On November 12, Crowell & Moring chaired a plenary session during the 2018 ICPHSO International Symposium in Brussels, which was presented as part of the European Commission’s International Product Safety Week. The panel focused on how, as a result of their Big Data strategies, Business-to-Business (“B2B”) companies are affected by consumer-focused legislation such as the General Data Protection Regulation (“GDPR”). Additionally, the EU’s Digital Single Market initiatives and their expected consequences were discussed.
As a brief reminder, the GDPR is Europe-wide legislation, applicable since the end of May, that regulates the use of personal data, which is essentially any type of information that can identify an individual. Replacing a name with a number, referring only to the identification number of a vehicle or device, or using a nonsensical patient ID number is not sufficient to fall out of scope; only truly anonymized data, e.g. aggregate data, is.
Manufacturers of industrial equipment are a good example of companies whose Big Data strategy forced them to focus on GDPR compliance. Indeed, in order to enhance the safety of the users of their equipment, a huge amount of data is collected. As such data relates to these users, such data is considered “personal data” and thus in scope of the GDPR. Therefore, the GDPR challenges and risks are very similar or the same for both B2B and Business-to-Consumer (“B2C”) businesses.
The same applies to the Internet of Things (“IoT”) in general, and connected devices more specifically, as we have moved from people speaking to each other, through people speaking to devices, to devices speaking to each other. Because connected devices operate in both B2B and B2C environments, compliance challenges are very similar or the same in this situation as well.
While compliance with very strict legislation such as the GDPR is not impossible, it cannot be denied that organizations with innovative Big Data-based business models often encounter substantial challenges. In the medical environment, for example, both artificial intelligence and 3D printing can undoubtedly enhance the accuracy of a diagnosis or the precision of a treatment and thus add significant value to the entire healthcare sector. However, as such accuracy and precision increase with the amount of personal data that is processed, the use of huge amounts of data needs to be aligned with GDPR principles such as data minimization and purpose limitation, to name only a few.
Key to this dilemma is trust, combined with true ethical behavior and a clear focus on the rights of individuals. The importance of the latter should not be underestimated, as the right to the protection of personal data is a fundamental right in the European Union, which means that this right should be respected in the same way as other fundamental rights, freedoms and principles such as the right to life, the prohibition of torture, the right to liberty and security, etc.
The buzz created around innovative technologies such as artificial intelligence and blockchain has put the need for an ethical approach high on the agenda. While, depending on their effective role in the actual processing of personal data, developers of these technologies might be entirely out of scope of the GDPR, the parties who use their technology are not. The latter will therefore have to embrace their responsibility and accountability obligations and make sure that individuals’ rights and freedoms are optimally respected by means of appropriate technical and organizational measures, in line with the GDPR’s Data Protection by Design requirements. Clear information and even education about the efficiency and effectiveness of these measures is crucial to ensure that the true value of innovation is not thrown out with the bathwater.
Another topic that was discussed is the EU’s strategy for the future. While the “old school” single market approach ensures a level playing field and a free flow of goods, capital, services and labor within the European Union, the goal of the Digital Single Market is to ensure access to online activities for individuals and businesses under conditions of fair competition, consumer and data protection, removing geo-blocking and copyright issues.
In that context, an important initiative is the proposed Cybersecurity Act, which aims to ensure safe access to online activities for individuals and businesses. The EU-wide certification scheme that comes with it is a highly debated topic, as its certification-based approach seems to differ from the GDPR’s accountability requirement, under which organizations themselves need to assess the risks and, based on that analysis, take appropriate technical and organizational measures.
A last topic that was part of the discussion was the EU’s proposed New Deal, which is aimed at strengthening consumer rights online, giving consumers the tools to enforce their rights and obtain compensation, e.g. via class action-like representation, and introducing effective penalties for violations of EU consumer law.
The panel concluded that the challenges posed by new EU consumer legislation should not be underestimated, and that consumer products will not be the only products affected by the new regulatory framework. Compliance is certainly not impossible, and a focus on ethical behavior, a clear allocation of responsibilities and constructive collaboration between the different stakeholders seem to be the keys to success.
ICPHSO’s next event will be its 2019 Annual Meeting & Training Symposium which will be held February 25-28, 2019 in Washington, DC.