Lawful & Ethical Direct Marketing Under GDPR
Shortcomings of Consent-Based Processing in Complex Situations
Benefits of MicroSegmentation
For more information go to MicroSegmentation.com
4 March 2020
Via Email: directmarketingcode@ico.org.uk
Direct Marketing Code Consultation Team
Information Commissioner’s Office (“ICO”)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Re: Consultation - Draft ICO Direct Marketing Code of Practice (“Draft Code”)
We appreciate the opportunity to participate in the public consultation on the Draft Code. Our aim is to assist in the ICO’s goal of providing practical guidance and promoting good practice in relation to the processing for direct marketing purposes in compliance with data protection and e-privacy rules.
This feedback letter is submitted in our capacities as (i) Chief Strategist - Ethical Data Use, and (ii) Chief Executive Officer and General Counsel, of Anonos Inc. (www.anonos.com, “Anonos”). In lieu of providing responses to the specific questions identified in the ICO Consultation - Direct Marketing Code Draft Guidance, this comment letter provides feedback in narrative form due to the interrelated and overlapping nature of answers to the questions posed in the consultation.
As such, this letter takes the following approach.
I. Questions For The Benefit Of Society And The Industry
For what we believe is ultimately the benefit of both society and industry, we respectfully request clarification from the ICO in relation to the following questions:
II. Plea for Cooperative Trans-Disciplinary Approach
The General Data Protection Regulation (“GDPR”), as enacted in the UK via the Data Protection Act 2018 (“DPA”), is a complex and nuanced law. Numerous good faith interpretations of the GDPR will be put forward by different stakeholder groups until final determinations are made by the Court of Justice of the European Union (“CJEU”).
The Draft Code has been introduced amidst concerns that industry has made no attempt to safeguard the fundamental rights of data subjects as well as counter-concerns that in the Draft Code the ICO inadvertently risks halting innovative uses of data.
We believe that to solve this issue in the midst of such discord and distrust, a trans-disciplinary approach should be taken, one in which both innovation and privacy rights can ultimately be respected. To that end, we highlight the following plea, originally published in the Duke Law & Technology Review. This plea was raised in relation to some of the complications that come from complex processing such as ML and AI, which play a core role in the direct marketing industry issues that the ICO is trying to solve through the Draft Code:
III. Fictions in the Industry
Three fundamental “fictions” must be dispelled before real progress can be made in achieving a trans-disciplinary collaboration. We believe this kind of collaboration is critical if the goal is to balance data innovation for the benefit of society with the protection of fundamental rights for the benefit of individual data subjects.
If the goal is to achieve a trans-disciplinary collaboration to balance data innovation and protection, the above-noted fictions must first be dispelled. With this objective in mind, the following comments are hereby respectfully submitted to the ICO.
IV. Draft Code and Discussion on Relevant GDPR Provisions and Concepts
We would first like to highlight several relevant GDPR provisions and concepts that play a role in the legal and technical morass that the ICO is currently dealing with. We examine the process of determining a lawful basis for processing personal data, some issues with the legal ground of consent, and then look at the potential of Legitimate Interests processing. We then move to discuss GDPR concepts such as purpose limitation and data minimisation, secondary processing, and technical and organisational controls.
We then conclude with an example of direct marketing in practice, Anonos Microsegmentation, that we believe provides support and clarity in finding a way through the myriad issues discussed below.
A. Lawful Basis for Processing Personal Data
An honest assessment of the current situation leads to the conclusion that historically, processing under the legal ground of Legitimate Interests has been misused and misapplied for processing personal data to the benefit of data controllers and the detriment of data subjects. A number of key industry players and commentators, including Privacy International, Brave, and the IAB, have noted that:
This prior improper behavior, however, does not justify the revocation of the rights of current and future data controllers. They should still be able to avail themselves of the different legal bases available to them under the GDPR, PECR and the e-privacy Directive (and eventually the e-privacy Regulation), as applicable to their specific circumstances. The following quote speaks to the trans-disciplinary collaboration necessary to balance data innovation and protection:
The Draft Code provides inconsistent guidance regarding the availability of Legitimate Interests as a lawful basis to process personal data related to direct marketing.
The Draft Code is correct that PECR and the e-privacy Directive (and potentially the e-privacy Regulation) require consent for some methods of direct marketing. However, as noted below it is not correct that the same legal basis must be used for all of the various processes that may be associated with direct marketing.
The Draft Code accurately describes the situation with the comment:
It is certainly true that consent and Legitimate Interests both “require work” to ensure compliance with GDPR requirements.
However, the following quotes from the Draft Code leave the incorrect impression that: (i) assuming compliant consent is secured for lawful collection of personal data, the basis of Legitimate Interests is not available to support further processing of the data even if data subjects are put on proper notice at the time of collection and all underlying requirements are satisfied; and (ii) only one legal basis (consent) is available to support all of the various processes associated with direct marketing.
The GDPR provides for the right to use different legal bases for different processes that relate to the same data. This is highlighted in ICO Guidance - Lawful basis for processing - as follows:
The GDPR explicitly recognizes that a number of different legal grounds may co-exist, provided that the requirements for each legal basis are satisfied.
The statement in GDPR Article 17(1) that “…and where there is no other legal ground for the processing…” suggests that “other” legal grounds may exist parallel to consent.
In addition, in its Guidance - Guidelines on consent under Regulation 2016/679 - the EDPB writes: [11]
This supports the existence of multiple legal grounds for a single processing activity, or multiple connected processing activities that require different legal grounds for each portion.
Accordingly, so long as:
then a non-consent legal basis, including Legitimate Interests, should remain available for use.
B. Shortcomings of Consent in Complex Situations
A critical consideration to note is that there are a number of situations in which consent as a legal basis for processing fails. One of the first issues is the requirement that information provided to data subjects must be clear and easy to understand.
This creates several issues when attempting to explain complex processes to data subjects, such as processing performed using AI tools, machine learning processes, or complicated algorithms that operate in a “black box” environment. In addition, even basic privacy policies or statements worded in plain language are still often not understood (or even read) by data subjects, making consent an extremely complex issue in the direct marketing space and online more generally.
While the importance of consent under the GDPR cannot be overstated, we must not ignore the clear standards established for securing GDPR-compliant consent. We do not want to run the risks of (i) nullifying the protections intended for data subjects by “watering down” the requirements for compliant consent under the GDPR, including requiring that the data subject is sufficiently informed and aware of what they are agreeing to, and (ii) removing from the global data ecosystem all societal benefits from processing that is too difficult to explain at the time of data collection.
The following commentary highlights this predicament:
If consent is the only basis on which information for these purposes can be processed we face a Hobson’s Choice: [17]
C. Benefits of Proper Legitimate Interests Processing
The foregoing limitations of consent in complex processing situations are one of the reasons that Legitimate Interests exists as an alternate legal basis. ICO Guidance - What is the ‘legitimate interests’ basis? - noted that:
The Draft Code highlights the following requirements for Legitimate Interests as a processing ground for direct marketing.
“The legitimate interests lawful basis is made up of a three-part test:
The above quotes from the Draft Code highlight the importance of satisfying all three of the tests required for lawful Legitimate Interests processing. The Purpose, Necessity and Balancing tests must all be satisfied, and “high marks” in one or more tests do not overcome the failure to satisfy other tests.
As a result, attempts to use Legitimate Interests processing for data uses that violate GDPR, including Article 5 (Principles Relating to Processing of Personal Data), such as discriminating against protected categories of individuals, illegally influencing the results of elections, etc. will fail the first test. These data uses would not be lawful under Legitimate Interests grounds regardless of the outcomes of the Necessity and Balancing tests.
If a proposed data use satisfies both the Purpose and Necessity tests, then the Balancing test must be applied to assess the impact of the use on the interests and fundamental rights and freedoms of data subjects. In performing the assessment of relevant “impact”, the Article 29 Working Party has stated:
The need to assess the collective interests at stake on both sides of the balancing of interests equation – i.e., the interest of the data controller (or third party) and the interests of the data subject – is affirmed in opinions of the Article 29 Working Party and decisions of the CJEU. They note that “the clear signal is that collective interests must also be involved in these considerations. Only then can full account be taken of the constitutional basis for personal data protection at the EU level.”[20]
The Draft Code includes the following statement under the heading “How does legitimate interests apply to direct marketing?”:
The above statement is confusing since data controllers will always need consent under PECR – at least for the initial data collection.
The ICO should clarify this statement to make it clear that the analysis of the availability of Legitimate Interests should only occur after the satisfaction of baseline PECR consent requirements. Once these PECR requirements have been satisfied for the initial collection of the data, Legitimate Interests processing is then available for evaluation.
D. Purpose Limitation, Data Minimisation and Storage Limitation
Another core issue exists surrounding the concepts of purpose limitation and data minimisation. These concepts play a major role in discovering a potential balance between industry goals and individual data subject privacy rights.
The Draft Code correctly highlights the following in the context of GDPR Articles 5(1)(b) Purpose Limitation, 5(1)(c) Data Minimisation and 5(1)(e) Storage Limitation:
The GDPR principle of purpose limitation, [21] with its origins in international standards developed by the OECD [22] and the Council of Europe [23], reflects the rights articulated in Article 8(2) of the Charter of Fundamental Rights of the European Union as follows:
The GDPR principles of data minimisation [24] and storage limitation [25] are linked to purpose limitation in that no more data may be processed, or stored for longer, than necessary for the purpose stated at the time of data collection. In the past, the collection or processing of personal data was primarily a by-product of the primary purpose for which the data was collected.
In this circumstance, if the purpose of data collection is not the same as the purpose of the desired data processing, then the GDPR principles of purpose limitation, data minimisation and storage limitation would prohibit lawful processing of the personal data. [26]
One potential approach for enabling lawful expanded use of data for direct marketing purposes in a manner consistent with the expectations and consent of data subjects is described in detail in Anonos Microsegmentation in Support of Direct Marketing below. In brief, our suggested approach combines (among other things):
E. Further Processing and the Compatible Purpose Test
We believe that the Draft Code should discuss the lawfulness of further processing of personal data under certain conditions for purposes of direct marketing.
Under GDPR Article 6(4), personal data collected on the basis of Legitimate Interests, a contract or vital interests may be further processed for another purpose if the new purpose is compatible with the original purpose. The European Commission in its guidance - Can we use data for another purpose? - highlights the following points (as stated in the GDPR) as being relevant for determining whether a new purpose is compatible with the original purpose:[28]
In addition, they also note that if a data controller wants to use the data for statistical or scientific research “it is not necessary to run the compatibility test.”
Furthermore, the European Commission guidance [29] states that if a data controller has collected the data “on the basis of consent or following a legal requirement, no further processing beyond what is covered by the original consent or the provisions of the law is possible.” In these instances, “further processing would require obtaining new consent or a new legal basis.”
This underscores the “Hobson’s Choice” noted above: if the processing is too complex to explain simply (or too complicated to comprehend, but data subjects consent anyway, rendering the consent invalid), then either the processing cannot be allowed at all (with the attendant loss of societal benefits) or a non-consent legal basis must, in practice, actually be available for use.
F. Profiling and Automated Decision Making
Another issue we would like to highlight is the issue of profiling and automated decision-making. We believe that the difference between these terms is starting to become obscured, leading to confusion about the applicability of these concepts from a legal perspective.
The GDPR Article 22(1) prohibition on decision making “based solely on automated processing, including profiling, which produces legal effect concerning him or her or significantly affects him or her” was ported to the GDPR from Article 15(1) of the Data Protection Directive (“DPD”), [30] which itself was derived from France’s 1978 Act on data processing, files and individual liberties. [31]
With one notable exception, neither DPD Article 15 nor GDPR Article 22 has to our knowledge been the subject of litigation before the CJEU or any national courts, nor have they figured prominently in enforcement actions by DPAs or assessments of the adequacy of third countries’ data protection regimes. [32]
The one notable exception is the judgment by the German Federal Court of Justice in the so-called SCHUFA case [33] concerning the use of automated credit-scoring systems. In this case, the court held, on appeal, that the credit-scoring system fell outside the ambit of the German rules embodying DPD Article 15 because the automated elements of the decision-making process related only to the preparation of data. The court found that ultimately the actual decision to provide credit was made by a person.
We believe the Draft Code should include the following language from prior ICO guidance that further clarifies that:
The previous ICO guidance - Rights related to automated decision making including profiling - outlined that:
G. GDPR Technical & Organisational Safeguards to Enable Lawful Direct Marketing
In order to advance the trans-disciplinary collaboration necessary to balance data protection and innovation, the Draft Code should be expanded to address more than “data protection by design” to include a description of the full requirements of Data Protection by Design and by Default, as newly defined in Article 25 of the GDPR.
In addition, we (as the audience for the Draft Code) would benefit greatly from a description of the requirements and benefits of “Pseudonymisation” as newly defined in Article 4(5) of the GDPR.
The combination of GDPR-compliant Data Protection by Design and by Default and Pseudonymisation could assist greatly in enabling readers of the Draft Code to ensure lawful direct marketing activities. [35]
1. Data Protection by Design and by Default
We respectfully disagree with the ICO’s statement in the guidance - Data Protection by Design and Default Principles - linked to on page 26 of the Draft Code that:
Contrary to the ICO guidance language quoted above, the GDPR requires more than just Privacy by Design. [37]
Data Protection by Design and by Default, as newly defined under GDPR Article 25, goes beyond Privacy by Design. An important element of Data Protection by Design and by Default is that the limits and requirements applicable to data processing must be built into the technology itself. [38]
The GDPR requires that Data Protection by Design and by Default be applied at the earliest opportunity (e.g., by pseudonymising data at the earliest opportunity) to limit data use to the minimum extent and time necessary to support each specific product or service authorized by an individual data subject. [39] This is a more stringent standard than basic Privacy by Design, which is simply “considering data protection and privacy issues upfront in everything you do.”
Encryption and traditional Privacy Enhancing Techniques (PETs) were developed long before the GDPR requirements were established. When used alone, encryption and PETs will likely fail to satisfy new GDPR Data Protection by Design and by Default requirements.
For example, static tokens and identifiers used for marketing purposes such as “the ‘Google Advertising ID’ (ADID), the ‘Identifier for Advertising’ (IDFA) on iOS and the ‘Advertising ID’ on Windows 10” highlighted on page 95 of the Draft Code fall short of requirements for Data Protection by Design and by Default because links between data subjects and identifying information are readily ascertainable.
The Draft Code highlights this danger in the statement on page 95 that:
DPAs are likely to conclude that static tokens and identifiers used for marketing purposes fail to satisfy GDPR Data Protection by Design and by Default requirements because of the risk of unauthorized re-identification via the Mosaic Effect. The Mosaic Effect occurs when a person is indirectly identifiable via linkage attacks because information can be combined with other pieces of information, enabling the individual to be distinguished from others. [40]
These static tokens and identifiers will not satisfy the requirements for GDPR-compliant Pseudonymisation if personal data can be attributed to specific data subjects without the use of separately kept “additional information.” This means that the benefits enumerated below associated with properly Pseudonymised data will not be available under the GDPR.
Finally, stateless tokens [41] developed for PCI compliance in the payment card industry fail to enforce re-linking and revealing of personal data under the controlled conditions necessary to support iterative analytics, including the secondary uses of data necessary to support lawful direct marketing.
Data Protection by Design and by Default leverages incentives built into the GDPR to use technical and organisational measures for compliant secondary use of data that could enable lawful direct marketing.
2. Pseudonymisation
One of the technical and organisational measures set out in the GDPR is Pseudonymisation, as newly-defined in Article 4(5). [42]
The GDPR provides incentives to use technical and organisational measures, including Pseudonymisation, to enable the flow, commercial use, and value maximization of data in a way that recognizes, respects, and enforces the fundamental rights of individuals.
Pseudonymisation involves the separation of the information value derived from processing activities from the ability to re-identify data subjects using direct or indirect identifiers. The definition also requires that re-identification can only occur via access to separately stored “Additional information” in support of authorised purposes. [43]
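The contrast drawn above between static marketing identifiers and pseudonyms that can only be re-linked through separately kept “additional information” can be shown in a few lines. This is an added example, not part of the original letter and not Anonos's implementation; the `KeyHolder` class, the purpose names, the choice of HMAC-SHA256 and the sample records are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: two datasets from different sources that both
# carry the same static advertising identifier for each person.
BROWSING = [
    {"id": "adid-1111", "interest": "running shoes"},
    {"id": "adid-2222", "interest": "mortgages"},
]
LOCATION = [
    {"id": "adid-1111", "postcode_area": "SK9"},
    {"id": "adid-2222", "postcode_area": "M1"},
]


def link(left, right):
    """Join two datasets on 'id': the linkage step behind the Mosaic Effect."""
    index = {row["id"]: row for row in right}
    return [{**row, **index[row["id"]]} for row in left if row["id"] in index]


class KeyHolder:
    """Hypothetical party keeping the 'additional information' separately:
    one secret key per purpose plus the pseudonym-to-identifier mapping."""

    def __init__(self):
        self._keys = {}      # purpose -> secret key
        self._reverse = {}   # (purpose, pseudonym) -> original identifier

    def pseudonym(self, identifier, purpose):
        if purpose not in self._keys:
            self._keys[purpose] = secrets.token_bytes(32)
        digest = hmac.new(self._keys[purpose], identifier.encode(),
                          hashlib.sha256).hexdigest()
        token = digest[:32]
        self._reverse[(purpose, token)] = identifier
        return token

    def reidentify(self, token, purpose, authorised):
        # Re-linking happens only here, under an explicit authorisation check.
        if not authorised:
            raise PermissionError("re-identification not authorised: " + purpose)
        return self._reverse[(purpose, token)]


def pseudonymise(dataset, holder, purpose):
    """Replace the static identifier with a purpose-specific pseudonym."""
    return [{**row, "id": holder.pseudonym(row["id"], purpose)}
            for row in dataset]


def demo():
    holder = KeyHolder()
    browsing_p = pseudonymise(BROWSING, holder, "browsing-analytics")
    location_p = pseudonymise(LOCATION, holder, "footfall-analytics")
    browsing_again = pseudonymise(BROWSING, holder, "browsing-analytics")
    return {
        # Static identifiers: anyone holding both datasets can join them.
        "static_links": len(link(BROWSING, LOCATION)),
        # Purpose-specific pseudonyms: the same join finds nothing.
        "pseudonymised_links": len(link(browsing_p, location_p)),
        # Within one purpose the pseudonym is stable, so analysis still works.
        "stable_within_purpose": browsing_p == browsing_again,
        # Only the key holder can map a pseudonym back, and only if authorised.
        "reidentified": holder.reidentify(
            browsing_p[0]["id"], "browsing-analytics", authorised=True),
    }


if __name__ == "__main__":
    print(demo())
```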
The use of GDPR-defined Pseudonymisation helps to:
V. Anonos Microsegmentation in Support of Direct Marketing
This discussion on Anonos Microsegmentation [45] is offered in response to the question asked in the ICO Consultation – Direct Marketing Code:
Anonos Microsegmentation is at the core of the 5th Cookie working group [46] proposal to use GDPR-recommended technical and organisational safeguards in digital marketing. The central 5th Cookie proposal is to leverage consent and Legitimate Interests, as well as enhanced pseudonymisation and anonymisation techniques to create privacy-respectful datasets containing “microsegments” that support compliant AdTech. Anonos Microsegmentation, however, extends beyond AdTech to apply to direct marketing, as well as applications in data processing more generally.
Anonos Microsegmentation leverages Anonos’ technology, which transforms digital representations of people - or “Digital Twins” - into privacy-respectful “Variant Twins” of personal data by applying Pseudonymisation-enabled anonymisation techniques. [47] The resulting Variant Twins are use-case-specific, privacy-enhanced versions of Digital Twins. Privacy policies are embedded at the data element level, satisfying statutory and contractual requirements for lawful data use. [48] Variant Twins are ideal for creating privacy-respectful microsegments that support GDPR-compliant direct marketing, as explained below.
Anonos Microsegmentation – Benefits and Advantages
With Anonos Microsegmentation:
Anonos Microsegmentation enables a direct marketing data ecosystem into which data subjects opt-in. This helps to meet high regulatory standards for consent by enabling:
In doing so, Anonos Microsegmentation offers strong incentives for users to consent to data collection for the express purpose of being included in microsegments processed by the system.
The key to building trust whilst ensuring privacy is to encourage direct marketing models to evolve in ways that provide transparency and leverage technical and organisational safeguards to enforce privacy protection and to secure data subject rights. This opens up the possibility of broader reliance on legal bases such as Legitimate Interest to process personal data for direct marketing purposes.
Here too, Anonos Microsegmentation can support compliance. Its use of enhanced pseudonymisation, anonymisation techniques, and k-anonymity creates strong technical safeguards that support the use of Legitimate Interests as a legal basis by reducing the risk to data subjects’ rights. This risk is reduced to such a degree that the balancing test can be tipped in favor of the data controller, which allows greater flexibility in the processing of personal data for direct marketing.
Anonos Microsegmentation enables and enforces trust and ethical business practices. In addition, Anonos Microsegmentation can demonstrate to regulators that innovative technologies and new industry approaches can meet the rights and expectations of data subjects while allowing responsible data use.
A trusted party handles the “last mile” [50] of data subject interaction to ensure that no identifying information about data subjects is revealed, except as specifically authorized by the data subjects.
Using their relationship with the trusted party, data subjects can consent to receive relevant ads based on their inclusion in dynamically-changing and privacy-respectful microsegments.
The trusted third party has separately-stored information and secret keys necessary to “re-identify” individuals from within the microsegments for direct marketing purposes (this would be the “additional information” necessary under the GDPR Article 4(5) definition of Pseudonymisation required for authorized re-identification to occur). During processing, all personal data is pseudonymised and organised into privacy-respectful microsegments, and the processor during the microsegmentation process does not have access to the “additional information,” keeping data subject privacy intact.
The trusted party has a direct relationship with data subjects participating in the microsegmentation system and takes steps necessary to comply with data subject rights under the GDPR, including the following, as applicable:
Anonos Microsegmentation – The Details
The following is a more detailed explanation of how microsegments work to preserve privacy and data utility for direct marketing purposes.
This is accomplished as follows:
As noted at the outset of this comment letter, we respectfully request clarification from the ICO in the form of answers to the following questions posed below:
In closing, Anonos would like to express its sincere appreciation for the opportunity to submit this comment letter in response to the Draft Code to provide practical guidance and promote good practice in regard to processing for direct marketing purposes in compliance with data protection and e-privacy rules.
We would also welcome the opportunity to discuss any of the foregoing at your convenience.
Respectfully Submitted,
Magali (“Maggie”) Feys
Chief Strategist - Ethical Data Use
M. Gary LaFever
CEO & General Counsel
Please email CommentLetters@anonos.com with any questions.
Brussels
Rue Belliard 40 / Belliardstraat 40
B - 1040 Bruxelles / Brussel
Belgium
Colorado
4770 Baseline Road
Boulder, Colorado 80303
USA
[1]: Edwards, Lilian and Veale, Michael, Slave to the Algorithm? Why a 'Right to an Explanation' Is Probably Not the Remedy You Are Looking For (May 23, 2017). 16 Duke Law & Technology Review 18 (2017). https://ssrn.com/abstract=2972855 at 84.
[2]: GDPR Recital 4.
[3]: See https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html?smid=nytcore-ios-share
[4]: See GDPR Recitals 78, 108 and Articles 25 and 47(2)(d).
[5]: See GDPR Recitals 26, 28, 29, 75, 78, 85, 156, and Articles 4(5), 6(4)(e), 25(1), 32(a), 40(2)(d), and 89(1).
[6]: Privacy International; see https://privacyinternational.org/sites/default/files/2018-11/08.11.18 Final Complaint Acxiom %26 Oracle.pdf at 28.
[7]: Johnny Ryan, chief policy officer at Brave; see https://iapp.org/news/a/critics-on-croatias-eprivacy-proposal-legitimate-interest-provisions-not-legitimate
[8]: IAB, see https://www.iab.com/wp-content/uploads/2020/02/IAB_The-Great-Collab_ALM-2020-Keynote-Script.pdf at 8
[9]: Eduardo Ustaran - Hogan Lovells Privacy and Cybersecurity Practice Global Co-Head; see https://iapp.org/news/a/critics-on-croatias-eprivacy-proposal-legitimate-interest-provisions-not-legitimate
[11]: During its first plenary meeting, the European Data Protection Board endorsed the WP29 Guidelines on consent under Regulation 2016/679, WP259 rev.01.
[12]: WP259 rev.01 Article 29 Working Party Guidelines on consent under Regulation 2016/679 at 22
[13]: Moerel & Prins, Privacy for the Homo Digitalis, at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123 at 9.
[14]: World Economic Forum Report: Unlocking the Value of Personal Data: From Collection to Usage, http://www3.weforum.org/docs/WEF_IT_UnlockingValuePersonalData_CollectionUsage_Report_2013.pdf at 11. See also note 13, supra.
[15]: Koops, “The trouble with European Data Protection Law,” International Data Privacy Law, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2505692 at 4. See also Moerel & Prins, Privacy for the Homo Digitalis, at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123.
[16]: See Dutch Minister of Economic Affairs in a letter on Big Data and Profiling. Parliamentary Documents II, 2014/15, 32761, nr. 78, p. 4. See also Moerel & Prins, Privacy for the Homo Digitalis, at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123.
[17]: See https://www.merriam-webster.com/dictionary/Hobson%27s%20choice
[19]: See Article 29 Working Party 06/2014 at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf at 35.
[20]: See Moerel & Prins, Privacy for the Homo Digitalis, at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123 at 36; citing Case C-131/12 Google Spain and Google Inc. May 13, 2014, EU:C:2014:317; Case C-362/14, Schrems, October 6, 2014, EU:C:2015:650; Opinion WP29 06/2014; Kranenborg, H.R. - Verhey, L.F.M. (2011), Wet bescherming persoonsgegevens in Europees, Kluwer; and Hijmans, H. (2016), What the EU does and should do to make Article 16 TFEU work, by means of judicial review, legislation, supervision by independent authorities, cooperation of the authorities and external action, diss. Universiteit van Amsterdam (handelseditie te verschijnen bij Springer Verlag).
[21]: GDPR Article 5(1)(b).
[22]: See Section 9 of the OECD, 1980: “The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.”
[23]: See Article 5(b) of the Council of Europe, 1981.
[24]: GDPR Article 5(1)(c).
[25]: GDPR Article 5(1)(e).
[26]: But see discussion below regarding lawful further processing if the “compatible use” test is satisfied.
[27]: See www.ENISAguidelines.com
[29]: Id.
[30]: See Articles 12(a) and 15 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[31]: Loi no. 78-17 du 6. janvier 1978 relative à l’informatique, aux fichiers et aux libertés.
[32]: See Mendoza & Bygrave, The Right not to be Subject to Automated Decisions based on Profiling at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2964855 at 4.
[33]: German Federal Court of Justice judgment of 28 January 2014, VI ZR 156/13.
[35]: Anonos is a founding member of the 5th Cookie working group (see www.5thCookie.com) which was established to support exploration of using GDPR recommended technical and organisational safeguards – like Data Protection by Design and by Default and Pseudonymisation – to enforce greater accountability and ethics across the AdTech real-time bidding (RTB) ecosystem. See also https://www.pseudonymisation.com/ for additional information on the benefits of GDPR compliant Pseudonymisation.
[37]: Privacy by Design is the approach championed by Ann Cavoukian, Ph.D., former Information and Privacy Commissioner of Ontario, for embedding privacy into the system design process. See https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf.
[38]: Moerel & Prins, Privacy for the Homo Digitalis, at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123 at 82.
[39]: See GDPR Articles 15(1) and (2).
[40]: See www.MosaicEffect.com
[41]: Stateless tokens are tokens that change frequently to replace identifying information.
[42]: The definition of Pseudonymisation as now found in Article 4(5) of the GDPR was created roughly four years ago during the early drafting days of the GDPR. It requires that personal data must not be able to be attributed to a specific data subject without the use of additional information kept separately, and subject to technical and organisational measures.
[43]: See www.MosaicEffect.com
[44]: See https://dataprotectionmagazine.com/?p=975
[45]: See www.MicroSegmentation.com for more information.
[46]: See note 35, supra.
[47]: Newly defined GDPR compliant Pseudonymisation protects against negative effects from data breaches and prevents profiles from being used for decisions to communicate to an individual without the assessments required by Data Protection by Design and by Default as required by the GDPR. The European Union Agency for Cybersecurity (ENISA) has published two reports since the adoption of the new GDPR definition of Pseudonymisation on best practices for compliant pseudonymisation - in November 2018 (at https://www.enisa.europa.eu/publications/recommendations-on-shaping-technology-according-to-gdpr-provisions) and 2019 (https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices). EDPS Opinion 7/2015 on Meeting the Challenges of Big Data further highlights Pseudonymisation as playing “a role in reducing the impact on the rights of individuals, while at the same time allowing organisations to take advantage of secondary uses of data” at https://edps.europa.eu/sites/edp/files/publication/15-11-19_big_data_en.pdf at 15. A comparison of Anonos Pseudonymisation technology to ENISA published guidance on Pseudonymisation is available at https://www.ENISAguidelines.com/.
[48]: Anonos state-of-the-art Pseudonymisation technology enables lawful repurposing of data while preserving 100% accuracy to maximise data utility by expanding opportunities to ethically process, share and combine data in compliance with evolving data privacy regulations. Additional information about Anonos Pseudonymisation technology is available at www.anonos.com.
[49]: Consent-based data collection and processing does not work in all circumstances - e.g., where processing cannot be described with sufficient detail at the time of data collection. For example, privacy notices may lack clarity, processing may be difficult to define, etc. The GDPR provides for an alternative legal basis for processing - which picks up where consent leaves off - to enable lawful processing in these situations if the requirements for Legitimate Interest processing are satisfied.
[50]: The term “last mile” is used in the telecommunications, cable television and Internet industries to refer to the final leg of delivering communications to a retail customer.
[51]: See GDPR Article 4(5).
[52]: See GDPR Article 25.
[53]: See www.ENISAguidelines.com