TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | 11 drafting flaws for the European Commission to address in its upcoming GDPR review Related reading: GDPR conundrums: Processing special categories of data

rss_feed

""

In May 2020, the European Commission is scheduled to deliver its first review report on the EU General Data Protection Regulation. The preparations are well underway, but rumor has it the commission does not intend to draft proposals to reform the GDPR and does not even intend to repair apparent flaws in the drafting.

The limited appetite for a substantial reform is understandable, but I find it harder to justify the commission would not be willing to remedy apparent flaws. In my opinion, there are quite a few inconsistencies in various provisions, though there is always a risk the wish is the father of the thought.

I will start with some obvious issues, but they will get more intricate as the list goes on. I am really interested to hear whether any of you has spotted other issues or inconsistencies and would welcome any additions to the list. I will subsequently make sure this crowd-sourced list is provided to the commission for consideration. Here we go!

Criminal data

Issue 1: The fining clause of Article 83 of the GDPR lists the provisions whose infringements qualify for a 2% fine and those whose infringements qualify for a 4% fine. Article 10 GDPR on criminal data is missing in both, an apparent oversight. Consequently, the supervisory authorities cannot impose an administrative fine if they conclude that an infringement of Article 10 has taken place.

Archiving and research exemption

Issue 2: As to the exemption of processing of special categories of data for archiving and research, there seems to be a contradiction between Article 9(2) Subsection (j) and Article 89. Article 9(2) Subsection (j) provides for a legal basis for processing of special categories of data when necessary for archiving in the public interest and scientific or historical research or statistical purposes in accordance with Article 89(1) based on member state law.  

Article 89(1), however, provides for the conditions for processing data for these purposes but does not require that the processing takes place based on a member state law. Rather, Article 89(2) and (3) specifies in respect of which rights of individuals the member states may provide for specific derogations subject to the safeguards in Article 89(1).

Processors

Three other shortcomings relate to the provisions relating to processors.  

Issue 3: Article 28 requires the processor and controller enter into a data processor agreement and provides for a number of mandatory clauses. In the last sentence of Article 28(3), a reference is made to “point (h),” and I think many of us have wondered what on earth this actually means. This provision requires the processor to inform the controller if an instruction of the controller is infringing on the GDPR. This makes sense, but the requirement only applies “with regard to point (h),” which refers to the obligation of the processor to make available to the controller all information to demonstrate compliance under Article 28 and allow for audits. It is likely that instead of “point (h),” a reference to point (a) was intended, which provides for the obligation of the processor to act on the instructions of the controller, in which case the obligation of the processor to inform the controller if such instruction is infringing does make sense. 

Issue 4: Pursuant to Article 28(8), a supervisory authority may adopt standard contractual clauses for processor agreements in accordance with the consistency mechanism (see Articles 63–67, which require that prior to adoption, the standard processor clauses have to be first submitted to the European Data Protection Board for an opinion). However, Recital 81 of the GDPR provides that such standard processor clauses will, in addition, require adoption by the commission.

Issue 5: The data transfer provisions of Articles 44–50 apply directly to processors. Article 46 requires the exporting processor to provide for appropriate safeguards when transferring data to a non-adequate country (i.e., a country that does not provide adequate data protection). This provision, therefore, applies regardless of whether the importing party is a controller or a processor.

This seems to be a mistake.

The provision should only apply if the importing party is a sub-processor in a non-adequate country and not if the importing party is the controller. This can be explained as follows: The EU legislators made the choice that the GDPR only triggers the limited processor obligations when a controller in a non-adequate country (not subject to the GDPR) involves an EU processor rather than imposing the full scope of the GDPR upon such non-EU controller. They clearly rejected the alternative (as applicable under the previous directive) whereby any data that are transferred by a non-EU controller to the EU processor and subsequently transferred back to the non-EU country would attract the full scope of the GDPR.

With this background, an interpretation of the transfer rules that would require EU processors to impose the full scope of protection of the GDPR on the non-EU controller when transferring data back to such controller would be in contradiction with the choices made by EU legislators when drafting the GDPR. This would mean that, via the backdoor of the transfer requirements, the full scope of the GDPR would be imposed on such controllers, which was clearly not the intention of the EU regulators. For a full explanation, see my IAPP op-ed.

Compliance with legal obligation

Processing of data is, in most cases, allowed if necessary to comply with EU or member state law. The manner in which the relevant legal bases are drafted, however, differs in certain provisions, which seems to be an oversight rather than intentional.

Issue 6: Article 6(1) Subsection (c) provides a legal basis for processing “where this is necessary for compliance with a legal obligation to which the controller is subject.” Legal provisions of the EU or member states may impose duties but may also grant rights by allowing processing in certain instances. Granting rights may require the processing of personal data, but such processing is not covered by Article 6(1) Subsection (c). This is properly regulated in, for example, Article 9(2) Subsection (b), which covers both compliance with legal obligations and exercising rights in the fields of employment law, and social security and protection law of the member states.

Issue 7: A similar issue presents itself where Article 10 (processing of criminal data) provides that processing of criminal data is only allowed when authorized by EU or member state law. Though this seems to be on purpose (to strengthen the requirement), such processing is not always explicitly authorized; an example would be European anti-monitoring laws that impose duties that may require processing criminal data but do not specifically authorize such processing. In the U.K., this is solved by explicitly providing in their GDPR implementation law that wherever there is a legal duty that may involve the processing of criminal data (e.g., anti-money laundering), this processing is considered to be authorized for purposes of Article 10.

Issue 8: The requirement that the processing of criminal data must always be authorized by law poses another issue. Regular contracts, especially online contracts, may involve incidental processing of criminal data where required for the prevention of fraud or for security and integrity of a service. Recital 47 of the GDPR explicitly states that processing of personal data for fraud prevention can be considered a legitimate interest of the controller under Article 6(1) Subsection (f), but this legal basis is not provided for in Article 10. In isolated cases, member state law may provide for the processing of criminal data for fraud prevention (e.g., for e-payments), but this does not cover fraud prevention in the context of regular contracts.

Issue 9: A similar issue arises for criminal data under Article 22 on automated decision-making. Recital 71 of the GDPR explicitly provides that automated decision-making for purposes of fraud prevention as authorized under Member State law is allowed, as well as for purposes of “ensuring security and integrity of a services.” Article 22(2), however, provides that the prohibition for automated decision-making does not apply in case of (i) contractual necessity; (ii) when authorized by member state law; and (iii) based on explicit consent.

For criminal data, the only relevant exemption is where authorized by law, as Article 10 does not provide for the legal bases of contractual necessity and consent. The latter is understandable, as requesting consent would not be practically viable as potential fraudsters will not likely provide consent for fraud prevention purposes. As to the requirement authorized by law, the same issues apply as listed under Issues 8 and 9. The consequence is that for fraud prevention and security and integrity purposes, no exemption is available, while these purposes are exactly what automated decision-making (with appropriate safeguards) is most useful for.

Special categories of data

More complicated drafting shortcomings are due to the fact that Article 9 does not provide for “contractual necessity” as a legal basis for the processing of special categories of data (Article 9 does not have an equivalent of Article 6(1) Subsection (b)). Article 9(2), however, provides for specific purposes for processing as authorized by EU or member state law, for example, where necessary in the field of employment (Subsection (b)) and health care (Subsection (h)). The relevant laws of the member states, in many cases, authorize the processing of special categories of data as necessary for specific types of contracts, such as necessary for insurance, health care and employment.

The lack of a separate legal basis for contractual necessity in Article 9 leads to a number of issues.

Issue 10: Regular contracts, which, in principle, do not require the processing of special categories of data, may still require the processing of health-related data to accommodate, for example, for disabilities (when a controller provides support services for persons with disabilities, such as wheelchairs). In these cases, the controller needs to rely on consent for the processing of their personal data concerning health as Article 9 does not allow for processing based on contractual necessity. That makes this privileged service conditional on providing consent, which is open to challenge under Article 7(4) as the provision of the entire service is made conditional on providing consent.

There are many other types of regular contracts that may involve the incidental processing of special categories of data, for example, services that may require disclosure of health conditions (massage services, flying and diving instructions). Other examples are headhunters or staffing companies that potentially process data from which special categories of data can be inferred (e.g., attendance of a religious school, member of the board of a patient association or LGBT society). Also, in these cases, the service is made conditional on consent, which could be challenged under Article 7(4).

Issue 11: A further consequence of the lack of a separate legal basis for the contractual necessity for processing of special categories is that the right of individuals to data portability is unnecessarily limited. The right to data portability in Article 20 applies in cases where the processing takes place based on consent or based on contractual necessity. As the contractual necessity basis does not apply to special categories of data, the right to data portability only applies if the processing is based on consent. As indicated above, Article 9 allows the member states to authorize the processing of special categories of data, which, in many cases, will be for specific types of contracts, such as insurance, health care and employment. It seems logical that individuals should in any event also have the right to data portability where processing is based on a contract as authorized by such member state law.

As I mentioned in my introduction, I am really interested to hear whether any of you have spotted other issues or inconsistencies in the GDPR and would welcome any additions to the list.

Photo by João Silas on Unsplash

7 Comments

If you want to comment on this post, you need to login.

  • comment Mark Little • Feb 25, 2020
    One issue we have been seeing come up is present in your Issue 2, and also your discussion above regarding Special Categories  (and thus your Issues 10 and 11) is the relationship between Article 9 and Article 6. One view apparently holds they be viewed cumulatively (i.e. Art 9(2) enumerates exceptions, with heightened requirements that must be met, to the blanket prohibition on special categories, but does not eliminate the need for a qualifying legal basis under Article 6. This seems to be supported by the explicitness of the language in 6(1) and the absence of any reference by Article 9 to Article 6. In that view, Article 9 does not "provide" a legal basis for processing in the Article 6 sense, but exceptions to the prohibition of processing in 9(1).
    
    The second view I understand sees Article 9 as lex specialis, providing a different set of legal bases for processing special categories of data, and draw for the close, but not perfect as you note, parallelism between the 9(2) exceptions, and the 6(1) legal bases.
    
    As you no doubt know this was discussed as early as WP 29 06.2014 ("on the notion of the legitimate interests") in III.1.2. It seems there could have been an opportunity to clarity the relationship in drafting the GDPR.
    
    ======================
    
    [Side note: in this excerpt from your article, "(Article 9 does not have an equivalent of Article 6(1) Subsection (a))", did you mean to refer to 6(1)(b) ("necessary for performance of a contract") rather than (a) ("consent")?]
  • comment Jeroen Terstegge • Feb 25, 2020
    Here are my additions:
    1) The mentioning of the processor in art. 3(2) makes no sense whatsoever. In case of an EU controller, the non-EU processor should be covered by Chapter 5 (Note: art. 3 and Chapter 5 are mutually exclusive). In case of a non-EU controller, including its processors in the scope of the GDPR seems legislative overreach (or at least it has no enforcement priority).
    2) the fact that art. 5.1.b has been deleted from art. 23 (compared to art. 13 D95/46) and inserted in art. 6(4) poses serious problems for internal investigations into unethical or illegal behavior, unless Member State law specifically allows it.
    3) The exemption in art. 30(5) is utterly useless because of the use of the word "or" instead of "and".
    4) Art. 32(4) is superfluous given art. 29.
    5) It is not logical that art. 24 only applies to controllers. Although the GDPR has a limited set of obligations for processors, also processor should take organizational and technical measures to ensure compliance that do apply to processors.
    6) Non-compliance with art. 28(3) is punishable by fine, but an addressee of the obligation is missing from the clause. It would be logical to put the obligation to ensure a DPA is in place on the controller (although the DPA may consist of T&C's of the processor).
    7) the definition of health data is confusing. The definition uses 'related to' instead of 'about'. Also, the second comma should be deleted as "reveal" should only refer to the health care services, not to physical or mental health.
  • comment Lyn Boxall • Feb 25, 2020
    I'm working in Singapore, which does not have adequacy status.  We often see cases where the extra-territorial provisions apply to bring organisations within the scope of the GDPR to at least some extent.  As a jurisdiction hosting the regional HQ of many European organisations we also see many instances where the European organisation has adopted a policy of requiring all of their worldwide group members to comply with the GDPR.  The GDPR does not seem to have been well thought-through as regards its application extra-territorially - it often simply does not work.
  • comment Paul Breitbarth • Feb 26, 2020
    Another oversight in my view is the fact that there is no obligation to include the legal basis for processing in the Article 30 Processing Activities Register. Given that having one or more legal bases for a processing operation is mandatory AND that the legal basis is part of the transparency requirements, it would make sense to also include it in the register.
  • comment Lokke Moerel • Feb 26, 2020
    Thanks already for the reactions, very helpful! 
    Mark, as to your side note about the drafting mistake: you are absolutely right and I have asked IAPP to correct it.
    Some thoughts on the comments:
    Mark: as to the relationship between Article 6 and Article 9, you are right that this should have been clarified in the GDPR. I read the opinion of the WP29 (06/2014) as not really chosing between the 2 views (see for citation at the end). The central issue in all of this is that the regime for the use of special categories of data does not include a check on whether there is a legitimate interest for that use. Reviewing the legal grounds of Article 9 shows that none of them require a contextual balancing of interests, which would include an assessment of the measures taken by the  controller to mitigate any adverse effects on the privacy of the individuals concerned. This assessment is deemed to have been made by EU/MS legislators during the determination of the appropriate legal grounds. In this respect, the legitimate interest ground, contrary to what is often thought, can actually provide greater data protection for individuals (see also WP29 Opinion 06/2014, pp. 9-10).  The WP29 has attempted to overcome this problem by taking the position that as the overall policy objective of the privacy rules is to provide higer protection to special categories of data, the protection of such data under Article 9 should not be less if the processing had been based on Article 6. The WP29 then applies the legitimate interest test for data processing on top of the regime for special categories of data. Though the position of the WP29 is understandable from a protection perspective, it is equally clear that the manner in which this is achieved is not optimal (and this issue is still the same under GDPR). First, the legitimate interest ground of Article 6(f) does not always apply to the processing at hand. This is because some of the grounds in Articles 6 and 9 of the GDPR are the same. For example, one of the grounds in Article 6 is 'compliance with law'. The grounds for processing special categories of data under Article 9 require mostly a legal basis in Member State law.  In this case, the legitimate interest test of Artcile 6(f) would not be applied. Both provisions also include the ground of “consent.” For special data, this is often the ground used to justify data processing, while such processing would not pass the legitimate interest test. I flagged this issue (and also how this issue is to a certain extent solved in practice by the DPIA requirement) in my IAPP Op-ed GDPR Condundrums: the regime for processing sepcial categories of data has not changed, or has it?  
     
    See Opinion 06/2014, pp. 15-16:
     
    “…it is clear that the policy objective is to provide additional protection for special categories of data. Therefore, the final outcome of the analysis should be equally clear: the application of Article 8 [now: 9 GDPR] , whether in itself or in a cumulative way with Article 7 [now: 6 GDPR], aims at providing for a higher level of protection to special categories of data. 
    In practice, while in some cases Article 8 [now: 9 GDPR] brings stricter requirements…this is not true for all provisions. Some exceptions foreseen by Article 8 do not appear equivalent or stricter than the grounds listed in Article 7. It would be inappropriate to conclude for instance that the fact that someone has made special categories of data manifestly public under Article 8(2)(e) [now: 9(2)(2)] would be—always and in and of itself—a sufficient condition to allow any type of data processing, without an assessment of the balance of interests and rights at stake as required in Article 7(f) [now: 6(f)].…"
  • comment Lokke Moerel • Feb 26, 2020
    As to addition 1 of Jeroen: I fuly agree that the reference to processors in Artcile 3(2) GDPR does not not make sense and should be deleted. See on this in more detail my GDPR Conundrum: The GDPR Applicability Regime - Part 2 Processors (see below under Related Articles). I have to say, however, that the EDPB in its Opinion on the GDPR applicability regime gives a different interpretation (which I find inconsistent with the legislative history, but there you go).
  • comment Aleksandrs Zimecs • Feb 27, 2020
    In my opinion, 
    (1) Article 13 shall be supplemented with additional exemptions from notifying data subjects, if the legal basis is a legal obligation (6.1.c) or if the controller processes data solely to establish, exercise or protect legal claims (6.1.f).
    (2) Article 6.1.f shall have an exemption from balancing test, if the minimum personal data is used SOLELY to establish, exercise or protect legal claims of the controller.
    (3) "Processor" shall have a right to store minimum data in order to comply with legal obligation (6.1.c), ensure security (metadata - legitimate interests) and to establish, exercise or protect legal claims of the controller. Here GDPR shall follow CCPA, where "service provider" has more capacity over data provided bu "business" (controller in GDPR).