Is GDPR fit for the digital era?

null

Like thousands of other organisations, HERE Technologies is busy preparing for GDPR. For us, as a digital location technology company, it is an incredibly important piece of legislation. By replacing what was a patchwork of privacy laws in place across all EU member states, the logic behind having one single piece of regulation is clear.   

Nevertheless, GDPR does fall short in some areas. Fundamentally, as a piece of regulation that has been designed to serve the smartphone and social networking age, we believe it presents challenges for the new, emerging digital era – a world of autonomous transportation and logistics where machine-to-machine communications, time-sensitive exchanges of data and constant information flows will become more pervasive. 

One key area that poses a challenge within GDPR is the consent scheme. We believe that the consent scheme provided by GDPR, which requires informed consent related to specific processing operations, is too static and cumbersome for the dynamic and multi-actor environment of machine-to-machine, vehicle-to-vehicle and vehicle-to-infrastructure scenarios. As such, it threatens to be an obstacle to realising the overwhelmingly positive impact of these and other technologies on society. We strongly believe that consent applied in this way is not the best means when it comes to protecting individual privacy. Even though the law requires an “informed” consent, the reality is that consent is typically “uninformed”. Let’s be honest, who seriously looks at the fine print before ticking a box?   

Let us then apply this approach to the future. Imagine a scenario in which someone on a business trip arrives at Heathrow airport, enters an autonomous car, and heads into the centre of London to run some errands, followed by a lunch meeting with a colleague. During her time in the car she listened to music, browsed for clothing, and made a phone call. In this scenario, a huge number of vehicles and machines would have communicated with her vehicle for a wide variety of reasons.   

Infrastructure beacons collected information about her car to monitor traffic data and to levy the correct toll charge for non-residents. The car’s routing service is connected to her digital task list in the cloud, allowing it to plan the most efficient route for the car to run all her errands and ensure she makes her lunch appointment on time. The car also notified the restaurant a few minutes ahead of her arrival. Meanwhile, parking garages in the surrounding area identified the vehicle and charged her accounts appropriately, and other vehicles traded data with hers, sharing information about road hazards and recent hyperlocal map updates like street conditions.   

Based on informed consent as set out in GDPR, it is difficult to envisage this scenario playing out in a seamless fashion, where her music listening, online shopping and phone call proceed uninterrupted. Many of the technologies and services described would require permission to access the different levels of personal data. Some may have been connecting to her car for the first time. The vehicle would have been transmitting data to and receiving data from multiple actors unknown to our passenger, be it other cars, roadside infrastructure or service providers, in split-seconds. All this makes it practically impossible for individuals to grant consent, on a truly informed basis, each time before the data is processed.     

This brings us to the ePrivacy Regulation, currently in drafting and which is expected to be brought into law a year or two after GDPR. In a way, the ePrivacy Regulation can be seen to be making up ground where GDPR falls short. We hope that it will adopt the hallmarks of good regulation – that is, regulation which is clear and consistent enough to serve industry, while at the same time flexible enough to accommodate new emerging digital services. In a world where new technologies are being rapidly developed, the regulation must be technology-neutral.   

Unfortunately, at present in its draft form, the ePrivacy Regulation does not appear to bear these hallmarks. We believe that the proposed ePrivacy Regulation does not adequately address the protection of personal data in the context of machine-to-machine communication in the Internet of Things, neither in the context of connected and autonomous vehicles nor Cooperative Intelligent Transport Systems (C-ITS).   

It is essential that the ePrivacy Regulation includes other legal bases – in addition to consent – that are more suitable in the context of connected and autonomous vehicles, such as “legitimate interests” or “performance of a contract”. Instead, the current draft relies heavily on consent. Consent is king, but consent here remains problematic.     

We believe that the better approach – one enabling people to enjoy seamless, uninterrupted services – would be through the use of user-friendly settings or other relevant management interfaces, even automated ones, to grant consent or manage related preferences. Instead of having to give consent every time a connected vehicle wants to interact with other vehicles, service providers or pieces of infrastructure in the surrounding area, users should be able to configure their device settings to either accept such an interaction or not. Another option is that they grant this right only to selected parties, be it truly trusted partners or third-party providers simply offering an indispensable service.  

If we return to our earlier example, in an ideal world our protagonist would have been able to maintain complete control over what personal data is shared, at a granular level, with each requesting entity. Furthermore, she could review, update, and revoke all prior and future data collection – or edit her preferences – at any time. Such a transparent and configurable way of managing privacy is technologically well within the realms of possibility, and the ePrivacy Regulation should be able to accommodate a shift in this direction. However, whether this happens remains to be seen. 

What we do know is that simply applying today's consent-related practices to the faster-paced communications of the new digital era is not practical. We must acknowledge that communication has changed dramatically. In the vehicle context, it entails crowd-sourcing and machine-learning functionalities that allow for and educate AI models, a prerequisite for automation. This sort of communication is at risk of coming to a standstill without the availability of legal bases that are more suitable and practicable for such types of communication than the consent scheme. And for Europe, there is the very real risk that in its current form, the ePrivacy Regulation could hamper innovation.    

Companies are working intensively on ensuring GDPR compliance; they have to. But, they must be sure not to lose sight of the ePrivacy Regulation. Now is the time to ensure that we can collectively shape this regulation to be fit for the new digital era.    

Philip Fabinger, Global Privacy Counsel at HERE Technologies 

Image Credit: Wright Studio / Shutterstock