Over 700 senior privacy and data innovation professionals from around the world recently joined a webinar hosted by the Data Protection World Forum, discussing Pseudonymisation-enabled Legitimate Interests processing with a focus on new legal requirements for direct marketing under GDPR.
The webinar was led by Dr. Sachiko Scheuing, European Privacy Officer at Acxiom, Martin Abrams, Chief Strategist at the Information Accountability Foundation (IAF), and Gary LaFever, CEO & General Counsel at Anonos.
QUESTIONS AND ANSWERS FROM WEBINAR:
Q1: I am confused. My understanding was that the ICO has maintained that consent is a last resort to rely on for legal basis given the resource overhead and maintainability together with constraints around legacy infrastructure (ahead of the GDPR introduction). Could you provide more context around your interpretation please.
Short A1: You are right: the ICO has previously said that consent should be a last resort. Their Draft Code of Practice for Direct Marketing instead seems to state that consent is the only basis for processing for direct marketing. We believe this is inconsistent with the fundamental risk-based principles of the GDPR, including Legitimate Interests as a potentially-available lawful basis.
Detailed A1: The ICO Draft Code of Practice for Direct Marketing discussed during the webinar is inconsistent with the prior ICO assertion that you note, namely that “consent is a last resort to rely on for legal basis.” The UK implementation of the e-privacy directive, known as the Privacy and Electronic Communications Regulations (PECR), requires consent in order to lawfully send certain types of direct marketing; PECR requirements are in addition to GDPR requirements. The ICO Draft Code raises the following four key questions which challenge the ongoing availability of Legitimate Interests for direct marketing: (see www.microsegmentation.com/ico for more information):
- May different legal grounds co-exist to support separate processes comprising lawful direct marketing, or must a single, unitary legal basis be established to support all end-to-end processing steps (e.g., collection, analytics, outreach, etc.) of personal data for direct marketing?
- Can direct marketing itself serve as the purpose for which data is collected based on consent?
- Can the further processing of personal data for direct marketing purposes be based on Legitimate Interests when supported by pseudonymised microsegments to respect and enforce the fundamental rights of data subjects?
- Does all profiling necessarily constitute automated decision making?
The following comment, submitted from the audience in the webinar, accurately summarises the situation:
- “Consent has always been a requirement for electronic marketing. The only real change is the more stringent definition of consent under the GDPR and of course the size of potential Multi Platform Networks (MPNs). Electronic direct marketing is controlled by a different piece of legislation in the UK, PECR, which must be read in conjunction with the GDPR. Companies have been relying on an 'opt-out' approach to consent which is not consent under the GDPR. Companies have been hoping that no one would not notice that their “please tick here if you don't want to receive marketing” approach does not satisfy requirements for consent under either PECR or the GDPR.”
We fully agree with the above comment. However, the ICO Draft Code appears to state that proper consent (not the “please tick here if you don't want to receive marketing” approach noted above) is not only required for the initial collection of personal data, but that it is also the only available legal basis for all processes involved in direct marketing. If this is the case, the ICO Draft Code is inconsistent with the risk-based approach that is fundamental to the GDPR, including the availability of Legitimate Interests as a legal basis when all of its elements, including the Balancing of Interests test, are satisfied.
Q2: Please explain why you say that static identifiers are not compliant with GDPR?
Short A2: Static identifiers can be GDPR-compliant, but typically only for enclave processing. When data is enriched or when datasets are combined (intentionally or through breach), personally-identifying information protected by static identifiers can be exposed. To satisfy the Balancing of Interests test for Legitimate Interests processing, dynamic identifiers are a necessary technical and organisational safeguard to prevent re-identification.
Detailed A2: We are not saying that static identifiers are not compliant with the GDPR. Static identifiers are often used as a security measure to replace data values that would otherwise insecurely disclose identifying elements (like name, email address, country identification number, etc.) with a recurring static (persistent) identifier or token.
However, static identifiers/tokens do not protect against unauthorized re-identification of data subjects when data is used on a wide-scale distributed basis. Re-identification can occur when recurring data attributes that exist within or across data sources are correlated to reveal the identity of a data subject via linkage attacks, otherwise known as the “Mosaic Effect” (see www.MosaicEffect.com). Searching for different occurrences of a static identifier used repeatedly can provide a malicious actor or interloper with sufficient information to discover the identity of a data subject.
Two well-known examples of such unauthorized re-identification are the AOL and Netflix search examples. Another example of the Mosaic Effect is where three seemingly “anonymous” data sets that used persistent (static) identifiers/tokens – each composed of the zip code, birthdate and gender of US citizens – were combined to identify up to 87% of the population of the United States by name.
If you want to use Legitimate Interests as a legal basis for processing personal data under the GDPR, you must have technology and organisational safeguards in place that satisfy the “Balancing of Interests” test. This can help to protect data subjects’ interests, so that they do not override the legitimate interests of the data controller (or third party) in the results of the desired processing. Without adequate technical and organisational safeguards to satisfy the Balancing of Interests test, data processing activities that have been commonplace for years are no longer legal. Using static identifiers in distributed processing activities will not satisfy the Balancing of Interests test required for Legitimate Interests to be available as a legal basis. If Legitimate Interests processing is desired, something other than static identifiers are required to serve as technical and organisational safeguards. For example, see the effect of using Pseudonymisation to balance the interest of the data controller (or third party) and data subjects’ rights and freedoms at www.MosaicEffect.com.
Q3: Are 3rd party cookies “anonymised,” "pseudonymised,” or neither?
Short A3: 3rd party cookies do not meet the definition of “anonymised” or “pseudonymised” under the GDPR, as both of these terms have been newly-defined in the regulation.
Detailed A3: 3rd party cookies are static identifiers used to refer to a consumer who visits a website and places them into the Adtech ecosystem. One goal of 3rd party cookies is to disguise consumers so that they are not immediately identified. According to joint Spanish AEPD (Agencia Española de Protección de Datos) and European Data Protection Supervisor (EDPS) guidance, “anonymisation procedures must ensure that not even the data controller is capable of re-identifying the data holders in an anonymised file.” As a result, 3rd party cookies are not “anonymous” because they can be used to link back to the identity of consumers.
For the reasons described in the answer to Q2 above, 3rd party cookies – as static identifiers – also are not “pseudonyms” as newly defined under GDPR Article 4(5) and will not satisfy the Balancing of Interests test for Legitimate Interests processing. The 5th Cookie Initiative is a working group that advocates the use of Pseudonymised 1st party cookies to enable ongoing lawful processing for Adtech purposes.
Q4: Taking into account what you have said, do you consider a SHA256 hashed email or a hashed CRM ID as a valid pseudonymisation process to rely on for legitimate interests, or for subsequent data processing (scoring, profiling)?
Short A4: A SHA256 hashed email or a hashed CRM ID do not meet the requirements to be described as Pseudonymisation processes under the GDPR when data is used on a wide-scale distributed basis.
Detailed A4: For the reasons noted in the answers to Q2 and Q3 above, a SHA256 hashed email or a hashed CRM ID serves as a security measure but does not satisfy new requirements for Pseudonymisation under GDPR Article 4(5) and will not satisfy the Balancing of Interests test necessary for Legitimate Interests processing when data is used on a wide-scale distributed basis. To read more about the requirements for GDPR-compliant Pseudonymisation, see www.EnisaGuidelines.com.
Q5: What’s the big deal about Pseudonymisation? Isn’t it just an example of failed Anonymisation?
Short A5: No! Failed Anonymisation techniques do NOT produce GDPR compliant Pseudonymisation. Anonymisation requires the non-linkability of data back to the identity of data subjects. In contrast, GDPR compliant Pseudonymisation permits the controlled re-linkability of data back to the identity of data subjects, however, this re-linkability must be possible only under controlled conditions enabling authorised data uses.
Detailed A5: The answers to Q2, Q3 and Q4 above highlight shortcomings of static identifiers when used in attempts to anonymise data used in widespread distributed processing. As noted above, static identifiers do not protect against unauthorised re-identification of data subjects if the data is used on a wide-scale distributed basis. In these situations, re-identification can occur when recurring data attributes that exist within or across data sources are correlated to reveal the identity of a data subject via linkage attacks, otherwise known as the “Mosaic Effect” (see www.MosaicEffect.com). When a static identifier fails to protect the privacy of a person due to the Mosaic Effect (i.e., - failed Anonymisation), the data in question does not satisfy the GDPR requirement for Pseudonymisation that re-identification is possible only with access to “Additional Information” held separately by the data controller. This is because the identity of the data subject is compromised via correlations and linkages made possible by data sources beyond the control of the data controller. To comply with GDPR requirements for Pseudonymisation when data is used for widespread distributed processing, dynamic de-identifiers are necessary so that re-identification is possible only with access to “Additional Information” held separately by the data controller. To read more about the requirements for GDPR-compliant Pseudonymisation, see www.EnisaGuidelines.com.
Q6: You mentioned during the webinar that you have an English translation of the Dutch Data Protection Authority (AP) decision against the Royal Dutch Lawn Association Tennis Union (KNLTB). That case held that commercial interests can never support legitimate interests as a legal basis for marketing. Would you please share that translation?
Short A6: We believe that the decision by the AP has been widely misinterpreted. It is our view that KNLTB was penalised because they had no interest other than a claim of commercial interest, and had inadequate technical and organisational safeguards to protect personal data of the members or to show demonstrable, technically enforced, accountability. Our translation of the case is available at www.PrivacyTranslations.com.
Detailed A6: The decision by the AP holding that commercial interests can never support legitimate interests as a legal basis for marketing has caused great concern in the industry. However, we believe this ruling has been widely misrepresented by people having access only to summaries of, and not to the full, analysis by the AP. We believe the reason that the AP penalised KNLTB was not because they were using personal data to achieve commercial purposes – as has been widely reported – rather, KNLTB was penalised because all they had was a claim of commercial interest. Of particular significance are paragraphs 137 and paragraph 141 of the AP ruling against KNLTB which highlight that the lack of demonstrable – technically enforced – accountability controls is what caused the AP to penalise KNLTB.
An English translation of the AP analysis is available at www.PrivacyTranslations.com. We do not believe this ruling stands for the proposition that commercial interests can never support a finding of legitimate interest.
If adequate technical and organisational safeguards like Pseudonymisation were in place to ensure demonstrable, technically enforced, accountability, the AP decision likely could have been very different.
Q7: Is Pseudonymisation-enabled Legitimate Interests processing part of an organisation’s Privacy by Design program or is it a stand-alone process?
Short A7: Pseudonymisation-enabled Legitimate Interests processing should be part of an organisation’s Data Protection by Design and by Default program. Data Protection by Design and by Default has a new, more stringent definition under the GDPR that goes beyond Privacy by Design, and is defined as explicitly including technical and organisational measures such as Pseudonymisation.
Detailed A7: Pseudonymisation-enabled Legitimate Interests processing should be an integral part of an organisation’s Data Protection by Design and by Default program. In answering this question we highlight that Data Protection by Design and by Default, as newly-defined under GDPR Article 25, goes beyond Privacy by Design. An important element of Data Protection by Design and by Default is the requirement that the limits on data processing be built into the technology itself.
Article 25 defines Data Protection by Design and by Default as requiring that “appropriate technical and organisational measures, such as pseudonymisation” must be applied at the earliest opportunity. This is to limit data use to the minimum extent necessary to support the offering of each specific product or service that has been authorized by an individual data subject. This is a more stringent standard than simply Privacy by Design, which is sometimes viewed as “considering data protection and privacy issues upfront in everything you do.”
Encryption and traditional Privacy Enhancing Techniques (PETs) were developed long before the GDPR requirements for Data Protection by Design and by Default were established. When used alone, encryption and PETs likely fail to satisfy new Data Protection by Design and by Default requirements under Article 25.
Static tokens and identifiers used for marketing purposes such as “the ‘Google Advertising ID’ (ADID), the ‘Identifier for Advertising’ (IDFA) on iOS and the ‘Advertising ID’ on Windows 10” highlighted on page 95 of the ICO Draft Code fall short of requirements for Data Protection by Design and by Default because links between data subjects and identifying information are readily ascertainable (see answers to Q2, Q3 and Q4 above).
The Draft Code highlights this danger in the statement on page 95 that:
- “Whilst often described as an ‘anonymous identifier’, an advertising ID forms an example of an ‘online identifier’ which Recital 30 of the GDPR states can be personal data.”
Data Protection Authorities are likely to conclude that static tokens and identifiers used for marketing purposes fail to satisfy GDPR Data Protection by Design and by Default requirements because of the risk of unauthorized re-identification via the Mosaic Effect (see answers to Q2, Q3, Q4 and Q5 above). The Mosaic Effect occurs when a person is indirectly identifiable via linkage attacks because information can be combined with other pieces of information, enabling the individual to be distinguished from others (see www.MosaicEffect.com).
Q8: During the webinar you highlighted certain benefits that are specifically provided under the GDPR for using properly Pseudonymised data. Why are these benefits not associated with other Privacy Enhancing Techniques (PETs) like static identifiers or tokenisation?
Short A8: The benefits under the GDPR only arise when data is properly Pseudonymised, with GDPR-compliant Pseudonymisation. Static identifiers, tokenisation, and other PETs do not meet the definition of Pseudonymisation, and so the benefits do not arise.
Detailed A8: Static identifiers, tokenisation and other Privacy Enhancing Techniques (PETs) do not satisfy the requirements for GDPR-compliant Pseudonymisation if personal data can be attributed back to specific data subjects without requiring the use of separately kept “Additional Information.” This means that the express GDPR benefits set out at www.Pseydonymisation.com that are available for properly Pseudonymised data are not expressly available for other PETs. Proper Pseudonymisation leverages incentives built into the GDPR to encourage the use of state-of-the-art technical and organisational measures to enable compliant secondary processing of data, including lawful direct marketing when data is used on a wide-scale distributed basis.
While Article 40(2)(d) highlights Pseudonymisation, it does not mention Encryption, Anonymisation or any other Privacy Enhancing Technology (PET). Differential Privacy and Tokenisation are never mentioned in the GDPR. In fact, no PET other than Pseudonymisation is explicitly called out in the GDPR.
Q9: Does Legitimate Interests still have a role in marketing? Namely, scenarios such as voluntary associations and other societies and clubs where data subjects would expect to receive newsletters etc.
Short A9: We believe so. We believe that Legitimate Interests has a clear role to play in terms of processing data for marketing purposes, as expressly provided for under the GDPR and as stated by the Internet Advertising Bureau (IAB) and the Data & Marketing Association (DMA). The ICO should not be prescriptive as to which legal bases should apply to any given processing act.
Detailed A9: Legitimate Interests should always play a robust role in marketing: both with respect to voluntary associations, societies and clubs as well as in the context of direct marketing generally. These situations have all been envisaged by and provided for in the GDPR. A primary point of the webinar is that the ICO Draft Code should not diminish the rights provided under the GDPR. To quote the Internet Advertising Bureau (IAB) and the Data & Marketing Association (DMA) comments letters filed in response to the ICO Draft Code for Direct Marketing, highlighted during the webinar:
- IAB: “The ICO should not be prescriptive about which legal bases are or are not available for a particular processing activity…. We do not agree that ‘if PECR requires consent then in practice consent will be your lawful basis under the GDPR….Our view is that subsequent processing of personal data is subject to the legal basis provisions of the GDPR. Legitimate interest is therefore a possible legal basis for processing personal data in these circumstances.”
- DMA: “The Draft Code has a general negative bias against marketing as if it is a nefarious activity…. The document generally favours consent and suggests that LI is always the more difficult option….By more or less denying legitimate interest for marketing purposes, ICO is ignoring the fundamental premise of the GDPR and the EU Charter of Fundamental Rights…. differentiation should be made for cases where technical and organisational measures are taken where profiling is conducted….Pseudonymisation, for instance, helps marketers gain insights into their client base while the identities of the data subjects are protected… Consent provides a stronger level of permission initially and acts as a “gateway” for subsequent Legitimate Interest use.
It should also be noted that GDPR Recital 47 specifically notes that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Q10: Is there still a (limited) space or relevance to use anonymisation for marketing activities?
Short A10: For data to be considered truly “anonymous” under the GDPR (so as for data collection and processing to be exempt from the GDPR) the standard is very strict, to the point where even the data controller cannot re-identify the data subjects. This means that effectively, while you could make data anonymous (as defined under the GDPR), you would not be able to use it for direct marketing purposes because identities would not be able to be re-linked.
Detailed A10: As noted by Dr. Sachiko Scheuing, European Privacy Officer at Acxiom, during the webinar
- “Under the GDPR, for data to be “Anonymous,” the data must not be capable of being cross-referenced with other data to reveal identity taking into account “all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.” This very high standard is required because if data does satisfy the requirements for “Anonymity,” it is treated as being outside the scope of legal protection under the GDPR. Why? Because of the very “safe” and protected nature of data that actually satisfies the requirement of not being cross-referenceable or re-identifiable. According to joint Spanish AEPD (Agencia Española de Protección de Datos) and European Data Protection Supervisor (EDPS) guidance, “Anonymisation” could not support direct marketing to customers since their identity could not be revealed. The AEDP and EDPS guidance states that “anonymisation procedures must ensure that not even the data controller is capable of re-identifying the data holders in an anonymised file. As a result, other than data aggregated on say a neighborhood or micro-geographic level instead of data attributes on a personal level, regulators will not consider data anonymous.”
However, in the context of AdTech, data is often only meaningful if it can be cross-referenced. This is why the webinar focused on Legitimate Interests processing (rather than anonymisation) as a critical legal basis for direct marketing and other innovative uses of data. As noted during the webinar, GDPR Recital 47 explicitly states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Q11: It seemed that some of the presenters referred to pseudonymisation as "pseudo-anonymisation". What is meant by pseudo-anonymisation? GDPR only talks about “Anonymisation” and “Pseudonymisation” which are very different things. Could you please clarify?
Short A11: We apologise for any confusion. The word Pseudonymisation is difficult to pronounce and is sometimes mispronounced “Pseudo-Anonymisation.”
www.Pseudonymisation.com suggests the following phonetic pronunciation:
Q12: Don't you think that the e-Privacy Regulation will change things?
Short A12: PECR and the e-Privacy Directive require consent for some direct marketing. There are discussions currently that the e-Privacy Regulation should embrace Legitimate Interests. With respect to PECR and the e-Privacy Directive, we believe it is inconsistent with the GDPR, if only consent can be used as a legal basis to support all end-to-end processing of personal data for direct marketing. With respect to the potential e-Privacy Regulation, we believe acknowledgment of the privacy-respectful capabilities of Pseudonymisation-enabled Legitimate Interests processing makes tremendous sense.
Detailed A12: The terms of the e-Privacy Directive, as embodied in the UK Privacy and Electronic Communications Regulations (PECR), and potentially the terms of the e-Privacy Regulation (if it does not recognise Legitimate Interests as proposed by the Croatian presidency), require consent for some methods of direct marketing. However, it is inconsistent with the risk-based nature of the GDPR to mandate that a single, unitary legal basis must support all end-to-end processing steps (e.g., collection, analytics, outreach, etc.) of personal data for direct marketing. As contemplated by the GDPR, different legal grounds should be allowed to co-exist to support separate processes comprising lawful direct marketing, including Legitimate Interests processing.
Q13: Are you suggesting that “soft opt-in” processing under PECR could not work with subsequent Legitimate Interests processing?
Short A13: The ICO Draft Code seems to state that the “soft opt-in” could not be combined with further processing based on Legitimate Interests. We believe this is incorrect, and that different lawful bases should be able to be applied to different steps in the data processing chain.
Detailed A13: The ICO Draft Code highlights the “soft opt-in” is an alternative which applies only to electronic mail (e.g. emails and texts) and does not apply to other methods of direct marketing. The “soft opt-in” alternative breaks down into five requirements;
- You obtained the contact details;
- In the course of a sale or negotiation of a sale of a product or service;
- Your similar products and services are being marketed;
- Opportunity to refuse or opt-out given when you collected the details; and
- Opportunity to refuse or opt-out given in every communication.
However, the ICO Draft Code in its current form seems to state that “soft opt-in” cannot be combined with further processing based on Legitimate Interests. As contemplated by the risk-based nature of the GDPR, different legal grounds should be allowed to co-exist to support separate processes comprising lawful direct marketing, including Legitimate Interests processing.
Q14: What about direct marketing to existing clients for similar goods and services? This is a specific situation.
Short A14: See the answer to Q12 above in the context of “soft opt-in” marketing via electronic mail (e.g. emails and texts). However, as noted in the context of Q12, the ICO Draft Code in its current form stands for the proposition that “soft opt-in” or other forms of securing consent could not be combined with further processing based on Legitimate Interests. We believe that the risk-based nature of the GDPR mandates that different legal grounds should be allowed to co-exist to support separate processes comprising lawful direct marketing to existing clients for similar goods and services, including Legitimate Interests processing.
Q15: How does the concept of demonstrable evidence extend to unstructured data?
Short A15: The GDPR treats structured and unstructured data the same. In either case you must use demonstrable technical and organisational controls to protect the data to satisfy the Balancing of Interests test, if you want to conduct processing based on the Legitimate Interests lawful basis under the GDPR. An example of an appropriate technical and organisational control is Pseudonymisation.
Detailed A15: The GDPR (and PECR for that matter) apply restrictions equally to unstructured and structured data. If processing of unstructured (or structured) data is desired using Legitimate Interests processing, you must have technology and organisational safeguards in place that satisfy the Balancing of Interests test so that data subjects’ interests do not override the legitimate interest of the data controller (or third party) in the results of the desired processing.
Using static representations of unstructured (or structured) data in distributed processing activities will not satisfy the Balancing of Interests test if it is possible to correlate recurring instances of the same representation to reveal the identity of a data subject via the Mosaic Effect. If Legitimate Interests processing is desired, something other than a static representation of a recurring unstructured (or structured) data element is required as a technical and organisational safeguard. For example, see the effect of using Pseudonymisation to balance the interest of the data controller (or third party) and data subjects’ rights and freedoms in the context of structured data at www.MosaicEffect.com.
Q16: What are they key ways you think this will impact nonprofits?
Short A16: The concerns and issues discussed in these FAQs will apply equally to for-profit and non-profit organisations.