Ok, I'm lying.
These are not exactly lies about the GDPR. More like misconceptions. Or gross misrepresentations. But the first two are repeated so often that you suspect it must be due to some kind of conspiracy. And the third is so obviously in the service of the #adtech and #martech ecosystem that you feel it's directed by a ministry of propaganda.
The GDPR concerns the personal data of EU citizens.
Nope. At least not in the sense that the protections afforded by the GDPR are available only to EU citizens. On the contrary, if, say, Christoph Waltz is scrolling through his Facebook feed in Chicago's O'Hare airport, his personal data enjoys no more protection than that of the US citizens surrounding him. Conversely, when Quentin Tarantino travels to Vienna to visit Waltz, he enjoys the same protection as his host.
In fact, the word "citizen" does not appear in the text of the regulation. Rather, the reference is consistently to some variation of data subjects (people) or data controllers and processors "in the Union" (my emphasis) -- which clearly indicates that it is a matter of location, not nationality.
So the short version is, the GDPR applies to anyone in the EU, regardless of citizenship, and regardless of where the processing takes place; and/or it applies to the processing of personal data about anyone, residing anywhere, regardless of citizenship, by an organization established in the EU.
The more accurate and elegant formulation is from a wise participant in this LinkedIn discussion: "The Regulation applies to the processing of personal data in the context of the activities of an organisation ‘established’ in the EU, regardless of whether the processing takes place in the EU. It also extends the current scope of EU data protection to all organisations, whether ‘established’ in the EU or not, processing data of EU residents [that is, people located in the EU], if they either offer goods or services in the EU (whether payment or not is required), or monitor behaviour within the EU. Namely, the GDPR will apply even if the organisation processing the personal data has no physical EU presence and when an organisation tracks individuals on the internet to analyse or predict their personal preferences."
Explicit consent is required for data processing.
I quote from a recent eBook on the GDPR: "So, for you to be able to use personal data, consumers have to give explicit consent. End of story."
Ah, no. And no again, for this misconception is wrong twice. First, consent is one of six legal grounds for processing data (see Article 6). Others include servicing a contract, compliance with a legal obligation, and legitimate interest (see below). Second, when you do use consent, the standard to meet is, usually, "unambiguous" consent, not explicit. (Explicit consent is required, for example, for processing "special categories" of sensitive personal data (see Article 9) and for receiving the data subject's permission to evade the restrictions on automated processing (see Article 22)).
Granted, for marketers and CX professionals, consent and legitimate interests will most likely be the legal grounds for data processing. (On the benefits of the GDPR for CX, see my recent article, "Can the GDPR Save CXM (From Itself)?")
"Legitimate interest" will authorize and shield existing data-intensive marketing practices.
Dream on. This fairy tale is based on a deep-seated nugget of truth . . . although it's more like a cavity in a decaying tooth.
Article 6 states that lawful processing may include that which is “necessary for the legitimate interests pursued by the controller.” And Recital 47 says that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
This reference to direct marketing has encouraged some observers to conclude that legitimate interests is a kind of get-out-of-jail-free card that effectively shields established marketing and advertising practices from the GDPR. But, as an EU data protection authority pointed out, it says "may be regarded," not "is to be regarded." The conditional is critical, and could be costly if ignored.
First, you don’t simply assert a legitimate interest to justify processing. You need to conduct a so-called balance test that weighs your legitimate interest against the interests and fundamental rights and freedoms of the data subject (consumer). And, even if the balance test falls in favor of the business, you must in most cases still offer the consumer the opportunity to object to the processing. (In the form, say, of a very clearly presented and worded opt-out option in an email.)
Second, although many parties complain that the scope and application of legitimate interest is opaque in the GDPR and thus demand more clarity and guidance before acting, the fact is that EU regulators (the so-called Article 29 Working Party, aka WP 29) have already issued a detailed opinion on legitimate interests. (This document, WP 217, was issued in 2014, and addresses legitimate interest in the context of the Data Protection Directive, not the GDPR. But as the WP 29 said in their November 2017 Opinion on consent, existing Opinions "remain relevant . . . as the GDPR codifies existing WP 29 guidance.")
In this Opinion, the WP 29 acknowledges, for example, that companies typically have a legitimate interest in “getting to know their customers’ preferences” in order to “better personalize their offers.” And they grant that legitimate interest "may be a legitimate ground for some kinds of marketing activities."
But, the WP 29 also very clearly states what kinds of marketing activities are not valid under the legitimate interests ground. The passage is worth citing at length, since it reads like a Wikipedia entry on many of today's favored data-driven marketing practices. (My emphasis; see page 26 of the document linked above.)
However, this does not mean that controllers would be able to rely on [legitimate interest] to unduly monitor the on-line or off-line activities of their customers, combine vast amounts of data about them from different sources that were initially collected in other contexts and for different purposes, and create [. . .] complex profiles of the customers' personalities and preferences without their knowledge, a workable mechanism to object, let alone informed consent. Such a profiling activity is likely to present a significant intrusion into the privacy of the customer, and when this is so, the controller's interest would be overridden by the interests and rights of the data subject.
In short, for the programmatic advertising ecosystem in particular, over-reliance on legitimate interest might better be symbolized by that other Monopoly card about jail. (For more detail, see Dr. Johnny Ryan's analysis of the impact of the GDPR on the Adtech Lumascape and of the limits of legitimate interest.)