Tuesday 9 April 2013

Another daft opinion from the Article 29 Working Party

If I were an academic lawyer, steeped in the minutia of European data protection laws, I would probably savour the latest 70 page opinion from the Article 29 Working Party. Packed with commentaries on legal oddities, surely this is the stuff that keeps the academic community salivating.

If, on the other hand, I were a busy data protection professional, trying my best to develop privacy notices in a language that resonated with customers, I would despair at some of the examples presented in the paper on how to ensure that personal data collected for one business purpose can legitimately be used for another purpose.

Finally, if I were a member of the public, I wouldn’t waste my time reading any of this stuff.  

Members of the public hardly read privacy notices at present, and I fear that even fewer of them are likely to attempt the far more comprehensive notices that are considered necessary if they are dealing with a data controller that has a complex business model and wants to change it.

For what it’s worth, I took the opinion with me to tonight’s meeting of the Crouch End Chapter of the Institute for Data Protection, and we all had a good laugh.

Why? Well, as colleagues opined:

Unfortunately, it suffers from the same problems as most Article 29 opinions in that they do not fully understand the areas they opine on. Most of the scenarios are clearly imagined rather than what companies actually do or want to do – which would have been more helpful. Their continued refusal to consult with experts in the area they are writing about only increases their lack of credibility.

Some of their conclusions of incompatibility in the scenarios are absurd (see 13 on page 35 - are we really going to let people continue to live in unsafe buildings and possibly die in fires because of data protection?!), and some conflate issues (see 14 on page 66 - conflates incompatibility with doing crime mapping properly). 

It goes beyond the law in some places, such as saying that the ‘decisional criteria’ (algorithm) for profiling must be disclosed in a privacy policy. This is not the case and only has to be disclosed if an individual requests this information when making a subject access request.

It is also inconsistent. In one example of a bank saying it processes the data to provide financial services and also to “prevent fraud and abuse of the financial system, and to comply with legal obligations requiring that certain information is reported to the competent public authorities”, it suggests that the fraud and legal obligations uses while compatible are too vague to be a specified purpose. Another scenario involves an energy company using smart meter data to detect fraud and abuse, however, there are no concerns about this and the safeguards in place merely include “transparency towards data subjects”. There is no suggestion about what level of detail an organisation is supposed to provide in relation to uses of data for fraud purposes. Too much information here would allow people to circumvent the fraud detection processes!

Another example highlights how they see the rights of individuals taking precedence over a business being profitable in that a fictional garden and DIY company is so transparent about how its loyalty card customer discounts are calculated that the customers are already swapping tips on forums about how to game the system and get bigger discounts – which is apparently of no issue at all.

The opinion  also goes too far in promoting the Napoleonic code approach: in one scenario where a car manufacturer has a legal obligation to inform buyers of defects in a car that needs to be recalled, and does so by using a database of car owners from another source. Despite the (general) obligation being in law and the public health and safety reasons, they still argue that, although there is a strong indication of compatibility, the law should really be updated to explicitly provide for the disclosure to the car manufacturer.

Example 16 on page 67 suggests that crawling the web and using information individuals have made publicly available for other uses such as marketing, is likely to be an incompatible use. However, the example is so specific as to be useless – people vouching for an alternative medical practitioner by putting up their illness details and how they were helped, and this being crawled by an online vitamin supplement organisation to market their products.  In any event, this example does not work under UK law, as the example is of individuals voluntarily putting their information online and a different company collecting and using the data for marketing. The relevant data protection principle says: "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes." The vitamin company obtained it for the purpose of marketing and used it for that purpose. Its lawful basis is legitimate interests (schedule 2) and that it was made publicly available (schedule 3).

In summary, the Article 29 Working Party has done it again.

What a missed opportunity. Had they have published the opinion a day earlier, on April 1, we could all have enjoyed it as a joke.

Article 29 Working Paper
 203 [00569/13/EN]