GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) 📕
Read free book «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) 📕» - read online or download for free at americanlibrarybooks.com
- Author: Adv. Prashant Mali
Read book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (red seas under red skies txt) 📕». Author - Adv. Prashant Mali
Examples could range from simple categorisation (such as when a person says that they live in postcode 10963, Germany, and their file is automatically tagged with “Berlin”) to cases where there are human comments (such as when a doctor examines a patient and writes “symptoms of bronchitis” in the file). It could be a car navigation service that classifies a person as a “fast” driver, based on observed behaviour, in order to estimate driving times for that individual; it could be a tag to indicate that someone has a propensity to be susceptible to food-related advertising if presented before 9am.
This kind of data can in some cases fall under the definition of ‘profiling’, that is explicitly covered in the GDPR in the context of direct marketing or when automated decisions are made on the basis of profiling that have a legal or significant effect on the person. (Another little glitch in the GDPR is that a person can object to direct marketing based on profiling and have it stopped immediately, but there is no obligation on the controller to inform the data subject that any profiling is taking place — unless it produces “legal effects…or similarly significantly affects him or her” — despite a recital that does not include this limitation.)
A 2014 CJEU judgment (YS v Minister voor Immigratie) determined that a legal analysis of an individual is not “in itself” personal data, even though it contains personal data, and therefore the data subject was denied the right to get a copy of this analysis. This conclusion was on the basis that the analysis was an assessment of how an external factor (in this case, relevant laws) applied to the situation of the data subject, not information related to the data subject. A further reason was that an individual’s right of access to their personal data was in place to allow the person to verify the accuracy of the personal data and that it is processed in a lawful manner (and thereby exercise other rights, such as rectification or erasure), and access to the analysis was not necessary for this purpose.
This appears to conflict with the GDPR (a subsequent law), in which Recital 63 states that an individual should have the right to access their personal data, including “access to data concerning their health, for example the data in their
medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided”. An “assessment” by a physician would appear to fall into the same category as the “analysis” that was the subject of the 2014 legal case.
However, recitals only serve to convey the purpose and help to interpret the articles of an EU law — a recital cannot derogate from the actual provisions (articles) of the law. In Article 15.4 (covering a data subject’s access rights), the GDPR states “The right to obtain a copy [of the individual’s personal data] referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.” This is backed up by further words in Recital 63: “That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software.”
The “others” here can be legal entities, such as the controller of the data. Any time a controller combines personal data from an individual with data from another source, or transforms it through an algorithm, they could use the reasoning from the 2014 “YS” judgment and refuse to provide a copy of this data.
Taking this a step further, an organisation wanting to keep personal data about individuals, without being subject to many of the obligations that come from GDPR rights for data subjects, could simply transform the data by some method (probably by a ‘proprietary’ algorithm, to increase the levels of legal defence). This method could even be reversible, allowing the organisation to re-create the original personal data if wished — in the meantime, deleting the individual’s original raw data on the principle of data minimisation.
The resulting data would still, probably, be legally recognised as containing personal data and so the organisation would need to observe the provisions of the GDPR: processing the data lawfully, only doing so for the defined purpose, minimising the data held, keeping it up-to-date, minimising the storage time, maintaining security of the data and being ready to be held accountable. However, it would only need to tell data subjects (in response to requests) about the categories of personal data held but not the details — and would not have to provide a copy (assuming the interpretation of the law given above).
If individuals cannot access a copy of the data, they will not know exactly what data is held. They will not be able to correct inaccuracies, nor of course contest the ‘inferences’ made by the data controller. Even if they had given consent to use of the original data, they would not be able to obtain data portability of the inferred data. They would be left with the right to withdraw consent, or to object to all data processing or to require erasure of all records, but this would be an “all or nothing” result that might not be practical for an individual — implying, for example, withdrawing entirely from a social media platform.
Closing this loophole probably requires further case law on the interpretation of “personal data”, particularly in the context of the GDPR rather than the 1995 data protection directive. Future case law on the meaning of “legal effects….or similarly
significantly affects”, in the context of profiling, would also be relevant due to the explicit rights given to individuals in this situation.
Legitimate interests
It may seem reasonable that organisations should be able to process personal data if they have a good reason to do so, after considering the interests of the individuals involved. However, the way this will work in practice means that many organisations could see it as a loophole in the law. The concept of “legitimate interests” of the organisation processing personal data has not changed from the 1995 data protection Directive, and the wording of the provision in the GDPR is almost identical. It requires that the controller balances its own (or a third party’s) legitimate interests against the interests or fundamental rights and freedoms of the data subject. Unless the data subject’s rights override the controller’s rights, it can proceed with the processing.
In the past, most businesses did not elect to use “legitimate interests” as the lawful ground for using personal data because it does require an assessment of the balance of interests and this could be subject to later challenge. In most EU jurisdictions, there has been a lax regime applied to the use of ‘consent’ from individuals — with it normally being sufficient to give a data subject an opt-out option covering a broad usage of the personal data — so businesses having tended to go this route. Once they had a ‘consent’, they didn’t need to provide any further justification for what they were doing.
This is changing. The GDPR definition of consent is more demanding than that of the 1995 directive and — crucially — the GDPR is a regulation that automatically applies across the EU. The 1995 directive had to be transposed into national legislation, which gave a lot of scope for different interpretation in different countries. Some national legislation did not even include the definition of data subject consent that was specified in the directive.
In addition, the supervisory authorities that ensure organisations comply with data protection law have indicated that they are going to take a strict approach to judging whether consents have been obtained validly. From May 2018, all consents must be according to GDPR definitions. Since this means specific ‘opt-in’ consents, businesses can assume that they will receive far fewer consents than under the old regime. Organisations handling personal data, particularly those that are in the business of marketing, are in general revising their data protection procedures to use the claim of legitimate interests instead of consent.
Processing personal data on the basis of legitimate interests should not be a loophole. It has been long accepted as valid, since there are many situations where individuals would accept the processing of their personal data and may not want to be bothered by the mechanisms of giving consent. They have not lost their rights in this case. They can still request access to their data, object to processing and pursue other rights such as rectification and erasure.
However, the problem is in the procedure.
Data controllers, that might be commercial businesses, should have a good idea of their own legitimate interests — to make money can be one of them. They have to balance their own well-defined legitimate interests against the diffuse and varied interests of the mass of the data subjects, probably applying a single approach for all potential subjects. As was indicated by the Article 29 Working Party, in its opinion on legitimate interests, the interests of the data subjects are highly dependent on context and may depend on the personal circumstances of the person.
Under the GDPR — except in cases where there is a high risk to individuals, such as in large-scale processing of sensitive data — the data controllers independently make their assessment of the balance of interests, without supervision and without consulting with the data subjects themselves. The controller has to inform the individual (under Article 13) that it is using a legitimate interests ground for the processing, and it has to describe its own (or a third party’s) legitimate interests, but it does not have to say what interests of the data subject it has taken into account, nor how it has calculated the balance of interests.
If the individual makes a ‘subject access request’, for details of the personal data processing that are taking place, at this point the controller does not even have to tell the person that the processing depends on a legitimate interests assertion. (It is presumably assumed that the data subject was notified at the time of data collection.)
The recourse is meant to be via the right to object, according to Article 21. This is the only way a data subject can find out how a data controller decided that its own legitimate interests were of greater value than his or her own interests. The wording of Article 21.1 is:
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
(Note that it is presumed that the objection is expected to be on the basis of the “particular situation” of that individual, implying that any assessment of the balance of interests will only be applicable to that one person.)
The problem with this stage of the procedure is that the assertion of predominant legitimate interests by a controller against a whole body of data subjects is then only questioned in the circumstances of individual cases.
Furthermore, when the controller is called upon to “demonstrate” its compelling legitimate grounds that override the interests of the individual, there is no process defined for a potential independent assessment. Presumably the controller has to
demonstrate its position to the data subject, but there is no requirement to inform the supervisory authority or anyone else — unless the data subject is unhappy and complains.
Nearly all organisations, particularly those with commercial interests, will take a decision on how to deal with the GDPR in terms of a balance of cost, risk and reward. This will not be the “risk” as generally covered by the GDPR, which is the risk to the rights and freedoms of individuals through misuse of their personal data, this will be the risk to the enterprise.
The costs, risks and rewards equation of using ‘consent’ looks bad (for
Comments (0)