Last weekend, an amended draft of the Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) was published by the British organization statewatch. The proposed changes regard Articles 1-10, 80 (a), 83 and several recitals. While some of them simply clarify the first draft, others – as for example the definition of the term “personal data” in Article 4 Subsection 1 – will have great effects on data protection in Germany.
A. Clarifications
For a start, Recital 3 accentuates that – in accordance with the European Court of Justice’s (ECJ) jurisdiction – the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced with other fundamental rights in accordance with the principle of proportionality.
The regulation’s material scope is outlined and further clarified in Recitals 14 and 18 and in Articles 2 and 80 (a). Article 2 and Recital 14 exempt the application of the regulation, if Member States are processing personal data with regard to common foreign and security policies, public security, defense or State security. Recital 18 takes the principle of public access to official documents into account. Disclosure of documents held by a public authority or a public body cannot be denied by referring to the regulation. It does not preclude the disclosure, if such disclosure is provided for by Union or Member State laws and the data subjects legitimate interests or fundamental rights and freedoms are not prejudiced. Article 80 (a) has newly been added. It regulates the processing activities regarding national identification numbers or any other identifier of general application. Their conditions may be determined by the Member States.
Immediate amendments to Article 3, which regulates the territorial scope, concern the processing of personal data of data subjects residing in the European Union by a controller not established in the Union. The offering of goods and services in such a relationship falls within the regulation’s scope, irrespective of whether they are offered free of charge or a payment of the data subject is required, Article 3 (2) (a). Article 3 (2) (b) holds the regulation to be applicable to any monitoring of behavior of data subjects residing in the Union as far as their behavior takes place within the EU. The term “monitoring” does not only cover tracking a subject on the internet, but also applies to the activities of some foreign public authorities, such as the US ESTA programme. However, Recital 21 limits the activities that can be considered as monitoring the behavior of data subjects to the tracking “on the internet with data processing techniques which consist of applying a “profile” to an individual, particularly in order to take decisions concerning her or him for analyzing or predicting her or his personal preferences, behavior and attitudes.
B. Changes
I. Definition of the term “personal data”
“Personal data” is defined as any information relating to an identified or identifiable natural person (data subject) by Article 2 (a) of the EU Data Protection Directive 95/46/EG. The General Data Protection – that would replace the directive – continues to use this definition, Article 4 (1). Under which circumstances an individual can be considered as identifiable is highly controversial.
Basically, two questions need to be answered:
1. Is data personal data, because it is theoretically possible that someone identifies the data subject? In other words: Does the identification of the data subject have to be objectively and absolutely impossible (so-called absolute impossibility)? Or is it sufficient, that it is so highly improbable that anyone will successfully identify the data subject that the risk can be neglected (so-called virtual or practical impossibility)?
2. Is data personal data, because someone can identify the data subject? Or is it necessary that the data controller or processor can identify the data subject to make data personal data. In German, this question is being discussed under the keyword of “Relativität des Personenbezugs”, which can roughly be translated as relativity of personal data.
The newly published draft now answers both these questions.
On the one hand, according to the regulation data is not personal data, because it is theoretically possible someone identifies the data subject: “If identification requires a disproportionate amount of time, effort or material resources the natural living person shall not be considered identifiable.” The proportionality has to be assessed by weighing the value of knowing who the data subject is against the measures that would need to be taken to identify the data subject. If they are unlikely to be taken by anyone to identify the natural person, the data subject is not identifiable.
On the other hand, the regulation clarifies that the qualification of data as personal data is not an attribute of the data, but rather varies from one data controller/ processor to the other depending on their possibilities to identify the data subject (relativity of personal data). According to footnote 46, to the original data controller, identification will most likely never be disproportionate. But it can be disproportionate for a third party that for example only sees an ID-number or some other “abstract identifier”, which they cannot use to identify the data subject. Given these pre-conditions, IP-addresses can no longer generally be qualified as personal data. It has to be differentiated between the telecommunications provider, who can (easily) identify the person using the IP-address at a certain time and others, who cannot relate the IP-address to a data subject themselves. While IP-addresses are personal data in the first case, they are not in the second, so that they fall out of the regulation’s scope.
II. The data subject’s consent
As with the Data Protection Directive 95/46/EG, the General Data Protection Regulation forbids any activity to process personal data, unless the data subject consents or the activity is allowed by law (ban with permit reservation). Article 7 lays down the conditions that need to be fulfilled for the consent to be considered valid. According to Article 7 (3) the data subject can revoke their consent at any time. The revocation, however, neither makes the processing based on the consent before its withdrawal unlawful, nor does it affect the lawfulness of the processing of data based on other grounds. Thereby, the regulation dries up the springs for those, not allowing to base the same data processing activity on more than one legal ground
Article 7 (4) holds consent not to provide legal basis for the processing of personal data, where there is a significant imbalance between the position of the data subject and the controller, if this imbalance makes it unlikely that consent was given freely. Recital 34 finds that to be the case in any situation, where the data subject is dependent on the data controller. The relationship between employer and employee is given as an example. However, the term “dependence” is open to interpretation, so that in a variety of cases consent may not provide legal grounds for the processing of personal data.
C. Summary
The Council of the European Union’s amendments to the Commission’s draft of a General Data Protection Regulation have mostly just clarified the first draft. The amendment to the definition of the term “personal data” answers questions that have been controversially discussed for a long time. While the amendments to the conditions, under which consent is validly given by a data subject raise new questions. Other articles, such as the Right to be Forgotten in Article 17 have not been subject to changes, although they had been heavily criticized.
The amendments now have to be coordinated with the EU Parliament.