People who work in data protection and privacy often fall into two types (and apologies for ‘bucketing’ people here). You have your ‘legal-ees’, as they are known – people who are either lawyers or trained to the same standard as one. And you have your ‘DPOs’, people who work with DP and have to wrestle with it in everyday life (and not just in a data processing contract).
I’ve often found it interesting to look at both types of people and see how they approach the same situation or scenario. To a legal-ee, unless the law says I can, I will assume that I cannot; to a DPO it’s often a case of: if the law doesn’t say I can’t, then I can, and I will if I need to. Now the world needs both kinds of people, as we need contracts, but we also need a pragmatic, practical knowledge and awareness of DP, otherwise it lives up to its reputation.
Anyone who has looked in detail at the proposed European Data Protection Regulation being fought over in Brussels will notice that a fair few of its clauses have been written by the ‘legal-ees’, and some of the provisions and sections don’t appear to take the real world into account at all.
Currently, section 6 of the regulation looks to redefine the lawfulness of processing personal data and gives six conditions for doing so (some of which you may recognise). These are as follows:
(a) Consent of the data subject
(b) Performance of a contract
(c) Legal obligation of controller
(d) Vital interests of data subject
(e) Public interest
(f) Legitimate interests of the controller, where these don’t harm the interests of the subject.
Stay with me: section 7 redefines the conditions for consent, stating that:
1. Data Controllers need to provide specific proof that a specific consent has been given for that processing.
2. Consent must be given in a clear, free and explicit format.
3. The Data Subject can withdraw consent at any time.
4. Consent is purpose specific; therefore if the purpose ends, the consent ends.
Now, if you’re a legal-ee looking to stop nasty telephone sales companies from selling and buying your data, or even to stop the ever-growing march of ‘big data’, then the above seems to go some of the way to achieving that. You’d be hard pressed to say that consent to share details of your weekly supermarket shop with a 3rd party entity in the US for marketing was in any way in the Data Subject’s ‘legitimate interests’, or that such consent could be informed or freely given. The privacy notice would be too long, for one!
However, the above has the problem of also impacting all other Data Controllers and data processing, as DP law isn’t sector specific. Therefore, if you are a private enterprise (such as a credit bureau) and you can now only process personal data with the express and informed consent of the Data Subject, surely you would be facing a full stop on your business? Historically you have been able to rely on the ‘Legitimate interests of the Data Controller’ clause to process such data. But now that’s gone, what are you left with?
Consent: well, good luck explaining clearly and freely to Data Subjects that their data will be shared with the bureau, where it will be stored, the purposes, and how to object. The collecting Data Controller’s notification is going to be long and complicated enough without adding the Bureau’s as well…
Performance of a contract: Credit Bureaus don’t have contracts with the Data Subject, so that rules that one out.
Legal obligation of controller: well, that won’t work either, as it isn’t a legal obligation for Data Subjects to provide data to the Bureau, or for Data Controllers to do the same. It’s done because it benefits Data Controllers offering credit or financial related services and helps a data subject manage their credit rating.
Vital interests of data subject: well, that won’t work here either. ‘Vital interests’ are limited further under the new regulation to relate to an urgent or pressing interest that can override a right to privacy. Financial wellbeing has never been seen as a “pressing interest” in this regard, and that position doesn’t seem to be changing here. Perhaps we will put this on the maybe pile?
Public interest: as per the vital interests condition above, the financial wellbeing of the public purse (of which the Bureaus are not a part) is rarely seen as a legitimate condition for overriding privacy, especially outside of Freedom of Information related information and covered entities. Unless the government buys all the banks and credit bureaus, I can’t see this holding much ground either.
Legitimate interests of controller where these don’t harm the interests of the subject: finally something that looks like it could do the trick? Well, no, not really. Legitimate interests of Data Controllers still exist, but the condition has been locked down in such a way that the legitimate interests of the Data Controller must not contravene or harm the rights and freedoms of the Data Subject. Now if you’re a data subject with a default recorded on your credit record that is stopping you from getting the mortgage for your new house, you’re going to withdraw your consent for that data to sit on that record (as it’s causing you harm), so that the record is removed and your credit file becomes shiny once more. The credit bureau can then only state that it is in its interest to collect this data in order to help other Data Controllers meet their obligations to lend responsibly. In other words: I want to collect this so I can sell access to it. As the regulation doesn’t differentiate between “good and bad” purposes, selling access is selling access; it doesn’t matter if it’s a marketing database or a credit file.
Now the above doesn’t just highlight a problem with the ‘wording’ of legislation; it also highlights a problem that, for the UK at least, a law is being written by someone who comes from a very different economy and culture. Germany, for example, has a national law that ensures Data Subjects’ financial data is recorded on such registers. Therefore you have your clear condition for processing, and this is a ‘non-issue’ for those in Germany. But for the UK and some other locations, this is a major issue. One size fits all is a good idea, but it has to take into account a diverse legal landscape.
The regulation is still being drafted and re-drafted based on the usual political toing and froing, so this may well change. However, given the overall theme and direction of the regulation, I highly doubt it. This regulation seems to be taking us down the path of long-winded notifications and explanations for your consent, and even more long-winded contracts as Data Controllers try to protect themselves from the threat of audits and large fines.
Being a DPO, I’m not one for legal language, as you can go round and round in circles with it and come out at a different scenario from where you started. If everyone followed the UK laws to the letter, given the state of our legislature, they would quite literally go round and round in circles (or get lost in a sea of acts and bills).
For those who have not read the current regulation yet, I recommend that you do so (see link below). Even if the regulation takes another 2 years to be adopted, people need to know the direction in which this is going and raise issues accordingly. The UK has always been seen as the ‘miserable sod’ on the outside of European legislation, but in this instance the UK really does have a point. This was written with European countries’ laws and economies in mind; therefore some consideration needs to be made for other economies and laws, otherwise it gives Nigel Farage something else to moan about and actually changes more than just an understanding of Data Protection law.
To make you laugh, a friend sent this to me as an example of a clause that has been found in signed finance contracts in the US. Proof that no one actually reads contracts!
END OF WORLD. In the event that the world as known to mankind shall come to an end, whether through natural forces (including, without limitation, plague, drought, earthquakes, hurricanes, and floods), manmade forces (including, without limitation, nuclear or biological war, pollution and global warming), or divine forces (including, without limitation, the Second Coming, the Mayan Cataclysm, and the Rapture, regardless of religious affiliation of Bank or Borrower), all as may then be determined by Bank in its sole discretion, then, in such event, all outstanding principal, interest, fees and charges remaining under the Loan Documents shall immediately become due and payable to Bank at Bank’s offices or designated shelter, without notice of any kind of character, all such notice being hereby waived by Borrower, and Borrower agrees that the end of the world shall not be deemed or construed to constitute a valid excuse or defence to payment; provided further, that in the event that the end of the world shall be divinely inspired, then, in such event, Borrower further agrees that Bank shall be aligned with forces of goodness and light, and Borrower shall be aligned with the forces of evil and darkness, and that Borrower shall be cast into a pit of fire, and shall deliver unto Bank as an indentured servant Borrower’s first born, until all sums owing under the Loan Documents, including attorney fees, shall be fully paid; provided further, that in the event that Borrower should be reincarnated subsequent to the end of the world, whether as an animal, vegetable or mineral, then, in such event, Bank shall have and possess, in addition to the collateral stated in the Loan Documents, a security interest in all of Borrower’s useful products, including, without limitation, any and all fur, hide, meat, edible portions, medicinal properties, and mineral rights, to further secure the prompt payment of all sums owing under the Loan Documents. 
Borrower acknowledges and agrees that it assumes all risk of the end of the world, and that Bank makes no representation or warranty as to when or who such world may come to such end. For the sake of clarification, in no event shall Bank have any liability or other responsibility of any kind for the end of the world, or any part of it, the risk of which having been intentionally and knowingly allocated to and undertaken by the Borrower.
Unofficial version of DP regulation issued by Jan Albrecht – http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=10&cad=rja&ved=0CHEQFjAJ&url=http%3A%2F%2Fwww.janalbrecht.eu%2Ffileadmin%2Fmaterial%2FDokumente%2FDPR-Regulation-inofficial-consolidated-LIBE.pdf&ei=KYfNUvzwAeOy7AaL_YHIAw&usg=AFQjCNFMUhzRtvVVLprYI4x_4CHtK9xgOg