Estuardo Ustaran Talk
Posted by Crownpeak October 12, 2018

The Future of Digital Privacy and Its Potentially Grave Impact

A couple of weeks ago, leading UK-based privacy and internet lawyer, Estuardo Ustaran, presented his perspective on the future of digital privacy to a group of Crownpeak customers at our annual Empower event in New York City. His talk was so well-received and thought-provoking, we wanted to share it with a broader audience.

As a partner at the renowned global law firm Hogan Lovells, Ustaran has been practicing law for over two decades, so his view that the current level of anxiety around data privacy is unprecedented is worthy of our attention.

To put the future of data and privacy in context, Ustaran started his talk by sharing a slide with a photograph of a dark gray, ominous sky ready to unleash heavy rain on a plot of beautifully cared for, ready-to-harvest crops.

Risk Of Non Compliance
A slide from Ustaran’s presentation that illustrates the weighty risk of non-compliance

He referred to the crops as the data that companies are currently tapping into, and he likened the storm clouds to the impending enforcement of laws like the GDPR, the ePrivacy Directive, and others. His point was that this risk doesn’t exist in isolation: it is a risk to something we are desperately trying to protect (our ability to mine and leverage data), so we need to look at how we realize the true value of data in a responsible and sustainable way that also protects it.

When you look at privacy laws, particularly how they are developing in Europe, Ustaran noted that their complexity reminds him of the magnificent gothic Sagrada Familia in Barcelona.

Sagrada Familia Barcelona
Sagrada Familia, Barcelona

Composed of a vast combination of styles and materials, the famous temple has a lot in common with European and global privacy laws, which combine general principles with very prescriptive rules and rights for individuals. Like the temple, each component of the law has its own intricacies.

In Ustaran’s opinion, one of the most difficult aspects of European data privacy law is that it works in two different dimensions. On one level, the GDPR establishes a general framework for when and how personal information, digital or not, is collected and used.

The most challenging part is that because it’s a principle, it doesn’t tell you what to do. Instead, it says that to collect personal data, you need to find a lawful ground that allows you to do so. This requirement is at the core of the GDPR. And like those pillars of the Sagrada Familia, this justification for gathering and using data supports the entire structure.

However, as Ustaran points out, given the massive amount of data available, it’s unrealistic that companies could ask for permission every time they want to use someone’s data. So the law provides the concept of legitimate interest, a lawful ground that allows you to collect and use data without consent when you have a genuine reason to do so that is not overridden by the interests and rights of the individual (still subject to certain conditions, including that balancing test).

Most data collection activities are justifiable under this, but (and this is a big one) the law requires that you are transparent about what you’re collecting, that you only collect the data you truly need, and that people have control over their own data.

Like the cathedral, there are many different bits and pieces, one of which is the second dimension Ustaran mentioned: the ePrivacy Directive. Dating back to 2002, and updated in 2009, the ePrivacy Directive governs uses of data that relate to behavioral targeting, profiling and tracking individuals in the digital world.

ePrivacy law affecting behavioral targeting
Ustaran’s slide highlighting an excerpt from the ePrivacy Directive

Even if a company is relying on legitimate interest under the GDPR, the ePrivacy Directive still requires notice and consent in two situations:

  1. When you are storing something on someone’s device (like a cookie)
  2. When someone is using a device and you are accessing data already stored on their device

There are two exceptions to this rule:

  1. If you need the data on their device to carry out a transmission of communication over an electronic communications network (which protects telecommunication companies).
  2. If it is strictly necessary to provide a service that someone is requesting. For example, if someone makes a purchase online, then any tracking required to process the transaction can be subject to this exemption.

Other than that, most use cases are subject to the notice and consent requirement, which has been the case under the ePrivacy Directive for nearly ten years. The question is, how does the GDPR affect this?

As Ustaran explains it, the GDPR introduces a reinforced concept of consent. The regulation is trying to ensure we don’t abuse consent, because in the past it has been commonly abused: companies have simply assumed it.

GDPR and European ePrivacy law
Ustaran’s slide simplifying how the GDPR and ePrivacy Directive work together side-by-side

The GDPR defines what’s considered valid consent (often referred to by marketers as “opt-in”). It says consent must involve some type of action, that it can’t be assumed, and that it must be as easy to withdraw as it is to give. People have the right to say, “I’ve changed my mind. I gave you my consent, but now I don’t.”

It also must be given freely, and not under pressure. Ustaran reminds us of the occasions where we’ve browsed a website, found a gated piece of content that we wanted to read, and given our consent in order to get it. Under the GDPR, that consent is not freely given, because we were forced to hand over consent (and our data) in exchange for access.

So, in practice, what does it look like? What are the elements of valid consent?

Ustaran explains that notice (the explanation of why you want consent) must be meaningful. He jokingly but very earnestly refers to the number of websites that say “this site uses cookies to enhance your experience.” He poses the question “Is that meaningful? Maybe to the person who wrote it, but what about the person reading it?” He suggests that what companies need to explain is how the experience will be enhanced. So, for example, “We use cookies to make our website work better for you, by analyzing how you use it so that we can provide content that is relevant to you.”

Valid consent under ePrivacy law
Ustaran’s slide on what constitutes valid consent

Besides meaningful language, consent involves positive acceptance. Someone must do something actively to indicate they are giving their consent. Browsing a website or using an app does not constitute consent.

Additionally, and this is where many companies are failing, the sequence of events must be correct. Until the visitor has given consent, non-essential cookies (anything outside the strictly necessary exemption above) cannot be dropped. And finally, there must be a mechanism for people to change their election that is easy to find.
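To make the sequencing requirement concrete, here is an added example of a consent gate that enforces it; this is not code from Ustaran’s talk or from any Crownpeak product. It also covers the “strictly necessary” exemption from the ePrivacy list above: those cookies may be written immediately, everything else is queued until a positive act of consent, and withdrawal removes the category’s cookies in one call. The cookie jar is an in-memory Map standing in for `document.cookie` so the file runs under Node, the category names are assumptions rather than any standard taxonomy, and the sample cookies are constructed for the demo.

```javascript
// Added example, not part of the original post or any vendor product.
// The jar is an in-memory Map standing in for document.cookie so this
// runs under Node; the category names below are assumptions.
const CATEGORY = Object.freeze({
  STRICTLY_NECESSARY: "strictly_necessary", // ePrivacy exemption, e.g. a checkout session cookie
  ANALYTICS: "analytics",                   // behavioral tracking: consent required
  ADVERTISING: "advertising",               // profiling / targeting: consent required
});

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;            // cookie name -> { value, category }
    this.granted = new Set();  // categories the visitor has positively accepted
    this.deferred = [];        // non-essential writes queued until consent
  }

  // A write to this category is allowed only if it is strictly necessary
  // or the visitor has opted in. Page views never count as consent.
  allowed(category) {
    return category === CATEGORY.STRICTLY_NECESSARY || this.granted.has(category);
  }

  // Single choke point for every cookie write. Non-essential cookies are
  // queued rather than dropped before consent, so nothing is lost once the
  // visitor does opt in. Returns true if the cookie was written now.
  setCookie(name, value, category) {
    if (this.allowed(category)) {
      this.jar.set(name, { value, category });
      return true;
    }
    this.deferred.push({ name, value, category });
    return false;
  }

  // Called only from a positive act (e.g. clicking "Accept analytics").
  // Flushes any queued writes whose category is now permitted.
  grant(categories) {
    for (const c of categories) this.granted.add(c);
    const stillDeferred = [];
    for (const w of this.deferred) {
      if (this.allowed(w.category)) this.jar.set(w.name, { value: w.value, category: w.category });
      else stillDeferred.push(w);
    }
    this.deferred = stillDeferred;
  }

  // Withdrawal must be as easy as granting: one call removes the category's
  // cookies and blocks future writes to it.
  withdraw(category) {
    this.granted.delete(category);
    for (const [name, cookie] of [...this.jar]) {
      if (cookie.category === category) this.jar.delete(name);
    }
  }

  cookieNames() {
    return [...this.jar.keys()].sort();
  }
}

// Walks through the sequence with constructed sample cookies and returns
// the jar contents at each stage.
function demo() {
  const gate = new ConsentGate();
  // Page load: a tag manager tries to drop three cookies before any consent.
  gate.setCookie("sessionid", "abc123", CATEGORY.STRICTLY_NECESSARY);
  gate.setCookie("_ga", "GA1.2.1", CATEGORY.ANALYTICS);
  gate.setCookie("ad_id", "xyz", CATEGORY.ADVERTISING);
  const beforeConsent = gate.cookieNames();      // only the session cookie
  gate.grant([CATEGORY.ANALYTICS]);              // visitor ticks analytics only
  const afterAnalytics = gate.cookieNames();     // session + analytics, no ads
  gate.withdraw(CATEGORY.ANALYTICS);             // visitor changes their mind
  const afterWithdraw = gate.cookieNames();      // back to the session cookie
  return { beforeConsent, afterAnalytics, afterWithdraw };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Routing every cookie write through one gate like this is the design choice that makes the sequence auditable: third-party tags get a `setCookie` wrapper instead of raw access, so a missed consent check shows up as a queued write rather than a silently dropped tracker.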

At this point, Ustaran asks what everyone is already thinking – is anyone even paying attention to whether companies are complying with these requirements? His answer is, “there has been a history of tolerance and regulators have been very easy-going in Europe but things are changing. We haven’t seen a massive multi-million dollar fine but my clients are being asked questions.” He continues, “There is anxiety by policy makers that this has been abused for so long, that something needs to happen.” His message was clear: just because it hasn’t been enforced in the past, does not mean it won’t be enforced in the future.

Adding further nuance and potential confusion, in January 2017 the European Commission (the body that proposes new laws) proposed a new regulation to replace the ePrivacy Directive. Given the way laws are made in Europe, this is only the first step, which means we’re probably a year or so away from seeing a final version of the law. In the meantime, what we need to know is that right now, the GDPR and ePrivacy Directive work alongside each other.

Given that Europe, the US (specifically California), and other parts of the world (like Brazil and India) are considering or implementing their own privacy laws, Ustaran strongly suggests that there may eventually be a global framework. This could lead to broader, more far-reaching implications, according to Ustaran, including a rethinking of the way the internet operates.

To make his case, he reminded us that content and many of the services we use today are largely free in the sense that we don’t have to pay for them. We use social media, email, and messaging apps without any cost. However, he argues that they aren’t truly free because they are being offered by the most highly valued companies on the planet. That’s because their business models rely on data, advertising, and the ability to exploit our information.

This leads us to Ustaran’s million-dollar questions about the future of digital privacy: What happens if the regulators change this model? Will the internet be reinvented? Will we be forced to pay to search Google or use Facebook?

Careful not to put a Debbie Downer damper on the day, Ustaran concludes by encouraging everyone to consider how we can continue to operate in a very prosperous digital age where we can still use the data we’ve learned to love, while providing individuals with control over their online privacy.