Recently, the European Union updated its rules on personal data protection. Historically, the Data Protection Directive (Directive 95/46/EC) regulated the processing of personal data within the European Union. In April 2016, after 20 years, the European Parliament approved a new law, the GDPR (General Data Protection Regulation). The GDPR provides important updates to the existing directive, but it also has a broader scope and brings several new requirements for data controllers and data processors. It will apply as of 25 May 2018, and from that date all companies operating in the EU, wherever they are based, are expected to comply.
We are about to publish a series of articles to introduce the importance of personal data protection and to give an overview of how the new regulation will impact businesses that process personal data. Let’s start by analyzing the scope of applicability of the Regulation: we will break down the definitions of “personal data” and “processing” of such data, the players involved and the territorial scope.
Personal data and its processing
1. What is “Personal Data”?
The Regulation itself gives us the definition of personal data, in Article 4(1): “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The definition, largely carried over from Directive 95/46/EC (still in force until the GDPR applies), is deliberately broad, to give the individual better protection. Indeed:
- The wording “any information” already calls for a wide interpretation of the statement.
From the point of view of the nature of the information, it covers any sort of statement about a person: “objective” information (such as the blood type) or “subjective” information (such as opinions or assessments), regardless of whether it is true. It can even be incorrect (that is why the Regulation provides us, among others, with the right to rectification).
Content-wise, it can include everything that relates to the individual: family life, working relations, economic or social behaviour.
Considering the format or the medium on which the information is held, the definition is technology neutral: it may include information available in any form, be it alphabetical, numerical, graphical, photographic or acoustic and, of course, information stored in computer memory as binary code, or on a videotape, for instance. Nor is it necessary, for the information to count as personal data, that it be contained in a structured database or file.
Information contained in free text within an electronic document can also qualify as personal data, provided the other criteria in the definition are fulfilled. An e-mail, for example, can contain personal data.
Special reference should also be made to biometric data (fingerprints, retinal patterns, facial structure, voice, but also hand geometry, vein patterns or even some deeply ingrained skill or other behavioural characteristic, such as a handwritten signature, keystroke dynamics, a particular way of walking or speaking). A particularity of biometric data is that they can be considered both as the content of the information about a particular individual and as an element establishing a link between a piece of information and the individual (“identifiers”, which we will discuss in more detail later in this article).
- Personal data has to “relate to” a natural person: in general terms, information “relates” to an individual when it is about that individual. At first sight, this is easy to recognize. However, in some situations the information concerns objects in the first instance and not individuals. Those objects usually belong to someone, may be subject to particular influence by or upon individuals, or may be in some sort of physical or geographical vicinity to individuals or to other objects. It is then only indirectly that the information can be considered to relate to those individuals (think of the value of the flat owned by an individual, which may reveal the financial situation of that person).
- “Natural person”: meaning human beings. Information relating to legal persons (e.g. a company) is in principle not covered by the Regulation, and the protection it grants does not apply. However, data protection rules may still apply indirectly, as long as information about a legal person can also be considered as “relating to” natural persons on its own merits, according to the criteria explained above.
- The natural person has to be “identified or identifiable”. Identification is normally achieved through particular pieces of information which we may call “identifiers” and which hold a particularly privileged and close relationship with the individual: outward signs of appearance (height, hair colour) or a quality of the person which cannot be immediately perceived (profession, function, name etc.).
The Directive already mentioned such “identifiers” within its definition of personal data (as an open list), and the Regulation now adds “online identifiers” to the list. According to the Regulation there are two ways of being identified: directly or indirectly. This wording makes clear that the extent to which certain identifiers are sufficient to achieve identification depends on the context of the particular situation: a person's full name is an obvious likely identifier, but a person can also be identifiable from other information, including a combination of different identification elements.
That is indeed a large number of potential identifiers. Just take the above-mentioned online identifier, for instance: this could be a cookie, and cookies already exist in many shapes and flavours for several purposes, from web analytics to advertising.
Other forms of online identifiers are described in Recital 30 of the GDPR, which clarifies that natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as (the list is intentionally not exhaustive):
- IP (Internet Protocol) addresses,
- cookie identifiers, or
- other identifiers such as Radio Frequency Identification (RFID) tags (which brings us to the Internet of Things).
All these online identifiers leave traces which, when combined with unique identifiers and/or other information received by the servers (remember the importance of context and aggregation), can be used to create profiles of data subjects and identify them. We picked online identifiers to illustrate the vastness of possible identifiers, but you can imagine the same vastness with regard to all the other factors mentioned, relating to pretty much anything that concerns a data subject.
Depending on your industry and the area of (processing) activities, you need to look at the factors that could concern the privacy of data subjects within this scope. Moreover, to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments (Recital 26). The key thing to remember is that identifiers such as the ones mentioned are considered personal data because, in combination with other identifiers, they can lead to the identification of a data subject (online identifiers combined with other identifiers can be, and de facto are, used for profiling, which the GDPR explicitly addresses).
Genetic data are clearly considered personal data, as you can read in Recital 34. Moreover, genetic data are considered sensitive data and deserve special protection. The same goes for personal health data, which include information derived from genetic data but go much further, as explained in Recital 35 of the GDPR, which sums up various forms of healthcare-related personal data that fall under the GDPR (and for which there are special protection rules). So the golden rule is: context matters. The more data get combined and aggregated, the more substantial the personal data become, the harder it becomes to de-identify them, and the higher the risks and responsibilities, and the potential GDPR fines and penalties. Sometimes an e-mail address is enough to identify someone; sometimes you need a mix of online and other identifiers.
Last, but not least, the GDPR does not cover anonymous data (Recital 26). It does cover pseudonymized personal data: pseudonymization, a tactic often used in security and analytics among other fields, replaces direct identifiers with tokens but keeps the additional information needed to reverse the mapping (Article 4(5) requires that this additional information be kept separately and protected). As opposed to anonymous data, pseudonymized data can therefore still be traced back to an identifiable natural person, the data subject. At the same time, pseudonymization, along with encryption, is one of the measures Article 32 names as “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
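The “combination of identifiers” point above is easier to see on data than in prose. The following is an added example, not code from the article: a small set of constructed health records with names removed but three quasi-identifiers kept (postcode, date of birth, sex), joined against a constructed directory that still carries names. The field names, record values and the generalization step are all assumptions made for the illustration; k-anonymity is used here as the measure of how many people share the same combination.

```python
"""Added example (not from the article): a record with the name removed can
still be personal data, because a combination of "quasi-identifiers" such as
postcode, date of birth and sex may be unique and can be joined against
another dataset that still carries names. All data below are constructed."""
from collections import Counter
from itertools import combinations

QUASI = ("postcode", "dob", "sex")

# Constructed "de-identified" health records: direct identifiers removed.
RECORDS = [
    {"id": "r1", "postcode": "1010", "dob": "1980-03-02", "sex": "F", "diagnosis": "asthma"},
    {"id": "r2", "postcode": "1010", "dob": "1980-03-02", "sex": "F", "diagnosis": "flu"},
    {"id": "r3", "postcode": "1020", "dob": "1975-11-30", "sex": "M", "diagnosis": "diabetes"},
    {"id": "r4", "postcode": "1020", "dob": "1975-11-30", "sex": "M", "diagnosis": "flu"},
    {"id": "r5", "postcode": "1020", "dob": "1990-07-14", "sex": "M", "diagnosis": "hypertension"},
    {"id": "r6", "postcode": "1010", "dob": "1990-07-14", "sex": "M", "diagnosis": "asthma"},
]

# Constructed external dataset with names (think of a leaked customer list
# or a public register) that an attacker could reasonably obtain.
DIRECTORY = [
    {"name": "Anna Example", "postcode": "1010", "dob": "1980-03-02", "sex": "F"},
    {"name": "Bea Example", "postcode": "1010", "dob": "1980-03-02", "sex": "F"},
    {"name": "Carl Example", "postcode": "1020", "dob": "1990-07-14", "sex": "M"},
    {"name": "Dan Example", "postcode": "1010", "dob": "1990-07-14", "sex": "M"},
]


def key(rec, fields=QUASI):
    """The quasi-identifier tuple used for grouping and joining."""
    return tuple(rec[f] for f in fields)


def k_anonymity(records, fields=QUASI):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one record is unique on those fields."""
    counts = Counter(key(r, fields) for r in records)
    return min(counts.values())


def link(records, directory, fields=QUASI):
    """Join records to directory names on the quasi-identifiers.
    Returns {record id: [candidate names]}."""
    index = {}
    for d in directory:
        index.setdefault(key(d, fields), []).append(d["name"])
    return {r["id"]: index.get(key(r, fields), []) for r in records}


def identified(records, directory, fields=QUASI):
    """Ids of records that resolve to exactly one named person."""
    return sorted(rid for rid, names in link(records, directory, fields).items()
                  if len(names) == 1)


def weakest_subset(records, fields=QUASI):
    """Smallest subset of fields on which some record is already unique."""
    for n in range(1, len(fields) + 1):
        for sub in combinations(fields, n):
            if k_anonymity(records, sub) == 1:
                return sub
    return None


def generalize(rec):
    """Coarsen the quasi-identifiers: postcode area only, year of birth only."""
    out = dict(rec)
    out["postcode"] = rec["postcode"][:2]
    out["dob"] = rec["dob"][:4]
    return out


if __name__ == "__main__":
    print("k on", QUASI, "=", k_anonymity(RECORDS))            # 1
    print("identified:", identified(RECORDS, DIRECTORY))          # ['r5', 'r6']
    print("weakest subset:", weakest_subset(RECORDS))             # ('postcode', 'dob')
    coarse = [generalize(r) for r in RECORDS]
    coarse_dir = [generalize(d) for d in DIRECTORY]
    print("k after generalization =", k_anonymity(coarse))        # 2
    print("identified after:", identified(coarse, coarse_dir))    # []
```

No single field is unique in this toy set, yet postcode plus date of birth already singles out two records, and the join against the directory names them. Coarsening the fields (postcode area, year of birth) raises k to 2 and defeats the join; whether that is enough in a real dataset is exactly the “means reasonably likely to be used” question of Recital 26, and the answer changes as more external data becomes available.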
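To make the difference between pseudonymized and anonymous data concrete, here is an added example (not code from the article) of pseudonymization done the way Article 4(5) describes it: a keyed pseudonym replaces the e-mail address, the key is the “additional information” kept separately, and the key holder can re-identify the data subject. It also shows why an unkeyed hash of an identifier, which is often passed off as anonymization, is not even a good pseudonym. The key handling, candidate list and record layout are assumptions made for the illustration.

```python
"""Added example (not from the article): pseudonymisation as the GDPR means
it. A keyed pseudonym replaces the direct identifier; the key is the
"additional information" that must be kept separately. Whoever holds the key
can re-identify, so the output remains personal data. An unkeyed hash, which
is often mistaken for pseudonymisation, falls to a dictionary attack because
e-mail addresses are guessable. All sample data are constructed."""
import hashlib
import hmac
import secrets

# The "additional information" (Art. 4(5)): generated fresh here; in a real
# system it lives in a secrets manager / HSM, separate from the data store,
# with its own access control and audit trail.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Constructed candidate list an attacker could assemble (a leaked user list,
# an LDAP dump, or just guessing first.last@company addresses).
CANDIDATES = ["anna@example.com", "bea@example.com", "carl@example.com"]


def normalize(email: str) -> bytes:
    """Canonical form so 'Anna@Example.com' and 'anna@example.com' map alike."""
    return email.strip().lower().encode("utf-8")


def pseudonymize(email: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256). Same email + same key ->
    same token, so records about one person can still be joined."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def naive_hash(email: str) -> str:
    """Unsalted SHA-256: what many 'anonymisation' scripts actually do."""
    return hashlib.sha256(normalize(email)).hexdigest()


def dictionary_attack(token: str, candidates, tokenizer):
    """Re-identify a token by trying candidate e-mails through `tokenizer`.
    Returns the matching e-mail or None."""
    for email in candidates:
        if hmac.compare_digest(tokenizer(email), token):
            return email
    return None


def split_record(record: dict, key: bytes):
    """Replace the e-mail by its pseudonym and return the pseudonymised
    record together with the lookup entry to be stored separately."""
    token = pseudonymize(record["email"], key)
    pseud = {k: v for k, v in record.items() if k != "email"}
    pseud["subject"] = token
    return pseud, {token: record["email"]}


if __name__ == "__main__":
    record = {"email": "Anna@Example.com", "plan": "premium"}   # constructed
    pseud, lookup = split_record(record, PSEUDONYM_KEY)
    print("stored with the data:", pseud)
    print("stored separately:  ", lookup)
    # Unkeyed hash: anyone with a candidate list recovers the e-mail.
    print(dictionary_attack(naive_hash("anna@example.com"), CANDIDATES, naive_hash))
    # Keyed pseudonym: the same attack fails without the key ...
    print(dictionary_attack(pseud["subject"], CANDIDATES, naive_hash))
    # ... and succeeds for the key holder, which is why it is still personal data.
    print(dictionary_attack(pseud["subject"], CANDIDATES,
                            lambda e: pseudonymize(e, PSEUDONYM_KEY)))
```

The practical consequences: the pseudonymized table is still personal data and still in scope for the GDPR, the key (or lookup table) deserves at least the protection of the original identifiers, and a breach of the pseudonymized table alone is much less severe than a breach of both, which is the risk reduction Article 32 has in mind. Rotating the key breaks the join between old and new records, so rotation has to be planned together with retention.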
2. “Processing” of personal data and privacy risks
In this section we will go through a brief explanation of the processing of personal data and briefly refer to a number of privacy risks that may lead to a data breach. We will begin with the GDPR itself.
The upcoming regulation defines “processing” (of personal data) in Article 4 as follows:
Article 4 (2): “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
For a more thorough understanding of processing, we have to understand the parties involved in it. There are three main parties: the “controller”, the “processor” and the “data subject”.
- The “controller” means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- The “processor” means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
- The “data subject” means the individual whom particular personal data is about.
We will give two examples of processing of personal data by online services: one where the user actively submits the data and one where the data are collected without the user's active input.
User-submitted data example: An online service requires a user to fill in a form and submit his/her personal information (name, gender, e-mail etc.), which is then stored in an online database.
Passively collected data example: An online service captures the IP address and the behaviour of a user and systematically collects and stores this information.
Note that both are processing “by automated means”, since the data end up in a database. Processing other than by automated means (e.g. paper forms kept in an indexed filing cabinet) is also covered when the data form part of, or are intended to form part of, a filing system (Article 2(1)).
So the GDPR regulates personal data whether they are collected, recorded, stored etc. automatically or not. The definition of processing also contains some interesting points. To mention just one, consider ‘disclosure by transmission’. This translates into both a functional and a non-functional requirement for developers.
Firstly, the service that processes the data must ensure that it does not disclose any information, e.g. to third parties, without a lawful basis (for example the user's prior consent). Secondly, disclosure can also be the result of bad design of the functional part of the service, for example sending personal data as query parameters of GET requests over plain HTTP. The data then appear in the URL, and therefore in browser history, proxy and server access logs and Referer headers, and anyone on the network path can read them if the connection is not encrypted. The service effectively “transmits” the user's personal data to parties it never intended to, unless the data are encrypted in transit and/or pseudonymized.
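The GET-over-HTTP problem just described, as an added example that is not code from the article: the same registration data built as a leaky GET URL and as a POST body over HTTPS, a constructed access-log line showing what a server or proxy would retain, and a small check that can run in a test suite to flag personal data that ends up in a URL. The base URLs, the profile and the list of fields treated as personal data are assumptions made for the illustration.

```python
"""Added example (not from the article): the same registration data sent as
GET query parameters over plain HTTP versus as a POST body over HTTPS, plus a
check a developer can run in tests to catch personal data that ends up in a
URL. The base URLs and the profile are constructed."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Fields treated as personal data for this check (assumption for the example).
PERSONAL_FIELDS = {"name", "email", "gender", "dob", "phone"}

# Constructed form submission, along the lines of the article's example.
PROFILE = {"name": "Anna Example", "email": "anna@example.com", "gender": "F"}


def build_get_url(base: str, profile: dict) -> str:
    """The leaky design: personal data in the query string."""
    return base + "?" + urlencode(profile)


def build_post_request(base: str, profile: dict) -> dict:
    """Hardened design: data in the body, and only over TLS."""
    if urlsplit(base).scheme != "https":
        raise ValueError("refusing to send personal data over a plaintext URL")
    return {
        "method": "POST",
        "url": base,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(profile),
    }


def personal_data_in_url(url: str, fields=PERSONAL_FIELDS):
    """Which personal-data fields appear in the URL's query string."""
    query = parse_qs(urlsplit(url).query)
    return sorted(f for f in fields if f in query)


def access_log_line(url: str, client_ip: str = "203.0.113.5") -> str:
    """Constructed Common Log Format line: this is what the server, every
    proxy on the way and the browser history keep for a GET request."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'{client_ip} - - [25/May/2018:00:00:00 +0000] "GET {target} HTTP/1.1" 200 17'


def check_request(req: dict):
    """Problems with a request dict as produced above; empty list means clean."""
    problems = []
    if urlsplit(req["url"]).scheme != "https":
        problems.append("plaintext transport")
    leaked = personal_data_in_url(req["url"])
    if leaked:
        problems.append("personal data in URL: " + ",".join(leaked))
    return problems


if __name__ == "__main__":
    leaky = build_get_url("http://service.example/register", PROFILE)
    print(leaky)
    print(access_log_line(leaky))
    print(check_request({"method": "GET", "url": leaky}))
    safe = build_post_request("https://service.example/register", PROFILE)
    print(check_request(safe))
```

Moving the data into a POST body removes it from URLs, logs and Referer headers; TLS protects it on the wire. Note that TLS alone does not fix the GET design, since the query string is still written to the server's own access logs and to the browser history, which is why the check reports the two problems separately.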
Furthermore, Article 5 of the GDPR sets out the principles relating to the processing of personal data. Here they are, as described by the regulation:
- Lawfulness, fairness, and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Data minimization: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accuracy: personal data shall be accurate and, where necessary, kept up to date.
- Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures;
- Accountability: the controller shall be responsible for, and be able to demonstrate compliance with the GDPR.
Based on the description so far, it is easy to see how often personal data are processed by online service providers (data controllers/processors) without the awareness of the data subject. Indeed, there are many different models of personal data sharing between users and online service providers. For example, a user shares his data with an online service provider, with his consent, in order to use its services. A common issue in this scenario is that the service asks for more data than it actually needs to provide the service. This is precisely the point at which the GDPR requires data minimization.
Another personal data sharing model is the following: a service does not ask the user to submit any personal data, but at the same time profiles its users by automatically collecting several data that can be used to de-anonymize or track them, e.g. for advertising or marketing purposes. As a result, today a user can be ‘spied on’ and profiled by online services, with or without his consent, for several reasons.
In the latter scenario, too, the GDPR requires a lawful basis for the processing (such as the user's consent) and, before any information is collected, transparent information to the user about what data are collected, why they are collected, how they will be processed and protected, whether they are transferred and for how long they will be stored.
In the next articles we will analyze the territorial scope and the legal grounds for processing of personal data, and we will explain the category of “sensitive personal data”.
Legal disclaimer This article contains general information about legal matters. The information is not advice, and should not be treated as such. You should not rely on the information on this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information on this website.
Authors: Alberto Nutricati https://volunteers.joomla.org/joomlers/2349-alberto-nutricati
Achilleas Papageorgiou https://volunteers.joomla.org/joomlers/2399-achilleas-papageorgiou