EPA GDPR Webinar Summary – 2 – Legal grounds to process personal data

On the 27th of April, the European Privacy Association held the second webinar of the General Data Protection Regulation Webinar Series, on the topic “Legal Grounds to Process Personal Data”. The webinar included a 45-minute long presentation and a Q&A session during which the participants could ask direct questions. This week, it was Mr. Peter Wright, Managing Director at Digital Law UK and Chair of the Law Society & Law Reference Group, who led the webinar session. Mr. Wright started his presentation by providing a quick introduction to the context of the General Data Protection Regulation (GDPR), so that attendees who had missed out on the first webinar of the series could quickly catch up.

The presenter then provided a brief summary of the increased obligations that the GDPR poses on Data Processors, some of which had only rested on the Data Controllers prior to the new regulation. For instance, technical measures, organisational measures and data breach notification mechanisms need to be put in place by the Data Processors as well. In addition, it will be mandatory for Data Processors to appoint a Data Protection Officer in case they are working in the public sector or in case they are handling Big Data. These actors are therefore becoming more accountable under the new GDPR than they were according to the previous laws. An increased responsibility can be seen for Data Controllers as well, for instance in Article 26 of the GDPR, that imposes fresh obligations on Data Controllers who appoint Processors. For example, Data Controllers will be under an obligation to review contracts with 3rd party service providers engaged by their appointed Processors.

Mr. Wright noted that the original Data Protection Directive, dating from 1995, was referring to a world that is now outdated and seems very far back from a technological perspective. At the time, Big Data was not such a widespread issue and the means and scope of data collection were more restricted. It was therefore high time for a modernisation of the legal environment, with modifications that would address the reality of the world we live in.

The speaker then addressed the changes surrounding the data breach notification, which has always been a requirement for Data Controllers, but now extends to Data Processors as well, who must notify the Controllers. The time frame for reporting a breach to the appropriate supervisory authority is 72 hours and notifications must be made “without undue delay”. Mr. Wright mentioned that a representative of the ICO (n.ed. Information Commissioner’s Office, the UK Data Protection Authority) revealed, in an informal discussion, that the ICO is already looking at implementing the infrastructure necessary to cope with the notification volume, which they predict will be “exponentially higher.”

The webinar then proceeded with the analysis of Art. 6 of the new GDPR. Whilst there were no groundbreaking changes from the previous legislation, the speaker noted that “consent” was interpreted more restrictively in the GDPR: for instance, 6(1)(a) requires that the data subject has given consent to the processing of their personal data for one or more specific purposes. Art. 6(1)(b) established that processing can be allowed where the data subject is party to a contract, or in the steps leading up to the formation of a contract. Art. 6(1)(c) allows processing where “it is necessary for compliance with a legal obligation to which the controller is subject” – the speaker points out that the legal obligation, whilst it does not have to be statutory (and can therefore derive from common law), must be a “clear and precise” obligation deriving from the legislation of a Member State or from an EU legislation. Mr. Wright noted that the “clear and precise” test indicates a high threshold. Art. 6(1)(d) allows the processing of data where such processing is necessary for the vital interest of the data subject but, as the speaker pointed out, this article only applies where no othe processing ground is available (i.e. consent). Art. 6(1)(e) allows the processing where it “is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” – this can only occur where it has been clearly codified, pointed out the speaker.

Finally, Art. 6(1)(f) relates to the processing carried out for legitimate interests pursued by a controller. However, the application of this article would require a balancing exercise between the legitimate interests of the controller and other rights or interests of the data subject, especially when the data subject is a child. Therefore, this balancing exercise is likely to limit the application of art. 6(1)(f) as a sort of “blanket permission to process”, as has sometimes been the case so far.

The concept of “legitimate interest” also shows up in Recital 47 of the GDPR, where direct marketing purposes of fraud prevention are indicated as good grounds for constituting legitimate interest – always, of course, subject to the balancing exercise with other fundamental rights of the data subject. Data Controllers should therefore carefully consider the expectations of the data subjects. The speaker noted that one result of the GDPR could be that some companies will change the way in which they process data, for reasons of efficiency and security. They may ask themselves: “Can we operate in a safe and secure manner when processing personal data?” If the answer is not a clear “yes”, then they may wish to question whether some data actually needs to be processed. This approach clearly shows that the intention of the GDPR is to make Data Controllers and Data Processors more mindful about the amount of data they process and the infrastructure they have in place.

The webinar ended with a very interesting consideration of the potential implications of a “Brexit” (i.e. Great Britain exiting the European Union). The upcoming vote that will be held on the 23rd of June may lead to a Brexit, and in that case, the post-exit settlement will be key to ensure data transfers to and from Great Britain can proceed smoothly. If a Brexit would mean not only the exit from the EU, but also from the European Economic Area (which is not unlikely), then Britain may end up as an unapproved third country and contractual clauses will need to be used for every data transfer. In any case, whilst awaiting the outcome of the vote, companies are advised to review their procedures, put a clear data breach notification plan in place and review the basis on which they make international data transfers.