22.10.2018

GDPR 6 Months On – Report from the CSA Session at M3AAWG

From 8 – 11 October 2018, Rosa Hafezi, Lawyer for the eco Association and related companies, including the Certified Senders Alliance (CSA), and Julia Janssen-Holldiek, Director of the CSA, attended the M3AAWG Meeting in Brooklyn.

At the meeting, Rosa Hafezi gave a talk on the EU General Data Protection Regulation, or GDPR – looking back at what really happened from the perspective of 6 months after the law came into effect.

Hafezi gave an overview of the situation before GDPR came into effect, with many European companies panicking, undertaking revalidation campaigns, sending out hundreds of emails re-confirming newsletter subscription, and updating multitudes of privacy policies.

Then she went on to look at what happened after the law came into effect.

Firstly, the many revalidation campaigns were not really necessary for every company: If companies already had a Double-Opt-In, then the revalidation campaign was redundant, and represented the risk that subscribers may not respond and revalidate, meaning mailing lists would shrink. Conversely, if the companies did not already have consent or Opt-In at all, then the revalidation campaign may have brought that fact to the attention of the subscribers.

Complaints to Data Protection Authorities

The number of complaints about data protection transgressions in Europe tripled after the law came into effect. Data Protection Authorities received approximately three times more complaints than in whole previous year. According to Hafezi, the DPAs had the impression that people were complaining simply out of doubt – they were not really sure whether something was illegal or not, so they sent in a complaint on the off-chance. This flood of complaints has, in the meantime, abated.

Court decisions relating to the GDPR

Rosa Hafezi went on to give an overview of three relevant court decisions:

  • The European Court of Justice (EUCJ)Facebook decision, which concluded that if you have a Facebook fan page, you and Facebook are joint controllers according to GDPR,
  • The EUCJ ICANN judgement, in which ICANN lost their case against EPAG, who didn’t want to collect all contractually-agreed privacy-related whois data, in particular, the name of the administrator and the technical contact, and
  • The Italian Federal Court of Justice decision that opt-in can be combined with the reception of free services; Italian DPAs were not in accord with this verdict, and want to be more restrictive in the interpretation of Article 7 Para 4 GDPR.

GDPR compliance and DMARC, tracking, and deletion of data

Finally, she also provided an overview of DMARC compliance with the GDPR. DMARC is compliant with the GDPR under certain circumstances and restrictions: Hafezi and the Certified Senders Alliance recommend the use of DMARC aggregated reports, since there are less personal data included. The eco Association Competence Group Email has produced a “Report on the compliance of DMARC with the EU GDPR”, which is available on the CSA website.

Questions of interest to the participants included the subject of tracking. Is tracking still allowed under the GDPR? Yes, it is, says Hafezi, but it depends on whether the tracking is personalized or anonymized – personalized tracking remains a highly controversial subject in relation to the GDPR. Tracking will also be a topic with e-privacy (not expected to be in force before 2020). Hafezi reports that here is still a lot of uncertainty, and people are still waiting for official, binding statements from the DPAs.

Another area which generated interest was the question of deletion vs. burden of proof. Hafezi pointed out that there is no obligation to delete everything, if you have a legal justification to keep the data. The CSA has published an outline of the legal issues on deletion vs. burden of proof.

Rosa Hafezi
© eco - Association of the Internet Industry