Is Your Data Legal? Meaningful (oxymoron?) Consent
From IIW
Tuesday 2C
Convener: John Wunderlich
Notes-taker(s): Sean Bohan
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Purpose - give the IIW community a breakdown of GDPR and its impact both inside AND outside the EU
Notes:
- IAPP Primer on GDPR:
- General Data Privacy Regulation - EU personal data regs
- 75% of most companies' use of personal data will be illegal
- What does this mean for the information economy?
- Under GDPR May 25, 2018 is the big day where the regulation AND consequences go into effect
- $20MM OR 4% of global revenue if an organization doesn't comply
- For EU citizens, whether they live in the EU or are travelling
- might also apply to citizens of other countries living in or visiting the EU
- If you process personal data on someone in EU or an EU citizen you are required to comply
- There are some who believe the law isn't well defined enough
- Expanded definition of Personally Identifiable Information (PII)
- Information about a person, or information that in some circumstances could be about a person
- Really important - Article 6: Lawfulness of Processing
- Reasons/Rules why a company *could* process your data lawfully
- See graphics, but the lawful bases include:
  - Consent from the user
  - Contractual obligations
  - Legal obligation
  - Protecting a person
  - In the public interest
  - Legitimate interest of the controller
- For any reasonable enterprise, the last choice of lawful processing is CONSENT
- Most will want to use this as a checklist
- Consent receipts
- 2018 - YEAR OF THE BIG DATA FLUSH
- No profiling clause is critical to advertising
- Solving problems with auditability
- Rights for Privacy under GDPR
- Right to be forgotten, erasure, mobility
- Can't use arcane rules to lock data in
- No great technical issues with GDPR - lots of compliance issues
- Resistance isn't technical - it is cultural and commercial
- Is "information sharing agreement" a term of art?
- In GDPR Consent must be "free and informed"
- Consent receipt - there is a spec from Kantara
- Human-readable, JSON format
- New WG @ Kantara: Consent Best Practices
- There are those just waiting to file lawsuits over this once the law is in effect
- Pretty good chance that no one who takes an ethical and informed approach to personal data will get in trouble
- Lots of privacy law based on "fair information practices"
- Article 29 Working Group
- Data Protection Impact Assessments
- Data Controllers vs. Data Processors
- Will users face "consent fatigue"?
- There are UX problems, and there isn't UX research on how users will react to, or be impacted by, the new GDPR requirements
- MEF Trust Study: https://mobileecosystemforum.com/programmes/consumer-trust/global-consumer-trust-survey-2017
- Rise of the reluctant sharer
- "17-25 year olds don't care about privacy" has been proven wrong
- Social Graph Data is very valuable
- Are governmental orgs / departments exempt? Maybe
- 1 rule for all of EU
- GDPR may enable businesses to do more with less data
- "Will issue X be covered under GDPR?"
- ASSUME YES