Luc Gommans/ blog

GDPR is nearly identical to the previous law

Written on 2018-05-26

Since people are spreading a lot of fear, uncertainty and doubt, here is an overview of the changes the GDPR introduced.

What already existed

The Dutch privacy law, WBP, is based on the European Data Protection Directive from 1995. I use this as my basis because it's the one I know, and because EU member states had to implement the same law and there will be only minor differences. My information on GDPR is largely based on information I gathered from different places on the the Dutch privacy agency's website (autoriteitpersoonsgegevens.nl).

Under WBP, we already had the following aspects of GDPR:

What is new

Summary

The biggest changes are:

Costs

Previously, you were allowed to charge a few euros to cover your costs. Now, you're only allowed to do so when someone repeatedly sends in many requests, or when you can prove that the requests are unlawful. In such cases, you can also refuse the request.

Consent

In cases where you are required to collect consent, one can only give you consent if they:

You should record when consent was given (and what they were told, to prove that you collected it for the purpose you intend to use it for).

The difference with WBP is somewhat subtle. The only concrete change is that you have to inform people about their rights.

Collection registry

In most cases, you need to keep track of what you are collecting, for which purpose you collect it, and how long you will store it. Technically, this is new, but in practice you should already store when you got consent, from whom and for what, because you might later need to prove that you got this consent. Now this was expanded to keep a register on all personal data that you process, not just that which needed consent.

Data portability

People already had the right to know what was being collected about them, so you had to show them on request. You could invite them to your office, charge them a couple bucks, and show them their files.

With data portability, the data has to be handed over in a usable format. You have to include the person's own data, but not any derivatives. For example, if your algorithms decide he's a Caucasian male with 70% certainty because he's born in year X and has nationality Y, then your portability data export does not have to include that assumption.

Note, however, that when someone requests to see what data you have on them, such derivatives are part of it. The right to view your data and data portability are slightly different things.

Right to be forgotten

This right is very similar to the existing right to have your data removed, but slightly expanded.

In a number of cases, organistions need to remove someone's data upon request. This applies when:

And of course when you are not supposed to have the data (any longer), e.g. when you are only allowed to store something for six months and it has been seven, or when you should have collected consent but you never asked for it.

You do not have to remove someone's data when it is necessary. There are a number of cases defined for this, such as when the data is necessary for a lawsuit, when the law requires you to collect the data, when you're a public agency which has a mandate to collect this data, etc. All quite obvious and not very broadly applicable (not many companies are unaware that they're public agencies and that their mandate is to keep certain data).

Note that backups are also included in this: you have to remove the data from backups as well. This is not necessary when it is difficult for your organisation to remove them, such as when you write them to tape archives where you can't efficiently remove a random part.

Automated decisions

When you make a decision about someone in an automated manner, you have to tell them that you did this when they request their data. People also have a right to request that a human has a look and makes a new decision. One example of this is applying for a job online, where the computer might reject you automatically based on its programming.

This was already part of the law (WBP article 42 sub 1), but it was a prohibition on making important, automated decisions based on data whose purpose was to determine your personality. "Important" means it either has legal consequences or it "impacts you significantly". Now it applies to any automated decision based on data about you. It was also changed from a prohibition to a right on a human review, but that works out similarly in practice. (You'd go "hey you're not allowed to do that!" and then someone would review your case. Now you go "I want human review!" and get the same result.)

Data protection officer and impact assessments

You are required to have a DPO if:

Additionally, you have to do a impact assessment (DPIA) if: you collect data on a large scale, systematically do extensive profiling, or track people on a large scale in public spaces (such as with cameras).

If these apply to you, you probably already employed an army of lawyers.

Fines

The fines can be higher. The often cited number is 20 million euros or 4% of revenue, but these are maxima. Among the list of possible santions is also a written warning. Of course fines need to be substantial, or else the law won't have any effect, but it's not going to be an all-out mayhem like most Americans seem to think.

Conclusion

It still looks like a lot of changes, but if you read all of the above, you've seen that the vast majority of changes for the vast majority of companies is just details here and there. The largest change is having to keep a list of personal data that your company processes, and even that is only partially new. The other change that will require some real manhours is checking all your consent pages, because they now need to contain some boilerplate info on people's rights.

Unless, of course, you never complied with the old rules. Or your name is Facebook and you do things like facial recognition on a global scale... yeah, then some bigger changes are in order. To that, I say: hurray!

PS. About international applicability

I'm not a lawyer and I never got a straight answer from a trustworthy source, so this one is based on what I've read in different places and cases. It is said that GDPR claims to apply to anyone who processes data about someone from the EU. Well, I've got news for you: that's about as true as saying that the local law about anything applies internationally. You can shoot a bullet from Mexico into the USA and kill someone, and the USA will claim their law applies, but so might Mexico. There might be an extradition treaty, but given that issue about the wall ("and they'll pay for it"), I doubt there exists such a thing between these two countries. Hypothetically, it might have been legal in Mexico to kill the specific person you killed because they were an enemy of the state.

As far as I've heard, both from people who studied law and amateurs on the internet, it's pretty much whatever the authority feels like that day. Also before the GDPR, if Google would do something to a Dutchman that is illegal here, and Google has a Dutch office or something else here, the government could (if they felt like it) decide to seize assets and enforce things that way. This never happened as far as I know (under privacy laws at least), but with GDPR they are making a bigger point of it, so anyone doing business here might risk a ban by not complying. But, similarly, if some island in the middle of the ocean claims "you must pay tribute whenever one of ours does you the honor of coming to your country", that doesn't mean it is actually enforceable. Of course, the EU doesn't like to admit that.