Lecture 2 Week 2 notes - Dr Orla Lynskey The scope of Data Protection Law PDF

Course Digital Rights, Privacy and Security
Institution The London School of Economics and Political Science


LL4S4 Digital Rights, Lecture 2 (Week 2): The Scope of EU Data Protection Law

Personal Scope
- To whom do the rules apply, who benefits from the rules, and who is subject to obligations under the legal framework?

Data Subject
- The ostensible beneficiary of the GDPR regime is called the data subject. This definition links back to the definition of personal data:
  - An identified or identifiable individual (Art 4(1) GDPR), linked to the definition of personal data (any information relating to an identified or identifiable individual).
  - The data subject is the beneficiary of the regime because individuals as data subjects are given rights by the framework and fall within its protective scope.
  - What is more controversial is the data controller.

Defining ‘Data Controller’
- This is the entity (public authority, private enterprise) which either alone or jointly with others determines the purposes and means of the personal data processing: the brains behind the data processing operation.
- The data controller is distinguished from the data processor, who carries out the personal data processing on behalf of the controller. Often a controller will contract with a third party to do its data processing on its behalf. For example, the LSE might contract with the Student Hub to provide certain services (e.g. booking office hours); when the Student Hub processes that personal data, it acts as a processor on behalf of the LSE as data controller.
- The data controller matters as a concept because most of the responsibilities under the data protection framework are imposed on the controller (e.g. Article 5). It is also the data controller that the individual needs to approach when they want to exercise their rights, and the concept can determine jurisdictional issues (who oversees personal data processing operations): which regulator is competent may be determined, for instance, by the place of establishment of the data controller. In Europe, many of the big tech firms have their primary place of establishment in Ireland, which means that the Irish Data Protection Commissioner is responsible for oversight of their GDPR compliance.
- The data controller concept is therefore doing a lot of work. We might expect the way in which it is interpreted and applied to be clear cut; in practice, what has emerged as a difficulty is separating the role of processors from that of controllers.
- Relevance of the concept:
  - Determines the actor responsible for compliance
  - Identifies the actor in respect of whom data subjects exercise their rights
  - Determines jurisdictional issues

Data ‘controller’: the ‘natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data’.
Data ‘processor’: ‘a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller’.

Distinguishing Controllers from Processors
- Article 29 Working Party: the way in which a contract is drawn up (for instance, explicitly stating that an entity is a data processor rather than a data controller) will not be decisive. We look at the actual factual influence that an entity has over the data processing in order to determine who is responsible for it.
- One way in which these two concepts are melded is in decisions about how personal data is processed. The ‘why’ or the ‘how’ of data processing, the means used to process personal data, might not be something that the data controller is an expert in. E.g. the LSE might tell the Student Hub to process students’ data for the purposes of ensuring interaction with faculty and enabling students to book facilities. The LSE can determine those purposes, but it will not likely provide much input on how specifically it wants those operations to be undertaken.
- The CoJ tends to focus solely on who is determining the purposes of processing, with much less emphasis on how the processing takes place. But in the digital environment, with complicated contractual chains of personal data processing, this binary distinction comes under pressure.
- Functional assessment of ‘data controller’:
  - Explicit legal competence
  - Implicit competence
  - Factual influence
- Based on the level of influence over the ‘how’ and ‘why’ of data processing activities, as distinct from organisational and technical decisions.

Google Spain: Data Controller
- The case in which the Court considered this issue in detail; the ‘right to be forgotten’ judgement.
- Could Google be classified as a ‘data controller’?
  - When Google provides links to content in response to a search query, should it be classified as a data controller in those circumstances?
  - Google argued that it could not be a data controller because it simply provided links to online content made available by others. In that sense it was not determining the purposes of data processing; and in many instances, when you enter a search term into the Google search engine, it treats the search term the same whether or not the results are personal data. It is oblivious as to whether it is providing access to personal data.
  - The Court rejected this defence and relied on a literal and teleological interpretation of the legislative framework at the time.
- Literal and teleological interpretation of the Directive: a search engine should not be excluded from the definition of controller.
  - The Court said that, taken literally, Google determines the purposes of processing: it determines whether a given link is made available in response to a given search query, and it determines to whom this information is made available. In this sense it has control over the purposes of processing and hence controls the how (logistics) of processing. On this basis, the Court considered Google to be a data controller.
  - But it did acknowledge that we might distinguish between different data controllers in this context: the primary publisher (which would be the Guardian) and Google as secondary publisher, exercising a distinct role. Both publishers act as data controllers. This has started to have interesting consequences, because once Google is labelled a data controller in its search engine capacity, the whole of the GDPR applies to it.
- The Court acknowledged the distinct role of search engines and website publishers.
- It emphasised that search engines could make data accessible on the basis of an individual’s name and could aggregate information into profiles in a manner that could significantly affect the fundamental rights of individuals.
- It did not matter that website publishers could ask Google to exclude certain data from its search results.
- Advocate General, [86]: ‘The internet search engine service provider has no relationship with the content of third-party source web pages on the internet where personal data may appear. Moreover, as the search engine works on the basis of copies of the source web pages (…), the service provider does not have any means of changing the information in the host servers. Provision of an information location tool does not imply any control over the content. It does not even enable the internet search engine service provider to distinguish between personal data, in the sense of the Directive, that relates to an identifiable living natural person, and other data.’

Facebook Fanpages
- Three cases which started to consider the notion of joint controllership over personal data processing.
- When Facebook Fanpage administrators create a Facebook Fanpage, they enter into a contract allowing Facebook to process information about visitors to their Fanpage for data analytics purposes. They can influence this process by choosing which parameters/information about their visitors they would like to receive (e.g. data on gender, age, education etc.).
  - The case concerned a German educational institute which had a Fanpage on the Facebook platform. The query was whether a Fanpage operator should be considered a data controller or joint data controller in relation to visitors to the Fanpage. When individuals visited the Fanpage, they were asked to consent to data processing via a cookie, and the consent was inadequate. When they visited non-Facebook webpages, information about those individuals was transmitted back to the Facebook platform. So the query was who should be responsible for that type of processing. When a Fanpage administrator creates a Facebook page, they enter into a contract with Facebook which allows Facebook to process this information about visitors to the Fanpage. They are also engaged in this process in so far as they can choose to find out more about the demographics of those visiting the Fanpage (average age, where they come from geographically, whether they are predominantly highly educated). The question the CoJ was asked to consider was who should be classified as data controller.
- Who is/are the data controller(s) in these circumstances?

‘…the administrator of a fan page hosted on Facebook (...) must be regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page.’ (para 39)
  - The Court found that the Fanpage operator was co-responsible with Facebook for the personal data processing: it was a joint controller. The reasoning was that the administrator of a Fanpage takes part in the personal data processing by defining the parameters depending on its target audience and its objectives for promoting its activities and for luring individuals to visit its page.
  - The Fanpage operator enters into the contract with Facebook (it is the Fanpage operator that signs up to Facebook’s cookie policy, whereas individuals were not given adequate opportunity to consent). This in turn gives Facebook the platform to place cookies for profiling purposes on the devices of non-Facebook users, and the operator designates which categories of information it is interested in for data analytics purposes. In all of these ways the Fanpage operators were also involved, and therefore were responsible for GDPR compliance. This was a very controversial judgement.
- Fanpage operators:
  - Agree to a contract with Facebook, including Facebook’s ‘cookie’ policy (para 31)
  - Give Facebook the opportunity to place cookies on the devices of non-users of Facebook (para 35)
  - Designate filters to define the categories of individuals whose personal data are to be processed and the criteria for this processing (para 36)

Fashion-ID
- Confirmed the above.
- Fashion-ID was a website that had the Facebook ‘thumbs up’ button embedded on its page. Every time an individual clicked on the thumbs up, information about that individual was sent back to the Facebook platform. Unlike the Fanpage operator above, Fashion-ID did not get any analytics from Facebook. Simply by having the thumbs up embedded in its website, should Fashion-ID be regarded as a data controller? The Court held that it can be, but recognised that Fashion-ID is only responsible to a certain extent:
- A natural or legal person may be a joint controller only in respect of processing operations ‘for which it jointly determines the purposes and means’. However, a natural or legal person cannot be a controller of preceding or subsequent data processing operations in the overall chain of processing. (Fashion ID, [74])

Discuss
- In the context of joint controllership, do you think the ECJ is getting it right by casting the net wide in terms of responsibility, or would it be preferable to impose more narrowly defined responsibilities on more narrowly defined controllers? Is it better to have everyone responsible, or should we focus on some controllers?
- ‘In the current setting, the broad definitions of personal data, processing of personal data and controller are likely to cover an unprecedentedly wide range of new factual situations due to technological development. The scope of EU data protection law is therefore too broad and should have been limited in the data protection reform process.’

