Insights on GDPR compliance from Salvador Rodriguez, a Reuters reporter operating on the front lines of the technology sector.
As a technology correspondent with Reuters' San Francisco bureau, Salvador Rodriguez covers enterprise software and cloud-computing markets with a special emphasis on some of the biggest names in the technology industry. These days, his reporting frequently brings him into close contact with the movers and shakers driving – and being impacted by – the European Union’s General Data Protection Regulation (GDPR) program.
We sat down with Rodriguez to discuss what he is hearing among market participants about this landmark piece of regulation and what it means for companies in Europe and abroad.
ANSWERS: In your role as a technology correspondent for Reuters, you’re keeping a close eye on the tech industry and the companies operating in that space. In your reporting on data privacy and the GDPR, what are corporations and financial institutions telling you about its potential and likely impacts? What are you hearing?
SALVADOR RODRIGUEZ: The way that we’ve been describing it in our stories is that this is essentially the biggest shake-up to data privacy regulations pretty much since 1995, which is really when the internet was first starting to reach consumers. In many ways, this is the biggest shake-up in the history of the internet when it comes to data privacy. Even though this is a European regulation, this is really something that is being watched by companies around the globe, whether they are multinational companies or just startups in San Francisco that have ambitions of someday making it to Europe. This is a pretty big deal.
ANSWERS: In your reporting have you been talking with regulators? What’s their take on the GDPR?
RODRIGUEZ: Recently, I’ve had the chance to speak with the Irish Data Protection Commissioner. She is going to be one of the folks enforcing GDPR when it comes to several major American tech companies. She’s focusing on educating companies on what exactly they’re expected to do and clarifying the more ambiguous portions of GDPR regulation.
With the regulation taking effect on May 25, the way it’s described to me is that any incidents that occur before that date will be governed under the current regulations. We won’t start to see the fallout of GDPR until after that date and as cases and complaints come about.
ANSWERS: How aggressive do you think regulators are going to be at the outset? Do you think that we’ll see a grace period where companies will really get an opportunity to be educated on GDPR and what it means for them? Or will regulators take the position that companies have had plenty of fair warning, and if they don’t have their act together the regulators will come after them?
RODRIGUEZ: The sense around the industry in speaking with regulators and data privacy lawyers both in Europe and in the U.S. is that there may be a little bit of a grace period for companies to really get acclimated, especially the companies that are more data heavy and have to do a lot more indexing. Or, maybe they are a startup and have a lot of data and they haven’t really had the chance to just get all their ducks in a row. As incidents start to unfold, however, I don’t think the EU will hesitate to step in.
Regulators are not likely going to fine everybody 4% whenever anything goes wrong. I think that they’re going to take various factors into consideration as they dole out penalties. For example, let’s say you had a security breach. If you had pretty healthy security practices in place, detected the breach and then informed the authorities quickly and were very cooperative as they investigated, those are all things that are going to be considered by the regulators. It will be reflected in whatever fine you ultimately receive.
ANSWERS: Where are the blind spots for regulatory actions such as GDPR?
RODRIGUEZ: There are parts of the regulation that tell you what you may do or what you could do, but they don’t really specify how exactly you should go about doing those things. From my current reporting, two of the biggest glaring holes concern automation and legitimate interest.
Regarding automation, I think it more commonly would be referred to as artificial intelligence (AI). Essentially, it says that if a company uses AI to make an important decision on someone’s life, then the company may have to provide an explanation for how that decision came about. I think there’s some ambiguity as to when exactly that will apply. For instance, would that apply to the content that a person is seeing on his or her Facebook newsfeed? Probably not, but it’s not said in blatant words in the regulation. There will be a line that needs to be determined as to what kind of situation it applies to.
The other hole that perhaps draws the most concern and confusion is the idea presented in the regulation called legitimate interest. Essentially, there are many ways to collect data that are covered in the regulation and the one that we think most companies will rely on is by getting user consent. This is telling a user, “For this service, we need to use this, this, and this. Are you okay with that? Yes or No?”
The way to get around user consent is using legitimate interest. The way it’s spelled out is that you had to collect that data because, in order to carry out whatever service the user requested, you needed that data. For example, let’s say you’re ordering pizza and you give your information to the pizza delivery company. You tell them, “This is my name and my address.” You never explicitly say that you give consent for your address to be used to deliver the pizza to you. That’s a situation where the pizza company will likely be able to say that it was in your legitimate interest that they use your personal data (your address) to deliver your pizza. That’s the simple version; it’s going to be interesting to see how other kinds of companies try and use legitimate interest to justify their data collection practices.
ANSWERS: Do you think some companies (say, some social media companies) will tell customers that, in order to enjoy their service for free, they’re going to collect your personal data and that’s part and parcel of consenting to use their service?
RODRIGUEZ: I think we’ll actually end up seeing varying approaches, even in the same market. In social media, you might end up getting some companies that decide to provide services for you using your data without ever asking you for your consent. They may justify it by saying it was a case of legitimate interest. We’ll probably see other companies that take more risk-averse approaches and just ask you for your consent at all times.
The concern there is that, if you’re asking for consent at all times, your user might end up seeing tons and tons of permission screens. It’s unknown at this point whether that’s going to hurt the user adoption of services. Will a user get annoyed at having to press Approve or Okay every single time he or she wants to do something? Those are the ambiguities with the regulation.
ANSWERS: Do you anticipate a possible change in the types of consumer information being collected by companies and financial institutions as a way to sidestep privacy concerns and penalties?
RODRIGUEZ: I don’t know about the types of data, but there’s certainly a good chance that we’ll see some companies rely on less personal data. For example, some folks I’ve spoken with have told me that they can imagine scenarios where more online advertising budgets shift back to search advertising. Companies like Google would stand to benefit, the reason being that, when someone is searching for something, they’re giving you an indication of what their intent is.
You can target a pretty precise ad without having to know who the person is, what’s their gender, what’s their race, what’s their location. They’re basically telling you everything in their search query and that’s not personal data. At that point, that’s not covered by GDPR. In general, we could see trends like that start to emerge, with companies going away from trying to know exactly who you are and in some ways reverting back to older styles of advertising with presumptions of the buying interests of their audience. Essentially, we could see a trend in companies choosing to rely less on personal data, not just advertising but with all kinds of behavior.
ANSWERS: Do you anticipate that the United States or other geographies will follow suit with their own versions of GDPR?
RODRIGUEZ: Yes, I think that this is a standard that, from what I’m hearing, is pretty good. People think this is a pretty good starting point. I think there’ll probably be a wait-and-see period just to see how it actually works in practice. If it works the way regulators and industry watchers anticipate it will, then there will likely be other geographies that follow suit with their own kinds of data protection regulations. This will likely start to occur in places like Asia and elsewhere. It’s generally accepted or anticipated that the U.S. will be bringing up the rear on these kinds of regulations, given the political atmosphere in the U.S. at the moment and because GDPR is so far reaching.
In general, many consumer-facing companies that I’ve spoken with will be giving their American customers the same kinds of rights that they’ll give to Europeans, such as the right to be forgotten, the right to transfer your data, those kinds of things. The reason for that is you face a brand issue if an American becomes aware of these extra features that a European has access to that the American does not. At that point, you risk an American perceiving that you are treating him or her as a second-class user compared to your European customers.