Is Personal Data Now Risk? EU General Data Protection Regulation commentary - GDPR part 4

In this part 4 of the series (see Part 1, Part 2 and Part 3), we review the new rules on obtaining consent, profiling, data portability and pseudonymization of data.

(January 2017: edited to reflect draft E-Privacy Regulation)


1. Obtaining consent

Consent from the data subject will still be a valid basis for processing personal data. But it will be more difficult to obtain. The Regulation requires consent to data processing to be “freely given, specific, informed and unambiguous … by a statement or by a clear affirmative action”. To the extent under current laws we have been able to rely on any implied or opt-out consent, this will no longer be sufficient. The Regulation explains that what is envisaged could include “ticking a box when visiting an internet website, choosing technical settings for information society services or another [clear] statement or conduct … Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

There are some further limitations to this:

  • the data controller must be able to show that consent was given
  • any written declaration of consent needs to be distinguishable from other matters in that declaration, easily understood and accessible, in clear and plain language with no unfair terms, and indicate at least the identity of the data controller and the purpose of the processing. The user should have a “real choice”
  • it should be as easy to withdraw consent as to give it
  • consent is presumed not to have been freely given where there is a clear imbalance in bargaining power between the parties (and especially where the data controller is a public authority)
  • separate consent should be obtained for different operations
  • processing of special or ‘sensitive’ categories of personal data (on racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, health or sex life, plus additional categories of genetic data, biometric data and sexual orientation) if based on consent, will require “explicit consent”. Although the list is expanded, the requirement for explicit consent is unchanged, and clearly constitutes something greater than the specific consent referred to above. So it would be hard to imagine that for example ‘browser settings’ would be sufficient
  • data transfers to third countries not providing a sufficient level of protection would – if based on consent – also require explicit consent
  • for consent given by children, specific rules apply
  • consents given under the current rules will remain valid – but only if they meet the requirements of the new Regulation.

The ‘technical settings’ method overlaps with the ‘cookie consent’ provisions of the proposed E-Privacy Regulation. However, the EU’s Article 29 Working Party of data protection authorities issued guidance (back in 2010, in the context of behavioural advertising) to say that this may only truly signify consent if our browser’s default setting is to reject all cookies and we deliberately turn them on…

2. Profiling

Profiling is addressed by the Regulation as a form of automatic processing. It is defined as automated processing intended to evaluate someone’s ‘personal aspects’ and in particular their performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. This clearly covers many marketing and advertising data use cases.

Although automatic processing is already regulated under current data protection legislation, this definition of profiling is new and quite explicit.

Applicable controls include providing meaningful information about the logic involved in the automatic processing, as well as its significance and envisaged consequences for the data subject and ensuring appropriate mathematical or statistical procedures are used. Data subjects have the right to prevent at any time automatic data processing for direct marketing. Decisions based on profiling should never concern a child. They can be based on the processing of sensitive (special) categories of data, but normally require explicit consent (see above).

Profiling is specifically picked out as an activity that should require a data processing impact assessment, provided that the evaluation of personal aspects is (i) “systematic and extensive” and (ii) the basis for decisions “that produce legal effects … or similarly significantly affect the natural person”. It seems reasonable to think that marketing decisions would not produce these sorts of effects.

3. Data portability

The Regulation seeks to help users transfer their personal data between service providers. So, data controllers would be obliged to provide data subjects with a copy of their personal data in a widely-used format and to facilitate its provision to another controller, including directly to that other controller.

We might question whether provision of personal data really constitutes a significant anti-competitive “switching cost” creating barriers for new market entrants. And there is no requirement that the transferor and transferee be in the same market sector, so any controller processing the most or the best structured data may find themselves targeted by this even when no switch is intended. However, in conjunction with the “right to be forgotten” this does seem to give data subjects some additional control and choices over how their data is processed.

4. Pseudonymization

Pseudonymization is a new legal concept under the Regulation. Personal data is information relating to an “identified or identifiable” person, and the Regulation does not apply to data made anonymous in such a way that the data subject is no longer identifiable. Pseudonymization refers to processing where the data can no longer be attributed to a specific data subject “without the use of additional information.” So it lies somewhere in the middle – but clearly on the side of personal data, and the Regulation still applies, as the data subjects are still capable of being identified. The additional identifying data must be held separately and securely from the pseudonymised data to ensure non-attribution back to the data subject.

The idea is to encourage controllers and processors to reduce the privacy risks associated with data processing, without losing the entire utility of the data. Under the Regulation, pseudonymization may help to make the processing of data for purposes other than those for which it was collected compatible with the original purpose, even without consent or another legal justification. It may also be a central pillar of techniques of data protection by design and by default. It may also facilitate the anonymization of data – if the data controller deletes the separate identifying data then the data will no longer be subject to the rights of access, rectification, erasure and data portability – we would not be required to retain additional data merely to be in a position to comply with these rights.
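As an added illustration of the separation described above (example code written for this commentary, not from the article or any regulator): constructed customer records are pseudonymised with a keyed token, the key and the token-to-identity table form the “additional information” held apart from the working data, an erasure request drops only that subject’s link, and destroying the key and table is what leaves the working data with no way back to the data subject. The record fields, key and helper names are assumptions.

```python
import hashlib
import hmac

# Constructed sample records for illustration only (not from the article).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "spend_eur": 120},
    {"name": "Bob Example", "email": "bob@example.com", "spend_eur": 80},
    {"name": "Alice Example", "email": "alice@example.com", "spend_eur": 45},
]


def _token(key, email):
    # Keyed, deterministic token: the same subject gets the same token, so the
    # working data stays linkable per person without carrying the identity.
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Split records into working rows and separately held additional information.

    Returns (rows, additional_info). The rows keep their analytic value; the
    key and the token->identity table are what the Regulation calls
    'additional information' and must be stored apart from the rows.
    """
    rows, table = [], {}
    for r in records:
        token = _token(key, r["email"])
        table[token] = {"name": r["name"], "email": r["email"]}
        rows.append({"subject": token, "spend_eur": r["spend_eur"]})
    return rows, {"key": key, "table": table}


def reidentify(row, additional_info):
    """Attribute a row back to a person; None when the link no longer exists."""
    if additional_info is None or additional_info["key"] is None:
        return None
    return additional_info["table"].get(row["subject"])


def erase_subject(additional_info, email):
    """Honour an erasure request by removing only that subject's link."""
    additional_info["table"].pop(_token(additional_info["key"], email), None)


def anonymize(additional_info):
    """Destroy key and table: the rows can no longer be attributed to anyone."""
    additional_info["table"].clear()
    additional_info["key"] = None
    return None
```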

The question may be where the border lies between pseudonymized data (subject to the Regulation) and anonymized data (outside the Regulation). The Regulation indicates that the key is to examine the means “reasonably likely” to be used. So even if a data set could theoretically be re-linked to particular data subjects, if this is not reasonably likely, e.g. due to cost, time or technological constraints, then the data is more likely to be regarded as non-personal data, which under the present laws was not always easy to establish.

In the final part of this series, Eden Legal will return to review: obligations on processors (and new rules on processing contracts), and the need for some organisations to appoint a data protection officer.
