In May of 2018, the EU’s General Data Protection Regulation (GDPR) becomes effective. DataXu is preparing proactively for GDPR readiness and compliance with a dedicated cross-functional strike force that we’re calling “Team Voltron” – a name we’ve borrowed from the 1980s cartoon featuring five astronauts piloting lion-like spaceships which come together to form a super robot named Voltron!
The name seemed fitting because DataXu has a space-based history. Originally, our founders were doing their PhD work at MIT on Mars mission software. More recently, we have gathered employees from across the company as well as outside counsel in order to build a GDPR compliance solution which is robust and operational well in advance of GDPR’s effective date. We are coming together like lion robots forming a super robot. Here is what DataXu is doing with “Team Voltron.”
Today, the EU Data Protection Directive 95/46/EC (the “Directive”) governs the movement and processing of “Personal Data,” which essentially means any data that can identify an individual. Think: name, address, e-mail, etc. But over time, as technology has advanced and as the Directive has been interpreted and expanded, Personal Data has come to include the data that advertisers rely on: subtler identifiers like IP addresses, browser cookies and mobile device IDs (“Ad Data”). The law moves at a glacial pace compared to technology, so the text of the Directive was not formally amended to name this data (cookies were addressed separately, under the ePrivacy Directive). Still, through regulatory guidance and court interpretation, Ad Data has gradually been placed in the Personal Data category. While all this was happening, GDPR was simultaneously being written and passed.
The idea behind the EU’s new privacy regulation is that GDPR should simplify things. Under the Directive, each EU member state has its own national law built on the Directive’s guiding principles; those laws are similar, but not identical. As you can probably imagine, this creates compliance challenges for global companies. GDPR aims to smooth these challenges out by applying directly in every member state as a single regulation, removing the patchwork of national implementing laws, and by creating an EU-level body to coordinate the national data protection authorities. GDPR also explicitly places Ad Data in the Personal Data category, naming online identifiers such as cookies and device IDs as Personal Data.
Processing And Moving Data
To move data between the EU and US lawfully, there needs to be a mechanism which affords compliance under both the Directive and GDPR. Compliance used to be covered by a program called Safe Harbor. But last year, the Court of Justice of the European Union struck down Safe Harbor in its Schrems decision, finding that it did not adequately protect EU citizens’ Personal Data. A replacement, Privacy Shield, was approved for companies to use instead. Companies began certifying under Privacy Shield… but even Privacy Shield faces legal challenges.
Many companies have used the “model contract clause” framework (also called standard contractual clauses) to process and move Personal Data under the Directive. Model clauses are pre-approved contract terms covering security and data use obligations, so that companies moving and processing Personal Data do so under defined, reasonable terms. The model clauses remain a valid form of compliance, though they could face legal challenges in the future on grounds similar to those which invalidated Safe Harbor. An additional method used by companies to process and move Personal Data is binding corporate rules (“BCRs”). BCRs require a company to build a detailed framework of data use and processing rules and to seek approval from an EU data protection authority. BCRs are detailed, time-consuming and expensive, and may also face future legal challenges.
GDPR requires consumer-facing openness about processing activities. We like this aspect of GDPR. It promotes responsible data use and protects privacy, which we care about. GDPR compliance also requires back-end technical solutions designed to protect individuals’ rights in their data, such as access, correction and erasure. These solutions are complicated and require thoughtful planning, privacy-by-design and analysis. DataXu’s approach is to maintain current compliance with one or more of the transfer mechanisms described above, and to proactively monitor developments so that our customers can always continue to use the Platform and process data. DataXu will continue executing on GDPR planning through the efforts of Team Voltron and achieve compliance ahead of the May 2018 effective date.
Execution And Innovation
GDPR compliance should make all global companies more focused on data and on consumers. Some industry factions view the shifting privacy landscape in the EU as somewhat heavy-handed. But in leading Team Voltron, I know that the EU approach, while complex, ultimately makes for a more open, consumer-facing data use policy and affords an opportunity to engage in focused privacy-by-design. The real trick is making sure that any GDPR plan thoughtfully focuses not just on compliance, but also on forward-thinking privacy-by-design that accommodates new technology growth like DataXu’s television offerings or the “Internet of Things.”
Here at DataXu, we are working hard to ensure that all data is managed and processed appropriately now and in the future.
Want to learn more about DataXu’s approach to privacy regulations? Feel free to email me at email@example.com.