Musings about the GDPR

May 25th, 2018. The day the earth stood still. Businesses scrambled and activated their countermeasures. The GDPR had arrived. Bracing for impact…

Disclaimer. I work for EURid vzw/asbl, the domain registry who manages technically, administratively and commercially the .eu and .ею top level domains. I’m the Security Manager and as such I have been involved in GDPR related themes and followed a DPO (Data Protection Officer) course in early 2016. Everything published in these blog posts is my personal opinion and does not reflect nor represent EURid’s position on the matter.

Look, I even have a Certificate of Attendance

So no, I’m not a certified DPO. As a matter of fact, certified DPOs don’t exist. There is no certification of Data Protection Officers at the moment. Ever wondered who would certify them in the first place? Or what the criteria for certification and the certifying bodies would be? One would think the European Commission or more specifically the EDPS would have come up with this, wouldn’t you?

When May 25th arrived, our industry, the domain name business with its registries and registrars, reacted in the strangest of ways. As everyone was looking and waiting for ICANN to help interpreting and offering guidelines on this new legislation, the clock ticked on and by May 25th all ICANN came up with, was a plea towards the European Commission for an additional grace period of a year. Needless to say, many were not amused.

As a result the domain name business has taken uncoordinated initiatives resulting in chaos, broken systems & processes and, in my opinion, even breaches of the GDPR. Why did we all get so worked up, you might wonder? Because of something called WHOIS, a public database which tells who is the owner of a domain name. Differently said, the thing contains personal data. More on this later; let’s first try to understand the spirit of General Data Protection Regulation.

What follows is my personal interpretation of the GDPR using ONLY the law and recommendations and references as published by the European Commission or the European Data Protection Service. Remember, I’m not a lawyer, I’m an engineer

  • who has implemented ISO/IEC 27001 and ISO 22301,
  • who is process driven,
  • who has a holistic approach,
  • who looks at the GDPR as a tool, an opportunity and not as an hinderance,
  • who tries to understand the spirit of the law
  • and who has been disappointed by the zero risk approach of many companies with regard to the GDPR.

Alright, let’s start…

The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data. Differently said, organizations cannot just do whatever they please with our personal data.

Already this poses a bit of an interpretation issue as for most people and lots of organizations personal data and privacy seems to be synonymous. It’s not. According to Merriam-Webster privacy means:

  • the quality or state of being apart from company or observation
  • freedom from unauthorized intrusion: one’s right to privacy

Protecting personal data is what the GDPR is about and it boils down to 8 distinct rights:

  1. Right to information
  2. Right of access
  3. Right of rectification
  4. Right of restriction
  5. Right of objection
  6. Right of data portability
  7. Restrictions on automated decision making
  8. Right of erasure

It doesn’t say Right of being apart from company or observation. The word privacy only pops up in a footnote in the GDPR to refer to an older Directive 2002/58/EC on privacy and electronic communication (preamble 176).

It should also be noted that the GDPR is not an absolute law (preamble 4): The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

When organizations work within these boundaries they ought to be GDPR compliant and can process personal data.

Data processing: collection, storage, usage, retention, transfer, destruction

Organizations will therefore still be able to process personal data as long as:

  • it is limited in purpose,
  • lawful,
  • fair
  • and transparant.

Differently said, if there is a legitimate reason to collect personal data over a period of time and the data subject is correctly informed and the data is protected with adequate means against unbridled access then an organization should be GDRP compliant.

Or, tell people why you collect personal data, what you do with it, how long you store it and make sure it is not excessive. If you believe this is your business case, document it and communicate it - and most importantly stick to it. There will always be people who will challenge and claim that the data collection is way too excessive and disproportional. They might even demand that you refer from doing certain things (Right of Objection) or demand that you immediately destroy their personal data (Right of Erasure). Does this mean one should comply? I don’t think so, as mentioned before the law is not an absolute law. And if one has legitimate reasons to store that data, there shouldn’t be an issue.

But since the GDPR is still very young and little or no cases exists, we will need to wait how courts will interpret specific cases. With a law that has multiple dimensions, including a very technical component, this will be quite the challenge.

It’s this legal void that causes the rather panicky reactions of many organizations like

  • US news sites that blocked access in Europe.
  • extensive cookie control options that are not only in your face, but also completely gibberish to most end users and break some functionality when switched off.
  • anonymization of data without consent of the data subject (me and you), something that happened and happens in the domain name industry.

Could this reaction be the result of a zero risk approach out of fear of the so-called monster fines? Wouldn’t it be extremely cynical that this approach leads to a breach of the GDPR by itself? And doesn’t it break the spirit of the GDPR in the end, a spirit of transparency and proportionality?