The old Data Protection Directive of 1995 was outdated. It failed to cover, for example, social networking sites, cloud computing, location-based services, smart cards and biometric data, and in 2012 the European Commission proposed a comprehensive reform of the EU’s data protection rules to strengthen privacy rights and boost Europe’s digital economy. Unlike directives, the GDPR does not require national governments to pass any enabling legislation. It is directly binding and applicable.
All seven principles governing the OECD’s recommendations for protection of personal data are incorporated into the new EU regulation.
Article 4(1) defines “personal data” as follows:
'personal data' means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition is broad and fairly all-encompassing. It includes any information relating to an identified individual (which makes such information personal to that individual), or any information relating to someone who could be identified based on a variety of identifiers.
Article 4 defines data controllers and data processors as follows:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Data processing must be “lawful”, meaning it must be justified by a legitimate purpose in order to be permissible. For “legitimate interests”, it is not enough that the interests are important to a business or organisation. These conditions must include
Note that this condition is not available to processing carried out by public authorities in the performance of their tasks.
The Regulation defines biometric data as a special category of personal data and prohibits its processing, thereby protecting people from having their information shared with third parties without their consent. Biometric data are:
“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data”.
Processing of special categories of data for the purpose of “uniquely identifying a natural person” is prohibited, although the Regulation provides some exceptions.
The Regulation states that consent must be explicit before the collection of the data. That is, users must be opted out by default and offered an opt-in, rather than being opted in by default (often without their knowledge) and then having to search for an opt-out. Also, “the data subject shall have the right to withdraw his or her consent at any time”.
If a company or organisation discovers a data breach, then processors must inform the authorities within 72 hours of discovery. Companies managing biometric information can be hit with big penalties if they do not make efforts to secure that data.
Article 25, Data Protection by Design (DPbD), seeks to embed privacy protection at every level from conception to deployment. DPbD is not only about technological design. It extends to IT systems, accountable business practices, physical design and networked infrastructure. This integrated approach is “an important factor in avoiding falling into techno-centric solutions to a socio-technical problem.”
In usual engineering practice, legal issues are considered obstacles to be overcome after a novel IT solution has been built and is to be rolled out. DPbD uses a reversed approach, whereby systems and processes are conceived and developed with privacy protection at their core.
Under the old directive, which aimed to regulate data correlation, not just data collection, it was illegal to process personal data without a “legitimate interest”, and that legal basis was unavailable to data brokers (Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC). Now, Recital 47 of the GDPR (Overriding legitimate interest) states: “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Can the data industry rely on legitimate interests, or is it required to obtain consent despite the absence of a relationship with the data subjects? Under the GDPR, the legal basis for processing personal data requires that the processing be described with specificity in advance. Without it, using that data for Big Data Analytics and AI produces unlawful results that expose organisations, their partners and their customers to legal liability.
Recital 26 of the GDPR (Not applicable to anonymous data) explicitly states that “The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation […] should be considered to be information on an identifiable natural person.”
Recital 26 also states that data that has been truly anonymised lies outside the scope of the regulation: “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
This means that anonymisation not only offers a more powerful means of securing personal data, but also enables the use of data for, for example, marketing or analysis purposes without violating an individual's data privacy, provided, that is, that the anonymisation adequately protects the data.
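As an added illustration of the Recital 26 distinction (example code written for this page, not taken from the regulation or any cited source): a keyed token replacing the e-mail address can be re-linked to the person by whoever holds the key, so the output is still personal data, whereas aggregated counts with small groups suppressed relate to no individual. The records, the key and the `min_group` threshold are constructed assumptions.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (fictitious people); "email" is the direct identifier.
RECORDS = [
    {"email": "a.adams@example.org", "city": "Lyon", "age": 34, "product": "smartcard"},
    {"email": "b.baker@example.org", "city": "Lyon", "age": 37, "product": "smartcard"},
    {"email": "c.cole@example.org", "city": "Lyon", "age": 41, "product": "smartcard"},
    {"email": "d.dunn@example.org", "city": "Bonn", "age": 29, "product": "biometric-lock"},
]

# Constructed key; in practice the controller keeps it separately from the data.
KEY = b"constructed-demo-key"


def _token(email, key):
    """Keyed pseudonym (HMAC-SHA256) for one identifier."""
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace the email with a keyed token. The identifier is gone from the
    rows, but the key holder can still attribute each row to a person, so
    under Recital 26 the result remains personal data."""
    return [
        {"token": _token(r["email"], key), **{k: v for k, v in r.items() if k != "email"}}
        for r in records
    ]


def relink(pseudo_records, key, known_email):
    """The controller (key holder) re-identifies a data subject's rows,
    e.g. to honour an access or erasure request; this is exactly why the
    data is 'identifiable' rather than anonymous."""
    wanted = _token(known_email, key)
    return [r for r in pseudo_records if r["token"] == wanted]


def anonymise(records, min_group=3):
    """Aggregate to counts per (city, product) and drop groups smaller than
    `min_group`. No remaining row relates to an identifiable person, which is
    the condition Recital 26 sets for falling outside the GDPR."""
    counts = Counter((r["city"], r["product"]) for r in records)
    return {group: n for group, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS, KEY)
    print("re-linked:", relink(pseudo, KEY, "b.baker@example.org"))
    print("anonymous aggregate:", anonymise(RECORDS))
```

Note that suppression alone is not a guarantee of anonymity on richer datasets; the point here is only that aggregated output has no row per person, while the tokenised rows still do.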
Article 80 of the GDPR allows civil-liberties or consumer-protection representatives to advocate on behalf of the community or public interest.
Non-EU established organisations will be subject to the GDPR where they process personal data about EU data subjects.