The GDPR
The various assumptions of lawfulness of processing provided by the Directive are listed and sometimes specified in Article 6 of the Regulation or some of its recitals.
Thus, the consent must relate to one or more specific purposes, which excludes any purpose expressed in general. It is also necessary to remember that the consent is defined in Article 4, 11) as meaning the expression of will, free, specific and informed.
These characteristics have to be specified and are exemplified in recitals 42 and following, and in Article 7 of the Regulation. In these recitals, special attention is paid to the free nature of the consent that should be excluded if the data subject has no real freedom of choice and is not able to refuse or withdraw without suffering damages. The consent can not either constitute a valid legal basis where there is a clear imbalance between the data subject and the controller and that imbalance gives rise to doubt on whether the consent has been given freely in all cases of this particular situation.
Recital 47 provides details regarding the consideration of the legitimate interest of the controller in its opposition to the rights and freedoms of the data subject. A legitimate interest may exist in particular when there is a relevant and appropriate link between the data subject and the controller, for example if the data subject is a client of or if is at service to the controller. In any case, the data subject must be entitled to expect, when and as part of data collection, that they are subject to processing for this purpose.
It should be noted that the latest version of the Regulation excludes the criterion of the legitimate interests of the data subject (Art. 6, f)) for the processing by public authorities in carrying out their tasks , imposing a return to a strict lawfulness of the processing in question.
Still according to recital 47 the data subject should be able to object to the respective processing of data, for reasons relating to his or her personal situation, and it's free to do so. To ensure transparency, the controller should be required to explicitly inform the data subject with respect to their legitimate interests pursued and to justify them as well as on the right of the data subject to object to the processing.
The Regulation also gives an important clarification regarding the processing that is justified by a law imposing proceedings in the cases referred to in Article 6, paragraph 1, c) (processing necessary for compliance with a legal obligation) and Article 6, paragraph 1, , subparagraph e) (processing necessary for the performance of a task carried out in the public interest). In both cases, the legal basis of the processing should be defined in accordance with the Union law or the national law of the Member State to which the controller data is subject (see Art. 6, paragraph 3).
Contrary to the idea of the Regulation unifying the rules on the matter, the 3rd paragraph, b) of Article 6 explicitly states that this legal basis can contain specific provisions to adapt the application of the rules in the Regulation (e.g., the general conditions of lawfulness of the processing, the categories of data that being the subject of the treatment, the entities to which the data can be communicated and the purposes for which they can be communicated, the purpose limitation, etc.). The final version of the Regulation states that the law of the Union or the Member States must meet the objective of public interest and be proportionate to the legitimate interests pursued.
The final provision no longer opens the conditions in which a purpose can be changed, in case that the latter is incompatible with the initial purpose. The evolution of the text shows a real debate: the original text contained no rule while the second version introduced a specific paragraph (§ 4). If the data were collected by the same controller, subsequent processing would have been allowed despite the incompatibility of the purposes, as far as such incompatibility could be justified by any of the general assumptions of legality provided for in paragraph 1 of the provision. In other words, the controller could always find a solution to an incompatibility between the initial purpose and the subsequent purposes of processing by identifying a new basis for lawfulness of the processing.
The latest version of the Regulation has purely and simply removed this paragraph. The Group Article 29 had strongly criticized this provision, which would harm and empty the principle of purpose of its substance (cfr. ). G29, Opinion 03/2013 on purpose limitation, 2 April 2013, p. 36 and 37).
The basic principle is therefore that of the requirement of compatibility of the new purposes with the initial purposes, except by consent of the data subject or where a specific legal text so allows on the same reasons justifying a limitation of the rights and obligations provided for by the Regulation (see article 23 (1). In case of incompatibility, the pursuit of the incompatible purpose is prescribed.
The text of the Regulation (Art. 6, 4) provides some criteria to assess this compatibility. For example, the existence of a link between the purpose, for which the data were collected and the purposes of the proposed future processing, the nature of the personal data which will be processed, the possible consequences of further processing envisaged for the data subjects, or even the existence of appropriate measures, which may include encryption and pseudonymisation.
Finally, the final version of the Regulation introduces a new paragraph 3 allowing the Member States to adapt the provisions of the Regulation in view of the conformity of processing with Article 6, paragraph 1, under c) (legal obligation) and e) (task of public interest), by determining more precisely the obligations for processing and other measures to ensure the legality and lawfulness, also with regard to the special situations of processing referred to in chapter IV.
The Directive
Article 7 of the Directive provides that data processing can be performed only if one of the hypotheses under the provision is met:
The unambiguous consent of the data subject (consent);
- the need for the performance of the contract with the data subject (contract) or
- the need for compliance with a legal obligation to which the controller is subject (legal obligation) or
- the need for safeguarding the vital interest of the data subject (vital interest) or
- the need for the performance of a task of public interest or in the exercise of public authority (task of public interest) vested in the controller or a third party the data communicated to whom are part of these assumptions.
A final hypothesis, the search for a balance of interests, imposes an evaluation that is more difficult in practice. The processing must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject (legitimate interest).
Potential issues
The clarifications provided by the Regulation often endorse the interpretations of the former texts advocated by the National Commissions and the Group. Article 29
The possibility left to the states to adapt the rules applicable to the processing imposed by national legislation, however, is more problematic. It is significant of the willingness of states to reserve part of their sovereignty as there is a relationship between the state or one of its entities and the controller/citizen. Being so understandable, this opportunity to continue to regulate a large number of processing cases on a specific and national basis opens a significant breach in the supposed acquis brought by the Regulation: the unification of the rules at European level.
The biggest disappointment comes from the refusal to make the principle of compatibility of the purposes more flexible. The prohibition of processing in case of incompatibility of the purposes is opposed to the evolution of processing that is somehow “frozen” by its actual initial purpose. If data have been processed for the purposes of performance of a contract, they cannot be communicated to a third party for feeding a big data profiling process, except with the data subject's consent or legal authorization.
Let's be clear: the case could be to admit it without guarantees, but the data subject would have been perfectly protected if we had departed from the principle - as the second version of the text specified - that the second purpose would give rise to new processing, which should be subject to compliance with all the provisions of the law (new information regarding the data subjects, identification of a new lawfulness criterion, etc.).
The solution of the Regulations is different: no purpose can be changed without data subject’s prior consent. In practice - we think for example of Big Data projects – this strict rule may illegalize a large number of projects. Not to count the data provision services, in particular in the area of marketing, which often do not have the data subject’s prior consent.
Group 29
Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (6 February 2018)
(Endorsed by the EDPB)
The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling.
Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.
Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.
The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.
Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:
- increased efficiencies; and
- resource savings.
They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.
However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.
These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.
Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.
The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.
This document covers:
- Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
- General provisions on profiling and automated decision-making – Chapter III
- Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
- Children and profiling – Chapter V
- Data protection impact assessments and data protection officers– Chapter VI
The Annexes provide best practice recommendations, building on the experience gained in EU Member States.
The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.
Link
Guidelines on Consent under Regulation 2016/679 (10 April 2018)
(Endorsed by the EDPB)
These Guidelines provide a thorough analysis of the notion of consent in Regulation 2016/679, the General Data Protection Regulation (hereafter: GDPR). The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon Opinion 15/2011 on consent. The obligation is on controllers to innovate to find new solutions that operate within the parameters of the law and better support the protection of personal data and the interests of data subjects.
Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. When initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing.
Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.
The existing Article 29 Working Party (WP29) Opinions on consent remain relevant, where consistent with the new legal framework, as the GDPR codifies existing WP29 guidance and general good practice and most of the key elements of consent remain the same under the GDPR. Therefore, in this document, WP29 expands upon and completes earlier Opinions on specific topics that include reference to consent under Directive 95/46/EC, rather than replacing them.
As stated in Opinion 15/2011 on the definition on consent, inviting people to accept a data processing operation should be subject to rigorous requirements, since it concerns the fundamental rights of data subjects and the controller wishes to engage in a processing operation that would be unlawful without the data subject’s consent. The crucial role of consent is underlined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Furthermore, obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality. Even if the processing of personal data is based on consent of the data subject, this would not legitimise collection of data which is not necessary in relation to a specified purpose of processing and be fundamentally unfair.
Meanwhile, WP29 is aware of the review of the ePrivacy Directive (2002/58/EC). The notion of consent in the draft ePrivacy Regulation remains linked to the notion of consent in the GDPR. Organisations are likely to need consent under the ePrivacy instrument for most online marketing messages or marketing calls, and online tracking methods including by the use of cookies or apps or other software. WP29 has already provided recommendations and guidance to the European legislator on the Proposal for a Regulation on ePrivacy.
With regard to the existing e-Privacy Directive, WP29 notes that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR. This also applies to references to consent in the current Directive 2002/58/EC, as the ePrivacy Regulation will not (yet) be in force from 25 May 2018. According to Article 95 GDPR, additional obligations in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks shall not be imposed insofar the e-Privacy Directive imposes specific obligations with the same objective. WP29 notes that the requirements for consent under the GDPR are not considered to be an ‘additional obligation’, but rather as preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive.
Link
CJEU caselaw
C-465/00 ; C-138/01 ; C-139/01 (20 May 2003)
1. Articles 6(1)(c) and 7(c) and (e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data do not preclude national legislation such as that at issue in the main proceedings, provided that it is shown that the wide disclosure not merely of the amounts of the annual income above a certain threshold of persons employed by the bodies subject to control by the Rechnungshof but also of the names of the recipients of that income is necessary for and appropriate to the objective of proper management of public funds pursued by the legislature, that being for the national courts to ascertain.
2. Articles 6(1)(c) and 7(c) and (e) of Directive 95/46 are directly applicable, in that they may be relied on by an individual before the national courts to oust the application of rules of national law which are contrary to those provisions.
Opinion of Advocate general
Judgment of the Court
C-524/06 (16 December 2008)
1. A system for processing personal data relating to Union citizens who are not nationals of the Member State concerned, such as that put in place by the Law on the central register of foreign nationals (Gesetz über das Ausländerzentralregister) of 2 September 1994, as amended by the Law of 21 June 2005, and having as its object the provision of support to the national authorities responsible for the application of the law relating to the right of residence does not satisfy the requirement of necessity laid down by Article 7(e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, interpreted in the light of the prohibition on any discrimination on grounds of nationality, unless:
– it contains only the data which are necessary for the application by those authorities of that legislation, and
– its centralised nature enables the legislation relating to the right of residence to be more effectively applied as regards Union citizens who are not nationals of that Member State.
It is for the national court to ascertain whether those conditions are satisfied in the main proceedings.
The storage and processing of personal data containing individualised personal information in a register such as the Central Register of Foreign Nationals for statistical purposes cannot, on any basis, be considered to be necessary within the meaning of Article 7(e) of Directive 95/46.
2. Article 12(1) EC must be interpreted as meaning that it precludes the putting in place by a Member State, for the purpose of fighting crime, of a system for processing personal data specific to Union citizens who are not nationals of that Member State.
Opinion of Advocate general
Judgment of the Court
C-468/10 ; C-469/10 (24 November 2011)
1. Article 7(f) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that the data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources.
2. Article 7(f) of Directive 95/46 has direct effect.
Judgment of the Court
C-342/12 (30 May 2013)
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is included within the concept of ‘personal data’, within the meaning of that provision.
2. Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 do not preclude national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.
Judgment of the Court
C-683/13 (19 June 2014)
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is covered by the concept of ‘personal data’ as referred to in that provision.
2. Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 must be interpreted as not precluding national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.
3. It is for the referring court to determine whether the employer’s obligation to provide the national authority responsible for monitoring working conditions access to the record of working time so as to allow its immediate consultation may be considered necessary for the purposes of the performance by that authority of its monitoring task, by contributing to the more effective application of the legislation relating to working conditions, in particular as regards working time, and, if so, whether the penalties imposed with a view to ensuring the effective application of the requirements laid down by Directive 2003/88/EC of the European Parliament and of the Council of 4 November 2003, concerning certain aspects of the organisation of working time, are consistent with the principle of proportionality.
Judgment of the Court
C-582/14 (19 October 2016)
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
2. Article 7(f) of Directive 95/46 must be interpreted as precluding the legislation of a Member State, pursuant to which an online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as that the collection and use of that data are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after a consultation period of those websites.
Opinion of Advocate general
Judgment of the Court
C-13/16 (4 May 2017)
Article 7(f) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not imposing the obligation to disclose personal data to a third party in order to enable him to bring an action for damages before a civil court for harm caused by the person concerned by the protection of that data. However, Article 7(f) of that directive does not preclude such disclosure on the basis of national law.
Opinion of Advocate general
Judgment of the Court
C-73/16 (27 September 2017)
1. Article 47 of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that it does not preclude national legislation, which makes the exercise of a judicial remedy by a person stating that his right to protection of personal data guaranteed by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, has been infringed, subject to the prior exhaustion of the remedies available to him before the national administrative authorities, provided that the practical arrangements for the exercise of such remedies do not disproportionately affect the right to an effective remedy before a court referred to in that article. It is important, in particular, that the prior exhaustion of the available remedies before the national administrative authorities does not lead to a substantial delay in bringing a legal action, that it involves the suspension of the limitation period of the rights concerned and that it does not involve excessive costs.
2. Article 47 of the Charter of Fundamental Rights of the European Union must be interpreted as precluding that a national court rejects, as evidence of an infringement of the protection of personal data conferred by Directive 95/46, a list, such as the contested list, submitted by the data subject and containing personal data relating to him, if that person had obtained that list without the consent, legally required, of the person responsible for processing that data, unless such rejection is laid down by national legislation and respects both the essential content of the right to an effective remedy and the principle of proportionality.
3. Article 7(e) Directive 95/46 must be interpreted as not precluding the processing of personal data by the authorities of a Member State for the purpose of collecting tax and combating tax fraud such as that effected by drawing up of a list of persons such as that at issue in the main proceedings, without the consent of the data subjects, provided that, first, those authorities were invested by the national legislation with tasks carried out in the public interest within the meaning of that article, that the drawing-up of that list and the inclusion on it of the names of the data subjects in fact be adequate and necessary for the attainment of the objectives pursued and that there be sufficient indications to assume that the data subjects are rightly included in that list and, second, that all of the conditions for the lawfulness of that processing of personal data imposed by Directive 95/46 be satisfied.
Opinion of Advocate general
Judgment of the Court
C-496/17 (16 January 2019)
The second subparagraph of Article 24(1) of Commission Implementing Regulation (EU) 2015/2447 of 24 November 2015 laying down detailed rules for implementing certain provisions of Regulation (EU) No 952/2013 of the European Parliament and of the Council laying down the Union Customs Code, read in the light of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that the customs authorities may require an applicant for AEO status to send to them the tax identification numbers, allocated for the purposes of collection income tax, concerning solely the natural persons who are in charge of the applicant or who exercise control over its management and those who are in charge of the applicant’s customs matters, and the details of the tax offices responsible for the taxation of all those persons, to the extent that that data enables those authorities to obtain information on serious or repeated infringements of customs legislation or taxation rules or on serious criminal offences, committed by those natural persons and relating to their economic activity.
Opinion of Advocate general
Judgment of the Court