The GDPR – how will it affect us?
I have been inundated with questions about the upcoming General Data Protection Regulation (GDPR).
My default excuse of “I haven’t had time to look at it yet” was wearing a bit thin, so I decided to make the time to have a (very quick) look at it and attempt to answer the FAQs, starting with most asked to some others that raised interesting points.
Q: “Is this an attempt by our neo-nazi Irish Government to infiltrate us and destroy us from within?”
(Yes, this was the most-asked question. I substituted the phrase ‘neo-nazi’ for more offensive expressions).
Just to be clear, the Irish Government is a fairly passive player in this whole thing. In fact, there are certain aspects of the GDPR that must be scaring the bejaysus out of the Government. More on that later.
As the GDPR is a Regulation, it has “direct effect”, which means it automatically becomes part of Irish law on the date it applies (25 May 2018), simply by virtue of Ireland being a member of the EU, without any Irish transposing legislation being required.
This is unlike the other main source of EU law, the Directive, which gives each Member State a set transposition period to implement it, and which allows the Member State to adapt the wording to its own national law, as long as the national law preserves the core values and spirit of the original Directive.
Irish governments have a reputation for delaying the transposition of Directives for as long as they can, sometimes well beyond the transposition deadline. They are also often guilty of diluting the core values or, as with the Aarhus Convention for example, removing some of the best bits to the detriment of citizens.
They are certainly not the only EU Government guilty of such shenanigans, and the EU decided to avoid all that nonsense this time by supplying the law through a Regulation.
In other words, this is something imposed on all Member States by the EU. I say imposed, but there would have been a huge amount of talks and backroom deals being done before the EU Parliament could agree on the final draft. The GDPR really is a collective effort, rather than the work of some evil genius sitting in a chair stroking his cat.
The official reasons provided by the EU Commission for replacing the Data Protection Directive (Directive 95/46/EC) with this Regulation were as follows (note that the ePrivacy Directive, 2002/58/EC, is not repealed by the GDPR and continues to apply alongside it):
“eliminating inconsistencies in national laws”;
“raising the bar to provide better privacy protection for individuals”;
“updating the law to better address contemporary privacy challenges, such as those posed by the Internet, social media, mobile apps, cloud computing, “big data,” and behavioural marketing, that were in their infancy when the Data Protection Directive was drafted”;
“reducing costly administrative burdens for companies dealing with multiple data protection authorities.”
In other words, the primary policy objective is uniformity across the EU with regard to how government departments and online businesses may keep your personal information, instead of holding it for years on end so they can bombard you with email advertising. I personally applaud this, given how often we now do electronic transactions with people in other countries or complete electronic questionnaires for some government department or other.
Q: “Can the GDPR be used to find out details about fund-raising for example?”
No. The GDPR is all about “personal data”.
Personal Data is defined in the Definitions section of the GDPR as:
“ … any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The first thing to notice is that this is only about information on a “natural person”. This means a flesh-and-blood human being. It does not include organisations or juristic persons (a person ‘created’ by the law so it can sue or be sued in its own name – a company being the most well-known example).
The main thrust of the GDPR is to force governments and businesses to hold no more personal data about citizens or clients than they need, for no longer than they need it (the “data minimisation” and “storage limitation” principles in Article 5) and, where they do have to hold some information about you, to anonymise or pseudonymise it or, if that is not possible, to secure and safeguard it from any unauthorised access. One of its stated aims is to regulate the “profiling” of people, whether with regard to things like their political beliefs or their consumer habits.
A person will be entitled to approach any government department or business and ask whether it holds personal data about them and to obtain a copy of it (the right of access, Article 15), and furthermore to insist that it erase that personal data (the right to erasure, Article 17) where the data are no longer necessary for the purpose for which they were originally gathered, or where the processing rested on consent and that consent has been withdrawn, unless the department or business can show another lawful basis for continuing to hold it.
Article 6 of the GDPR sets out the lawful bases for processing personal data; at least one of them must apply:
“Lawfulness of processing.
- Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.”
It is also interesting to note that the definition of “personal data” is attempting to eliminate the huge confusion that arose under the current Directive when attempts were made to define exactly what counted as personal data (or, in US parlance, “personally identifiable information”). Adding the phrases “location data” and “online identifier” to the existing language of the Directive makes it more likely that the Regulation will capture the various identifiers used in mobile devices and apps, advertising networks and website analytics (the tracking used by large providers such as Google and social networks such as Facebook for advertising and content profiling). Recital 30 spells this out by naming IP addresses, cookie identifiers and RFID tags as examples of online identifiers.
The existing Directive already allows data subjects to opt out of direct marketing, and it requires transparency where there are automated decisions such as a computer declining a transaction based on a risk score. These provisions are expanded in the Regulation, in the Articles entitled “Right to object” (Article 21) and “Automated individual decision-making, including profiling” (Article 22). Where a decision based solely on automated processing produces legal or similarly significant effects, the data subject is entitled to safeguards, including the right to obtain human intervention, to express their point of view and to contest the decision. In addition, such automated decisions cannot be based on the special categories of personal data (mentioned below), such as race and health, unless the data subject has given explicit consent or there is a substantial public interest basis in law, and suitable safeguards are in place.
An indirect benefit of the GDPR is that it will hopefully stop a lot of people living in an information bubble where they were only exposed to news / information that they would find “agreeable” (i.e. consistent with their beliefs/prejudices/religion). I suppose if a person specifically asks for that information bubble to be created, that will constitute consent, which means I am being ridiculously optimistic. People generally want their beliefs and prejudices confirmed, not challenged, hence the massive growth of Facebook and Twitter.
Article 9 carries over from the Directive the concept of “special categories” of especially sensitive data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and data concerning health or a person’s sex life or sexual orientation. Processing of these types of data is prohibited as a general rule. Where such processing is necessary, it generally requires explicit consent or one of the other specific exceptions in Article 9(2) (for example a legal obligation in employment law), and it calls for heightened security and attention to data storage limits. The Regulation adds genetic data and biometric data (where used to uniquely identify a person) to the special categories. Membership of community (non-commercial) organisations organised around a political, social or religious belief will clearly fall within these categories, and Article 9(2)(d) expressly caters for this: a not-for-profit body with a political, philosophical, religious or trade union aim may process such data about its members and regular contacts, in the course of its legitimate activities and with appropriate safeguards, provided the data are not disclosed outside the body without the members’ consent.
The law is fairly clear on the point that fundraising is not a commercial activity (which is why charities are now being closely watched after the recent scandals involving some high-profile Irish charities). The collection plate at Sunday mass will never be legally classified as a “commercial activity”! There is therefore little chance that somebody who dropped a euro into the collection plate will now have a right to ask for fundraising information generally, and even if they did, they could only ask about, and ask you to delete, the record of their own contribution. This is not like the FOI laws: it is about not storing, or removing, a person’s own details, rather than revealing details that somebody else is trying to hide.
Q: “Is this an attempt to emasculate NGOs, especially environmental / conservation / community groups?”
I could really just answer ‘no’, but I know that would never satisfy the conspiracy theorists among you, so here goes:
This is really a two-fold question. The one obvious fear is that the government will be able to infiltrate and destroy community groups from within by having access to their data. The second fear seems to be that the community groups (including their FB pages, their blogs and their newsletters) will be regarded as Data Controllers and will therefore be open to requests (from the wind industry, for example) for what they would regard as sensitive information.
In this regard, notice must be had to Recital 18 of the Preamble, which says:
“(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”
I would argue that this should exclude a great deal of what goes on on FB pages and blogs, depending on the interpretation of the phrase “no connection to a professional or commercial activity” and, just before it, “purely personal or household activity”. So for example, the fact that I am a law lecturer by profession, does that mean that if I write a (non-commercial) blog with legal content there is a connection to my professional or commercial activity?
I doubt that very much, as that would be an incredibly expansive interpretation of that recital. As neither phrase is defined in the Definitions section, they must be given their ordinary everyday meaning. Note, however, that the test is “purely personal or household”, not “for profit”. The Court of Justice held in Lindqvist (Case C-101/01, 2003) that publishing personal data about other people on a web page accessible to an indefinite number of readers is not a purely personal or household activity, so the exemption covers private correspondence and a personal address book, but it will not cover a group’s public newsletter, blog or FB page simply because nobody is making money from it. Whether a group is caught therefore depends on whether it processes other people’s personal data, not on whether it operates for profit.
The definition of “enterprise” in the Definitions section of the GDPR, meaning a “natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity”, shows that the Regulation has commercial businesses squarely in mind, but that definition is used for specific provisions (for example the calculation of fines by reference to turnover and the relief for small enterprises) and does not limit who can be a controller.
The related question is whether a government department or agency, or a business (like a wind farm) could seek information from a community group engaged in opposing that government or business?
This GDPR is not replacing the Freedom of Information legislation (including the freedom to environmental information legislation). Its purpose is different to typical freedom of information legislation. The purpose of the GDPR is to empower a citizen to have the right to demand to know what personal data is being held about him or her, to be told what is the reason for holding that personal data, and if that personal data is being held purely on the basis of consent, to allow the person to withdraw that consent or at least challenge the retention of their personal data.
In other words this is not so much about asking a government department or business to disclose information per se, but rather to disclose the extent of their information on you, and to justify their holding onto it after it was used for its initial or original purpose.
Therefore the rights in the GDPR are exercised by private individuals against government departments, commercial organisations and other bodies that hold their data, not the other way around: a government department or a company cannot be a “data subject”, so it has no subject access right to use against a community group.
Another clue is the fact that the GDPR says it is also applicable to organisations outside the EU (for example the USA and China) where those organisations practice personal data processing that relates to “the offering of goods or services to data subjects (individuals) in the EU or the monitoring of their behaviour”.
This interpretation is confirmed by the definition of “controller” (i.e. data controller):
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”
Whereas the person identified by the personal data is clearly defined as an individual flesh-and-blood human being, the definition of “controller” is very wide and embracing. Public authorities are expressly included, and the general description of “other body” covers businesses but also associations, clubs and NGOs. A community group that decides why and how it processes personal data (a membership list, a newsletter mailing list, an objectors’ petition) is a controller in its own right and will have obligations under the Regulation. That is not, however, the same as being a target: the rights created by the Regulation belong to the individuals whose data the group holds, not to the wind farm developer or the government department the group is opposing, and making NGOs vulnerable to such bodies is clearly not the objective of this Regulation.
Another clue that the heaviest burdens fall on the government and big business is the data protection officer (DPO) requirement in Articles 37 to 39. A DPO must be appointed where the controller is a public authority, where its core activities require regular and systematic monitoring of data subjects on a large scale, or where its core activities consist of large-scale processing of the special categories of data. (The “250 or more persons” threshold appears in Article 30(5), which relieves smaller organisations of the duty to keep written records of their processing activities unless the processing is not occasional, is likely to result in a risk to individuals, or involves special category data.)