The “feared” GDPR: what is its impact on shipping?
As is known, EU Regulation 2016/679 , i.e. the so-called “GDPR” (acronym of “General Data Protection Regulation”), entered into force on 25 May 2018.
Such Regulation constitutes a historical turning point for the development of data protection and is thus bound to also have an impact on the shipping industry, where the amount of information being processed daily is constantly increasing, with the operators in this sector continuously collecting personal data of customers, associates, suppliers and so on.
If it is true (as is the case) that, as a result of the GDPR, a new era has begun for the regulations protecting the right to exercise control over personal data concerning individuals, it is worth investigating – a few months after the entry into force of the Regulation – the impact of the new legislation on the companies operating in the shipping sector.
This is also in light of a fact that cannot certainly be ignored but rather should be taken seriously into account, that is to say, the fact that heavy penalties are imposed on those companies that are not compliant with the GDPR provisions .
But what does the GDPR reform imposed on companies actually mean? The real revolution is the paradigm shift: until the entry into force of the GDPR, the person, understood as individual, was placed at the core of data protection rules and data was protected as indirectly representing the person.
Technological progress has however involved data becoming valuable in itself, which means that data must to be protected for what it is, even regardless of the people to whom it relates. In a nutshell, data has become a legal interest deserving protection.
From this perspective, the GDPR is in fact an instrument of economic competition for the operators concerned.
That being said, let’s have a look at the criteria to determine whom the GDPR applies to, starting for example with a simple question: “Which law applies If a non-European company handles data concerning European citizens?” Before the GDPR was enacted, the answer would have been: the applicable law is that of the data controller (i.e. the organisation or individual collecting the data). Nonetheless, the GDPR introduced the principle that EU law shall apply also to data processed outside the EU, when related to the offering of goods and services to EU citizens or to the monitoring of data subjects’ behaviour.
Moreover, up until the GDPR was enacted, obligations on data protection were based on formal criteria: companies were sanctioned for their failure to comply with applicable requirements, upon supervisory authorities finding and alleging the same. By contrast, companies are now required to develop a privacy management system proving that all GDPR compliance requirements have been fulfilled: this is the logic of accountability, involving correct planning, adequate documentation and the monitoring of processing.
In brief, the data controller shall adopt policies and implement appropriate security measures in order to ensure and demonstrate that the data processing performed is compliant with the GDPR. Any entities that fail to properly handle the data they collect shall be liable for this only, regardless of whether or not abusive use of such data has been implemented.
Over the past few years, the Internet has brought a revolution in the transport sector as well. From websites to apps to other instruments that allow people to compare prices, the digital switchover is almost complete. For example, it is estimated that, nowadays, almost 80% of travellers worldwide book their trip online (providing a tremendous amount of personal data ranging from personal to banking data).
The real “transformation”, however, goes far beyond allowing travellers to make researches or reserve means of transport through a wide range of devices. Whenever a user navigates, clicks, gives a like, shares or reads an article, he/she leaves an invisible data trace. And such data (including cookies – which allow tracking users online –, which is personal data under the GDPR) is just the lifeblood of businesses. And it is precisely on collecting such data that a company will have to provide information on data processing.
A privacy statement is no longer a formal tool that a company must provide for compliance purposes but it must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Such document shall also lay down procedures aimed at facilitating the exercise by the data subjects of their rights, including the mechanisms for requesting free access to data, their rectification and cancellation.
Furthermore, organisations are required to adopt the new principles on protection of both privacy by design and privacy by default. Privacy by design means that the protection of personal data shall be conceived and organised by the company as from the very first design stage of the information collection and throughout the entire data lifecycle management. Privacy by default means that the collection of information exceeding the purposes emerging from the information about data processing shall be avoided. Thus, both privacy by design and privacy by default – merging into a single organisational precept – become the real north star, for the company, in the path towards a proper processing of personal data.
Let us now give details on the penalty system.
As a result of the introduction of the GDPR, “fixed-amount” penalties have been replaced by “customised” penalties, which are much heavier since they are not only administrative pecuniary sanctions but also criminal penalties. As far as the former are concerned, they can range from 10 to 20 million Euros, or, if higher, from 2% to 4% of the company’s global annual turnover of the previous financial year. Moreover, in the event of non-compliance, reputational damage and potential customers’ loss of trust shall also be taken into account .
In spite of the foregoing, many companies are still not fully compliant with the GDPR. In this sense, the “GDPR problem” should be “addressed” not only from a legal standpoint but also from an operational perspective. Typically, both the devices used and large databases can be vulnerable from a data protection standpoint, in that companies processing personal data may fall prey to cybercriminals.
As concerns large organisations, a new key player in personal data protection has been introduced, i.e. the Data Protection Officer (“DPO”). In essence, this is a mandatory role if (i) processing is carried out by a public authority or body; (ii) large amounts of personal data are processed; (iii) sensitive or judicial data is systematically processed. The DPO, who can also be an external consultant of the organisation, must meet the requirements of professionalism, independence and expenditure autonomy, becoming a kind of internal auditor on personal data processing and the contact point with the Privacy Authority to obtain information or submit complaints to data processors within the company.
As concerns consent to data processing, the GDPR provides that “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement” (recital no. 32 of GDPR).
The above could include ticking a specific box when visiting an Internet website, choosing technical settings or another consent statement. Therefore, silence, pre-ticked boxes or inactivity shall not be deemed as acceptance of the proposed processing of personal data .
Lastly, a further requirement of the GDPR relates to impact assessment, which must be beforehand carried out when a type of data processing, which in particular calls for the use of new technologies, may entail an high risk for the rights and freedoms of natural persons.
To conclude, we can say that today the subject of privacy, while implying a need to adapt to changes and, therefore, a workload for companies, may at the same time be an instrument for economic competition. Indeed, ensuring that a company has the best compliance model with respect to the legislation in question would guarantee a competitive advantage as well as an opportunity to stand out on the market.
Given that the GDPR is, together with Directives 2016/680 and 2016/681, part of so-called “European Data Protection Package”, in the next issue of this newsletter we are going to make a specific, in-depth analysis about the air transport sector. In such sector, even more than in other industries, there is a need for a balance between data collection and processing limits and public security problems (including in terms of fighting global terrorism) emerges. It is therefore useful to put the scope of Directive (EU)2016/681 – on PNR management – in relation with the GDPR, also in order to assess their combined effect.
This article is for information purposes only and is not intended as a professional opinion. For further information, please contact Ilaria Todaro.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
 Based on statistics, the percentage of companies that have so far implemented structured GDPR compliance projects has exceeded 51%, compared to 9% as reported about a year ago; companies that have set an ad hoc budget for GPDR compliance have increased from 15% to about 60%; companies that announced that they will increase their staff with privacy protection roles are 49%, while the percentage of companies that allegedly have already resourced or appointed a Data Protection Officer to facilitate compliance with the GDPR is approaching 30%. (Source: www.agendadigitale.eu)
 Take the case of Uber, which, allegedly (see “Il Sole 24 Ore”) hid the theft of 57-million personal data of its users (even paying off hackers for keeping the secret). Had such loss of data occurred after the entry into force of the GDPR, based on evidence provided by www.securityinfo.it, Uber would have had to pay up to 260 million dollars.
 For example, organisations will have to review the concept of telemetry, to be regarded as personal data in its widest sense, for which the express consent by the employees is no longer permitted because of the imbalance of power between the parties. Anyway, companies can continue to track their cars, as holders of a legitimate interest (since they pay for the driving time, they are fully entitled to monitor the employee to make sure he is traveling to his destination).