If I were an academic lawyer, steeped in the minutiae
of European data protection laws, I would probably savour the latest 70-page opinion
from the Article 29 Working Party. Packed with commentaries on legal oddities,
surely this is the stuff that keeps the academic community salivating.
If, on the other hand, I were a busy data
protection professional, trying my best to develop privacy notices in a
language that resonated with customers, I would despair at some of the examples
presented in the paper on how to ensure that personal data collected for one
business purpose can legitimately be used for another purpose.
Finally, if I were a member of the public, I
wouldn’t waste my time reading any of this stuff.
Members of the public hardly read privacy
notices at present, and I fear that even fewer of them are likely to attempt
the far more comprehensive notices that are considered necessary if they are
dealing with a data controller that has a complex business model and wants to
change it.
For what it’s worth, I took the opinion with
me to tonight’s meeting of the Crouch End Chapter of the Institute for Data Protection,
and we all had a good laugh.
Why? Well, as colleagues opined:
Unfortunately, it suffers from
the same problems as most Article 29 opinions in that they do not fully
understand the areas they opine on. Most of the scenarios are clearly imagined
rather than what companies actually do or want to do – which would have been more
helpful. Their continued refusal to consult with experts in the area they are
writing about only increases their lack of credibility.
Some of their conclusions of incompatibility in the scenarios are absurd (see 13 on page 35 - are we really going to let people continue to live in unsafe buildings and possibly die in fires because of data protection?!), and some conflate issues (see 14 on page 66 - conflates incompatibility with doing crime mapping properly).
It goes beyond the law in some places, such as saying that the ‘decisional criteria’ (algorithm) for profiling must be disclosed in a privacy policy. This is not the case and only has to be disclosed if an individual requests this information when making a subject access request.
It is also inconsistent. In one
example of a bank saying it processes the data to provide financial services
and also to “prevent fraud and abuse of the financial system, and to comply
with legal obligations requiring that certain information is reported to the
competent public authorities”, it suggests that the fraud and legal obligations
uses, while compatible, are too vague to be a specified purpose. Another scenario
involves an energy company using smart meter data to detect fraud and abuse;
however, there are no concerns about this and the safeguards in place merely
include “transparency towards data subjects”. There is no suggestion about what
level of detail an organisation is supposed to provide in relation to uses of
data for fraud purposes. Too much information here would allow people to
circumvent the fraud detection processes!
Another example highlights how
they see the rights of individuals taking precedence over a business being
profitable in that a fictional garden and DIY company is so transparent about
how its loyalty card customer discounts are calculated that the customers are
already swapping tips on forums about how to game the system and get bigger
discounts – which is apparently of no issue at all.
The opinion also goes too far in promoting the Napoleonic
code approach: in one scenario where a car manufacturer has a legal obligation
to inform buyers of defects in a car that needs to be recalled, and does so by
using a database of car owners from another source. Despite the (general)
obligation being in law and the public health and safety reasons, they still
argue that, although there is a strong indication of compatibility, the law
should really be updated to explicitly provide for the disclosure to the car
manufacturer.
Example 16 on page 67 suggests
that crawling the web and using information individuals have made publicly
available for other uses such as marketing, is likely to be an incompatible
use. However, the example is so specific as to be useless – people vouching for
an alternative medical practitioner by putting up their illness details and how
they were helped, and this being crawled by an online vitamin supplement
organisation to market their products. In
any event, this example does not work under UK law, as the example is of
individuals voluntarily putting their information online and a different
company collecting and using the data for marketing. The relevant data
protection principle says: "Personal data shall be obtained only for one
or more specified and lawful purposes, and shall not be further processed in
any manner incompatible with that purpose or those purposes." The vitamin
company obtained it for the purpose of marketing and used it for that purpose. Its
lawful basis is legitimate interests (schedule 2) and that it was made publicly
available (schedule 3).
In summary, the Article 29 Working
Party has done it again.
What a missed opportunity. Had they published the opinion a day earlier, on
April 1, we could all have enjoyed it as a joke.
Source:
Article 29 Working Paper 203 [00569/13/EN]