Dedicated Short Range Communication (DSRC) is a system in which information is shared between vehicles (V2V) and between vehicles and infrastructure (V2I). In general, this technology is intended to aid the flow of anonymised information on driving conditions. It seems however that DSRC might also entail collection and processing of personal data.
At a meeting summarising public consultations on a bill implementing the General Data Protection Regulation (GDPR) in Poland, the Ministry of Digital Affairs confirmed that during legislative work a change was approved providing for major exceptions to the GDPR. This change was proposed in October 2017 by the Ministry of Development. This proposed exception is an interesting example of how hard it can be to draft legislation properly aligned to the needs of a digital economy.
Two new documents were issued in December 2017 by the EU’s Article 29 Data Protection Working Party explaining how to interpret and apply the provisions of the General Data Protection Regulation on the consent that must be obtained from data subjects and the information that must be provided to data subjects for processing their data. The Guidelines on Consent under Regulation 2016/679 and the Guidelines on Transparency under Regulation 2016/679 demonstrate that the era of lengthy, fine-print terms and conditions is over. Data controllers will achieve better compliance with the GDPR by using brief and easily understood FAQ and notices.
As anonymisation of data appears to the main method for escaping the restrictive regime of the General Data Protection Regulation, it’s worthwhile for data processers to be aware of the risks they may be exposed to if this is not done properly or the data can be traced back to specific people. Should firms applying artificial intelligence to anonymised data expect to be held liable when it turns out that the data they are using have not been permanently anonymised but only been given a pseudonym—a reversible operation?
In February 2018 the EU’s Article 29 Data Protection Working Party published its Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679. The guidelines explore Art. 21–22 of the General Data Protection Regulation, and although the title may not indicate it, provide another element in the legal framework for development and use of artificial intelligence. They also show that this framework may be truly restrictive.
The General Data Protection Regulation entering into force on 25 May 2018 is not the only privacy revolution in store for the EU. The proposed ePrivacy Regulation is also generating greater and greater controversy and may change the shape of the internet as we know it.