I wrote was that personal data is not a commodity as far as Europe is concerned. It is to do with fundamental rights: privacy in Europe is regarded as a fundamental right, it’s reflected in the EU Charter of Fundamental Rights, and that’s the basis on which this regulation has been built, and that’s why the European law is rather strict on this point. This is by contrast with the US, where US law has emphasized certain problems that have occurred, for example regarding data breaches. California was the first state to pass a law to take action on data breaches, which need to be reported to the individuals affected and to the state authorities, and most other states now follow that. So that’s become very famous in the States and other companies have now paid attention, but it’s dealing with a particular problem of loss of data or data being stolen or hacked into, which is certainly a data security issue, certainly important as far as the loss of individual data goes, but it doesn’t deal with the fundamentals of individual rights, the rights that we see reflected in European law: that people should have the right of access to information, to know it is being collected at all, how it’s being protected, to whom it’s being transferred, and a right of correction. Even the Federal Trade Commission, which is the most active government body dealing with privacy, bases its work on Section 5 of the federal law on which it’s based, and the idea is to stop deceptive practice, so if a company is claiming it’s protecting data and it turns out that they don’t do so properly, then the FTC, the Federal Trade Commission, takes active steps, and has reached settlements with both large and famous and less famous companies to ensure they have audits into the future. What’s lacking in the US is a comprehensive sense of what privacy is all about, and that’s where Europe is stronger, and that’s why there is some discomfort in the States about this subject being tackled quite differently in Europe.
So, in short, in Europe personal data and the rights of individuals are not considered a commodity, whereas in the States there is a tradition of money-off coupons and sacrificing your rights in order to gain an advantage, and such things in Europe are not considered proper, so there is a different cultural basis there.



The role of the cloud in transferring data between the US and Europe


Part 4 - Transcript


Where does the cloud fit in? Will there be any changes in how information is transferred between the US and Europe?

There are increasing demands in Europe for cloud centers to be based in Europe. The reason for that is that where cloud services are outside European jurisdiction, companies in Europe don’t know exactly where the data is being processed. Obviously many cloud companies have mirror sites in Asia and many different countries, and there is uncertainty about where the data is, and if EU rights are to be taken seriously and protected seriously, the simplest thing for companies to do if they wish to use a cloud service is to base it somewhere in Europe. Therefore European law will apply and companies won’t have to jump through hoops to satisfy the European authorities, and that is why there are many companies with existing cloud services setting up cloud services in Europe and even offering a guarantee that the data will be held in Europe. And so that makes it much easier for client companies or users of cloud services to comfortably work with US-based cloud services.
