GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) 📕
Read free book «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) 📕» - read online or download for free at americanlibrarybooks.com
- Author: Adv. Prashant Mali
Read book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) 📕». Author - Adv. Prashant Mali
Untitled1.jpg We can imagine the scenario of, let’s say, a Chinese company that markets a broad range of products and services that are sourced from third parties. This Chinese company creates a global portal, with a large catalogue of items. The catalogue is accessible worldwide, and might include European languages — and possibly a currency conversion tool to see prices in Euros — thereby presumably constituting an “offering” to people in the EU, but only in the sense of marketing, not selling products. Potential customers would browse this catalogue anonymously and, when they decide to buy a product or service, they click the appropriate link. This link would then take the individual to the website of an independent third-party company, outside the EU (whose website perhaps is not at all EU-centric, being written in English and Chinese, with prices in US dollars). The personal data interchange then takes place with this third-party company.
Following GDPR Recital 23 could put personal data outside the scope of the law
The original company with the catalogue portal would not handle any personal data, so it would not be subject to the GDPR. The third-party company would have deniability about offering goods or services to someone in the EU, since it
simply placed its products in a global catalogue. Any personal data given over would escape the scope of the GDPR.
Even without this slightly complicated scenario, there is a problem in the detail of the GDPR wording: “where the processing activities are related to the offering…” Effectively this does not cover any processing of personal data that arise from the “offering”, but only the processing activities related to the offering. If “offering” is interpreted narrowly, to only being the phase prior to a transaction or provision of a service, then all the processing activities that take place later — when the most personal data would be obtained — are not covered.
So, a global company wanting to find a loophole in the GDPR can set up a marketing company in the EU. Having done the minimal personal data processing needed to obtain customers, these customers are then transferred for transaction fulfillment, including personal data handling, to a non-EU business.
Once the personal data are “outside the law”, they stay outside the law — if not transferred back into the EU. A non-EU company with personal data, and not subject to any restrictions under the GDPR, could sell on the data to any other non- EU company.
The only evident way to block this loophole is for the CJEU to rule that Recital 23 is a misinterpretation of the purpose of the law and that “offering” should have the same interpretation as applied in competition law.
It should be noted that non-EU organisations might still become subject to the GDPR due to Article 3.2(b) that covers when processing activities are related to “the monitoring of their behaviour as far as their behaviour takes place within the Union”. This would cover tracking and profiling of individuals in the EU.
The proposed ePrivacy regulation, that is also due to come into force next year but is still at the drafting stage does not have this problem of territorial scope. The current draft covers “the provision of electronic communications services to end-users in the Union”, “the use of such services” and “the protection of information related to the terminal equipment of end-users located in the Union”. It does not have separate rules depending on the location of the provider (except that a non-EU provider has to designate a representative in the EU). It would cover, for example, any use of a website by a person who is in the EU (and any automated personal data collection, such as via cookies).
Data losing GDPR protection
Even if data is collected and processed legally under the GDPR, it can be transferred to others and then escape the protection of the law. Personal data processed in the EU are clearly covered by the GDPR — no problems here. However, there are further consequences due to the way Article 3.2(a) describes the territorial scope.
Since, in the case of a non-EU data “controller” (an entity that processes data), it is only subject to the GDPR when the processing activities are related to the offering of goods or services to the individual in the EU (or monitoring the behaviour of the person), the same personal data could be processed for another purpose without being subject to the GDPR.
Take an example of a US-based company that collects personal data from someone in the EU. The company complies with the GDPR and follows a valid consent process to get the agreement from the data subject, saying “Please give your permission to process your data so that we can offer you a tailor-made service.” The individual gives their permission, the company carries out its processing accordingly.
Then the company sells the data to a third company, also in the US. This onward transfer of data would normally count as processing under the GDPR, but since this is a processing activity not related to the offering of goods or services to the individual, it is now outside the scope of the GDPR. Of course, the company buying the data is not subject to the GDPR since its processing of the data will also not be
related to an offering of goods or services (and certainly not to processing activities related to this).
The personal data will have leaked out of the GDPR scope. The only hope would be to try and ‘catch’ this data again, if and when it is used to direct an offering to someone in the EU. It could be very difficult to spot that this is happening via targeted advertising, and even harder to find the controller responsible.
It could be difficult to close this loophole. However an EU court would look to the purpose of an EU law when making a judgement and not just to specific wording of a provision, so it is perhaps feasible that the CJEU could determine that the words “related to” in the phrase “processing activities related to the offering of goods or services” should be interpreted to include “arising from” the processing activities —
therefore saying that any personal data collected during the original processing activities would continue to enjoy the protection of the law when used for alternative purposes.
Invisible data chain
If organisations obtain data indirectly, in most cases (and excluding loophole 2) it should still be subject to the GDPR. However, the application of the law in these cases may be only theoretical, particularly in the case of “data chains”. The intention of the GDPR is that individuals will always know what is happening with their data and will be able to exercise rights over this data. For example, data subjects have the right to access data held by a controller, correct errors, object to processing and request erasure. The starting point for exercising these rights is given in Article 15: “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.”
However, how does the data subject know to which controller it has to ask this question?
Transparency is meant to start from the point of data collection. The controller has to provide a set of information to the data subject at this time, in accordance with Article 13. One of the items of information that the controller has to provide is “the recipients or categories of recipients of the personal data, if any”. A “recipient” is a third party to whom the controller discloses or transfers data.
The controller is not obliged to provide the names of recipients since it can choose to only provide the “categories of recipients”. Even if the individual does an access request, the controller can still limit the response to categories. Under Article 14 of the GDPR, each recipient controller would have to inform the data subject within a month of receiving the data. But what if the recipient doesn’t do this?
There might be valid reasons why the recipient controller does not provide this data. It might not be able to identify the data subjects whose data it has (and it has to have a high level of confidence that it doesn’t provide the data to the wrong person). Even if the individuals are identifiable, the recipient controller may not have their
contact details. Nothing in the GDPR obliges a controller to provide enough information to a recipient to allow it to comply with its (the recipient’s) obligations under the GDPR and the controller itself is no longer legally liable (except in the case of joint controllers).
If an individual does discover that a company is using its personal data (for example, if they receive a direct marketing communication from a company they do not recognise), then the person can make an access request under Article 15. However, it might be impossible to find out from where that company got the data since the obligation on the company is only to provide “any available information about the source”. Furthermore, Recital 61 says “Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.”
The subject of non-identification of the individual concerned is covered by Article 11. A controller that cannot identify the data subject is absolved from having to respond in detail to a data subject’s requests — except to tell the data subject (“if possible” to do so) that it cannot comply due to lack of identification. The individual can provide the controller with further information to aid the identification, but how this would work in practice is not clear. Although Article 11 does not exempt the controller from complying with Article 21, the right to object, nor to the provision of this article that requires a data subject to be informed of their right to object, at the latest at the time of the first communication, this right has no value if the controller never communicates directly.
Then, of course, there will be controllers that decide to ignore their obligations under the law. Unless they communicate directly with the individuals whose data they have, or do something flamboyant with the data that attracts attention, complaints are unlikely and their non-compliance may well go undetected.
In reality, there are currently long ‘data chains’, with personal data held several steps removed from the data subjects. Personal data is bought and sold like a commodity and whole industries, have developed on the back of this data interchange. Despite the clear obligations under the GDPR, these invisible data chains are likely to exist for a long time: perhaps few businesses in the chain will have the motivation or the means to comply and make Article 14 notifications. In many cases, the lawful basis for processing this data does not exist — or was based on pre-GDPR consent implementation — so businesses will not want to declare that they have the data.
In the best of scenarios, there will probably be a continuing black market for personal data.
Closing this loophole would require proactive steps by supervisory authorities to study data chains in operation and pinpoint businesses for enforcement action without waiting for complaints. Also, the modalities for informing data subjects under Article 14 could be facilitated: by encouraging controllers in direct contact with data subjects to be a conduit for Article 14 notifications from the recipients to
whom they provide data and introducing a special provision in the forthcoming ePrivacy regulation that explicitly recognises, subject to conditions, the use of unsolicited communications in order to comply with GDPR notification requirements.
Inferred data
Personal data is any data related to a living person. The GDPR gives obligations to processors of the data and it gives rights to individuals. But, even when the data stays personal, users may lose a number of rights. Organisations can take advantage of this. The term “inferred data” is not perfect — other phrases are sometimes used, such as “derived data”. It means data that is not in the original format that was collected, but which could still be considered personal data because it
Comments (0)