The application of data protection rules to big data technologies raises a number of legal and compliance issues, some of which I highlighted in my recent post about the latest comments from the Information Commissioner’s Office (ICO) in this area. The most vocalised of these issues is around consent and how it can be obtained on a meaningful basis where personal data is processed and aggregated on a massive scale. In other words, where organisations are relying on consent in the big data context, how can they get people to understand how they will use their personal data, such that they can provide clear indications about what it is, in fact, data subjects are being asked to consent to? Also, how can they ensure that they have the right mechanisms in place, as organisations, for evidencing individuals’ freely given, specific and informed consent to the intended use of their personal data?
However, while consent is the ground most often relied upon in the context of big data analytics, less discussed and yet equally important are the other grounds that can be relied upon by controllers to ensure the data protection compliance of their big data activities.
As a reminder, under the first data protection principle, the processing of personal data must be fair and lawful. This requires it to satisfy one of the conditions in Schedule 2 of the Data Protection Act (DPA) (mirrored in Article 7 of the Data Protection Directive). In other words, there is a general prohibition on processing personal data unless a particular condition or ‘gateway’ exists as a pre-requisite to legitimate processing. (Separate conditions apply for the processing of ‘sensitive’ personal data in Schedule 3 of the DPA).
Other than obtaining a data subject’s consent to the processing activity, legal grounds that can be relied upon by a data controller include satisfying one or more of the following conditions:
- The processing is necessary to perform a contract with the individual, or for taking steps to comply with a request made by the individual with a view to entering into a contract.
- The processing is necessary to comply with a legal obligation of the data controller (other than a contractual obligation).
- The processing is necessary to protect the vital interests of the individual (e.g., to protect the life of the data subject).
- The processing is necessary for the administration of justice, or for the exercise of any function conferred by statute.
- The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
It is this last, so-called ‘legitimate interests’, ground that has captured the recent attention of data protection agencies (such as the ICO), as well as the EU Institutions in informing the relevant provisions that will be adopted as part of the new Data Protection Regulation. It is useful here to examine the requirements more closely.
Under existing law, two elements are relevant. First, businesses can only rely on this provision if the processing is necessary for the legitimate interests of the data controller (or, in the case of disclosure to a third party, their legitimate interests). An organisation may have a number of legitimate interests that could be relevant, including, e.g. profiling customers in order to target its marketing, or preventing fraud or the misuse of its services. However, not all processing may be necessary for (as opposed to just being desirable to) achieving such interests in a big data processing context.
Second, if it can establish that it has necessary legitimate interests for carrying out a processing activity, the controller must also ensure that such activity would not unduly prejudice the rights and freedoms of individuals. How exactly should data controllers carry out a ‘balance of interests’ test between their interests and the interests of the data subject? The extrapolated questions to be asked here are: How should organisations judge the point at which the achievement of their legitimate interests becomes unwarranted as they are outweighed in importance? Moreover, how does one generalise from specific circumstances to organisations at large, with regard to the myriad – and sometimes very difficult to predict – consequences of personal data processing to the legitimate interests of data subjects in a big data processing context?
The 2014 EU Article 29 Working Party (WP) opinion on legitimate interests provides useful guidance in setting out in detail the factors to be considered when carrying out the balance of interests test. (It also includes a useful list of practical examples designed to illustrate the application of the test). Yet interpretation of the legitimate interest condition currently differs widely between EU Member States (e.g. page 5 of the opinion refers to Commission studies showing a “lack of harmonised interpretation of Article 7(f) of the Directive, which has led to divergent applications in the Member States”) resulting in legal uncertainty in this area and litigation.
Under the reform discussions, the European Commission’s draft General Data Protection Regulation continues the approach under the existing regime whereby a data controller is required to justify the processing of personal data before it will be considered lawful. Article 6 of the Regulation sets out the criteria for lawful processing, which are further specified as regards compliance with legal obligations, the public interest, as well as a balance of interests criterion. These essentially remain unchanged from Article 7 of the Directive, but there are some slight proposals for amendments in the detail to note.
For example, under Article 6(1)(f), the European Commission text formulates the condition as follows: “processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.” It then states at draft Article 6(5), ”The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child”.
This language has received mixed reactions, in particular in the face of concerns that data controllers will not be up to the task of appreciating and providing the necessary safeguards to the interests of individuals (whether intentionally or not), together with the potential continuing lack of harmonisation between Member States’ interpretation of the provision.
The European Parliament, for example, proposes adding more specificity to the condition. Under its 2014 legislative resolution on the Regulation, processing based on the legitimate interests pursued by the controller (or , in case of disclosure, by the third party to whom the data is disclosed), must “meet the reasonable expectations of the data subject based on his or her relationship with the controller” (Amendment 100, Article 6(f)). However, if processing is limited to pseudonymous data, the European Parliament’s resolution states that it should be presumed to meet the reasonable expectations of the data subject (Amendment 15, recital 38). This does not mean, however, that the interests and fundamental rights of the data subject will never be overriding.
For the ICO, while it is possible that proposed Article 6(5) will not be included in the final text of the Regulation, it has previously expressed concern in 2013 about the delegation of powers to the European Commission to adopt non-legislative acts of general application, including, specifically, on the important issue of deciding what are an organisation’s legitimate interests. This concern may be understood more clearly in light of the ICO’s comments in its 2014 discussion paper on big data and data protection that organisations seeking to rely on the legitimate interest condition “have to pay particular attention to the impact of [big data] analytics on people’s privacy”, which “can be a complex assessment involving a number of factors”. The ICO would prefer to see the criteria underlying such assessments being specified in the Regulation to provide as much legal certainty as soon as possible.
More recently, the ICO has recognised in its summary of the responses to its discussion paper, that the legitimate interests condition places a firm emphasis on organisational accountability. This point is an important one that has also been picked up by the WP. In its aforementioned opinion, the WP emphasises that the ‘legitimate interests’ condition should not be treated as an “open door” to legitimise data processing to which other grounds for legitimate processing may not apply. To this end, the WP specifically recommends incorporating two new recitals into the Regulation. First, it suggests that the key factors to consider when applying the balancing test, and a requirement for data controllers to document their assessment in the interests of greater accountability, should be included. Second, the WP supports a new substantive provision requiring controllers to explain to data subjects when and why they believe the data subject’s interests, fundamental rights and freedoms would not override their own interests.
While draft Article 19 of the Regulation grants data subjects a right to object to processing under the Article 6(1)(f) ground, it is clear that the importance of the ‘legitimate interests’ condition should not be underestimated, in particular regarding situations where big data analytics are being used in a commercial context. On the other hand, another ‘fly in the ointment’ is the extent to which businesses can rely on this condition when they identify a new use for data other than for an original purpose previously consented to. This issue is worthy of a separate post as the ‘waters’ of legal analysis become considerably murkier, as exemplified by the fervent debate surrounding the wording of the new Regulation in this area. More to come soon!