
Dave Cohen (IAPP)
[44:18] Terrific. Thanks, Ailidh. That was fantastic. All of you - Rocco and Gary - that was an excellent presentation and we do have some time now to enter the question and answer portion of our program. We’ve got some great questions in the queue here, so I would remind everybody that the field is just to the right of the PowerPoint window. You can type in your questions and we will ask them anonymously to the panelists so now is a great time to submit those questions. Go ahead and type them in there.
[44:47] Ailidh, let’s go ahead and start with you just on that last point there, and I think Rocco mentioned this as well. What seems really interesting is there is this interpretation that there is a difference between the letter of the law and what the law actually requires and those processing purposes that may or may not be surprising to individuals. It seems like that was kind of a major theme here that there perhaps was a gap between those two. So, given having heard you just say that and Rocco having you comment on that as the third of your bullet points as well on balancing those individual rights versus these legal requirements, there is a question on the queue that says: Given the last slide, Ailidh, that you were mentioning (slide 24), can you use legitimate interest for B2B marketing since it is technically still outside the scope of ePrivacy or no? And Rocco, perhaps you would like to comment on this after Ailidh provides comments, if you have any.

Ailidh Callander (Privacy International)
[45:44] Thank you. Yes, I mean, obviously, it does depend on the context and what processing you’re talking about. I think what I was trying to get at was that the letter of the law respects rights but the problem has been when this has been interpreted and implemented in practice that has not been the case. In terms of B2B marketing, it would really depend on what marketing that was being carried out and the way that that interacts with the other regimes.

Dave Cohen (IAPP)
[46:34] That makes good sense. Rocco, do you have any comments on this? I’m sure you’ve dealt with this with some of your clients.

Rocco Panetta (Panetta & Associati)
[46:40] Yes, let me add just something that probably could sound a little bit surprising but considering that the marketing online is ruled by the ePrivacy Directive and then the ePrivacy Directive is still not yet substituted by the ePrivacy Regulation, which is still under draft, in different jurisdictions, the ePrivacy Directive has been implemented in a different way. And for instance - I’m sorry if I’m bringing you the Italian case again. But in Italy, the B2B is not out of the scope of the privacy rules at the time of the ePrivacy Directive. Now, the ePrivacy Directive was modified or has to be newly interpreted thanks to the GDPR that the B2B in Italy is under the ePrivacy framework at large. And so, as you can see, legitimate interest is a way to take into consideration a number of elements. But please, always be careful of what your local legislation is applying to the local jurisdiction because this could make a lot of difference.

Dave Cohen (IAPP)
[48:18] Terrific. And Ailidh, did you have some follow up to that as well?

Ailidh Callander (Privacy International)
[48:22] I think I just wanted to add that this issue of kind of changing the legal basis as the kind of processing progresses was something that we were particularly concerned about when we looked at these companies and it has been called out by the ICO, this idea that you may seek to justify the collection on the consent just to satisfy the ePrivacy part of it, but then just go and do whatever else under legitimate interest. The way that this has been implemented and practiced undermines both those legal bases and it undermines that necessity to think first. What is it I am going to be using this data for? And how am I being transparent about this? So, I think that there is a risk there that undermines both those justifications and getting mixed up in terms of using both of these in tandem.

Dave Cohen (IAPP)
[49:31] Wonderful. And, Gary, did you have some comments to make on this topic as well?

Gary LaFever (Anonos)
[49:50] I just wanted to jump in because this is not what's required. Yes, it's one of three. You do have to have a legitimate interest in the use of the data. You didn't have to show that you can’t get the data from other sources. It’s the third one, which is the balancing of interest test that a lot of people haven’t satisfied in the past. And so, if you note in the ICO report, they don’t say that legitimate interest processing could never be used within the AdTech ecosystem, but they say the way that it has been attempted does not work. And so, it is possible if you had the right technical safeguards to show and prove statistically through audit, etc., that you have demonstrable accountability and that’s really a focus. Demonstrable accountability that can show that you have mitigated the risks of the data subjects that it may be available.
[50:39] And so, this comes back to the fact that legitimate interest is one of six legal bases. It is available for many, perhaps not all processes, but it’s not something you just claim. You have to prove and you have to prove that with demonstrable accountability that is a combination of both the appropriate policies to ensure that the rights of the data subjects are respected and protected, and those techniques and technologies that enforce that to ensure that those rights have been mitigated. So, it is possible to achieve but not the way that people had done in the past and may require a restructuring of how data has been done. And what we’ve heard from our customers at Anonos is that they actually do want to do this right and they’re looking for guidance and the guidance does exist. Again, I’ve talked about the ENISA documents and I would highly recommend those. So, I just wanted to comment. It’s not that it’s never possible, but you have to do it in accordance with obviously both the statute and the interpretation guidance and enforcement actions.

Dave Cohen (IAPP)
[51:41] That makes really good sense, Gary. And getting back to this question about what bases to choose with regard to your legal justifications for the processing of the data as legitimate interest and/or consent, we have an interesting question here from the audience. Ailidh, I think I’m going to direct this one to you and it goes back to the information you were discussing on slide 24 mentioning that legitimate interest is not available where the personal data falls within the ePrivacy Directive, and the question is: Is it possible to use consent to collect the data under the ePrivacy Directive and then use legitimate interest for secondary use of the data? It’s kind of interesting here.

Ailidh Callander (Privacy International)
[52:21] I think that's the point I was trying to get at, in the sense that I think that that’s muddying the water here in the sense of what is that secondary purpose and what basis did you get consent on, in the sense that you can’t just switch legal basis necessarily like that and that’s something that was, as I mentioned, called out in the ICO report as well because yes you need consent under the ePrivacy framework to access information on any equipment and for the majority of the tracking techniques that there are. But that is in place too because it acknowledges the intrusive nature of this processing and that’s where the guidance from the Article 29 Working Party pre-GDPR and the report I mentioned today too is that it’s quite clear that there are issues in the way that this is being carried out and that’s almost being used like a checkbox and I would say often implemented badly but then moving on from that, it’s using legitimate interest then to justify whatever else you want to do with it and that can be quite a tricky position to be in.

Dave Cohen (IAPP)
[53:45] That’s great. And, Gary, did you have some follow on on this?

Gary LaFever (Anonos)
[53:49] Yeah. I totally agree with Ailidh on this. The checkbox approach of legitimate interest just does not work. Period. You have to show that you have assessed the risks. You have to show that you put the data subject on notice at the time of the data collection. But for example, if you put the data subjects on notice at the time of data collection that they have the opportunity to consent to further processing that that processing would be conducted using legitimate interest and then you go on to some detail and provide even further access to more information that they wanted. And then, they would have the right to revoke that consent at a later time. The issue is that consent for describing some of the analytics and automated facilitation of decision making would be very difficult to satisfy because of the requirements with specificity.
[54:41] And so, you can have consent for one process, put them on notice that their data would be processed under legitimate interest and provided you have the technical controls in place to actually balance the interest and provided they have the right to revoke that consent at a later time. More sophisticated analytics could be supported using legitimate interest. So, I think Ailidh’s point is it’s not a checkbox at all and that’s what the industry has used it for in the past. And so, for companies who want to do sophisticated processing, they have to do the assessment. They have to do the impact assessment. They have to show that they have the safeguards in place. So, it’s not that it’s impossible. But it’s not possible the way that the industry has said in the past.

Dave Cohen (IAPP)
[55:25] Terrific. And Rocco, I wonder if you have any additional comments there? And Rocco, I also have another one here from the queue that I think would be a very practical question that many are probably wondering about. And it's this: What would you consider a “good documentation practice” to corroborate the data controller’s position who relies on the legitimate interest as a legal basis to lawfully process personal data? I’m sure you deal with this with many of your clients. Do you have any comments first on what we were just talking about and then also on the documentation question?

Rocco Panetta (Panetta & Associati)
[55:56] Yeah. Sure. You know, the phenomenology of data processing and also the best way to assist a client in this respect is to know your client in the best possible way and to suggest to him how to react to legitimate interest assessments as the case may be. What I want to say is that it is never possible to rely only on software or on an automatic procedure to assess the legitimate interest. This is a complex exercise that requires skills coming from the legal department, from the DPO where appointed because never forget that the Data Protection Officer is not only a subject adapted to monitor the implementation of the GDPR within an organization, but there’s also a consultancy function, and also from an external lawyer. So, the sum of legal opinions, internal assessments, and also an exchange of emails based on this kind of reasoning could be useful for the purpose of being accountable in taking the decision on legitimate interest.

Dave Cohen (IAPP)
[57:46] Perfect. And I think that's just about all we have time for. Thank you for that Rocco. And thank you Ailidh and Gary for the excellent presentations here. I want to make a quick mention that we can let you know that Gary referred earlier to the ENISA documents that just came out in the last edition in November and some of you may be wondering where you can find those. You can certainly submit a request to questions@anonos.com. We can provide the link for that to get you a copy of that.
[58:26] And also, we got a tremendous amount of questions here and some excellent questions from you, the audience. Thank you so much for submitting those. We didn’t have time to get to all of them. So, we will do our best to export those anonymously and provide some written answers. So, keep an eye on the Anonos website in the near future for some answers to those questions that we can address.