Is data protection an obstacle for Big Data, IoT and AI?

One year after the European General Data Protection Regulation, most companies have still not yet implemented all the points. Christiane Bierekoven, Doctor of Law specializing in IT law, names the most serious problems and illuminates the special challenges involved with the use of big data, IoT and AI.

• Companies must keep exact documentation and provide information about how they use personal data. Documentation and information are especially difficult for big data and AI applications. Complete anonymization is the preferable means of ensuring that data are processed in compliance with data protection law.
• In the case of big data analytics, IoT platforms and AI technical solutions such as privacy by design and privacy by default are becoming increasingly important as a means of ensuring that data are used in compliance with data protection law.

Christiane Bierekoven has advised companies on data protection and IT law for more than 20 years. The Doctor of Law specializing in IT law actually wrote programs for the Apple II at one point in her life. And so she knows how software works and is also familiar with cloud technologies. She regularly publishes articles in law journals and reference books on the subject of IT and data protection law and lectures at the German Law Academy (DeutscherAnwaltAkademie) and the Beck Academy (BeckAkademie). In the interview below, she answers questions about the implementation of the European General Data Protection Regulation and its effects on cloud, AI and big data.

Ms. Bierekoven, the General Data Protection Regulation (GDPR) has been in force in the EU for around a year now. To what extent has it been implemented in companies and where are problems still occurring?

Not all companies have completely implemented the GDPR, not by a long shot. Big companies have made more progress, but they are also subject to different compliance requirements. Small and medium-sized companies, on the other hand, are having a tougher time, though they also have less manpower.

Most companies are encountering the same problems with the implementation. Data subjects such as customers (for example) have a right of access under the GDPR: They can ask what personal data concerning them are stored and can also demand the erasure of these data. However, many companies have not yet implemented this right of access to personal data to the necessary degree and many of them are also encountering great difficulties with the implementation of an erasure concept. It is often not easy for companies to obtain a complete overview of all the data collected on a given person. However, this is necessary for the rights of access and erasure. Companies also need a technical solution to ensure they can fulfil access and erasure requests automatically.

On what problems are your clients seeking advice?

They often have questions about the need for a job processing agreement regulating the processing of personal data by external service providers. Many big companies have set up a separate department for this purpose. Also, new data protection notices conforming to the GDPR must be drafted for websites and newsletters, for example. In the case of newsletters, they must also answer the question of whether renewed consent must be obtained from subscribers. Companies do not like doing this because they could lose 60 to 70 percent of subscribers if they have to actively respond to a request for consent. Even in the case of Facebook fan pages, companies have questions about how to design them to conform with the GDPR and enter into the necessary agreements.
SMEs often do not know whether or not they need an internal Data Protection Officer. The German federal government has just amended the law to specify that this is only required for companies with 20 or more employees. But even then, there remains the question of whether an external data protection officer is appropriate or whether it is better to appoint an employee to exercise this function.

The regulatory authorities are complaining about a lack of resources for performing the necessary reviews.

I would still advise any company to implement the GDPR at least in core areas such as the record of processing activities, the obligation to provide information, the right of access, data processing and the like. For one thing, this creates a competitive advantage for the company; besides that, a company cannot know whether it will be included in the samples chosen by the regulatory authorities. It can also happen that the authorities receive a complaint and investigate the company for that reason. And so, there is no reason to not fully implement the GDPR. Companies should also know that the authorities will first thoroughly review any complaint to ensure that a violation has actually been committed before taking action against the company. This could take some time.

Do you see a need for improvements to the GDPR and changes to the law in Germany?

Some grey zones still need to be clarified. The requirements laid out by the German Federal Data Protection Act (BDSG) were more precise than those in the GDPR. Regarding the right of access, for example, the form in which information is to be provided is not clear. Moreover, the required contents of data protection notices, including on the subject of cookies for example, still need to be clarified. The same goes for the obligation to report data protection violations: Companies tend to report too many instead of too few potential violations right now out of fear of heavy fines. This circumstance dramatically increases the number of reports to the regulatory authorities.

How has the GDPR changed data protection at companies? Do Data Protection Officers have to start over from the beginning?

They do not need to start over, but they must get training because implementing all the requirements is a daunting task. Those companies that have already completely implemented the BDSG are in good shape. However, they need to rethink some aspects, including the obligation to provide information and establish the purposes of processing (for example) because the collected data can only be used for the stated purpose. Companies need to think in terms of European law now.

In bigger companies, however, training courses will probably not be enough. They will have to hire additional personnel. That is because it is a rather costly process to devise the required erasure concepts and records of processing activities. That is especially true of the erasure concepts because they must also be implemented technically. Companies will need IT specialists for that.

Do the new data protection requirements stand in the way of using new technologies like big data and AI?

The GDPR does not stand in the way of such new technologies, but it also does not make it easier to implement them. As I mentioned before, the processing purpose must be stated in the information about and consent to the processing of personal data. Therefore, every process must be precisely defined. However, big data analytics will often only be introduced later with data that were originally collected for another purpose, say in an online shop for the purpose of contract performance. In that case, data analysis represents a change of purpose, concerning which the company must provide exact information to customers: How the data are processed and what is done with the data, and so the company will need to describe the algorithm in comprehensible language. And yet, that is hardly possible in the case of an AI system. And for that reason, practically no company is doing that right now. Many data protection notices on websites do not even use comprehensible language. It makes sense to design systems from the outset to ensure that no problems arise in the first place because the data to be analysed are completely anonymized, for example. There is a reason, after all, why the GDPR requires privacy by design, that would be a solution. But with technologies like AI, the requirements of privacy by design are not yet truly fulfilled. A complicating factor with AI is the fact that purchased algorithms are often used for this purpose. In that case, companies first need to have the functioning of the algorithms explained to them before they can inform their data subjects.

What about cloud computing, what should companies pay attention to in that regard?

They will first have to clarify where the data are processed, whether in Germany, the EU, or third countries. That is not always easy because the hosting service is often located in the EU, but maintenance and support are provided from third countries. But when entities in third countries have access to the data, it will be additionally necessary to agree on standard data protection clauses. In any case, an agreement is always required for data processing. For this purpose, you need to know the provider’s technical concept. However, many providers do not want to disclose that; this is often difficult in the case of the big U.S. providers in particular. In such cases, I as a lawyer sometimes need to press them for a long time on this subject.

What law is applicable for German customers when they choose U.S. offerings like Azure or AWS Cloud?

Companies usually prefer German law for the contractual relationship. But that needs to be negotiated, which can be difficult in some cases, though even medium-sized companies have done that successfully. However, some U.S. or even California laws are included in the license terms and are therefore also agreed. Some clauses are not necessarily valid in Germany. But providers often operate data centres in Germany or the EU. Given the current developments in US politics, many German companies have become more reluctant to work with providers from the United States. Many of them separate the data that could be of interest to the US authorities from the rest of the data and store them somewhere else. Uncertainty is rising and the trade conflicts are causing companies to reconsider some of their business models.

Author: Uwe Sievers