Discover more from Chronicles of the Constantly Curious
Data Protection Myths that Continue to Persist
Is someone you know claiming to be GDPR compliant? Do you think PII is the same as personal data? Is consent your only man? Well, I've got some news for you ...
//Author’s note: Substack did a bad and sent out a very early draft version to people’s inboxes. I don’t know why, but it happened. Anyway, sorry for the duplicate message, but this one will absolutely make more sense, I promise.
I want to talk about some data protection myths that seem to carry on and spread. This whole topic came about after I heard a few of these uttered in the wild this week, and this intriguing YouTube video by Mark Rober on scent-tracing dogs. What can I say, my brain works in mysterious ways.
In the Rober video, he debunks a handful of myths around police/search and rescue dogs, by doing what he does best — testing the theories in practice. I can’t necessarily provide the same level of scientific rigor, but I can practice a little mythbusting by diving into the myth versus the reality.
When I think about myths in data protection, I’m awash in examples. But just in case, I asked my colleagues in data protection land (LinkedIn link, you might need to log in) on what myths they regularly come into contact. They had … many, many examples. Enough to write a book, to be honest. I may, if people like it, do more of these mythbusting posts in the future.
But for now, I wanted to focus on five examples that seem to doggedly persist, despite so many efforts to counter the misinformation. Personally, I blame marketers and the media, for some of these, but others are just baffling.
Myth 1: Consent Is Your Only Man
It’s been five years since the GDPR went into effect. Yet, the myth that you always need consent every time something is done with personal data continues to spread like a virus across the internet. I’ve even begun hearing the consent canard being applied to other laws, so it’s clear that this particular brain worm is getting worse. Ugh.
The reality is, under most laws, you need a lawful basis (which is fancy lawyer-talk for “a legal reason”) to do stuff with people’s data. As an example, the GDPR has six lawful bases when processing personal data generally, and ten slightly different ones when processing more highly-sensitive data that reveals a person’s racial or ethnic origin, criminal convictions/offenses, political opinions, sexual orientation or sex life, religious or philosophical beliefs, trade union membership, or genetic, health, or biometric data.
Consent is one legal reason, but it’s not the only one, and it’s not even appropriate for a whole host of processing activities. For example, consent would be a terrible choice if the processing involves fraud detection or even sharing data with subprocessors or service providers. If you use Google Cloud for running your SaaS application, and someone withdraws their consent from you transferring to Google, you’re hosed. In other cases, consent isn’t even legally permissible. Employers, for example, cannot tie consent to activities where there’s an imbalance in power — an employee can’t meaningfully provide “freely given, specific, informed and unambiguous” consent to handling a HR disciplinary matters or processing payroll, for example, and good luck with telling the tax man that you don’t consent to their processing activities. That’s why there are so many different lawful bases!
Nor is ‘one consent to rule them all’ a valid approach. The law, and the regulators, are pretty clear on the fact that consent must be given in relation to “one or more specific” purposes. That means, if you’re an app developer and your app tracks my location, uses my fingerprint to authenticate me, shares my data with Meta/Google, and wants access to my photos and you’re relying on consent, you better be getting individual consents for each distinct processing purpose.
And don’t get me started on the related, but still very different concept of cookie consents.
Consent is a double-edged sword in many respects. It does give data subjects a lot of control over their data if done correctly by a controller, but it’s also one of the lawful bases that is most likely to be applied incorrectly
Myth 2: Data Protection Laws Mean You Can’t Do Business Because FINES
In the early days of the GDPR, this was a persistent critique. Fatalists noted that this would be the death of marketing and ad tech, and that the GDPR would drown everyone in a sea of compliance costs and obligations. Users would swarm controllers with demands for their data (or to delete everything). Companies would be bankrupted by fines and be shut down by regulators. These arguments still get
vomited offered up every time a new substantive privacy or data protection law gets proposed or enacted.
Like many myths, there’s a kernel of truth to some concerns raised here. With more laws come new obligations and an acknowledgement that some business practices needed to change (others, like data brokers, need to be yeeted into the sun entirely). Privacy laws have added compliance obligations to controllers and processors. And some companies do get fined. But unsurprisingly, most businesses haven’t folded on account of the privacy and data protection laws. And notwithstanding the marketing hype of some opportunistic vendors, compliance costs (or worse, fines) haven’t markedly increased the cost of doing business. I think there’s a few reasons for this:
Most laws are sensible and can be implemented vast majority of businesses out there without spending a fortune. Meeting notice, transparency, information, security, and accountability requirements doesn’t mean you need to invest a ton of time and resources into compliance — if you do it right (and maybe consider hiring the right people to help when you need it). The short answer is, if you’re honest about what you’re doing, you can probably get away with making a few small tweaks to your processes. This benefits everyone (including the business).
If your business doesn’t collect a ton of personal data about people or do dodgy things with that data (y’know, like tracking them everywhere they go, spying on their location, being a creepy data broker, or using their personal details to train your AI models), you’ll likely never be in the crosshairs of any regulator. Three industries account for the vast majority of fines by regulators under the GDPR: Media, Telecoms & Broadcasting.
There’s a very good reason for this: The industries that face the most regulatory ire also tend to be those industries that collect voluminous amounts of data, in the worst way possible. They tend to also lie to their customers about what they collect, why they collect it, and how they’re using the data. They tend to openly, and repeatedly violate the data protection laws. Finally, they’re usually rather shitty to people generally, which leads to complaints, and that leads to regulatory scrutiny. And even this is small (given the number of actions against the sector). Most of the time, if you end up in front of a regulator at all, things get handled amicably. If you want to avoid a fine, you don’t need to invest buckets in compliance. You just need to not be shitty to people. In other words, don’t be Meta, Amazon, Google or Vodafone Espana.
Myth 3: Personal Data = PII
I have largely given up on correcting people when they say “PII” and mean “personal data”. But I do like to emphasize that there is a distinction when it comes to thinking about what we consider identifiable information about a person, regardless of what we call it. That’s because, after nearly a decade in this game, I really think it’s much easier to think broadly about what might identify someone, rather than try to memorize lists of ever-changing specific types of information. A diagram might help. Here, I’m looking at the US Sectoral laws and Canada’s PIPEDA:
In contrast to all of the above, the concept of “personal data” under GDPR-style laws is much broader. Once you get used to this, I think it’s much easier for people to understand:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
Yes, the GDPR also includes examples, but the assumption is, if you can identify someone with the data you’re processing about them, it’s personal data. There are no _exceptions_ to this. It’s binary: Can you (still) identify someone with the data you already have about them or with data you can get about them? Congrats, you are processing their personal data.
Now, there might be an exception for specific processing activities and the lawful basis you can rely on (for example, it’s permissible to process more sensitive information if the data has been ‘manifestly made public’ by the data subject. But this doesn’t change the fact that if you can identify someone, you’re still processing personal data about them.
Myth 4: The Right to Privacy is an Absolute Right
Many people brought up various myths about the scope of data subject rights, but I think Debbie Reynolds identified it best: Privacy and data protection rights are not absolute.
This particular myth comes up most often not from marketers and industry folks, but from the various armchair pundits that opine on our rights. It manifests in a few different ways, including the ‘always consent’ example I mentioned above:
A company must delete my data if I file a deletion request.
A company must provide me with all the information it has about me if I ask for it.
I can sue and get lots of money if a company violates my privacy rights.
Privacy laws mean I have the right to control my data / I should get paid for my data.
There are more in this bucket, but the short answer to each is, No, No, Not unless you can demonstrate actual damages, and *sigh*, No.
Informed students of privacy and data protection laws know that exceptions abound in privacy land, and that there are few absolute, rigid obligations in place. Data subject rights including the right to access, deletion, rectification/correction, and the right to revoke consent, are not absolute.
People hate lawyers because the answer to any legal question is almost always “It Depends.” We’re not trying to be glib here, or to exact a fee for our services — the reality is, laws need to balance things, and that means absolutist positions will (almost) never fly.This is particularly true when it comes to data subject rights, because context matters. The right to data protection is but one of a constellation of human rights available to people, and it must be balanced against other important rights — like the right to speech and the press, the right to free association and movement, the right to run a business, and the right to safety and security.
Let’s take an example I know well: The right to access.
Under the GDPR, the right of access is mostly covered by Article 15. Most of Article 15 spells out obligations of the controller — it’s very pro-data subject. But then at the end, we’ve got Article 15(4): “The right to obtain a copy … shall not adversely affect the rights and freedoms of others.”
I have, quite literally written a small book on what the term “adversely affect” means in the context of the data protection right and how it applies. In the simplest sense, this section should be read as “don’t share data that might harm someone else’s rights.” More broadly, this might mean:
If your data is intermingled with someone else’s data (for example, in a database), they can’t share the whole database with you — that might infringe someone else’s rights. You also generally don’t have access to things that aren’t your personal data — like the source code or algorithm a company uses. That’s their IP, not your personal data.
Sometimes, if someone complains about you (e.g., to a school official, or a priest, or the HR department when filing a whistleblower complaint, or in a way that confidence is assumed), you won’t get access to that information — and that is totally fine and completely legal. People have a right to share confidential things, even opinions about you, and even if it’s about you, your rights and their rights must be balanced. Sometimes, it means that what you get might be heavily redacted; oftentimes, it means that the controller may say ‘Hey, yeah, we had some additional information about you, but we can’t share it because it might harm someone else. Sorry.’
Sometimes, additional laws might create an exception to sharing. And provided those laws are documented and the controller tells you about why they are rejecting your request, your recourse is to the legislature, not the data protection authorities.
If you act like a jerk and use the data protection laws to “punish” a company — especially if you do it repeatedly and without any real interest in getting access to your personal data, a controller can either reject your request, or charge a fee. This is essentially the ‘Don’t be a Dick’ rule of data protection, and it applies to most data protection rights.
As for the specific data ownership question — that must be a post for another day.
Myth 5: You can be ‘GDPR Certified’ or ‘GDPR Compliant’
I don’t know if it’s the dog-days of August, drugs in the water, some new fresh marketing hell, or whatever, but this one seems to be making the rounds again. And it’s not just me: the GDPR ‘Certified/Compliant’ pipe dream was actually one of the most cited myths mentioned in my informal polling.
Firstly, there is no such thing as being ‘GDPR Compliant’. I do not care if Brad in Information Security, or OneTrust, your marketing firm, or the ‘Data Protection Expert’ you found drunkenly singing outside the pub says otherwise, ‘GDPR Compliant’ is Not a Thing. For the love of cats, STOP SAYING IT’S A THING.
A company claiming they are ‘GDPR Compliant’ is officially telling you that they are full of shit, do not know the data protection laws, and/or they are trying to screw you out of money. It should be read with the same degree of skepticism as someone saying they’re ‘100% Hack Proof’, food being ‘Fat Free’, or a drug that’s ‘Guaranteed to Cure Cancer’. Anyone who tells you this is lying to you, and you should turn around and walk away.
As for ‘GDPR Certified’ — the next time someone says they are GDPR certified, I want you to respond with the following:
show me the certification
Then I want you to send it to me.
While the GDPR contemplates certification, to date, there have only been a handful (2?) certifications granted by country-specific data protection authorities, with some degree of sign-off by the European Data Protection Board (the overarching body responsible in the EU). The most comprehensive was granted to EuroPriSe by way of the German DPA in North-Rhine-Westphalia in Sept 2022. It was/may still be restricted as a certification mechanism only for processors and cannot be applied outside of Europe. The second was a consistency opinion issued for GDPR-CARPA initiated by the Luxembourg DPA in February 2022. It is honestly a little unclear on whether the EDPB has actually approved GDPR-CARPA at a EU-wide level though. Neither GDPR-CARPA or EuroPriSe are listed in the Register of Certification Mechanisms. Both have very narrow applications. Neither can be applied to processing that occurs outside of the EU.
More importantly, just because a company has received a ‘GDPR Certification’ does not mean they are 100% fully GDPR Compliant, because, as I said, GDPR COMPLIANCE IS NOT A THING. Certification is merely a tool in the toolbox to demonstrate that the attesting company is trying to do things right. It does not mean that they are 100%, without question, doing it right.
So yeah. Lots of myths. If you ever see these in the wild, please do feel free to forward this to the offending party with my blessing.
As always, if you think I missed something, or would like to see more of these, please drop me a comment. If you manage to finagle a GDPR Certification, I want to see it. If it’s from anyone who isn’t EuroPriSe, I want to see it and then forward it to the relevant regulatory authority.
Chronicles of the Constantly Curious is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
I could spend an entire blog post wingeing about how so many companies on both sides of the world conflate the ePrivacy Directive (the “cookie law”) and the GDPR. The ePrivacy Directive has been in force since 2002 (amended in 2009) and it’s the thing that requires all those annoying cookie banners. The reason everybody took notice in 2018 was in part due to a combination of scare tactics leveraged by vendors seeing a market opportunity, a misreading of the law by most media outlets, and the fear of “fines”.
I really cannot help myself you guys.