NOTE: This is the third in a series of articles addressing the GDPR and its effects on email marketing. For an overview of the subject, see our previous article: GDPR and Email: Part 1, an Overview.
Last time on this blog, we looked at the issues of forgetting and unsubscribing, and how the General Data Protection Regulation (GDPR) affects email marketers. That particular portion of the GDPR has received a lot of press, but there’s a far thornier issue lying in wait a few paragraphs further down in the regulation. I’m referring to the “right to data portability,” which gives the subscriber the right to receive all the data a company has collected on them.1 Compared to the other features of the GDPR, the right to data portability seems haphazardly drawn up, or, at least, drawn up without ever considering the difficulties and problems that its simple request could generate.
Briefly put, the right to data portability says a subscriber has the right to receive any data about them in a “structured, commonly used and machine-readable format.” The regulation doesn’t specify what this format is. “Commonly used” would suggest a comma-separated values (CSV) file, XML, or something similar. Even then, there’s no guarantee that the data can be formatted in a useful manner. Every customer relationship management system (CRM) and email-marketing service provider (ESP) has its own structure, order of operations, and, to a certain extent, terminology, so porting the data from one site to another isn’t as easy as transferring the file. Try opening a Microsoft Word file in a text editor and you’ll see what we mean. Even when the two systems can read each other’s data, it doesn’t mean that one system will have a place for all the data from the other. There is no standard for formatting things like click-throughs or deletes without opening. In Recital 68 (separate clarifications to the GDPR), the regulation states that “data controllers should be encouraged to develop interoperable formats that enable data portability,”2 but it makes no suggestions as to how this would be accomplished. It is the bureaucratic equivalent of a mom’s admonition for kids to “learn to get along.”
CSV and XML certainly qualify as commonly used formats, but they are also as easy for humans to read as they are for machines, which raises other privacy issues. If the “Right to Erasure” presents the danger of someone other than the subscriber making the request, the Right to Data Portability is even more of a threat. With erasure, you’re simply asking to have your data removed from a system. Most people wouldn’t cry to learn that their data has been accidentally erased by their ESP, but would hit the ceiling if they learned that their data was sent to someone else. Anything sent out in an email has a risk of being seen by others. Even if the format is not easily read by humans, the “commonly used” qualifier means anyone looking to steal someone’s data probably has a program that will have no trouble deciphering the information. But there are other dangers waiting in the wings.
There are plenty of examples of people pulled aside by the TSA at the airport because their names matched people on suspicious person lists. This isn’t a big concern in the email marketing field, because every subscriber already has a unique identifier: their email address. Even if someone enters the wrong email address, the email will go to the person who has the account and they can choose to ignore the message. There is some danger that if an email account is hacked, the identity thief can now request all that person’s data from the ESP, and the ESP will, by law, be required to provide all the personal data for that hacked account. Depending on the data that is kept, this could provide the thief with a wealth of information about that person. Security on an email account is more critical than ever.
Here Come the Lawyers
It’s ironic that a regulation designed to help protect an individual’s private data might be the very thing responsible for the theft of that same data. This speaks to the rather haphazard nature of this particular clause. This is why the Internet Corporation for Assigned Names and Numbers (ICANN) has filed a suit against EPAG, its German affiliate, in an attempt to get better clarification of the GDPR’s restrictions. EPAG recently informed ICANN that when it sells new domain name registrations it would no longer collect administrative and technical contact information, as it believes collection of that data would violate the GDPR rules. For ICANN, this presented an untenable problem since maintaining this data is central to ICANN’s purpose. It’s a thorny issue, for sure. Right now, no one is sure where the balance between private data and public records lies. The courts have their work cut out for them.
While ICANN’s lawsuit is aimed at clarifying the regulations, other lawsuits are aimed at companies that are seen as already violating the GDPR. As of this writing, the only major lawsuits filed against companies under the GDPR are ones against Google, Facebook, Apple, Amazon, and LinkedIn. These were filed shortly after the law went into effect and are intended as test cases. The outcome of these cases will determine what happens next.
We will keep watching the events involving GDPR as they unfold and keep you posted if anything changes. In the meantime, as long as you’ve followed the rules of the GDPR that we laid out in part one of our GDPR and Email Overview, you should be alright.
(This concludes our three-part series on the GDPR.)
1. Chapter 3, Article 20: Right to data portability