The EU Parliament highlights that organisations can no longer rely on simple “data housekeeping” practices alone; instead, they must shift towards advanced data protection approaches — such as GDPR Pseudonymisation — to control Big Data use.
The methods and purposes of data processing have changed dramatically over the past several decades: ongoing technology developments make it easier to switch seamlessly from primary purpose data collection and processing to advanced secondary analytics, complex artificial intelligence (AI) and machine learning (ML). As Big Data continues to advance using these technologies, data protection techniques must also evolve to keep pace. The General Data Protection Regulation (GDPR) was a major step towards ensuring that organisations comply with required data protection obligations to respect data subjects’ fundamental rights. However, widespread non-compliance remains an issue. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) recently released a Motion for a Resolution that considers the current privacy law landscape now that the GDPR has been in force for over two years.[1] A review of the Motion for a Resolution highlights that the most popular Privacy Enhancing Technologies (PETs) do not provide adequate protection for popular Big Data use cases.
Beyond Simple Data Protection
Many companies still find themselves focusing on simple data protection for primary data collection and processing and nothing more. Organisations are aware of what data they are collecting, where they are storing it, and what direct identifiers are in their data. They are also conducting data inventory and data flow assessments, all of which comprise good “data housekeeping” techniques.
However, none of these approaches addresses the real issue: “secondary processing” via analytics, AI, and ML is becoming more pervasive each day. While contracts and consent may cover most primary data collection and processing practices, secondary processing falls outside the scope of these legal mechanisms. In most cases, and certainly when it comes to AI and ML, lawful secondary processing requires a different lawful basis, known as legitimate interests processing. These secondary processes and associated global data transfers were the focus of the highly impactful Court of Justice of the European Union (CJEU) ruling known as Schrems II.[2] This case puts additional pressure on organisations to consider what data they are processing and what technical and organisational measures they have put in place to support lawful secondary processing and data transfers.
Data Protection by Design and by Default…