General Data Protection Regulation (GDPR)
by Ty Myrddin
Published on April 15, 2018
The old Data Protection Directive of 1995 was outdated. It failed to cover, for example, social networking sites, cloud computing, location-based services, smart cards and biometric data, so in 2012 the European Commission proposed a comprehensive reform of the EU's data protection rules to strengthen privacy rights and boost Europe's digital economy. Unlike a directive, the GDPR does not require national governments to pass any enabling legislation: it is directly binding and applicable in every Member State.
All eight principles of the OECD's 1980 guidelines on the protection of personal data (collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability) are incorporated into the new EU regulation.
Personal data
Article 4(1) defines “personal data” as follows: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition is broad and fairly all-encompassing. It includes any information relating to an identified individual (which makes such information personal to that individual), or any information relating to someone who could be identified based on a variety of identifiers.
Controllers and processors
Article 4 defines data controllers and data processors as follows: (7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; and (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Lawfulness of processing conditions
Data processing must be "lawful", meaning it must rest on one of the legal bases listed in Article 6(1). An interest that is merely useful or important to a business or organisation is not on its own enough. At least one of the following conditions must apply:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Note that this last condition, legitimate interests, is not available to public authorities for processing carried out in the performance of their tasks.
Biometric data
Article 9 treats biometric data processed for the purpose of uniquely identifying a natural person as a special category of personal data and prohibits that processing unless one of the exceptions listed below applies. In practice this protects people from having such data passed to third parties without their explicit consent.
Article 4(14) defines biometric data as: "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data".
Conditions for processing special categories of data
Article 9(1) prohibits processing of special categories of data (for biometric data, processing "for the purpose of uniquely identifying a natural person"), but Article 9(2) lists exceptions:
- Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
- Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
- Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
- Processing relates to personal data manifestly made public by the data subject
- Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
- Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
- Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
- Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes
The right to be forgotten
The right to be forgotten (Article 17, the right to erasure) lets a data subject have personal data erased without undue delay, for example when consent is withdrawn and no other legal basis for the processing remains. Consent itself must be given before the data is collected, by a clear affirmative act: users must be opted out by default and offered an opt-in, instead of being opted in by default (often without their knowledge) and then having to search for an opt-out. Recital 32 makes this explicit: silence, pre-ticked boxes or inactivity do not constitute consent. Also, "the data subject shall have the right to withdraw his or her consent at any time".
Data breaches must be notified within 72 hours
If a controller becomes aware of a personal data breach, it must notify the supervisory authority within 72 hours where feasible (Article 33(1)); a processor that detects a breach must notify the controller without undue delay (Article 33(2)). Organisations handling biometric information can be hit with penalties if they do not make efforts to secure that data. Big penalties: up to 20 million euro or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)).
Data protection by design and by default
Article 25, Data Protection by Design and by Default (DPbD), seeks to embed privacy protection at every level from conception to deployment. DPbD is not only about technological design. It extends to IT systems, accountable business practices, and physical design and networked infrastructure. This integrated approach is "an important factor in avoiding falling into techno-centric solutions to a sociotechnical problem."
In usual engineering practice, legal issues are considered obstacles to be overcome after a novel IT solution has been built and is to be rolled out. DPbD uses a reversed approach, whereby systems and processes are conceived and developed with privacy protection at their core.
Legitimate interest
Under the old directive, which aimed to regulate data correlation and not just data collection, processing personal data without a legal basis such as a "legitimate interest" was unlawful, and according to the Article 29 Working Party that basis was not open to data brokers (Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC). Now Recital 47 of the GDPR (overriding legitimate interest) states: "[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest".
Can the data industry rely on legitimate interests, or is it required to obtain consent despite the absence of a relationship with the data subjects? Under the GDPR, the legal basis for processing personal data requires that the processing be described with specificity in advance. Without that, using the data for big data analytics and AI produces unlawful results, exposing organisations, their partners and their customers to legal liability.
Anonymised data
Recital 26 of the GDPR (not applicable to anonymous data) explicitly states that "The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation [...] should be considered to be information on an identifiable natural person."
Recital 26 also states that data that has been truly anonymised lies outside the scope of the regulation: ”The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.“
This means that anonymisation not only offers a more powerful means of securing personal data than pseudonymisation, but also enables the use of data for, for example, marketing or analysis purposes without violating an individual's data privacy. That holds only if the anonymisation is genuine: the test in Recital 26 is whether the person can be identified by "all the means reasonably likely to be used", so a pseudonym that the controller (or anyone else) can reverse, or a record that is unique on attributes such as postcode and age, is still personal data.
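The practical difference between the two terms in Recital 26 is easiest to see on a dataset. The following is an added example and not code from the original post: it pseudonymises a constructed set of fictional records with a keyed token (HMAC-SHA256 under a hypothetical controller-held key), shows that the key re-links a token to a known person and that the remaining postcode/age columns still single people out, and then anonymises the same data by dropping direct identifiers, generalising the quasi-identifiers and suppressing any group smaller than k. The records, the key and the field names are all assumptions made for the illustration.

```python
"""Pseudonymisation vs anonymisation (added example; constructed data, fictional people)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records. Direct identifiers: name, email.
# Quasi-identifiers: postcode, age. Sensitive attribute: diagnosis.
RECORDS = [
    {"name": "Ann Example", "email": "ann@example.org", "postcode": "EC1A 1BB", "age": 34, "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "EC1A 1BC", "age": 37, "diagnosis": "asthma"},
    {"name": "Cy Example", "email": "cy@example.org", "postcode": "EC1A 2AB", "age": 31, "diagnosis": "migraine"},
    {"name": "Di Example", "email": "di@example.org", "postcode": "SW1A 1AA", "age": 52, "diagnosis": "diabetes"},
    {"name": "Ed Example", "email": "ed@example.org", "postcode": "SW1A 2AA", "age": 58, "diagnosis": "diabetes"},
    {"name": "Fay Example", "email": "fay@example.org", "postcode": "SW1A 0AA", "age": 55, "diagnosis": "asthma"},
    {"name": "Gus Example", "email": "gus@example.org", "postcode": "M1 1AE", "age": 44, "diagnosis": "migraine"},
]

DIRECT_IDS = ("name", "email")
QUASI_IDS = ("postcode", "age")

# Hypothetical controller-held key. Whoever holds it can re-link tokens to people,
# which is exactly why pseudonymised data is still personal data under Recital 26.
PSEUDONYM_KEY = b"controller-secret-key-stored-separately"


def pseudonym(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed token for a direct identifier (HMAC-SHA256, truncated for readability).
    An unkeyed hash would be reversible by hashing a list of candidate e-mail addresses."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records):
    """Replace direct identifiers with a keyed token; leave every other column untouched."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDS}
        row["subject_token"] = pseudonym(r["email"])
        out.append(row)
    return out


def relink(pseudo_records, email: str, key: bytes = PSEUDONYM_KEY):
    """Use the 'additional information' (the key) to identify a known person again.
    Returns the matching pseudonymised rows; an empty list if the key is wrong."""
    token = pseudonym(email, key)
    return [r for r in pseudo_records if r["subject_token"] == token]


def k_anonymity(records, quasi=QUASI_IDS) -> int:
    """Size of the smallest group of records sharing the same quasi-identifier values.
    k == 1 means at least one record is unique and can be singled out without any key."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def anonymise(records, k: int = 3):
    """Drop direct identifiers, generalise quasi-identifiers (postcode district, 10-year
    age band), then suppress any group smaller than k. No key exists to undo this."""
    generalised = []
    for r in records:
        decade = (r["age"] // 10) * 10
        generalised.append({
            "postcode": r["postcode"].split()[0],   # outward code only, e.g. "EC1A"
            "age": f"{decade}-{decade + 9}",
            "diagnosis": r["diagnosis"],
        })
    groups = Counter(tuple(r[q] for q in QUASI_IDS) for r in generalised)
    return [r for r in generalised if groups[tuple(r[q] for q in QUASI_IDS)] >= k]


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS)
    print("pseudonymised k-anonymity:", k_anonymity(pseudo))          # 1: still identifiable
    print("re-linked with key:", relink(pseudo, "ann@example.org"))  # Ann's row comes back
    anon = anonymise(RECORDS, k=3)
    print("anonymised rows:", len(anon), "k-anonymity:", k_anonymity(anon))
```

Two things to take from running it. First, the tokenised table still has k = 1 on postcode and age, so even without the key a row can be singled out and linked to an external dataset; the token only removes the obvious names. Second, anonymisation costs data: the single M1 record is suppressed because no group of three exists for it, which is the trade-off Recital 26 implicitly demands before the regulation stops applying.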
Representation of data subjects
Article 80 of the GDPR lets a data subject mandate a not-for-profit body active in the field of data protection (a civil-liberties or consumer-protection organisation, for instance) to lodge complaints and exercise their rights on their behalf, and allows Member States to let such bodies act in the public interest independently of any individual mandate.
It is a global law
Under Article 3(2), organisations not established in the EU are subject to the GDPR where they process personal data of data subjects who are in the Union in connection with offering them goods or services (whether or not payment is required) or monitoring their behaviour within the Union.