The architects of GDPR stress the intention of the regulation: to increase both individual privacy and innovation. If innovation includes finding ways to be exempt from GDPR, they would be right. In a growing consumer marketplace that relies heavily on massive amounts of data, it only makes sense that the most realistic approach to compliance will be to find ways to fit through its ‘loopholes’. At the thousand-mile level the regulation is innocuous enough: individuals must be made aware of how their data is being used and give consent, and if they choose to, they can request that their personal data be completely removed from further ‘processing’. A closer look at the regulation reveals a few scary sections, especially for data-driven industries, which are followed by rather vague exemptions.
Businesses and other organizations are increasingly finding ‘secondary’ uses of data. That is to say, data that is collected for one purpose later ends up fulfilling the need of another purpose. An example would be if an online retail company collected address information for shipping purposes, and later ran models on all address data to determine where frequent buyers reside. The GDPR’s ‘Right to be forgotten’ puts some obstacles in the way of this:
- “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed” (GDPR, Article 17.1)
The concept of consent is easy enough to understand. What is unclear, however, are the events where obligation becomes the condition for erasure. In the case of the online retail company mentioned previously, would the company have an obligation to erase the data? Here we have a condition where the data is no longer needed for the original purpose but remains very valuable. Of course, the company may foresee the need for the data and include something in the written consent along the lines of ‘this information will be used for shipping purposes and general marketing reasons’, but this could be a violation of the law’s definition of consent: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous” (GDPR, Article 4.11).
A more concrete example may be the tremendous value of Google search queries. Google Trends is a way to see, in infographics, how people are using the search engine: what they are searching, what news they are looking for, and what is interesting to them. In 2006, AOL released over 20 million search queries. Each user was kept ‘anonymous’ by substituting a unique ID for their name. An article in The New York Times reported that the identities of some users could be discerned from their search history, leading AOL to remove the information (Barbaro, Zeller 2006). This is a case of seemingly general data revealing a personal identity. Even though Google Trends represents a mind-numbingly large amount of data being aggregated, would it not be possible to discern an identity from it? Furthermore, can the aggregation of each trend ever be considered the “purpose(s) for which they were collected or otherwise processed” (GDPR, Article 17.1)?
Or Not To Forget?
The architects of the GDPR accounted for reasons to continue processing data past its original purpose and allowed for a variety of exceptions. One such exception is for cases of legal compliance, essentially leaving all government agencies exempt (as if this was any surprise). Other conditions relate to the public value of the data, stated in Article 89, which allows exceptions for “Safeguards and derogations related to processing for archiving purposes in the public interest, scientific or historical purposes or research purposes”. This would also seem to exempt government-sponsored research such as anthropological and other population-based research, as well as medical and scientific research. For a great read about the research exceptions, check out this article from the International Association of Privacy Professionals: https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research. Thus the main innovation that would come from the law may be for businesses to find a way to fall into an exception category by expressing a reasonable need for data retention after its initial use.
Consider, for example, another use of search query aggregation, where Google claimed that they could use the information to locate the spread of the flu virus by analyzing users’ symptom searches. An article from the Guardian notes that “They also found that the Google statistics, which can be gathered daily, were up to two weeks ahead of the federal government’s data, which took time to assemble because it came from so many doctors” (Pilkington, Google Predicts use of Flu using huge search data). Under the GDPR, this specific use case may qualify as being exempt. However, it is highly unlikely that Google could have foreseen the exact use of its query data. Had GDPR come a few years earlier, this incredibly valuable analysis may have never come to light.
Although regulations and their interpretation have a way of veering in different directions from each other, it will be interesting to see how GDPR will be enforced, what exceptions or exemptions will be made, and how companies, especially ones that rely heavily on large amounts of data, will adapt.
Barbaro, Michael and Tom Zeller Jr. “A Face Is Exposed for AOL Searcher No. 4417749.” The New York Times. 9th August 2006. https://www.nytimes.com/2006/08/09/technology/09aol.html
Maldoff, Gabe. “How GDPR changes the rules for research.” iapp.org. 2018. https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/
General Data Protection Regulation. https://www.eugdpr.org/