GDPR impact on Web Privacy
The World Economic Forum values the global data economy at USD 3 trillion. According to the European Commission, in 2020 the value of personalised data in the EU is 1 trillion euros, almost 8% of the EU’s GDP.
The growth of this sector has been accelerated by the increasing collection, cross-referencing, and resale of personal data such as a person's interests, locations, income, relationship status, gender, age, education, etc. As a result, the conflict between the value of data and a person's privacy and consent will keep growing.
Advertising technology companies (Ad Tech) usually try to place trackers on as many websites as possible to optimise data collection. Typically, tracking companies also perform cookie syncing, which allows them to swap their unique identifiers with other Ad Tech companies, so that the data they hold on users can be combined and cross-referenced. One does not need special knowledge to understand what the consequences could be if such valuable information as a user's location and real name were combined.
The General Data Protection Regulation (GDPR) led to changes on a lot of websites with respect to privacy policies and cookie consent. The duty to introduce certain requirements was implemented differently throughout the member states, the Baltic states included. According to research by the Horst Görtz Institute for IT Security and the Institute for Applied Work Science*, which analysed the privacy policies of the 500 most-frequented websites in each EU member state between January and June 2018, approximately 74 per cent of the analysed websites did not have their respective privacy policies amended until shortly before 25 May 2018.
One of the most noteworthy results relates to the placement of cookie notices that inform users about the usage of cookies. After the GDPR came into force, approximately 62 per cent of the analysed websites provided cookie notices – 16 per cent more than in January 2018. As a result, cookie notices became the crucial element that has been on the increase in connection with the requirements of the GDPR. Mostly, however, the notices do not meet the requirements, since they do not offer users the necessary options to deactivate cookies and do not inform them about all the actors collecting the information. Thus, it is apparent that consent notices are a sticking point and clear guidelines are required.
The Article 29 Working Party (WP29, replaced by the European Data Protection Board) considered media, e-commerce and the public sector to present the greatest data protection and privacy risks to EU citizens. According to the sweep of the mentioned sectors conducted by WP29**, the ratio of first-party to third-party cookies (such as Facebook or Google AdWords) set by such sites is 29.60% to 70.39% respectively. However, there are still a number of sites which do not provide sufficient notification that third-party cookies are being set, do not seek consent from the user, or do not provide cookie information of sufficient quality to website visitors. In 70 of 100 cases we do not know who is tracking our experience on a webpage, namely to whom such data is sold. The sweep also identified webpages which set more than 200 (!!) third-party cookies and a few cookies with duration periods of up to nearly 8000 years (must be an elegant bit of IT humour).
One of the most common mistakes identified: web pages often start tracking before user consent for cookie collection is actually received, and in some cases the cookie banner does not appear on the first page. The other common mistake is implied consent and forced opt-in.
Another serious problem to resolve is third-party cookies such as Google AdWords or Facebook pixels, which help to place cookies on a web page. When a person withdraws the consent provided, Ad Tech does cease targeted advertising but does not cease to collect personal data and continues the processing of personal data related to the pixel. Once placed, pixels are almost impossible to delete or block when such a need arises.
Despite a lot of disorder and confusion, cookies are mentioned in the GDPR only once, in Recital 30, which basically says that if a cookie, in combination with unique identifiers and other information received by the server, can be used to create profiles of natural persons and to identify them, it is to be recognised as personal data. The European Commission, for its part, has tried to clarify matters and has published an exhaustive list of cookie types which are exempt from the obligation to obtain the user's consent (http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm).
So, where to start?
Tips for setting cookies:
- The cookie header banner shall be displayed on all pages of a site using cookies that require informed consent.
- A link to the specific cookie notice page should also be available.
- Make sure your website does not collect cookies before consent is received.
- Make sure your website stops cookie collection after the user objects.
- Define the cookie collection and data processing term, taking into account that data shall be kept for no longer than is necessary for the purposes for which the personal data are processed.
- Make sure the cookie notice is transparent: inform about all third-party cookies.
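The checks in the list above can be run against the Set-Cookie headers a site sends before the visitor has made any consent choice. The following is an added example, not part of the original article; the host names, the list of consent-exempt cookies and the 365-day limit are assumptions, and the captured headers are constructed sample data.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, now):
    """Return (name, lifetime_days); lifetime is None for a session cookie."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, lifetime = first.split("=", 1)[0], None
    for attr in attrs:
        key, _, val = attr.partition("=")
        try:
            if key.strip().lower() == "max-age":   # Max-Age overrides Expires
                return name, int(val) / 86400
            if key.strip().lower() == "expires":
                expiry = parsedate_to_datetime(val.strip())
                lifetime = (expiry - now).total_seconds() / 86400
        except (TypeError, ValueError):
            continue                               # malformed attribute: ignore
    return name, lifetime

def audit(site, capture, exempt, declared_hosts, max_days, now):
    """Check Set-Cookie headers captured BEFORE the visitor made a consent choice."""
    findings = []
    for host, header in capture:
        name, days = parse_set_cookie(header, now)
        # Simplification: a real audit would compare registrable domains.
        third_party = not (host == site or host.endswith("." + site))
        if name not in exempt:
            findings.append((name, host, "set before consent"))
        if third_party and host not in declared_hosts:
            findings.append((name, host, "third party missing from cookie notice"))
        if days is not None and days > max_days:
            findings.append((name, host, f"lifetime of {days:.0f} days exceeds {max_days}"))
    return findings

# Constructed sample: (responding host, Set-Cookie value) seen on first page load.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
CAPTURE = [
    ("shop.example", "session=abc; Path=/; HttpOnly; Secure"),
    ("shop.example", "_stats=1; Max-Age=63072000; Path=/"),
    ("ads.tracker.example", "uid=42; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/"),
]

def run_sample(declared_hosts=frozenset()):
    # Assumed policy: only "session" is consent-exempt, maximum lifetime 365 days.
    return audit("shop.example", CAPTURE, {"session"}, declared_hosts, 365, NOW)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the same audit on a capture taken after the visitor has objected covers the "stops cookie collection" item: any non-exempt cookie that still appears is a finding.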
*Analysis on how the necessary changes have been implemented by enterprises on their websites.
Author: Marina Briškena, DPO
Data breach fairy tale
In 2018 the biggest Polish online retailer, Morele.net (founded in 2000), lost 2.2 million customers' data, including names, email addresses, delivery addresses and telephone numbers. On September 19, 2019 it received a fine of 660,000 EUR, the highest fine in Poland we have heard of until this moment. The Polish data protection authority (UODO) identified poor monitoring of potential threats and slow reaction to unusual behaviour. Additionally, Morele.net was not able to demonstrate customer consent where it should have.
According to ENISA, 60% of companies which suffer a cyber attack stop operations within 6 months of the attack. In the case of smaller entities this happens even faster. As for Morele, since 2018 it has taken strategic actions in the area of reconstruction, strengthening and improvement of infrastructure security:
- two-step verification when changing the email address and phone number assigned to the user's account;
- changing the hashing method and hashing sensitive data;
- expanding the monitoring of internal systems;
- additional anti-bot verification.
At the beginning of 2019, customers received access to the morele.net application, and for changes introduced in the field of visual communication on the website the company received a nomination for the prestigious Mobile Trends Awards 2018 in the category "mobile or RWD website" for the redesign of the mobile website and in the stores belonging to the company.
The company has risen from the ashes, stayed afloat and already announced an appeal against the UODO decision.
And this is not only Morele's story. There are still online retailers which have not grasped the importance of protecting the data that their customers entrust to them. It is they who are responsible for proactive interest and activity towards privacy, security and protection by default, and not the consumer, who is considered to be responsible for assessing the retailer. There is a category of consumers who are not well aware of internet life and its rules; retailers know it and shall be responsible for those people's safety. If one does not want to learn the hard way, this is another good practical example which should effectively discourage violations of personal data protection provisions in future.
Author: Marina Briškena, DPO
Why is it important to determine your role in personal data processing? Controller or processor?
The responsibilities of each company or person in the processing of personal data depend on whether they are the controller, the joint controller or the processor. Therefore, it is very important to carefully evaluate your or your company’s role and responsibilities with regard to personal data processing activities in order to understand:
- responsibilities defined by the General Data Protection Regulation (GDPR) and how to perform them;
- responsibilities towards individuals and supervisory authorities;
- possible fines related to non-compliance with GDPR;
- how to cooperate with other organizations in order to ensure responsible processing of personal data and respect for the rights of individuals;
- what type of contract to conclude with another organisation or individual.
It is important to remember that an organisation or person which processes personal data is not by its nature either a controller or a processor. Instead, one needs to consider the personal data and the processing activity that is taking place, and consider who is determining the purposes and means of that specific processing.
Often companies or persons are unaware of their role in the processing of personal data. Even more often, they are deliberately negligent, in an attempt to avoid liability. The good news is that such attempts will be unsuccessful, as, in the case of a data breach, the controller and processor roles will be determined in accordance with the GDPR, rather than the contractual agreement.
Why do companies use such a careless approach? The answer is simple - the practice of applying the GDPR is not yet well-established - there are few court rulings and there is still a likelihood that contract terms will be taken into consideration when deciding the case.
There is, however, another pitfall in this context – by misidentifying the data processing roles initially, the parties may conclude a wrong form of contract and perform obligations that do not apply to them. When a controller defines itself as a processor, it consciously or unconsciously avoids the obligations set out in the GDPR.
In other cases, in order to be able to decide matters unilaterally, as provided in the GDPR, a company may convince a less knowledgeable partner that they (i.e. the partner) are the data processor. Consequently, such a "processor" would carry a liability that it would not have to carry if the company had, from the outset, devoted enough time, attention and knowledge to correctly determining its role.
Therefore, the first step in implementing personal data protection is defining your role and the roles of your partners. If you currently lack the knowledge and information or you are not sure that you have made a correct assessment, I suggest you use this TEST to determine your role in the processing of personal data.
Author: Marina Briškena, DPO
90% OF COOKIE BANNERS ARE WRONG
Check any 10 websites and in 90% of cases the wrong cookie banner will be presented. By wrong I mean that the user consent the banner tries to obtain could not qualify as unambiguous.
The General Data Protection Regulation sets out the crucial elements for consent to be valid: it must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of his or her personal data. It could be done by a written statement, including by electronic means, or by an oral statement. This could include ticking a box, choosing technical settings or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
So it is silence we are going to speak about now. On all of those 90% of websites you visit, you will see something similar to this statement:
It seems that a big mistake in interpretation was made by those who consider the user’s conduct (further website surfing) to be conduct which clearly indicates the user’s acceptance of the proposed processing of his or her personal data.
The biggest question for all those involved in the legal support of websites is whether the user’s subsequent usage of a website could really be considered conduct rather than silence. On the one hand, it could. But if we look at it from the perspective of the required unambiguousness, it is quite easy to doubt that the user really expressed his or her agreement to allow the processing of personal data.
First, we all know that we often simply ignore the cookie banner information, if the website allows it, and use the website without agreeing to or declining the processing of our personal data. This would mean that we have not seen the warning that subsequent usage of the website would be considered consent to processing. It also means that we have no intention of devoting our time to a question which is more important for the website than for us. It is the website that needs our personal data, and it is our freedom to meet the website's wishes or not. Having this in mind, does this seem a clear indication of the user’s acceptance of the proposed processing of his or her personal data? I would argue that it does not. Can ignorance be interpreted as conduct? Or is it already obvious that it is silence we are speaking about?
And while websites try to circumvent users’ rights and flirt with the interpretation of valid consent, the European Data Protection Supervisor together with other institutions has explicitly stated that inactivity from a data subject does not indicate unambiguous consent. This is the case for websites obtaining consent with statements such as “by using our services, you consent to the processing of your personal data”. In that case, websites have to ensure that users manually and individually consent to such processing.
Marina Briškena, DPO
 General Data Protection regulation, Recital 32
 Handbook on European data protection law, 2018 edition: Publications Office of the European Union, 2018., p.149