
Overview of Data Protection

Overview of the Data Protection framework

by Pawel Kamocki


What is personal data?


Personal data is any information relating to an identified or identifiable natural person (art. 2 a) of the Personal Data Directive). WP29 in its Opinion on the concept of personal data analysed this definition into four elements:

  • any information regardless of its nature (facts, opinions, even untrue or unproven information) and of its form (textual data, sound, image, digital or analogue);
  • relating to; a piece of information relates to a person if it tells something about that person, i.e. his identity, characteristics or behaviour, or if it can be used to evaluate the situation of an individual. Information can relate to an individual directly (‘Peter is six feet tall’) or indirectly, e.g. via an object (‘This extravagant limousine belongs to Peter’ tells something about Peter’s economic situation, i.e. that he is well-off);
  • identified or identifiable; a person is identified if he or she is singled out directly (via a name, unless it is very common, e.g. Smith) or indirectly (e.g. via a phone number). A person is identifiable if he or she can be identified by any means likely reasonably to be used (see recital 26 of the Personal Data Directive). In assessing whether means are likely reasonably to be used, one should take into account the costs, the relevant interests of the data subject (i.e. the person that the information relates to), the potential benefits for the data controller (i.e. the person who is processing the data) and the risk of dysfunctions. For example, while it is rather unlikely that someone would employ a costly high-end technology in order to learn that Mr. X is a plumber, or that he drives a Honda, when it comes to more sensitive information (Mr. X’s genetic predisposition to lung cancer or his social security number) the probability is higher. In short, the more sensitive the information, the higher the standard for identifiability that should apply;
  • natural person; the Personal Data Directive protects only living natural persons. However, information about dead persons or legal persons may indirectly relate to identified or identifiable natural persons (e.g. ‘The man who died of a rare genetic disease at age 42 was Peter’s father’).


The definition of personal data is therefore extremely broad and covers all sorts of information that relate to a person, including not only the person’s name, phone number and address, but also various facts about the person’s past, opinions about the person, his or her social security number, IP address, voice, biometric information (way of walking or speaking), DNA sequences etc. This has to be kept in mind while processing all sorts of language resources, especially those containing interviews, images or voice recordings.

For further information, see the WP29 opinion on the concept of personal data.



Are there any special categories of personal data? Are all the data equally sensitive?


Certain categories of personal data are particularly sensitive and as such benefit from a stronger protection (art. 8 of the Personal Data Directive). These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life. Processing of these categories of data is in principle prohibited, unless the data subject has given his explicit consent (see below).



What is anonymisation / anonymised data?


Anonymised data, i.e. data that no longer contain any information that can be related to an identified or identifiable natural person, are no longer regarded as personal data and therefore can be freely processed. In assessing whether data are properly anonymised, account should be taken of all means likely reasonably to be used to identify the data subject (including cross-reference with another dataset).

Some anonymisation techniques include randomisation (noise addition, permutation, differential privacy) and generalisation (aggregation, k-anonymity, l-diversity, t-closeness).

The WP29’s opinion on anonymisation sets a very high standard for anonymisation, especially by pointing out the possibility of identification of the data subject via cross-reference with other available datasets (e.g. social media). If you want to anonymise your dataset, contacting the Data Protection Officer at your institution may be a good first step.

Please note that anonymisation is NOT equivalent to pseudonymisation, which consists of separating the identifying elements from the dataset and keeping them apart from it. Pseudonymised data are still personal data. Pseudonymisation is, however, expressly recognised by the new Regulation as one of the safeguards for the data subject’s interests.
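To make the distinction between the generalisation techniques listed above and pseudonymisation concrete, here is an added Python illustration (not part of the original article and not endorsed by its author). It measures k-anonymity and l-diversity over a small set of constructed, invented records, applies generalisation (age bucketing and postcode truncation) to reach k = 3, and shows that pseudonymising the name with a separately kept mapping leaves the quasi-identifiers, and therefore the risk of singling someone out, unchanged. The choice of age and postcode as quasi-identifiers and of diagnosis as the sensitive attribute is an assumption made for the example.

```python
"""Added example: k-anonymity, l-diversity and pseudonymisation on constructed data.

The records below are invented for illustration; the quasi-identifier set
(age, zip) and the sensitive attribute (diagnosis) are assumptions.
"""
from collections import Counter, defaultdict
import secrets

# Constructed sample records (hypothetical people, not real data).
RECORDS = [
    {"name": "Peter", "age": 34, "zip": "10115", "diagnosis": "asthma"},
    {"name": "Anna",  "age": 36, "zip": "10117", "diagnosis": "diabetes"},
    {"name": "Tom",   "age": 38, "zip": "10119", "diagnosis": "asthma"},
    {"name": "Maria", "age": 52, "zip": "20095", "diagnosis": "flu"},
    {"name": "Jonas", "age": 55, "zip": "20097", "diagnosis": "flu"},
    {"name": "Lea",   "age": 59, "zip": "20099", "diagnosis": "asthma"},
]

QUASI_IDENTIFIERS = ("age", "zip")   # assumed: attributes linkable to other datasets
SENSITIVE = "diagnosis"               # assumed: the attribute the research needs


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return k: the size of the smallest group of records that share the same
    quasi-identifier values. k == 1 means at least one person is singled out."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


def l_diversity(records, quasi_identifiers=QUASI_IDENTIFIERS, sensitive=SENSITIVE):
    """Return l: the smallest number of distinct sensitive values within any
    quasi-identifier group. A k-anonymous group whose members all share one
    diagnosis still reveals that diagnosis for everyone in the group."""
    values = defaultdict(set)
    for r in records:
        values[tuple(r[q] for q in quasi_identifiers)].add(r[sensitive])
    return min(len(v) for v in values.values()) if values else 0


def generalise(records, age_bucket=10, zip_prefix=3):
    """Generalisation: drop the direct identifier (name), coarsen age into
    buckets and truncate the postcode, keeping the sensitive attribute."""
    out = []
    for r in records:
        low = (r["age"] // age_bucket) * age_bucket
        out.append({
            "age": f"{low}-{low + age_bucket - 1}",
            "zip": r["zip"][:zip_prefix] + "*" * (len(r["zip"]) - zip_prefix),
            SENSITIVE: r[SENSITIVE],
        })
    return out


def pseudonymise(records):
    """Pseudonymisation: replace the name with a random token and keep the
    token-to-name mapping separately. Quasi-identifiers are untouched, so the
    result is still personal data and k does not improve."""
    mapping = {}
    out = []
    for r in records:
        token = secrets.token_hex(8)
        mapping[token] = r["name"]
        out.append({"id": token, **{k: v for k, v in r.items() if k != "name"}})
    return out, mapping


if __name__ == "__main__":
    print("raw:           k =", k_anonymity(RECORDS))
    print("generalised:   k =", k_anonymity(generalise(RECORDS)),
          "l =", l_diversity(generalise(RECORDS)))
    pseud, mapping = pseudonymise(RECORDS)
    print("pseudonymised: k =", k_anonymity(pseud), "(mapping kept apart:", len(mapping), "entries)")
```

Running the script shows k = 1 for the raw records, k = 3 (but only l = 2) after generalisation, and k = 1 again for the pseudonymised copy: the token hides the name, but anyone holding the mapping, or another dataset with age and postcode, can still relate each row to a person.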



What qualifies as processing of personal data?


Processing is a legal notion that covers all sorts of operations that can be performed upon data regardless of its purpose, including (but not limited to): collection, storage, consultation, use, dissemination (or making available otherwise), erasure or destruction (see art. 2 b) of the Personal Data Directive).



What conditions need to be met in order for personal data processing to be lawful?


In order to be lawful, processing has to meet a series of requirements: (a) it has to be legitimate, (b) the data have to comply with certain quality standards, and (c) -- to the extent required by applicable national law -- some formalities may need to be completed.


Making processing legitimate

Data processing is legitimate if the data subject (i.e. the person that the data relate to) has unambiguously given his consent. As a general rule, one should always obtain the data subject’s consent before undertaking any processing of personal data; nevertheless, some alternatives to consent remain available.


The data subject’s consent

The Personal Data Directive defines consent as “any freely given specific and informed indication of [the data subject’s] wishes by which the data subject signifies his agreement to personal data relating to him being processed” (art. 2 h)).

Even though the Directive does not require that consent be in writing (but some national laws may do so), it is always preferable to obtain written consent, be it only for the purpose of proof.

On the other hand, the definition requires that consent must be specific — therefore, it cannot be too general (arguably, consent for processing ‘for the purposes of scientific research’ is too general and therefore invalid; instead, the consent should probably specify the domain of the research, the name of the organisation that carries it out or the name of the research project).

Consent also has to be informed, which means that certain information about the processing has to be provided to the data subject before he can validly consent to the processing. This includes: the identity of the data controller (the person who processes the data) and of the data recipient (the person that the data are to be transferred to, if applicable), the purpose of the processing (which itself has to be explicit, legitimate and specific) and the data subject’s right of access (see below).

For more information about consent, see WP29’s opinion.

The drafting of a consent form is a delicate task that should be performed by a trained lawyer and take into account the specificity of local law. If you want to have a consent form drafted for your project, contact a lawyer or a Data Protection Officer in your institution.


Alternatives to consent

In practice, it is not always possible to obtain the data subject’s consent. This is why the Directive enumerates a number of situations in which processing may still be legitimate without consent (so-called alternative grounds for legitimacy). These include:


  • when processing is necessary for the performance of a contract to which the data subject is party (e.g. buying or selling a house, or even a car, would require some processing of personal data; in such a case, the contract ‘replaces’ consent and a separate consent for processing is no longer necessary),
  • when processing is necessary in order to protect vital interests of the data subject (e.g. if the data subject is unconscious and needs a quick blood transfusion there is, obviously, no need for a written consent), but also
  • when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed”.

Arguably, research (at least in domains like medicine or pharmacology) can be such a legitimate interest. This is why certain national legislators could adopt a research exception in their national laws (see below) based on this ground. Some degree of harmonisation as far as the interpretation of this ground is concerned has recently been provided by WP29 in its opinion. Nevertheless, it shall remain a ‘safety valve’ which is only used when it is practically impossible to obtain the data subject’s consent.


Data quality standards

According to the Directive, personal data should be collected for specific, explicit and legitimate purposes (which the data subject should be informed of, e.g. in a consent form). The data should be adequate, relevant and not excessive in relation to this purpose; they should be accurate and, where necessary, kept up to date; and finally, they should be kept for no longer than necessary to achieve the specific purpose. Some exceptions concerning scientific research may exist in the Member States (see 3.7 below).

Moreover, the person who processes the data must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.


Formalities

As a general rule, before processing is carried out, the data controller should notify the national supervisory authority (a list of which can be found here) about the processing and its purposes. The details of this obligation, as well as possible exemptions, are specified in national laws. If you want to know about them, please contact the Data Protection Officer in your institution, or your national supervisory authority.



What are the rights of the data subject?


Even if the data subject (i.e. the person that the data relate to) consented to processing, he or she retains certain rights with regard to his personal data. The most important of these rights is to be informed about the purpose of processing, the identity of the data controller etc. (see above on consent) -- this information should be provided in a consent form.

But the data subject also has a right to access the data in order to rectify them, erase inaccurate data or block their further unlawful processing. Following his request, the data subject should be granted access to his data without excessive delay or expense.

A particular instance of this right, concerning erasure of personal data from an Internet search engine, is commonly referred to as ‘the right to be forgotten’ (see CJEU case C-131/12 Google Spain).

Finally, the data subject has a right to object to the processing of his data for direct marketing purposes (this is why, if you are receiving a commercial newsletter, you should be given the possibility to unsubscribe at any time).



Are there any special rules related to research?


According to the Personal Data Directive, personal data have to be processed for a specific purpose and not further processed in a way incompatible with this purpose. This means that, a contrario, data can be further processed for purposes compatible with the original purpose (the so-called ‘purpose extension’). The text of the Personal Data Directive, as well as the WP29 opinion, suggest that scientific research (especially historical and statistical) may often be regarded as a compatible purpose, therefore allowing data which were originally collected for a different purpose to be processed for scientific purposes. However, before you rely on this principle, consult your national law or contact the Data Protection Officer in your institution.

The Personal Data Directive contains no explicit exceptions for research; however, some of the principles of the Directive (processing for pursuit of legitimate interests of the data controller, further processing for compatible purposes) allow a degree of flexibility here. Therefore, research exceptions can be found in national laws (most importantly: s. 33 of the UK Data Protection Act; LDSGs in German states), but they will often be formulated in a narrow and imprecise way. For the sake of clarity and legal security it is always better to obtain the data subject’s written consent. However, if you want to know more about research exceptions in your jurisdiction, contact the Data Protection Officer in your institution.



Can personal data be transferred abroad?


Within the European Union (and the EEA) personal data can be transferred freely. This is also the case when data are transferred towards a third country that ensures an adequate level of data protection. The adequacy of the level of protection is officially assessed by the European Commission; the relevant decisions can be found here: http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm. Most importantly, according to the EC, the United States does not ensure an adequate level of protection (although transatlantic data transfers are facilitated by the Privacy Shield agreement which has replaced the recently invalidated Safe Harbour agreement).

Data can be transferred towards the countries that do not ensure an adequate level of data protection in a limited number of cases, e.g. if the data subject has given his unambiguous consent for the transfer. Therefore, if you want to share a dataset containing personal data with a research team from the US, you should modify your consent form accordingly.