Enforcement of the General Data Protection Regulation (GDPR) began on May 25. The GDPR is a set of European Union data protection and privacy regulations that apply to American e-commerce with European customers, and that designate European individuals as legal owners of their personal data. GDPR requires specific procedures for processing the personally identifiable information of individuals inside the European Union, and applies to all enterprises, regardless of location, that are doing business with Europeans. Consequently, GDPR compliance best practices have necessitated technological changes by American internet goods and services providers.
The GDPR is a regulation, not a European Union directive. Thus, it does not require national governments to pass any enabling legislation to be enforceable. The legal changes require those internet companies that participate in the European Economic Area to store personal data using pseudo-names or making all data anonymous.
The use of the highest-possible privacy settings by default is prescribed by GDPR. Said default setting would result in personal data not being available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. Personal data may only be processed in accord with a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in informed consent from the data subject.
The GDPR makes the subject of the personal data the owner of the personal data. The personal data owner has the right to revoke this permission at any time. Personal information or personally identifiable information is any information that may be identified with an individual person, whether or not formally defined as such by any applicable statute, regulation or other legal requirement.
In addition to clarifying what data is considered personal, who is responsible for protecting personal data, what protection standards are necessary for personal data, a processor of personal data—such as an internet goods or services providers—must clearly disclose any data collection, declare the lawful basis and purpose for data processing, how long data is being retained, and if it is being shared with any third parties or outside of the EU. Internet goods or services providers must upon request give personal data owners a copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Internet goods or services providers must also report any data breaches within 72 hours if they have an adverse effect on user privacy.
In addition to introducing new data protection obligations for businesses, GDPR provides increased data protection rights for data subjects as well as significantly increasing fines for non-compliance. Thus, technological strategies should be considered to comply with the GDPR. These technological strategies are necessary due to the fundamental changes in the way organizations need to manage their people, policies and processes to properly manage privacy and data protection.
To efficiently comply with the GDPR a three-step technological process should be considered. Specifically, a firm’s incoming internet data stream must be modified to allow the identification, separation and processing of information from European sources. Particularly, a tagging system should be installed in a firm’s incoming Internet data stream capable of identifying domain names that are associated with the EU.
More particularly, the net nanny should be programmed to specifically identify the proximally 350 individual domain name extensions that are associated with the EU region (such as .eu.com for the EU region, .de for Germany, and .fr for France). The complete list of EU domain related names may be found at https://www.101domain.com/european_domain.htm (last visited June 16, 2018).
One low-cost option is to employ an internet filter software, such as net nanny software. Net nanny programs provide content-control software capable of monitoring computer activity. The software allows a computer user to tag specially identified content. Some net nanny software systems allow the user to block and filter internet content, place time limits on use, and block specific transactions, in addition to tagging incoming content. Many internet filter software programs, such as net nanny software, exist—some with a cost of 50 cents per server, per month.
Next, a governor system must be installed, capable of diverting tagged content from a firm’s incoming internet data stream into a side stream. This side stream is commonly known as the GDPR cul-de-sac, or simply the “cul-de-sac” for GDPR compliance purposes.
The governor system will transfer content tagged by the aforementioned filter system into a database. For conceptual purposes, the governor system diverts tagged content from a firm’s incoming internet data stream into a cul-de-sac or holding area.
Finally, an exception processing system takes the content from the cul-de-sac (the database containing the tagged and then diverted internet content which arrived in the firm’s incoming internet data stream), processes the data, and returns it to the firm’s incoming internet data stream.
The process can range from simple to complex. The simple option is to remove content that allows the internet communication to be associated with a specific individual. This process can be implemented by identifying and removing content that is identical to information in a database of common names and addresses. A word-for-word comparison of the content of each cul-de-sac communication with a database of common names and addresses is made. In the event of a match, the matched content is deleted. Once each word of the cul-de-sac data has been processed, the processed internet communication is returned to the firm’s incoming internet data stream. Arguably, the cul-de-sac option would make all data anonymous and result in GDPR compliance without disrupting a firm’s non-European operations.
A more complex option could include adding additional databases to the common names and addresses noted above. Such additional databases might contain information sufficient to identify a specific individual due to an individual’s association with a particular email. In short, adding a user address database to the common names and addresses noted above, and using these databases as the common names and addresses noted above was used. This type of database might, for example, identify Jonathan Bick as the user associated with firstname.lastname@example.org and email@example.com.
The most complex systems employ artificial intelligence to identify GDPR-relevant data and assess risk, as well as take action such as deleting or replacing elements of content. These commercially available programs, such as IBM’s Guardium Analyzer scan cul-de-sac data, tag potential risks associated with such data, and apply a risk scoring to the classification and scanning results to identify and prioritize the databases that may be most likely to fail a GDPR-oriented audit. This information may be integrated into a system that allows the user to modify or delete data, as well as store personal data using pseudo-names or making all data anonymous, prior to returning it to the firm’s incoming internet data stream.
GDPR compliance will derive from the capabilities of existing and new technologies and, systems as well as legislative, administrative and legal actions associated with data owner’s property rights. When such rights attach, the data’s lifecycle, classifications, and controls and constraints can be automatically applied and enforced. In short, GDPR compliance is likely to be a moving target, and complete compliance may not be commercially possible.
Thus, substantial compliance should be an acceptable alternative to GDPR compliance. It is likely that substantial compliance can be established when internet data processors’ conduct, although not literally complying with the GDPR rules, is nevertheless in accord with the reasons for the rule.
Jonathan Bick is of counsel at Brach Eichler in Roseland. He is also an adjunct professor at Pace and Rutgers law schools, and the author of 101 Things You Need to Know About Internet Law (Random House 2000).