12 January 2018 - Post by: David Smith
The Article 29 Working Party has been working overtime to publish guidelines on a wide range of GDPR requirements. Not surprisingly, given the impact of the GDPR, there have been calls for even more guidance but the data protection authorities that make up the Working Party have limited resources and it is not always easy to find a consensus amongst them on the more tricky points of interpretation. The Article 29 Working Party therefore deserves a pat on the back for producing so much so quickly whilst managing to include an element of consultation in its processes. Also, for the most part, the published guidelines are helpful even if they might fall somewhat short of the GDPR’s privacy notice requirement of being “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
However, there are a small but increasing number of instances where the Working Party appears to be trying to rewrite the GDPR rather than merely interpret it. Attention has been focussed by some on the guidelines on the right to data portability. Here, whilst the GDPR gives an individual the right to receive “the personal data concerning him or her, which he or she has provided to a controller”, the Working Party has interpreted this right as extending to personal data that are not directly provided by an individual but are “observed from the activities of users” such as smart meter data or internet activity logs. Although some will argue that this is an extension of the law, others argue with force that without the Working Party’s interpretation, it is hard to see any practical benefit that the data portability right might bring for individuals and that this interpretation appears to reflect the intention behind Article 20 even if not its exact words. At least the Working Party stopped short of trying to extend the right to what it calls inferred data and derived data.
Some other instances are more worrying though. The guidelines on automated individual decision-making and profiling have attracted much interest. Although Article 22 talks about the data subject having “the right not to be subject to a decision based solely on automated processing” and this Article appears within Chapter III of the GDPR with the title “Rights of the Data Subject”, the relevant guidelines interpret this as meaning that “as a rule there is a prohibition on fully automated individual decision making”. This interpretation appears to reflect the approach currently taken in some EU Member States but not, for example, in the UK. It is an interpretation that will bring many challenges for businesses which rely increasingly on automated decisions, that arguably does not bring any proportionate benefits to individuals who would anyway have the right to opt out, and that runs counter to the general proposition that rights, as elsewhere in the GDPR, have to be exercised by individuals rather than applied by data controllers by default.
Another instance is in the guidelines on personal data breach notification. The GDPR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. However, the relevant Article 29 Working Party guidelines discuss the loss of availability of personal data and indicate that “If the lack of availability of personal data is likely to result in a risk to the rights and freedoms of natural persons, then the controller will need to notify”. Loss of availability, however serious, is not, though, a personal data breach within the GDPR definition. Of course, loss of availability, particularly permanent loss, may well come about as the result of a data breach. For example, if personal data are accidentally destroyed or corrupted as the result of a hacking attack they will become unavailable. But, as the guidelines recognise, there may be a temporary loss of availability, perhaps because of a power failure or a denial of service attack. The personal data may still be intact and unaltered, so how can such a temporary loss of availability translate into a personal data breach to which the reporting requirements in Articles 33 and 34 apply?
Then there are the guidelines on consent. Article 6 provides a range of conditions for the lawful processing of personal data, one of which is the data subject’s consent. There is nothing in this Article that indicates that only one condition can be applicable to a specific processing activity. It is, for example, quite likely that processing that is necessary for the performance of a contract will also be necessary for the purposes of the legitimate interests pursued by the controller or a third party. However, the guidelines say that, “As a general rule, a processing activity for one specific purpose cannot be based on multiple lawful bases”. They go on to say that “controllers that ask for a data subject’s consent to the use of personal data shall in principle not be able to rely on the other lawful bases in Article 6 as a back up”. This certainly reflects good practice and may be what members of the Article 29 Working Party would like the law to be. However, whilst reliance on a new lawful basis may require the provision of new or revised information to data subjects under Articles 13 and 14, this interpretation appears to go beyond the actual requirements of the GDPR. If, as a matter of fact, processing is necessary for compliance with a legal obligation, necessary for performance of a contract, or even necessary for legitimate interests, this remains the case, and thus Article 6 is satisfied, even if the data controller initially thought that it needed the consent of data subjects and mistakenly sought to obtain this.
In fairness, some of the instances referred to above are in guidelines that are still at various stages of the Article 29 Working Party’s consultation process, so it is possible that they will be revised before the final versions are published. It is, though, worth remembering that the Article 29 Working Party guidelines are just that. They are guidelines, albeit authoritative ones. They inevitably involve a compromise between what, in some cases, can be a range of different views held by the Working Party members. It would be a foolish data controller that ignores the guidelines, but it would be advisable to reflect on the GDPR requirements that sit behind the interpretation that they provide.