“Indivd’s technology contributes to a better understanding of store visitors”
Jennie Nilsson – Associate at Baker McKenzie and named “Rising Star 2020” by the independent legal analysis company Legal 500.
– We find, after thorough analysis, that there is good support that Indivd’s processing of personal data can be motivated on the basis of the “legitimate interest” legal basis, on the basis that the personal data are anonymized. Anonymized data is not personal data and therefore should not be covered by GDPR, explains the lawyer and GDPR specialist Jennie Nilsson of Baker McKenzie in this interview, while emphasizing that Indivd’s anonymization technology contributes to a better understanding of visitors in retail stores.
What is your image of Indivd?
– My impression is that the company has recognized an existing need for retail stores and malls, i.e. to understand its visitors without challenging privacy. Like many other scaleups, Indivd’s owners are energetic, efficient, and generally positive. I admire and enjoy working with entrepreneurs, as they drive the development forward and it is fun to follow them. Imagine a society without entrepreneurs, how slow and boring it would be!
Which are the main values Indivd contributes to?
– As mentioned, retail stores have a need to understand their visitors. However, they have no interest in specific individuals. It is about understanding patterns and behaviors in order to give visitors better experiences when they visit the stores. This is what Indivd contributes to.
How would you, that has been involved from the beginning, describe the work that Indivd has done to prepare for the market?
– I can see that there has been great interest from many different actors during the year under which I have been in contact with the company. Some new stakeholder has emerged almost every time we have had contact. I think that the magnitude of the interest indicates the need from retail, while for Indivd’s part, it’s about focusing and keeping course.
What has been most important and most challenging in Indivd’s preparation?
– I’d say the handling of questions about what constitutes personal data and how anonymization is done. Assessing the latter is in my opinion primarily a technical/mathematical issue. This issue is of great importance since anonymized data is not personal data and thus not covered by the GDPR.
What are your views on whether Indivd’s technology is legal or not?
– The question of whether store owners can use Individ’s technology is currently subject to prior consultation with the Swedish Data Protection Authority. However, we have analyzed whether the processing of personal data, given that it is anonymized, can be justified on the basis of the “legitimate interest” legal basis and we think we have good support for that being the case.
What should stores keep in mind when using Indivd’s anonymization technology in the future?
– They should ensure that they are clear in informing their visitors and documenting the processing according to GDPR.
What should other companies that want to implement similar services and products think about?
– Document more. Remember that the documentation shall be easy to explain so that outsiders really understand your product.
– We have also seen numerous examples of products claimed to be “GDPR-compliant” or something similar, but if you scratch the surface there is no coverage. This is often because of the misunderstanding that pseudonymization would be the same as anonymization has persisted.
– It is cool with new technology and what opportunities it enables. However, I think the Director General of the Swedish Data Protection Authority, Lena Lindgren Schelin has formulated a sensible three-step rocket which, if I remember correctly, was expressed approximately as follows: Just because you can do something, it is not certain that it is legal to do so. And if it is legal, it is not certain that you should do it anyway.