Lecture 1 Week 2 notes - Dr Orla Lynskey - The scope of Data Protection Law

Course Digital Rights, Privacy and Security
Institution The London School of Economics and Political Science

LL4S4: Digital Rights
Lecture 1 (Week 2)
The Scope of EU Data Protection Law

Material Scope

• The first lecture covers the material scope of application of the data protection rules. The second covers the personal scope of application, and the third lecture looks at its territorial reach and at the exceptions.

Objectives

• To define and interpret the key concepts determining when and to whom the EU data protection rules apply.
• To analyse critically whether a broad scope of application of the GDPR is desirable.
  o Purtova article (non-essential reading): she suggests that data protection law is in danger of becoming the law of everything. Its reach extends to all datafied processing, and this might not be desirable.

Defining data processing

• The GDPR applies to the processing of personal data. Processing is defined incredibly broadly.
• ‘Processing’ is ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means’
  o It is very difficult to imagine any operation that wouldn’t qualify as processing. This is subject to two limited caveats. The processing has to be wholly or partly automated. Anything that involves digitised data will be at least partly automated as a process, so everything that we think of in the online environment is automated processing. The caveat here therefore concerns physical files as opposed to digitised files. The GDPR applies to manual processing when the relevant information forms part of a filing system.
• Processing must be: ‘wholly or partly by automatic means’ or manual processing of data forming ‘part of a filing system’
• A ‘filing system’ is ‘any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis’.
  o This might be a set that is chronologically structured, or structured by student identification. When it is easy to retrieve data from a filing system, then it will be processed for the purposes of the GDPR.
  o Files that contain personal data wouldn’t be processed within the meaning of the GDPR if the files are all over the place, because it wouldn’t be easy to access that data.
  o But processing has a broad interpretation.

Data Processing: Filing System

• ‘…the personal data collected in the course of the door-to-door preaching at issue in the main proceedings are structured according to criteria chosen in accordance with the objective pursued by that collection, which is to prepare for subsequent visits and to keep lists of persons who no longer wish to be contacted. Thus, (…) those criteria, among which are the name and address of persons contacted, their beliefs or their wish not to receive further visits, are chosen so that they enable data relating to specific persons to be easily retrieved.’ C-25/17, Tietosuojavaltuutettu (10 July 2018)
  o This case interprets the concept of data processing. It involved the Jehovah’s Witnesses organisation, which asked local witnesses to engage in preaching and to collect information about those to whom they made visits. The way in which those local agents of the organisation collected data was left to them; there was no mandated structure in which the information was collected. Could the way in which these local agents collected the information constitute data processing? Did it involve processing in a sufficiently structured way? Here the court said that it did, because the information was structured according to criteria chosen with the objective of the collection in mind. The objective of the collection was to compile a list of individuals who did not want to be contacted further or receive further visits, and to separate them from those who did want to be contacted. The way in which the information was stored enabled the data of those people to be easily retrieved. So, the information was being stored in a way which allowed the easy identification of those who wanted further visits. This meant that it was sufficiently structured to be a ‘filing system’. The concept of processing is broad indeed.

Defining ‘Personal Data’

• ‘Personal data’ is ‘any information relating to any identified or identifiable natural person’ Art 4(1) GDPR
• 3 Key Elements:
  1. Any information
  2. Relating to
  3. Identifiable person

1. Any Information

• Covers objective and subjective information
  o The court hasn’t dwelled on what we mean by ‘information’. It has said, though, that the concept covers both objective and subjective information. Personal data could be an opinion about an individual.
• The information can be incorrect
  o It extends to information that is inaccurate or incorrect.
  o One query is whether this goes beyond private information that might fall within the scope of private life. Does it cover information that would not fall within the scope of Article 8 ECHR?
• Format of the information is not relevant

2. ‘Relating to’

• There is more discussion around the idea that the information ‘relates to’ someone. In the EU there is an advisory body, which has now been given more extensive regulatory powers, made up of representatives of each of the national data protection authorities. One of its functions is to provide opinions on how data protection law should be interpreted.
• ‘Information can be considered to ‘relate’ to an individual when it is about that individual’. (A29 WP, Opinion 4/2007)
  o Information can be about you when its content is about a particular person. This might be your dress. But information can also relate to you when the purpose of processing it is to evaluate you, to treat you in a certain way or to influence the way in which you behave. Here we are looking at the reason why the information is processed. We also look at whether the information processed can have an impact on the person’s rights and interests; if so, it could relate to an individual.
• Content: ‘Information is given about a particular person, regardless of any purpose on the side of the data controller or of a third party, or the impact of that information on the data subject’
• Purpose: When data are used or likely to be used ‘with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual’.
• Result: Data ‘is likely to have an impact on a certain person’s rights and interests, taking into account all the circumstances surrounding the precise case’
• ‘…it is not necessary that the data ‘focuses’ on someone in order to consider that it relates to him’
  o At national level, in the UK, we had early judgments which indicated that information wouldn’t be relating to someone unless it affected their private life or unless it was biographical, so that the content of the information was about a particular person. So, we have a broader interpretation given by the Article 29 Working Party (A29 WP). This was considered by the CJEU in two cases:

‘Relating to’: YS and MS

THE APPLICATION
- Data provided by the applicant in the immigration application

THE MINUTE
- Data about applicant
- Legal Analysis

THE DECISION
- May contain data provided by the applicant
- Outcome of legal analysis

• What is interesting about these two cases is that the way in which the court interpreted the concept of ‘relating to’ seems to be slightly different.
• The first case is YS and MS. It involved immigrants in the Netherlands who were seeking leave to remain, who had initially had their applications rejected and who subsequently had their applications accepted. Following the recognition of immigration status, the individuals concerned asked to have access to the administrative document that set out the reasoning for giving them the immigration status. Under data protection law you have a right of access to your personal data. So, the question that the court was asked to consider was whether that document constituted the personal data of these individuals. Under the approach of the Article 29 Working Party (A29 WP), the answer is yes: the immigration status has an impact on them.
• The court in this case seems to distinguish between the application which the individuals made to the immigration authorities, which contains their personal data (date of birth, country of origin), the document which would apply the law to the facts of the individual, and then the final decision (whether you are granted immigration status, and which may contain personal data of the applicant). The court reasoned that the document could not relate to the applicants. It did this by suggesting that you need to consider the objective and general scheme of the legislative framework, and that individuals are given a right to access their personal data in order to check whether it is correct and to rectify it if it is incorrect. The court here reasoned that the applicants couldn’t amend the document of the administrative authority and hence it would not make sense to treat it as their personal data. So, in this way the court said that it doesn’t relate to them, hence there is no right of access to this information.
• Applying this logic to algorithmic decision making: if the application is the input to an algorithmic decision-making system and the decision is the output of that system, does this mean that individuals could never get access to the way in which an algorithm is applied to their particular instance, that is, to what happens in the black box? You can see that this reasoning from the CJEU could limit the concept of personal data. There was concern about this in the digital context.
• Do you agree with the logical reasoning process of the court in this case? What factors, given the context that we are talking about, might have motivated the court to decide the case in this way? Come ready to discuss this at the seminar.
• Court considers the ‘objective and general scheme of the Directive’ (the ‘accuracy check’ and the Directive’s privacy aims)
• How does this apply to algorithmic profiling online?

‘Relating to’: Nowak

• The court was given the opportunity to consider the definition of ‘personal data’ here.
• Mr Nowak was an individual based in Ireland who was sitting his accountancy exams. He made numerous attempts at these exams and in the end he sought access to his exam papers on the basis of data protection law. He argued that his exam answers were his personal data and that, even if he didn’t have a right of access through the normal procedures, he could get access through data protection law. The CJEU considered the following question:
• Do the written answers provided by a candidate in a professional examination and comments made by the examiner constitute his personal data?
• The written answers provided by a candidate in a professional examination and comments made by the examiner constitute information ‘relating to’ him, as by reason of its content, purpose or effect it is linked to him.
• The court endorses the A29 WP.
  o Content: Reflect his knowledge and competence
  o Purpose: Purpose of data collection is to evaluate the candidate
  o Effect: The use of that information is likely to have an effect on his rights
• It will have an impact on his future career.
• The court therefore considered that, even though he doesn’t have a right to rectify it, this constitutes his personal data as it relates to him.
• What do you think about this finding? What are we trying to protect by treating our exam as personal data, and bringing it within the realm of what is a legislative framework designed to protect fundamental rights?
• The court didn’t very clearly explain how this judgment relates to its judgment in YS and MS.
• The CJEU rarely admits that it got it wrong.





• The Court must hold that to give a candidate a right of access to those answers and to those comments (…) serves the purpose of that directive of guaranteeing the protection of that candidate’s right to privacy with regard to the processing of data relating to him (see, a contrario YS and Others paragraphs 45 and 46), irrespective of whether that candidate does or does not also have such a right of access under the national legislation applicable to the examination procedure.
  o The court holds on to its YS and MS reasoning, that you need to take into account the objectives of the legal framework in determining what is personal data. But it seems to distinguish YS and MS here. Is this a convincing distinction, and should we interpret the concept of personal data in light of the overarching objectives of the data protection framework? Again, in Nowak we have gone to the kind of broader interpretation of ‘relating to’. Is YS and MS still good law? Does Nowak distinguish it or overrule it?

3. ‘Identifiability’ Criterion

• Information is considered to be personal data when someone has been identified directly, based on their name for instance (if you have an unusual name). But when you cannot identify an individual, the GDPR also applies when the individual is identifiable. This applies when the individual can be identified both directly and indirectly. Really, here we are asking ourselves: if you took two or more pieces of information about a particular person and coupled them together, would you be able to link this back to a particular identity? If so, then the information is considered as personal data.
• In the context of Covid-19 contact tracing apps, the argument was made that this didn’t involve personal data processing because the data collected by your device, as initially envisaged, would be simply the location of your device in some circumstances, and also those contacts that you had: the identifiers of other phones that you were in proximity to.
• Because this information would be stored in a central database, there was always a possibility that numbers would be added to these (phone numbers belonging to a person), so you could reverse engineer who the information pertained to once you started to add more information to the data set. This discussion can be quite technical. The literature seems to indicate that it is very difficult to anonymise a data set, that is, to make it impossible for additional information to be added to it and for it to be linked back to a real person. So, what the GDPR is saying is that, when setting this benchmark of identifiability, we should take account of all the means that would reasonably be used either by the entity that is doing the processing or by any other person.
• ‘Identifiable person’ is ‘one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.
• Recital 26: ‘account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person’.

Identifiability: Issues



• Likelihood of identification
• Fact-specific assessment:
  o Cost of conducting identification
  o Intended purpose of data processing
  o The advantage expected to the controller etc.
  Art 29 WP, Opinion 4/2007
• The Opinion emphasises that this is a contextual assessment: you need to take into account what purpose identification would serve, what the advantage would be to the controller, and what the cost would be of bringing together information to link it back to an individual. There has been a German case referred to the CJEU.
• Breyer (C-582/14):
  o An IP address is personal data if the German State could get identifying information from the ISP in the event of cybercrime.
• Mr Breyer was a visitor to government websites, and he noted that when he visited particular government websites, his IP address, which can be linked back to the device from which he was visiting the webpage, was being collected by the webpages concerned. When you log on to the internet, the internet service provider provides you with an IP address, and this IP address changes frequently. Whenever you visit a website or a platform, your IP address is used to enable you to get access to that webpage or platform. Mr Breyer was arguing that this constituted personal data processing that was not compatible with the EU data protection framework. So, his claim was that the IP address was personal data, which could be linked back to him as an identifiable individual.
• The court said that, in those circumstances, the German government could connect the IP address to his real-world identity by going to court to seek an injunction against his internet service provider, who would be able to provide his name to them. So, in principle, the controller of the operation, the German Government, could combine the existing data it had with other data held by a third party (the internet service provider) in order to link the information back to someone who was identifiable, and hence this fulfilled the criteria of ‘personal data’. What is striking is that it was possible to link the IP address back to Mr Breyer, but the steps you needed to take to get there were costly. The fact that this was legally possible meant that the court considered the information to relate to someone who was identifiable.
• So, you take these 3 conditions (information, that relates to, someone who is identified or identifiable), each of which has individually been interpreted expansively, and what you get is a concept of personal data that is incredibly broad. This is why Purtova suggests that data protection could be looked at as the law of everything.



Personal Data?

• We will look at these in the seminar. Do you think that in each of these scenarios, the information concerned would constitute personal data?
• Minutes of a DG Competition meeting attended by Commission officials and industry lobbyists in which the name of a lobbyist appears.
• Video footage of a journalist being filmed outside Westminster with passers-by in the background
• Contact details taken from a CV posted online by a College of Europe academic with a publicly available Facebook page
• Data generated by a tracking cookie linked to a particular IP address and sold as part of a package of aggregate data to advertisers

The Content of Article 8 EUCFR?

• Information that is classified as personal data may not necessarily overlap with information that is classified as private data. What is the difference between data protection and privacy in the digital space?
• Think of examples that might constitute personal data but that might not be looked at as private....

