Is Your Data Legal? Meaningful (oxymoron?) Consent

From IIW

Tuesday 2C

Convener: John Wunderlich

Notes-taker(s): Sean Bohan

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Purpose - give the IIW community a breakdown of GDPR and its impact both inside AND outside the EU


  • IAPP Primer on GDPR:
  • General Data Protection Regulation - EU personal data regs
  • 75% of most companies use of personal data will be illegal
    • What does this mean for the information economy?
  • Under GDPR May 25, 2018 is the big day where the regulation AND consequences go into effect
    • $20MM OR 4% of global revenue if an organization doesn't comply
  • For EU citizens, whether they live in the EU or are travelling
    • might also apply to citizens of other countries living/visiting in the EU
  • If you process personal data on someone in EU or an EU citizen you are required to comply
  • There are some who believe the law isn't well defined enough
  • Expanded definition of Personally Identifiable Information (PII)
    • Info about a person, or info that in some circumstances could be about a person
  • Really important - Article 6: Lawfulness of Processing
    • Reasons/Rules why a company *could* process your data lawfully
    • See the graphics; the lawful bases include:
      • Consent from the user
      • Contractual Obligations
      • Legal Obligation
      • Protect a Person
      • In the public interest
      • legitimate interest of the controller
  • For any reasonable enterprise, the last choice of lawful processing is CONSENT
  • Most will want to use this as a checklist
  • Consent receipts
  • The no-profiling clause is critical to advertising
  • Solving problems with auditability
  • Rights for Privacy under GDPR
  • Right to be forgotten, erasure, mobility
  • Can't use arcane rules to lock data in
  • No great technical issues with GDPR - lots of compliance issues
  • Resistance isn't technical - it is cultural and commercial
  • Is "information sharing agreement" a term of art?
  • In GDPR Consent must be "free and informed"
  • Consent receipt - there is a spec from Kantara 
    • Human-readable, JSON format
    • New WG @ Kantara: Consent Best Practices
  • There are those just waiting to file lawsuits over this once the law is in effect
  • Pretty good chance no one who takes an ethical and informed approach to personal data will get in trouble
  • Lots of privacy law based on "fair information practices"
  • Article 29 Working Party
  • Data Protection Impact Assessments
  • Data Controllers vs. Data Processors
  • Will users face "consent fatigue"?
  • There are UX problems, and there isn't UX research on how users will react to, or be affected by, the new GDPR requirements
  • MEF Trust Study:
    • Rise of the reluctant sharer
  • "17-25 year olds don't care about privacy" has been proven wrong
  • Social Graph Data is very valuable
  • Are governmental orgs / departments exempt? Maybe
  • One rule for all of the EU
  • GDPR may enable businesses to do more with less data
  • "Will issue X be covered under GDPR?"
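The consent receipt item above describes a human-readable JSON record, and the notes tie consent to auditability and to the "free and informed" requirement. The Python example below is added here and is not from the session notes or from Kantara; it shows how such a receipt could be issued, sealed with a digest for audit, and later verified. The field names, the SHA-256 digest, and the controller/subject/purpose values are assumptions for illustration, not the Kantara specification's schema. The lawful bases are the six listed under "Article 6: Lawfulness of Processing" above, and a receipt on the consent basis is refused unless the subject actually opted in, so that a pre-ticked or default "consent" never produces a receipt.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Article 6 lawful bases as listed in the session notes. Consent is kept
# last on purpose: the notes call it the basis of last resort.
LAWFUL_BASES = {
    "contract": "contractual obligation",
    "legal_obligation": "legal obligation",
    "vital_interest": "protect a person",
    "public_interest": "in the public interest",
    "legitimate_interest": "legitimate interest of the controller",
    "consent": "consent from the user",
}

# Illustrative field names (an assumption), not the Kantara schema.
REQUIRED_FIELDS = ("receipt_id", "issued_at", "controller", "subject",
                   "lawful_basis", "purposes")


def _canonical(receipt):
    """Deterministic encoding (digest excluded) so a receipt always hashes the same."""
    body = {k: v for k, v in receipt.items() if k != "digest"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_receipt(controller, subject, lawful_basis, purposes, opt_in=False, issued_at=None):
    """Create a human-readable consent receipt sealed with a SHA-256 digest.

    purposes: list of {"name": ..., "description": ...}; the plain-language
    description is mandatory so the subject is actually informed.
    opt_in: the subject's affirmative action; a receipt on the consent basis
    is refused when this is False (no pre-ticked or default consent).
    """
    if lawful_basis not in LAWFUL_BASES:
        raise ValueError(f"unknown lawful basis: {lawful_basis}")
    if not purposes:
        raise ValueError("at least one purpose must be stated")
    for p in purposes:
        if not p.get("name") or not p.get("description"):
            raise ValueError("every purpose needs a name and a plain-language description")
    if lawful_basis == "consent" and not opt_in:
        raise ValueError("consent must be an affirmative act by the subject")
    receipt = {
        "receipt_id": str(uuid.uuid4()),
        "issued_at": (issued_at or datetime.now(timezone.utc)).isoformat(),
        "controller": controller,
        "subject": subject,
        "lawful_basis": lawful_basis,
        "lawful_basis_text": LAWFUL_BASES[lawful_basis],
        "purposes": purposes,
        "opt_in": bool(opt_in),
    }
    # The digest makes later edits (e.g. a purpose added after the fact) detectable.
    receipt["digest"] = hashlib.sha256(_canonical(receipt)).hexdigest()
    return receipt


def verify_receipt(receipt):
    """Return (ok, problems): checks required fields, the digest, and the opt-in rule."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in receipt]
    if "digest" not in receipt:
        problems.append("missing digest")
    else:
        expected = hashlib.sha256(_canonical(receipt)).hexdigest()
        if receipt["digest"] != expected:
            problems.append("digest mismatch: receipt was altered after issue")
    if receipt.get("lawful_basis") == "consent" and not receipt.get("opt_in"):
        problems.append("consent basis recorded without an opt-in")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample values, not real parties.
    receipt = issue_receipt(
        controller="Example Retail Ltd (constructed)",
        subject="subject-0042 (constructed)",
        lawful_basis="consent",
        purposes=[{"name": "newsletter",
                   "description": "Send a weekly email about new products."}],
        opt_in=True,
    )
    print(json.dumps(receipt, indent=2))
    print(verify_receipt(receipt))
    # Simulate a purpose quietly added after issue: the audit check catches it.
    receipt["purposes"].append({"name": "profiling",
                                "description": "Build an advertising profile."})
    print(verify_receipt(receipt))
```

The receipt stays plain JSON that a person can read, while the digest gives an auditor a cheap way to tell whether the stored record still matches what was issued; in a real deployment the digest would be signed by the controller rather than merely hashed.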