Member News, News

EACC Insights: Personal Data: a Commodity or a Right?

By: Maia T. Spilman, Esq./CIPP[1]

To which category does your personal information/data belong?  I will answer this question the way most lawyers answer questions; it depends.  In this case, how personal data/information is perceived and handled really depends on which side of the Atlantic Ocean you are based. For purposes of this article, personal information and personal data are used interchangeably.[2]  Lack of awareness of the Atlantic divide in perspectives can lead to unpleasant surprises for individuals.  For companies in the United States who have clients or business in the EU, understanding the varying perspectives will help avert misunderstandings, reputational damage and potentially violations of the law.

In order to better understand some of the challenges that companies and organizations are facing with the soon to be enforced European General Data Protection Regulation (GDPR), an overview of perspective may be helpful.[3]  Personal data are viewed and treated very differently in the United States and in the majority of European nations, particularly European Union (EU) member states. 

In the United States, personal information is by and large treated as a commodity.  It is an asset through which companies make money.  Individual’s personal information is bought, analyzed, aggregated, shared, traded, and sold between companies.  The individual may or may not be aware of this activity and usually has little recourse regarding the use of that information.  If a person wants to use technological solutions such as apps, mobile devices and many other conveniences, they generally relinquish control of how that data will be used.  In the United States using certain services meant giving up some information or privacy, even as people professed that privacy mattered to them.[4]  Attitudes are changing but the mindset of exchaning privacy for a some benefit is deeply rooted and some studies show that roughly 50% of Americans will trade some privacy for convenience or other reasons..  [5]

By contrast, in the EU, personal data, specifically the protection of an individual’s personal data, is a fundamental human right.  The protection of personal data is one of the freedoms enumerated in Title II Article 8 of the Charter of Fundamental Rights of the European Union[6].  Personal data is not a commodity in the EU.  Instead, personal data tends to have the import given to constitutional rights in the United States such as freedom of speech or the right to bear arms.  Keeping these very different perspectives in mind is helpful when working across these borders.  Some of the very basic concepts from these contrasting perspectives are shown within the following figure.

Data Subjects’ Rights

With this is mind, one of the goals of the GDPR becomes clearer to those with an American perspective; enforcing individuals’ rights.  To be clear, individuals have had rights regarding their data since the EU Charter, if not before.  The GDPR provides more robust enforcement mechanisms than under the Data Directive (Directive 95/46/EC).  The Regulation also provides individuals with additional rights relating to their data.  Not only does the Regulation devote nearly an entire chapter (III) to “Rights of the Data Subject” but a violation of Articles 12-22 means the infringer will be subject to hefty fines, double that of fines for violating most other Articles[7].  For the precise language, please see the text of the GDPR[8].  Highlights which I would like to point out here include transparency.

Transparency

Those who have tried to read through terms and conditions and privacy statements of applications, websites or other internet based technologies, know that in most cases transparency is not a strong point or even a priority.  The GDPR requires data controllers to provide clear, concise and understandable information regarding how personal data will be used.  Specifically, data subjects (individuals whose personal data is being used) must know the contact information for the data controller, the purposes for processing the data, who will receive it, how long the data will be stored among other things.  This requires that those entities collecting the data must be precise and succinct.  The broad sweeping statements which are customary in the United States regarding the collection and use of personal data may no longer be acceptable.  

It also means that those collecting and using personal data, and their partners/vendors, will have to have clear data maps in order to know where the data flows and why it may be accessed and used by others along the way.  Data mapping is an expensive and time consuming endeavor that most companies prefer to avoid.

As part of the required transparency, individuals must also be informed that they have the right to correct, erase and port her/his data from the controller.  This last point highlights one of the United States/EU perspective distinctions; ownership of the data.

Portability

In the EU, the data subject owns the data, not the entity who collects it.  So, it seems logical that the person has the right to request data about her/him be handed over to her/him.  The Regulation requires that such requests be answered in a timely manner and that the data be provided in a structured common format so that it can be easily read by a standard computer (or its successor).  The data subject may also request that her/his data be ported to another controller.  This will be interesting to observe when it happens.  From the United States’ perspective this means possibly handing a competitor data that the company has been collected, analyzed and potentially aggregated with other data.  When personal data is treated like a commodity, giving it away to a competitor can seem contrary to business purposes.  When personal data is treated as a fundamental right of the individual, then that individual has the last say on how that data is used and who may have it.

Will this stifle innovation and cause companies to incur immense costs as some have claimed?  We won’t have the answer until some of these requests are made.  However, we’ve already seen some of the challenges raised by the ‘right to be forgotten’ which morphed into the Right to erasure in the GDPR.  In the next column, we will take a look at issues raised under the ‘right to be forgotten’ scenario and a few of the other data subject Rights under the GDPR.

[1] Maia T. Spilman is a data privacy attorney and Certified Information Privacy Professional.  www.maianyc.com

[2] Note that personal information or Personally Identifiable Information (PII) is a term used most commonly in the United States while Personal Data is commonly used in Europe and other regions.  Personal Data is defined in the GDPR (see prior Privacy Column reference) whereas PII does not have one definitive meaning.  Rather many of the various States within the US have their own slightly different definition of personal information.  NIST (the National Institute of Standards and Technology) provides a definition which is not binding upon private entities.

[3] Please see prior column in the EEAC-NY Newsletter for more information and background (https://eaccny.com/news/member-news/data-privacyprotection-1-in-series).

[4] http://time.com/money/2902134/you-say-youd-give-up-online-convenience-for-privacy-but-youre-lying/

[5] http://www.pewresearch.org/fact-tank/2016/01/14/key-findings-privacy-information-sharing/

[6]Article 8 of the Charter of Fundamental Rights of the European Union: “Protection of personal data 1.  Everyone has the right to the protection of personal data concerning him or her. 2.  Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified…”  

[7] See prior column for information on fees.

[8] http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf