The purpose of this article is to provide our readers with some insights on the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). It was adopted on 8 April 2016 and applies from 25 May 2018, replacing the current Directive 95/46/EC. As a Regulation rather than a Directive, the GDPR is directly applicable in all Member States of the EU without the need for national transposition. It represents a breakthrough piece of legislation that will affect the lives of hundreds of millions of people and will force companies to rethink the way they have previously processed personal data.
a) With the forthcoming enforcement of Regulation (EU) 2016/679, what are the most important changes that this new law will bring?
More than 20 years have passed since the approval of Directive 95/46/EC. As stated in Recital (6) of the EU Data Protection Regulation: “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”
Among many possible reasons for the approval of the new Regulation, two stand out: the changes brought about by technological developments and globalization, and the need to guarantee European citizens a high level of protection with respect to their data. Recognizing that new technologies play a pivotal role in our society means we need to address the challenges they pose and govern them as well, in order to exploit their benefits while at the same time guaranteeing the protection of citizens’ personal data. New technologies such as big data and artificial intelligence are more relevant than ever, and the new EU Data Protection Regulation takes this into account. It does not force a choice between new technologies (exploiting big data and analytics techniques) and privacy, with one ruling out the other; rather, it tries to find a balance between the benefits of new technologies, including big data, and the safeguarding and self-determination of individuals.
b) Which are the legal grounds for processing personal data under the new EU Data Protection Regulation?
Under Article 6 there are six legal grounds for the processing of personal data. The first one is the consent of the data subject to the processing for one or more specific purposes.
The other five legal grounds cover processing that is necessary for:
– the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
– compliance with a legal obligation to which the controller is subject;
– protecting the vital interests of the data subject or of another natural person;
– the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
c) What about legitimate interest? How can a company assess whether it has a legitimate interest in processing a data subject’s personal information?
Legitimate interest can be a valid legal ground for processing personal data when the processing is not based on the data subject’s consent, provided that the data controller’s interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of his/her personal data.
To give an example, the EU Data Protection Regulation (Recital 47) acknowledges that companies may have a legitimate interest in direct marketing (including market research activities), but they still need to balance their own interest against the interests of the data subject and make sure that the rights and freedoms of the individual are not overridden.
The data controller must assess the risks that the data processing entails, especially when market research involves profiling individuals by using some form of big data method. This is strongly encouraged because, more often than not, users are not fully aware of how their data is being used. The efforts of data controllers should always steer toward fairness and transparency, so that users are fully aware of how their data is being used and can make more informed decisions. When it comes to profiling and decision making, this can have a significant impact on individuals.
d) How does the new EU Data Protection Regulation affect companies and organizations, and how are they going to comply with the new rules?
Under the GDPR (General Data Protection Regulation), we can notice a mindset shift from compliance to accountability. Companies and organizations must, rather than just complying with the law, take it upon themselves to promote a trustworthy data processing system that is conducive to both innovation and protection. To achieve this purpose, a data controller should assess the effects of its data processing on individuals by looking carefully at its data ecosystem.
The data controller must assess whether its processing activities are going to produce legal effects concerning a natural person, or similarly significantly affect him or her. If the processing involves a repurposing of the original data, the data controller must check whether the new purpose is compatible with the purpose for which the data was initially collected. This includes whether the new purpose is fair and expected by the individuals concerned. The controller should also consider whether, as a result of its automated processing activities, a decision on a given individual is taken, and how any resulting risks would be reduced and mitigated. These are just a few of the many questions data controllers need to take into consideration when assessing their data ecosystem.
e) What does “profiling” mean under the GDPR?
Profiling under Article 4(4) of the GDPR is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” Therefore, we can infer three elements of such processing: it relates to a natural person; it involves automated processing of personal data (for example through software or an algorithm); and it is aimed at evaluating aspects of personality or at analyzing or predicting aspects of a person’s life, including his or her personal preferences and interests.
f) Can individuals object to profiling and if so, when?
It seems that data subjects do not necessarily have the right to avoid profiling itself (i.e. automated processing of personal data for the purpose of making a decision), but rather the right, under Article 22, not to be “subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”. Recital 71 of the Data Protection Regulation provides as examples the “automatic refusal of an online credit application or e-recruiting practices without any human intervention.” It is worth noting that such a decision must produce legal effects or similarly significant effects on the individual for the right to apply.
An individual can also object to profiling where personal data are processed for the purposes of direct marketing (Article 21(2)). In that case, the data subject has the right to object to profiling to the extent that it is related to such direct marketing, whether in the initial or in further processing, at any time and free of charge.
By providing a definition of profiling, the Data Protection Regulation seems to draw a line between evaluating users’ online behaviors through automated means (“profiling”) and studying or analyzing trends and correlation between data related to a group of individuals. The attention of the GDPR is more focused on the significant effects that profiling can have on individuals rather than on profiling itself.
For example, if a company uses analytical means to detect trends or correlations at an aggregate level without any automated decision-making process concerning one or more individuals, then this processing is different from profiling, and the data controller may have a legitimate interest under the GDPR in pursuing it for market research or statistical purposes. This holds provided that adequate safeguards are in place, that no individual is profiled and substantially affected by such processing, and that no marketing activities directed at individuals are performed without the data subject’s consent.
This distinction can already be found in Opinion 03/2013 on purpose limitation by the Article 29 Data Protection Working Party.