Big Data Archives - TechGDPR
https://techgdpr.com/blog/category/big-data/

Difference between Fundamental Rights Impact Assessment & Data Protection Impact Assessment
https://techgdpr.com/blog/difference-fundamental-rights-impact-assessment-dpia/
Tue, 30 Jul 2024
Through the AI Act, the EU seeks to ensure that AI systems used within the Union are safe and transparent. The EU AI Act provides a regulatory framework focusing on safeguarding fundamental rights, in relation to high-risk AI systems. Companies making use of AI, regardless of their size or industry, must now comply with the AI Act’s provisions. This marks a significant step towards responsible and ethical AI development and deployment across the region. Article 113 of the EU AI Act states that the Regulation “[…] shall apply from 2 August 2026”. However, some provisions become applicable sooner or later than this date. Most of the Act’s provisions require full compliance 24 months post-enforcement.

Crucial to the AI Act is that organisations using high-risk AI systems must conduct a comprehensive Fundamental Rights Impact Assessment (FRIA). This assessment proactively identifies and mitigates potential harms to individuals. Notably, the FRIA shares similarities with the Data Protection Impact Assessment (DPIA) mandated under the GDPR. This underscores the intersection of data protection and fundamental rights in the context of AI systems.

What is a Fundamental Rights Impact Assessment (FRIA)?

While the EU AI Act does not expressly define the FRIA, it explains what the objective of the assessment is. The Act also states what the assessment must contain. Recital 96 of the AI Act states that “The aim of the fundamental rights impact assessment is for the deployer to identify the specific risks to the rights of individuals or groups of individuals…”. Moreover, the FRIA helps to “identify measures [to take] in the case of a materialisation of those risks”. Organisations must conduct the FRIA “prior to deploying the high-risk AI system”. They are also required to update it “when ... any of the relevant factors have changed”.

In other words, a FRIA is an evaluation of the risks high risk AI systems present in relation to individuals’ rights. It is also the determination of remediation strategies to manage and mitigate the risks in case they occur.

What should a Fundamental Rights Impact Assessment contain?

According to Article 27(1) of the EU AI Act, the Fundamental Rights Impact Assessment should contain the following information:

(a) a description of the deployer’s processes in which the high-risk AI system will be used in line with its intended purpose;

(b) a description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used;

(c) the categories of natural persons and groups likely to be affected by its use in the specific context;

(d) the specific risks of harm likely to have an impact on the categories of natural persons ..., taking into account the information given by the provider pursuant to Article 13 (transparency obligations of AI providers);

(e) a description of the implementation of human oversight measures, according to the instructions for use;

(f) the measures to be taken in the case of the materialisation of those risks.

Interestingly, Article 27(4) of the EU AI Act states that if organisations meet “any of the obligations laid down in this Article […] through the data protection impact assessment conducted pursuant to Article 35 of [the GDPR]…, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment”. Essentially, the fundamental rights impact assessment should complement the data protection impact assessment.

Intersection between Fundamental Rights Impact Assessment and Data Protection Impact Assessment

Article 35 of the GDPR states that a DPIA evaluates the impact of processing operations on the protection of personal data, in particular where the processing operations use new technologies and are likely to result in a high risk to the rights and freedoms of natural persons. On this basis, the FRIA and the DPIA relate to the impact on rights and the protection of personal data for high risk AI systems and high risk processing operations respectively.

The table below offers a quick overview of the minimum information requirement for the FRIA and DPIA:

Topic | FRIA | DPIA | Comments
--- | --- | --- | ---
Description of processing | ✔️ | ✔️ | FRIA: requires a description of the deployer’s processes. DPIA: requires a description of the controller’s processing operations.
Purpose of processing | | ✔️ |
The legitimate interests pursued | | ✔️ |
Risks to the rights and freedoms of individuals | ✔️ | ✔️ | FRIA: requires inclusion of the specific risks to individuals, taking into account the information provided by the provider of the AI system. DPIA: requires inclusion of the risks to individuals, taking into account the nature, scope, context and purposes of the processing operation.
The necessity / proportionality of the operations in relation to the purposes | | ✔️ |
Measures to address the risks | ✔️ | ✔️ | FRIA: requires the measures to be followed in case the risks materialise, internal AI governance and a mechanism for complaints. DPIA: requires safeguards and security measures to ensure the protection of personal data and to demonstrate compliance with the GDPR.
The time period and frequency of intended use | ✔️ | |
Categories of natural persons likely to be affected | ✔️ | |
Implementation of human oversight measures | ✔️ | |

FRIA and DPIA in practice

The minimum requirements for the FRIA and the DPIA differ. In practice, however, both assessments often include additional information, which makes them quite similar. For example, Article 35 of the GDPR does not mandate the inclusion of data subject categories in the DPIA, yet organisations logically include such details to identify risks to individuals’ rights and freedoms. Similarly, the EU AI Act does not explicitly require the purpose and proportionality of processes in the FRIA, yet organisations naturally include them when describing the processes and the necessity of the AI system.

What are the differences?

The major difference between the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment is their focus point. The FRIA focuses on how the AI system directly impacts the rights of individuals. The DPIA focuses on how the processing operation impacts the protection of personal data and the rights of individuals.

The table below provides an overview of the major differences between the FRIA and the DPIA:

FRIA | DPIA
--- | ---
Required for high risk AI systems | Required for processing operations making use of new technologies, when automated processing is used and profiling is carried out on a large scale, when special categories of personal data are processed, or when systematic monitoring of a publicly accessible area occurs
Relates to deployers of high risk AI systems | Relates to controllers
Deals with the impact of high risk AI systems on the rights of individuals | Deals with the impact of processing operations on the rights of individuals
Is focused on mitigating risks to ensure that the rights of individuals are protected | Is focused on mitigating risks to ensure that personal data is protected
Considers information provided by the provider of the high risk AI system | Considers information relating to the nature, scope, context and purposes of the processing operation

Summary

The major takeaway is that the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment play a complementary role. At least, this is the intent of the EU AI Act according to Article 27(4). Therefore, organisations deploying high risk AI systems that process personal data will have to conduct both assessments. If your organisation is a provider of high risk AI systems, there is no requirement to conduct the FRIA. However, providers must make information available to deployers of the AI system to make the conduct of the FRIA possible, because a substantial part of the assessment relies on the information presented by AI providers.

Given that the EU AI Act is new, organisations may struggle with identifying their role in the AI value chain. Organisations may also struggle to comply with requirements based on that role. At TechGDPR, we assess your processing operations, the information provided by AI providers as well as the envisaged implementation of the AI system to help determine what requirements apply under the EU AI Act. We can help you correctly classify the AI system(s) your organisation plans to manufacture or deploy, ensuring early detection of any outright prohibitions. This will prevent your organisation from wasting valuable resources on systems not allowed within the EU.

Making sense of new EU-wide data regulations, the red thread behind the digital single market
https://techgdpr.com/blog/making-sense-of-new-eu-wide-data-regulations-the-red-thread-behind-the-digital-single-market/
Mon, 08 Jan 2024

A multitude of new regulations are either in the ordinary legislative procedure or already in force. These include the Data Act, the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Cyber-Resilience Act, the European Health Data Space Regulation and the Artificial Intelligence Act. Data regulations in the European Union (EU) are becoming more complex and challenging for businesses to comply with. The increasing number of administrative burdens and compliance requirements in these regulated areas is a valid concern for businesses. Supervisory enforcement of enacted regulations will be a wake-up call for organisations that are not prepared. Tech players operating in the EU and the authorities overseeing their activities face a similar challenge of adapting to legislative overlap. New fines, new supervisory authorities and new compliance requirements are expected. To better understand this burst of regulation, the EU’s strategic policies must be carefully examined.

What is the EU aiming for?

  • The United States (US) and China (CN) have different advantages in the field of technological competitiveness. 
  • The US has a strong private sector with abundant financial resources, while CN has a state-sponsored private sector. 
  • The EU meanwhile wants to shape its own digital future, and create a competitive Digital Single Market while enforcing European democratic values. In a short span of time, the European Commission has implemented digital transformation policies to become more competitive in the global economy, reduce the carbon footprint that arises from the red-tape bureaucracy and go digital. 
  • Better public services and comprehensive scientific research will be strengthened by the re-use of data envisaged in the European Strategy for Data.

Understanding the distinct European view on data 

Greater productivity for IoT and data-enabled products is also on the list. But greater accessibility of data is needed to enable innovation in a data-driven economy. This explains why data intermediaries are expected to play a key economic role, as envisioned in the Data Governance Act. Making more data available to smaller players will be made possible by creating common European data spaces in strategic sectors. There are multiple underlying reasons for the data spaces, all of which align with the strategic data policies of the European Union.

  • The new regulations are in line with the existing strategic objectives, allowing for organizations to get ahead of the game by embracing the EU’s strategic data policies. 
  • The industrial data space and co-generated industrial data is part of the Data Act. 
  • The common European health data space is also regulated with the upcoming European Health Data Space Regulation. 
  • Green Deal data space, financial data space, energy data space, agricultural data spaces, are also mentioned in the “European Strategy for Data”.

EU strategic goals

  • The digitalisation of public services and the digital transformation of businesses are of high priority in the 2030 Digital Compass: the European way for the Digital Decade.
  • The Digital Compass goals are consistent with the rising amount of data being created in the EU. 
  • The EU is determined to maintain its regulatory norms and standards in its relations with international partners. 
  • By 2030, the EU aims to build an interconnected data processing ecosystem conscious of fundamental rights and in full compliance with legal requirements. As stated in the 2030 Digital Compass policy, the EU will continue to promote the ethical use of AI, establish strict cybersecurity and resilience requirements, tackle disinformation and illegal content online, ensure the operational security of digital finance and facilitate transformation of e-government. Respectively, these strategic policies are being covered by the Artificial Intelligence Act, the NIS2 directive and Cyber-Resilience Act, the Digital Services Act, the Digital Operational Resilience Act for the financial sector and European Health Data Space Regulation.

Implications for the future

These new regulations pave the way for the EU to achieve its new industrial strategy of climate neutrality and digital leadership. They help to reduce the carbon footprint and prevent red tape bureaucracy. 

  • The digital transformation is essential for a greener EU.
  • The reuse of data is also critical. 
  • As stated in the EU Strategy for Data, this includes greater productivity and competitive markets, as well as improvements in health and well-being. 

The emergence of data-driven ecosystems can prove itself in the long run but it may take years for the EU to figure out the interplay of new regulations within the existing legal frameworks, the preparation of new guidelines and the appropriate degree of coordination between supervisory authorities. 

The EU will need to ensure that data and data-enabled products and services are available throughout the single market. Considering the EU’s goal of building a legal digital framework and becoming an international market leader, similar regulations may spread over time to different continents through the Brussels Effect. The key intention is to create a European data ecosystem that is respectful of fundamental rights. Whether these strategic intentions will be translated into the regulatory scope as intended remains to be seen. 

The impact of the GDPR on Big Data
https://techgdpr.com/blog/impact-of-gdpr-on-big-data/
Tue, 01 Dec 2020

You must have heard about the GDPR, and you might also have heard about big data, also defined by the three Vs (Volume, Velocity and Variety). The term is used to refer to the huge amount of digital information from individuals that public and private organisations collect, store and analyse for various purposes. In this digital era, where the number of people using various digital services and tools is higher than ever before, opportunities abound to collect large amounts of data for statistical purposes and for identifying behavioural patterns.

This can be used for decision-making by governments for national defence and policy analysis, or by companies to optimize their products and services, such as targeted advertisements based on individual preferences. Some examples of different sectors include retail, transportation, healthcare, insurance, media and entertainment or public sectors such as medical research, statistics on demographics, etc.

The collection, storage, analysis and use of large amounts of data to produce usable outcomes is in conflict with what Article 8(2) of the Charter of Fundamental Rights and the GDPR guarantee individuals: personal data should be protected and processed in a fair manner for specific purposes, and should not be kept longer than necessary. The collection and analysis of huge amounts of data can be useful in many cases. Hence, companies should incorporate security, privacy and technical measures in their internal processes and services right from the start, in order to guarantee data subjects their rights.

Compliant Big Data Collection Under GDPR

Big data aims at collecting as much data as possible to analyse and make decisions based on it. The GDPR, on the other hand, states that only the minimal amount should be used, for clear purposes. These protective principles apply to the processing of personal data and are regulated in Article 5 of the GDPR. One such principle states that the processing must be lawful, fair and conducted in a transparent manner in relation to the data subject, i.e. the person whose data is used (Article 5(1)(a) GDPR).

This means that organisations must evaluate whether a given use of personal data is within the reasonable expectation of the data subject concerned, which is in clear contradiction with big data practice. The purpose of the collection should be explained to the data subject through a clear privacy notice that is concise, written in plain language and easily accessible.

In some instances, the further processing of personal data for purposes other than the original intention can take place. This is not necessarily incompatible with the GDPR. Compatibility needs to be assessed on a case-by-case basis, considering the relationship between the parties, the expectations of the data subject at the time of collection, the context and the nature of the data. This is outlined in Opinion 03/2013 on purpose limitation by the Article 29 Working Party (predecessor of the European Data Protection Board).

Furthermore, the purpose of the collection should be specified, lawful and not incompatible with the original purpose. However, this is hardly the case when the processing is based on a legal ground such as consent, since consent is only valid if it is given for a known (disclosed) purpose. Problems arise when the intended purpose is not clarified, or when personal data is analysed for unstated reasons.

Do data subjects own their (big) data?

Many organisations assume they are GDPR compliant since they use the personal data lawfully and fairly but forget to either delete unused data or to articulate why they need to collect and process particular datasets. According to Article 5(1)(e), personal data should not be stored longer than necessary. Organisations should therefore set retention periods and implement automatic erasure of the data after the period expires.

Data subjects have the right to access, rectify and erase personal data as well as to restrict its processing (Article 17 GDPR). This means organisations should be able to dig into the large amount of data stored across several different systems to locate and/or erase the data belonging to the data subject. Many tools make it easier to categorise the data, while metadata management can be used to catalogue data assets (e.g. Talend, Apache Atlas, Collibra, AtScale). Analysis of data collected on the legal base of consent is risky, since the data subject can withdraw their consent and ask for erasure. So, organisations should consider relying on legitimate interest for the data instead.

Generally, organisations circulate data on a global scale to their customers, partners or subcontractors. Data controllers, the organisations responsible for determining the means and purposes of the processing, must ensure data is transferred in accordance with GDPR safeguards and must supplement those measures where needed. On this topic, the transfer of data to the US has been dramatically limited since the CJEU (Court of Justice of the European Union) issued its judgment in the so-called Schrems II case (C-311/18). While waiting for official solutions, the current consensus is that organisations should implement technical measures to supplement those they currently rely on. This can take the form of encrypting data before exporting it from the EU and keeping the encryption keys in the EU.

Can anonymization be the solution?

The GDPR stresses the difference between pseudonymisation and anonymisation. According to the definition found in Article 4(5) of the GDPR, pseudonymisation is the substitution of direct identifiers in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. Anonymisation, on the other hand, refers to the practice of rendering data unidentifiable in such a way that it is impossible to reconstruct the identity of the data subject. Anonymised data falls outside the scope of the GDPR, provided the anonymisation is carried out properly.

The Article 29 Working Party stated in its Opinion 05/2014 that organisations need to evaluate the robustness of their anonymisation techniques, ensure that they are secure and that re-identifying the individual is not possible. Failure to do so would result in a situation similar to when Netflix released anonymous movie rankings of 500,000 individuals, which were partly de-anonymised by associating them with information from IMDb. Using privacy models like k-anonymity, an organisation can largely achieve the anonymisation of its released data.
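The k-anonymity model mentioned above, worked through on a small table. This is an added example, not code from the TechGDPR post: the release table, the choice of quasi-identifiers (postcode, age, gender) and the generalisation ladder are constructed for illustration.

```python
"""k-anonymity check and generalisation over a constructed release table.

A record is k-anonymous when at least k rows share its quasi-identifier
values, so an outside dataset (the IMDb ratings in the Netflix case) can
narrow a match down to no fewer than k people.
"""
from collections import Counter

# Constructed sample release: (postcode, age, gender, diagnosis).
# "diagnosis" is the sensitive attribute; the other three are
# quasi-identifiers that public sources could be joined on.
RELEASE = [
    ("10115", 34, "F", "flu"),
    ("10117", 36, "F", "asthma"),
    ("10119", 38, "F", "flu"),
    ("10115", 52, "M", "diabetes"),
    ("10117", 57, "M", "flu"),
    ("10119", 55, "M", "asthma"),
    ("20095", 41, "F", "asthma"),
    ("20097", 49, "F", "flu"),
]
QI = (0, 1, 2)  # column indexes of the quasi-identifiers


def k_anonymity(rows, qi_index=QI):
    """Return k: the size of the smallest group of rows sharing the same
    quasi-identifier values. k == 1 means at least one row is unique and
    a linkage against another dataset singles that person out."""
    groups = Counter(tuple(row[i] for i in qi_index) for row in rows)
    return min(groups.values()) if groups else 0


def generalise(row, postcode_digits=3, age_bucket=10):
    """Coarsen the quasi-identifiers: keep only the leading postcode digits
    and replace the exact age by a bucket. The sensitive attribute is kept."""
    postcode, age, gender, diagnosis = row
    lo = (age // age_bucket) * age_bucket
    masked = postcode[:postcode_digits] + "*" * (len(postcode) - postcode_digits)
    return (masked, f"{lo}-{lo + age_bucket - 1}", gender, diagnosis)


# Generalisation ladder: from exact values down to "everything suppressed
# except gender". Each step trades utility for a larger k.
LADDER = ((5, 1), (3, 10), (2, 20), (0, 100))


def anonymise(rows, k_required):
    """Apply increasingly coarse generalisation until k >= k_required.
    Returns (generalised_rows, k); raises if even the coarsest rung fails."""
    for digits, bucket in LADDER:
        out = [generalise(r, digits, bucket) for r in rows]
        k = k_anonymity(out)
        if k >= k_required:
            return out, k
    raise ValueError(f"cannot reach k={k_required} with this ladder")


if __name__ == "__main__":
    print("raw k =", k_anonymity(RELEASE))          # 1: every row is unique
    rows, k = anonymise(RELEASE, 2)
    print("k =", k)
    for r in rows:
        print(r)
```

The raw table has k = 1; truncating the postcode to three digits and bucketing ages into decades reaches k = 2, and reaching k = 3 on this sample costs every quasi-identifier except gender, which is the utility trade-off the opinion asks organisations to assess.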

Machine Learning and Artificial Intelligence

Organisations can use a large amount of data either to make automated decisions based on it or to profile the individual using sophisticated algorithms. This is one of the biggest use cases of big data and is commonly referred to as machine learning or artificial intelligence. It is a double-edged sword: such systems might be useful in areas like medical research or controlling pollution, while at the same time they might invasively predict an individual’s likelihood to fall ill and, as a consequence, lead to the refusal of a loan or health insurance.

Individuals have the right not to be subject to automated decision making, including profiling, according to Article 22(4) GDPR. Organisations can still use automated decision making if it is necessary to perform or enter a contract, authorised by the law in a member state or if the data subject has given its explicit consent. Most often profiling is invisible to individuals, a practice that data protection law strives to protect individuals against by forcing organisations to provide clarity and the option of opting out of profiling. In effect, this is why the use of cookies is highly regulated by the GDPR and the ePrivacy Directive, making it an obligation for data subjects to be informed of the intended purpose of the processing of cookies so they can freely decide to opt in or remain opted out.

The data subject should also be able to have a good understanding of the logic of how the data will be processed and how it will affect them. Article 13(2)(f) of the GDPR offers them the right to be given “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing”. In addition to this obligation imposed on the data controller, Article 22(3) provides data subjects with the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the [automated] decision. The GDPR’s flexibility clauses allow member states to craft further restrictions. This is the case in the French data protection act, which makes it compulsory for data controllers to provide explanations as to how the algorithm works.

In the area of digital advertising and real-time bidding, organisations should not target individuals without making them aware that they are subjected to tailored advertisement. The analysis of data should not be used to manipulate individuals via political messages or messages tailored to their personality. The algorithms behind the processing should not have a discriminatory effect, which, as has frequently been debated, occurs in decisions that involve personal data such as an individual’s residential locality (postcode), gender, sexual orientation or race. Organisations often unknowingly collect or process sensitive data, regulated by Article 9 of the GDPR, exposing them to compliance risks.

Big Data and the GDPR

Big data is important for organisations of any kind to analyse their data assets and improve their processes and products. But returning control to the data subject, as made possible by the GDPR, means that organisations now face different problems when collecting and analysing data. While processing data in a compliant manner comes with design challenges, it positively impacts data subjects’ confidence in the organisation they entrust their data to. Data subjects who trust an organisation are more likely to give their consent.

At the end of the day, big data is part of our lives in this digital age. It is useful for many practical applications and can lead to great development of both organisations and countries. However, if misused, it can lead to a general distrust amongst the public and can have a detrimental effect.

WiFi-Tracking and Retail Analytics under the GDPR
https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/
Mon, 08 Apr 2019

WiFi-tracking is used for many purposes, including producing heat-maps of spaces, counting passers-by and analyzing people movement and visits. This can be extremely useful for businesses to better understand the use of their space and how to optimize this, and it is already in wide use in shopping malls, airports and hotels all around the world.

About WIFI-tracking

WiFi-tracking technology relies on devices such as smartphones sending so-called probe requests. With wireless networking enabled, a device will broadcast a probe at regular intervals to see which known or unknown wireless networks are available to possibly connect to. By capturing these requests along with some other information, such as signal strength and time, a fairly accurate analysis of location and behaviour can be made. By combining data from different access points in close vicinity, an accurate location can be determined through trilateration.

The GDPR, as introduced on May 25th 2018, does make this practice harder: since MAC (Media Access Control) addresses are considered (pseudonymised) personal data, because they can be used to single out a person, the practice requires a valid legal base and adherence to the other articles of the GDPR. This article explores the possibilities for meeting these requirements.

Personal data and scope of the GDPR

The definition of personal data under the GDPR is outlined in Article 4(1):

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

On 19 October 2016, the Court of Justice of the European Union (the “CJEU”) published its judgment in Case 582/14 – Patrick Breyer v Germany. This judgement concludes that dynamic IP addresses are to be seen as personal data, and following the same logic, MAC addresses of personal devices are therefore certainly to be seen as personal data.

While alternatives for MAC addresses, such as hashed or encrypted versions, can be stored and processed, these would still be considered pseudonymous if they can uniquely single out a single device belonging to a natural person. Pseudonymising data does not move it out of scope of the GDPR as the data can still be linked back to a natural person, with the use of extra information.

As soon as the position of a device is determined, location data is available as well, which certainly falls under the GDPR.

Once data is truly anonymized (e.g. aggregated data with a significant enough sample size), and it can no longer be related back to a single data subject, it will be out of scope of the GDPR and can be further used. Nevertheless a valid legal base will be required for the initial collection of any personal data.
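The three kinds of output discussed above (a hashed MAC, a keyed per-day token, an aggregated count) side by side. This is an added example, not code from the TechGDPR post; the probe-request log, the venue key and the minimum group size of 3 are constructed for illustration.

```python
"""Pseudonymised versus aggregated WiFi-tracking output.

An unkeyed hash of a MAC address is a stable pseudonym: the same device
yields the same token on every visit, so the output still singles out one
natural person and stays inside the GDPR. A keyed hash with the day mixed in
limits linkage across days but is still pseudonymous within a day. Only the
aggregated counts, with small groups suppressed, no longer relate to a single
data subject.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed probe-request log: (day, hour, MAC address). A real capture
# would also carry signal strength and the receiving access point.
PROBES = [
    ("2019-04-01", 9, "a4:5e:60:01:02:03"),
    ("2019-04-01", 9, "a4:5e:60:01:02:03"),   # same phone, seen twice
    ("2019-04-01", 9, "3c:22:fb:aa:bb:cc"),
    ("2019-04-01", 10, "3c:22:fb:aa:bb:cc"),
    ("2019-04-02", 9, "a4:5e:60:01:02:03"),   # same phone, next day
    ("2019-04-02", 9, "d8:bb:2c:11:22:33"),
    ("2019-04-02", 9, "f0:18:98:44:55:66"),
]
VENUE_KEY = b"constructed-venue-secret"  # placeholder; keep a real key in a KMS/HSM


def plain_hash(mac, day=None):
    """Unkeyed SHA-256 of the MAC. Deterministic across days, so it is a
    pseudonym under Art. 4(5); the 48-bit MAC space is also small enough
    that hashing alone does not hide the address."""
    return hashlib.sha256(mac.encode()).hexdigest()


def daily_token(mac, day, key=VENUE_KEY):
    """Keyed hash (HMAC) over day and MAC. Within one day the token still
    singles out the device; across days the tokens cannot be linked without
    the key, which limits tracking of repeat visits."""
    return hmac.new(key, f"{day}|{mac}".encode(), hashlib.sha256).hexdigest()


def distinct_devices(probes, tokenise):
    """Number of distinct tokens per (day, hour) slot."""
    seen = defaultdict(set)
    for day, hour, mac in probes:
        seen[(day, hour)].add(tokenise(mac, day))
    return {slot: len(tokens) for slot, tokens in seen.items()}


def linkable_across_days(probes, tokenise):
    """True if any token shows up on more than one day, i.e. the stored
    output can still follow one device over time."""
    days_per_token = defaultdict(set)
    for day, _, mac in probes:
        days_per_token[tokenise(mac, day)].add(day)
    return any(len(days) > 1 for days in days_per_token.values())


def aggregate(probes, tokenise, min_group=3):
    """Release only per-slot visitor counts and suppress slots below
    min_group: a count of 1 still points at an individual."""
    counts = distinct_devices(probes, tokenise)
    return {slot: n for slot, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    print("plain hash linkable across days:", linkable_across_days(PROBES, plain_hash))
    print("daily token linkable across days:", linkable_across_days(PROBES, daily_token))
    print("released counts:", aggregate(PROBES, daily_token))
```

Note that the initial capture of the MAC address still happens before any tokenisation, which is why a legal base is needed for the collection itself regardless of how the output is later reduced.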


Who is the controller?

Defining the different stakeholders is important to further analyse GDPR compliance. The data subject within WiFi-tracking is the person with a personal, WiFi-enabled device that is being tracked. This person should be guaranteed GDPR compliant processing of his or her personal data. That includes the requirement of properly informing them about their data being processed and about their rights under the GDPR.

Defining the data controller and data processor is more challenging. The GDPR has defined that the controller is the one ‘determining the means and purpose for processing’ and the processor as the one ‘processing data on behalf of the controller, based on specific written instructions’. In a WiFi-tracking situation this may mean different things based on the specifics of the setup.

If a venue utilizes WiFi-tracking for its own purposes (such as capacity planning) with its own hardware using a third party software, it is quite likely that the venue is the controller, and the third party software provider the processor. This also requires a data processing agreement to be in place between the two to ensure the processor is given specific written instructions for processing.

In case the hardware is placed in the venue by a third party service provider, and the data is then made available directly to that provider for purposes pursued by the service provider, the service provider may well be determined to be the controller.

Legal bases

For the processing of personal data under the GDPR, the controller needs to define the legal base of processing. There are six possible legal bases (Art. 6(1) GDPR): (a) consent, (b) performance of a contract, (c) legal obligation, (d) vital interest, (e) public interest and (f) legitimate interest. Legal bases (c), (d) and (e) certainly do not apply, as WiFi-tracking cannot be seen as a legal obligation, as being in anyone’s vital interest or as being in the public interest in general. The remaining legal bases are analyzed below.

Consent (Art 6.1a)

To rely on the legal base of consent, the data subject needs to freely give prior consent to the processing in question. It is important to emphasize that consent needs to be freely given and can therefore not be made a condition for the provision of a service, nor serve as ‘payment with data’ for a service.

Recital 42: “… Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

Recital 43: “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

If consent is a precondition of a service but the processing is not necessary for that service, the consent is deemed invalid. Bundling consent for tracking with the use of guest WiFi or a loyalty program is therefore not possible. Consent to WiFi-tracking should be asked for as an additional, non-required option.

In addition, consent should be as easy to withdraw as it was to give. A system should be in place that allows consent to be withdrawn at any place and time.

Collecting consent

  1. Using a captive portal
  2. Using proximity push notifications
  3. Through a loyalty program

Performance of a Contract (Art 6.1b)

Performance of a contract may be relied upon for fulfilling contractual obligations, as well as for the preparatory stages of concluding a contract. This, however, implies that at some point a ‘business’ relationship covering the usage of the data can be substantiated.

If data subjects are rewarded in some way for providing their tracking and usage data, this could be a way to explore Article 6(1)(b) as a legal base, but only once the data subject has themselves shown interest in such a relationship; it cannot be assumed. In short, for tracking behavior without a reward program, this legal base cannot be applied.

Legitimate Interest (Art. 6.1f)

According to the GDPR, legitimate interest may be the legal basis for processing user data if the interests of the data subject do not override those of the controller, taking into account the reasonable expectations of the data subject and their relationship with the controller. Establishing a legitimate interest requires a “careful assessment” of these reasonable expectations and of the context in which the data is collected.

A legitimate interest can be a purely commercial interest. The legitimate interest and its balancing against the interests of the data subject need to be well documented, and the essence of it needs to be explained to the user.

An important consideration for legitimate interest is whether there are less privacy-intrusive methods of reaching the same goal. If such methods exist, legitimate interest is unlikely to hold up.

Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (which has been adopted as guidance under the GDPR) states:

The economic interests of business organizations to get to know their customers by tracking and monitoring their activities online and offline, should be balanced against the (fundamental) rights to privacy and the protection of personal data of these individuals and their interest not to be unduly monitored.

According to the same opinion, in case the goal of the tracking is marketing, there are more specific requirements under the ePrivacy Directive:

consent is required under Article 5(3) of the ePrivacy Directive for behavioral advertising based on tracking techniques such as cookies storing information in the terminal of the user.

Public space vs. private space

Data protection authorities, for example the Dutch DPA, have issued strong opinions on WiFi-tracking in (semi-)public spaces. While WiFi-tracking within a private (commercial) space can be legitimized, the moment personal data of those outside the premises (e.g. passers-by) is analyzed, it becomes very difficult to base this on legitimate interest.

If legitimate interest is used as a legal base, measures may need to be in place to ensure that only data subjects on the company’s premises are being tracked.

Fulfilling the duty of information

Whichever legal base is chosen, as soon as personal data of data subjects is collected, they need to be informed. The Regulation prescribes this in Article 13 as follows:

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: …

This means the controller has a duty to inform data subjects. For an app or website this is normally done by publishing a privacy notice; in the case of WiFi-tracking it is obviously more problematic. One way may be to display a clear notice at the border of the perimeter, for example with a sticker on the door.

At the same time, data subjects should have the choice not to be subjected to the data processing, and would therefore need to be advised to switch off their WiFi if they wish to opt out.

Data minimization and storage limitation

Whatever personal data is stored under the GDPR needs to be limited to the minimum required to meet the specified purpose, and may be stored no longer than required for this purpose.

In current implementations of data protection for WiFi-tracking, there is a strong emphasis on timely anonymization and limited storage as means to protect the privacy of users. NS, in the example below, uses a different salt (and therefore a different hash) per day so that information cannot be correlated across multiple days.

Mechanisms to exercise rights

Whenever personal data is collected from data subjects, they have rights under the GDPR; they need to be informed about these rights and given ways to exercise them. These rights include the right to rectification, the right to erasure, the right to information and the right not to be subject to automated decision-making. The first of these can be surfaced through a website, portal or app of some sort. The last one needs to be considered closely in terms of what happens with the data.

Example of WiFi-tracking in practice and the operator’s explanation of GDPR compliance

At the time of writing, Nederlandse Spoorwegen (NS, the Dutch Railways) uses WiFi-tracking at 6 of its larger train stations. They make travelers aware of this with stickers indicating the use of WiFi-tracking around the station, and explain the mechanics behind it in their privacy policy: https://www.ns.nl/en/privacy/in-and-around-the-station.html

Image: the NS WiFi-tracking sign.

In summary, they rely on the legal base of legitimate interest “to improve our services and to increase your safety in and around the station”, and use technical measures to limit and further pseudonymize the MAC addresses collected:

“The MAC address is immediately ‘hashed’ – converted into a series of characters. This series is then sent to a server, where we add extra random characters and hash the series again (a process known as ‘salt’). The extra characters differ per day, and are not stored on a computer. We then ‘cut out’ some of the characters, so that there is no way that the series can be traced to an individual.”

Other requirements under the GDPR

As WiFi-tracking constitutes monitoring of behavior, and should in most cases be considered large-scale, both the controller and the processor will need to designate a data protection officer and, if they have no establishment in the EU, also designate an EU representative.

ePrivacy Regulation and Directive

The ePrivacy Directive, and in the future the ePrivacy Regulation, deals with communications rather than data processing in general, and is therefore also relevant to WiFi-tracking. The topic will be further scrutinized with the introduction of the ePrivacy Regulation. The Regulation prohibits companies from using consent collection methods that force users to agree to tracking in order to receive access to services. The Regulation provides three possible purposes for tracking:

  • When it is necessary to transmit an electronic communication.
  • When it is necessary to provide an information society service requested by the user.
  • When it is necessary to measure the reach of an information service requested by the user.

The original draft of the ePrivacy Regulation also contains provisions for the protection of data subjects using public WiFi. That initial draft stated that tracking an individual’s location through a WiFi or Bluetooth connection was permitted. In response, Parliament and the Working Party proposed solutions that would require businesses offering WiFi at their locations to obtain a data subject’s consent before tracking, and to post a notice on the possible dangers of using their WiFi connection in a prominent place.

The latest draft of the ePrivacy regulation, dated October 2018, contains the following relevant passage in recital 25:

A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer physical movements’ tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, such as providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc., referred to as statistical counting for which the consent of end-users is not needed, provided that such counting is limited in time and space to the extent necessary for this purpose.

Providers should also apply appropriate technical and organisational measures to ensure the level of security appropriate to the risks, including pseudonymisation of the data and making it anonymous or erasing it as soon as it is no longer needed for this purpose. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection.

Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679. This information may be used for more intrusive purposes, which should not be considered statistical counting, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers locations, subject to the conditions laid down in this Regulation, as well as the tracking of individuals over time, including repeated visits to specified locations.

There is no final draft of the ePrivacy Regulation yet, so the exact implementation of these requirements remains unclear for the time being. It is expected that once officially adopted, the Regulation will come into force 24 months later.

Conclusion

Generally speaking, WiFi-tracking under the GDPR (and in the future the ePrivacy Regulation) is challenging. The main problems revolve around:

  1. WiFi-tracking relies on MAC addresses, which are considered personal data, even in hashed form.
  2. It is required to inform data subjects before collection of personal data takes place.
  3. Consent as a legal base is challenging, as it is very difficult to collect valid, freely given consent from data subjects. Where consent can be collected, e.g. through a captive portal, it is quite unlikely to achieve a high conversion rate.

Possible approaches to GDPR compliance

There are some approaches that can be considered for using WiFi-tracking within the requirements of the GDPR:

1. Informing and asking for consent through a captive portal, push notification or app before tracking users.

Where the legal base for processing personal data is consent, one approach may be to ask for consent through a captive portal. This could be set up as an additional option when asking people to agree to the conditions for using guest WiFi.

2. Relying on legitimate interest for tracking.

It seems possible to rely on legitimate interest for tracking in certain cases, but this limits what the tracked data can be used for. It needs to be possible to argue for a real, legitimate interest that cannot, or only with difficulty, be met using less privacy-intrusive methods. It can be further debated whether direct marketing or advertising can constitute a legitimate interest for this purpose. If that is the case, all data subjects need to be given an easy way to opt out of this tracking.

3. Finding a way to move the data out of scope of the GDPR through anonymized collection.

If a way can be found to properly anonymize data in line with the requirements of the GDPR, it will be out of scope of the GDPR and can therefore (from that point onwards) be processed freely. The challenge with this approach is that correlating data becomes impossible if it is anonymized right at collection. Also, in low-traffic areas the sample size may be too small to ensure that the tracking is truly anonymous.
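As an added example, not code from NS or from the original article, the following Python sketch walks through the pseudonymisation steps NS describes above (hash on the sensor, per-day salt and re-hash on the server, truncation) and the anonymised aggregate counting with a minimum sample size that approach 3 depends on. The hash function, salt length and number of characters kept are assumptions; the page does not state them.

```python
"""Added example: MAC pseudonymisation along the lines NS describes, plus
anonymised per-zone counting with a minimum sample size (approach 3)."""
import hashlib
import secrets
from collections import defaultdict

# Assumptions (not stated on the page): SHA-256 for both hashing steps, a
# 128-bit daily salt, and 8 hex characters kept after the 'cut'.
TOKEN_HEX_CHARS = 8


def client_hash(mac: str) -> str:
    """Step 1, on the sensor: hash the MAC before it leaves the device.
    Separators and case are normalised so one device always gives one digest.
    This alone is only pseudonymisation: the digest still singles out the device."""
    normalised = mac.strip().lower().replace("-", ":")
    return hashlib.sha256(normalised.encode("ascii")).hexdigest()


def new_daily_salt() -> str:
    """Step 2: a fresh random salt per day, kept in memory only (never stored)."""
    return secrets.token_hex(16)


def server_token(client_digest: str, daily_salt: str,
                 keep: int = TOKEN_HEX_CHARS) -> str:
    """Step 3, on the server: salt, re-hash, then truncate.
    A new salt each day makes the same device yield unrelated tokens on
    different days; truncation makes distinct devices share tokens."""
    digest = hashlib.sha256((daily_salt + client_digest).encode("ascii")).hexdigest()
    return digest[:keep]


def count_devices(observations, min_sample: int):
    """Aggregate (zone, token) observations into distinct-device counts per zone.
    Zones seen by fewer than min_sample distinct tokens are reported as None,
    since a tiny sample can still point at individuals (see approach 3)."""
    tokens_per_zone = defaultdict(set)
    for zone, token in observations:
        tokens_per_zone[zone].add(token)
    return {zone: (len(toks) if len(toks) >= min_sample else None)
            for zone, toks in sorted(tokens_per_zone.items())}


def tokens_for_two_days(mac: str):
    """Illustrates cross-day unlinkability for one device with two daily salts."""
    digest = client_hash(mac)
    return server_token(digest, new_daily_salt()), server_token(digest, new_daily_salt())


if __name__ == "__main__":
    # Constructed sample MACs (locally administered range, not real devices).
    macs = ["02:00:00:aa:bb:01", "02:00:00:aa:bb:02",
            "02:00:00:aa:bb:03", "02:00:00:aa:bb:04"]
    salt = new_daily_salt()
    # Constructed observations: three devices in the hall, one on platform 3.
    obs = [("hall", server_token(client_hash(m), salt)) for m in macs[:3]]
    obs.append(("platform3", server_token(client_hash(macs[3]), salt)))
    print(count_devices(obs, min_sample=3))
    print("same device, two days:", tokens_for_two_days(macs[0]))
```

Because the daily salt is random and discarded, nobody holding yesterday's tokens can recompute them from today's, which is the property the per-day salt is meant to deliver; the suppressed zone shows why a low-traffic area cannot simply be reported as an anonymous count.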

NOTE: This article does not constitute or replace legal and professional advice. Consult your lawyer or privacy professional before using WiFi-tracking.

GDPR’s Big Issue with Big Data

https://techgdpr.com/blog/gdprs-big-issue-with-big-data/ (published Fri, 06 Jul 2018)
Understanding how Big Data is regulated by the EU is no easy task. Generally speaking, the European Union’s General Data Protection Regulation (GDPR) is having a major impact on an array of businesses worldwide – or at least on the majority who agree that continuing to do business within one of the world’s largest economic blocs is a wise choice. Most companies, big and small, are affected in some form, but perhaps none more severely than those working with ‘disruptive’ technologies such as Big Data, AI, IoT and Blockchain, to name a few. As far as Big Data is concerned, there are many ways in which companies can vastly improve their compliance, but the first step is knowing more about the rules that most significantly impact your company’s advanced technology.

Data and the Problem of Purpose

Few things are likely to make a bigger impact on GDPR compliance than purpose limitation. Purpose limitation is one of the principles set out in Article 5 of the GDPR. It states that there must be a specific, explicit and legitimate reason for a processor to collect the personal data of customers. Additionally, the moment there is no longer a specific, explicit and legitimate reason for collecting that data, the company is obliged to stop processing it. Designed to promote trust and limit abuse by data processors, this principle represents a sizable effort to protect data subjects. It is also, to the horror of many data-dependent ventures, painfully vague.

Such vague wording is not good news for those fighting to stay afloat in the already hyper-competitive markets for products that rely on what the world increasingly refers to as ‘big’ data. The term Big Data in this sense is used to describe the process of collecting and analyzing vast amounts of data from various sources, including personal data and ‘sensitive data,’ as defined under the GDPR. This, too, is a rather vague definition if you are concerned about compliance, and a definition that will be hard to understand without further legal context – context that will ultimately come from how the GDPR will actually be enforced in the coming months and years.

The Opportunity Cost

In the meantime, the potential costs to innovation in the form of fines on forward-thinking (but non-compliant) tech companies are hard to overstate. Larger still could be the opportunity costs faced by corporations, or even entire economies, if they are not able to realistically capitalize on the innovations that big data enables. This is especially the case when looking at the advances in productivity that good data analytics can inform. As many already know, big data is regularly used alongside data analytics, which reviews large volumes of data in a short amount of time. Such technology is already helping companies and research institutions around the world make unbelievable gains in the speed and quality of their work, a process that, for obvious reasons, hopefully even the most hawkish regulator would not want to hinder.

The stakes are also highest for the firms that have been most effective at digging opportunities out of big data and the many technologies that orbit it. Advances in capturing the most value from data analytics have been uneven between public and private institutions – as well as among different industries. Retailers, for example, fare far better than the EU public sector or US healthcare when it comes to making the most out of the data in their possession. This could be in part due to retail’s need to keep up with fickle shoppers and public institutions’ more siloed data between departments, but what is clear is that the institutions that have benefited most from new technology also know that they are the ones who have the most to lose should their use of it be hindered. The cost of a GDPR violation is high enough, but being slowed down by the process of collecting consent from vast numbers of people is no cheap affair either.  

Plenty to collect

Startups, with fewer resources for compliance, could suffer too. Big corporations may have more numbers to crunch, but they also have more manpower and connections to get them through it. Smaller, more innovative companies are not just trying to keep up with marketplaces throughout Europe and beyond, but to redefine them. Big data regularly informs the development of better business models, better ad-targeting measures and various cost-cutting practices throughout an array of industries. The potential cost to nearly every industry in terms of corporate profits is astoundingly high, even for slow adoption, let alone not adopting certain technologies at all. Still, for all of the risks to business that purpose limitation poses, a GDPR-compliant startup or corporation is in a far better position to seize upon big data’s blooming opportunities than those that are not.

A Data-Driven Path to Compliance

For all of the innovative risks and potential headaches posed by the sometimes clumsy fist of regulatory enforcement, it must be noted that the principle of purpose limitation does not entirely prohibit processing big data. A company can be granted permission to keep doing so, provided it is able to prove that the data being processed is necessary in order to provide a service and that consent has been given regarding its collection. In some cases, authorization from the person giving away their data can ensure that this data may go on being collected, even if the original purpose for its collection is no longer the same as it was in the beginning.

It must also be stated that purpose limitation will likely do much to help data subjects, so that their personal data is not processed without their explicit consent – but the problems it places on firms’ backs are not to be underestimated. Companies that deal with big data analytics must check whether the data they process is being processed for the same reason for which it was collected in the first place – no easy task, even for companies with modest amounts of data. If that is not the case, processors must try to get explicit consent from their data subjects, which is also tedious.

Perhaps most important to note is that this process, however painful, also has the potential to inspire more comprehensive regulatory enforcement.  The way in which the GDPR is interpreted and enforced within the sophisticated and ever-changing ecosystem of data-driven business models will certainly evolve. Staying engaged by keeping tabs on advances in technology as they overlap with changes in regulation is especially important. So too is ensuring that you have technical and legal protocols in place to respond to change when it comes.  Taking these and other measures will ensure not only that you reach a reliable level of GDPR compliance, but also remain there.
