Adriana Minovic, Group Head of Data Privacy and DPO at the Betsson Group, talks about the tension between the demands of different regulatory bodies from a use-of-data perspective.
Two years after implementation of the General Data Protection Regulation (GDPR) started, it became clear, through diverse case law and decisions of local authorities, that the GDPR had set a good framework for personal data protection. However, it also became clear that this is a general framework that can’t be applied in the same manner across all industries. For that reason, industry-specific interpretations by regulatory bodies or local data protection authorities (DPAs), as well as industry codes of conduct, have become the key tools for further interpretation of the GDPR. In addition, due to the multidisciplinary nature of personal data protection, which touches numerous areas, such as human rights and ethics, legal/regulatory issues, technology/security, business and operational processes, and even market/economic issues, it became evident that the use of data is not only a matter for local DPAs. Data protection and the use of data became a main topic on the agenda of many other regulatory authorities, such as consumer protection and competition authorities, ethics committees, and other regulators. However, the enforcement actions of local authorities in different industries reveal that there is still no harmonized approach and no established way of cooperating when it comes to the intersection of data privacy with other areas.
One would think that at least this should be an easy task in the context of clinical trials and the life-science industry, since personal data protection and privacy are among the key ethics/regulatory requirements in the industry. However, although the GDPR did not bring substantially new concepts to the industry, there was a lot of struggle when it came to its implementation in clinical trials. The main challenge is exactly the fact that personal data protection was present in the industry’s regulatory requirements for a very long time before the GDPR, so that when the GDPR came into force it was difficult to understand the difference between regulatory and GDPR requirements. This was clearly visible in the additional GDPR consents now required on top of the regulatory Informed Consent Forms (ICF) required by ethics committees and/or regulatory authorities. Although this was explained as being in the interest of clinical trial participants and of transparency requirements, in the end it turned out that demanding multiple lengthy consents containing the same information, merely explained in a different manner, only caused consent fatigue and even confusion among participants. The European Data Protection Board already tried to clarify this relation in its January 23, 2019 Opinion Concerning the Questions and Answers on the Interplay Between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR), but the EDPS made it very clear in its January 6, 2020 Preliminary Opinion on Data Protection in Scientific Research that we can have one legal basis from a regulatory point of view (i.e., the ICF) but another from a data protection point of view (i.e., not necessarily consent).
Although it is still too early to see developments based on this Opinion, we can expect that the current approach of regulatory bodies will change in this area for the benefit of the industry as well as participants of trials by presenting brief but relevant and comprehensive information.
On the other hand, unlike in the previously mentioned example, where DPAs and regulatory authorities have the same approach to the use of data, we have a whole set of industries, such as the gambling industry, that are bound by strict AML and regulatory requirements (such as responsible gaming (RG), sports integrity, etc.) and that look at the use of data from a completely different perspective: that of data maximization. In the last few years, we have noticed that, among regulatory authorities in this industry, on the one hand there are higher regulatory expectations of operators, asking for extensive checks and assessments of customers (such as the single customer view initiative in the UK[1]), while on the other hand the way these checks are to be conducted is left up to operators to define. As a result, operators are put in a very difficult position where, from a regulatory point of view, they need to collect, process, and even share huge sets of data in order to perform extensive AML, RG, and other checks. At the same time, however, they need to make sure that this is in line with data privacy requirements that, among other things, require an adequate legal basis for the collection/processing of personal data and data minimization. Therefore, the relationship between data privacy and regulatory/compliance requirements in the industry is becoming ever more conflicting and complex due to the lack of clearly defined requirements in new regulatory obligations, especially where these involve the processing of special categories of data, the use of innovative technologies (such as AI), extensive profiling, etc.
Finally, and currently perhaps one of the most controversial topics, is the relation between data protection and data markets. Although many human rights advocates try to keep these two issues separate, since they consider that giving an economic value to data and accepting the trade of data would undermine the very idea of personal data protection, which is closely attached to the right to privacy, it is clear that the reality is different. In the last few years, we have seen big tech companies being fined by competition or consumer protection authorities for violating competition rules through their use of personal data[2]. Therefore, it is becoming clear that the use of personal data is a market issue as well, which should be monitored by the relevant market (competition and consumer protection) authorities. This was also confirmed by EU Commissioner Margrethe Vestager during her keynote speech at the IAPP conference in 2019, when she said: “to tackle the challenges of a data-driven economy, we need both competition and privacy regulation, and we need strong enforcement in both. Neither of these two things can take the place of one another, but in the end, we’re dealing with the same digital world. Privacy and competition are both fundamentally there for the same reason: to protect our rights as consumers.”[3] Therefore, it is clear that, in the future, market authorities will focus closely on the use of personal data and its implications for competition on the EU market.
Having the above in mind, some authorities have recognized the necessity to cooperate and have started to work together on joint documents, such as the guidelines of the Maltese gambling regulatory authority and the data protection authority that explain how to implement the GDPR in the gambling industry[4]. In addition to the efforts of the relevant authorities, industry representatives have also realized the necessity of explaining the specifics of their areas within industry codes of conduct[5], which can be of significant value to regulators as well. However, we can’t avoid asking the question: Is this enough, given that we see so many sectoral laws and regulatory requirements also dealing with the use of data in different industries? Should a privacy impact assessment be part of sectoral legislative proposals that regulate the use of data? In addition, should an economic impact assessment of legislative proposals also address market implications arising from the use of data?