Thank you for speaking with us, Chiara. I always love to start an interview by knowing how a person first got involved in his or her respective field. So how did you get involved in privacy?
In 2005 I was researching differences in legal reasoning between common law and civil law systems, when I stumbled on two problems raised by digital metadata: its evidential value in court and its quasi-indestructibility.
The first was an eDiscovery issue and had its own, small but growing community of experts. At that point in time, as the legal profession at large did not seem to be aware of the vast implications of digital data as evidence, and academic undergraduate curricula had mostly not yet caught up, I set up a collaboration between the Edinburgh University professional training arm, then known as the Office of Lifelong Learning, and the UK subsidiary of Kroll Legal Technologies, the data recovery and digital document review specialists, to produce a series of seminars for the profession. Despite Academia’s traditional aversion to being seen to be taught by corporate R&D, the eDiscovery (or eDisclosure, as the UK refers to it) conversation had kicked off and slowly metadata found its place in the lawyer’s toolkit.
But the second issue raised by metadata, its ability to outlast attempts at deletion, struck me for the privacy issues it raised: yet it had no corresponding research field. Even today most Data Protection experts I speak to do not hold the view that legal definitions of personal data include metadata.
In 2007 I moved out of academic research and into the professional knowledge market. While working as producer of executive courses for a commercial financial training company, I launched The Data Protection Audit, the first course on the topic in the UK market taught by one of the most respected corporate privacy lawyers in the UK, Lucy Inger. In the following years, charting digital metadata both in a legal context and in the personal space continued to be a personal project.
On the first front, I continue to benefit from the insights of the fellow members of the EDRM research effort, while on the second front, I was part (albeit very briefly) of the conversation within the Mozilla community that eventually resulted in their digital literacy map. 2015 is really the year I felt this private passion needed to be ‘outed’ and started contributing to the privacy debate surrounding the GDPR. Fair to say, my thoughts on privacy follow ten years of metadata thinking.
Interesting background. I have to say, a mixture of jurisprudence and entrepreneurship is really unusual. How does your professional journey help you offer advice on GDPR compliance?
Good question. You are right in pointing out that people get into privacy from a variety of backgrounds. Most are solicitors. Others have years of IT management behind them.
What I am offering to organizations is not legal advice as such: it’s business advice on what questions boards and CEOs should be asking their legal function, and every other function in the business, for that matter.
Formulating a long-term data strategy and privacy posture for the business remains a board responsibility: just like deciding a suitable business and revenue model. CEOs would not delegate those decisions to in-house counsel. Neither should they delegate their data and privacy model.
I trust that clarifies the distinction between legal advice and advice on what legal support is needed.
As a jurisprudence scholar, and policy analyst, part of what I do is research and compare — as far as client-attorney privilege allows — the type of advice that seems to be dispensed to businesses in dealing with GDPR requirements. Some advice can be tactical and short term. Other advice is longer term and much more strategic in that it reads beyond the letter of the law and sees the regulatory horizon and geopolitical direction of events. Ultimately, it is up to CEOs and boards to distinguish the two and adopt the blend that is right for their organization.
As a business person myself, having worked both for start-ups and listed companies, and with a keen eye for profitability drivers, when confronted with a legal text like the GDPR I break down legal statements into questions such as: How can that general principle be tied into KPIs? Which functional and divisional heads need to be involved in this conversation and in what order of priority? How are the product development guys going to weave that right into the user experience? What is a company to do with legacy data sets where nobody ever thought of tagging personally identifiable data and keeping it separate from other data?
Each company has to find the answers that are right for them, of course.
In short, a mixed professional background allows me to evaluate legal choices with a business mind and business choices with a legal one: being aware of both legal and business priorities makes it possible for me to translate one into the other and vice-versa.
What are the challenges organizations face now that the EU legislators have agreed on the new General Data Protection Regulation (GDPR)?
The final text of the GDPR was only agreed in December 2015 and is being translated into the different languages of the EU member states as we speak. It technically will only become official EU legislation after its publication, expected before the end of Q1 2016. After that, organizations have only two years to comply.
The first challenge is the complexity of data flows.
Data flows within the business and between each business and its network of suppliers, managed services providers, channel partners and clients are truly global. Outsourcing and adoption of SaaS and PaaS models have moved costs off businesses’ balance sheets but have also hidden corporate data stewardship out of sight. Quite simply: regaining visibility of data flows for which companies are responsible, i.e. for which they are “data controllers”, is the first significant hurdle.
The second challenge is time.
How many large-scale change programmes successfully completed in less than 24 months come to mind? If organisations have already adopted privacy by design principles, they have a head start. If not, time is dangerously short.
One timing issue is intrinsic to the way the GDPR is designed to operate in practice. In fact, the task of clarification, interpretation and implementation guidance, including crucial notions of what exactly amounts to personal data, has been devolved to a new body: the European Data Protection Board, comprised of the Data Protection Authorities of the member states.
At the time of writing, this new EU institution is not yet operational: no Europe-wide co-ordinated advice is being offered yet to businesses wanting to implement the GDPR ahead of time. Each of the 28 Member States’ Data Protection Authorities is exercising its prerogative to investigate, on a case-by-case basis, compliance with the current set of Data Protection rules.
The legal profession’s characteristic deference to the higher judicial authority may lead some to wait before dispensing legal advice on GDPR implementation: no in-house counsel or private practice solicitor wants to be in a position where their expensive advice, leading to costly redesign of the data architecture, is subsequently contradicted by the binding opinions of the EDPB. Thus, the inclination is to refrain from discussing GDPR data architecture until further EDPB guidance and focus on the present. Paradoxically, however, waiting for absolute certainty may leave businesses short of time.
The third challenge is interdependency.
After the GDPR has tied data controllers and data processors together with liability for each other’s non-compliance and has placed a clear obligation to notify individuals and authorities of personal data breaches, the idea that a business can ever do data privacy “solo” has been shown to be flawed.
A while back it would be common to hear privacy being “sold” by activists and policy makers to the corporate world as a competitive advantage and a market differentiator. Because of the joint and several liability mechanism established by the GDPR, privacy has been turned into a systemic issue: you are only as strong as your weakest link. Just like health and safety and cyber security, it makes no business sense to keep data protection protocols within the corporate perimeter and not share them with all the players in a specific vertical.
If a business is looking at privacy as a competitive advantage, it won’t be going far.
Do you have best practices to share?
The short answer is no: it is too early to see implementation of this specific regulation.
Interestingly, however, rather than examples of GDPR compliance, I have come across a few telling cases of opportunistic GDPR non-compliance, worth sharing as examples of a legal loophole being exploited to the full. These concern data collection that is, strictly speaking, legal now, but a most clamorous breach of the ratio legis of the GDPR. Presumably this is conduct believed to bring commercial returns in the future.
One of my favourites, witnessed in person around the pre-Christmas days in which the GDPR was being agreed: online shopping delivery for next-door neighbours.
A man in a delivery van was asking me to accept a package on behalf of a neighbour, as no one next door was in. He promptly reassured me of the hassle-free signed-for equivalent: could I just touch a portable fingerprint reader as proof of delivery?
Let me give a legal re-description of that event.
If the online retailer imposed the “if-no-one-at-home-deliver-to-neighbour-and-get-their-fingerprints” confirmation procedure on their subcontractor, the retailer is the data controller, our delivery van man is the data processor and, in light of the GDPR, both would be jointly and separately liable for non-compliance.
If the online retailer did not impose the procedure on the subcontractor, was unaware of it, and the delivery van man took the initiative to do so, our delivery van man is both a data controller and a data processor, and GDPR non-compliant. But where does that leave our online retailer?
Even if the online retailer is in no way associated with the data processing, i.e. does not store such biometric data on its own servers, does not directly retrieve or consult the data, to the extent that the retailer accepts a next-door neighbour’s fingerprint as proof of delivery to its customers, in GDPR terms, that retailer is accepting a GDPR non-compliant contractor as part of its supply chain and therefore would still bear responsibility for GDPR non-compliance.
Thank you for the illustration. That certainly puts things into perspective!
If there is one message you want to give businesses, what would it be?
Privacy is hard. The conflict between our expectations of privacy as a basic human right and our expectation of progress via machine learning and predictive analytics is still unresolved.
Law makers round the world have started to mandate a core set of principles, and established research programmes and ethical councils. But the technology solutions to this dilemma are for entrepreneurs to find, working in collaborative mode.
I’ve really enjoyed this in-depth interview. Thank you Chiara!
Chiara Rustici is a London-based independent EU privacy analyst.
Formerly a tutor in Jurisprudence and in International Law at the University of Edinburgh, teaching fellow in Philosophy of Law at the University of Genoa, CNR (Italian National Research Centre) research fellow for 2000-2001, recipient of multiple postgraduate research grants, she is a published author of legal reasoning articles and the Italian translator of Frederick Schauer’s Playing by the Rules.
In 2007 she moved from Academia to The City, where she led several businesses from start-up to profitable growth. In the employ of Euromoney Institutional Investor Plc. and Steel Business Briefing Ltd. she gained invaluable insights into the way commodities and markets work. As both a policy buff and a keen entrepreneur, she is passionate about translating current and forthcoming regulation into concrete and workable business objectives, as well as feeding back into policy-makers the strengths and limitations of market drivers. She can be reached via her LinkedIn profile.