Under Article 11 of the EU General Data Protection Regulation, the provisions governing processing that does not require identification might be considered one of the embodiments of the data minimization principle, i.e., requirement that personal data are adequate, relevant and limited to what is necessary with the purposes for which they are processed.
Article 11 limits some of the data controllers’ obligations and, at the same time, aims to emphasize how the GDPR requirements may not be used as an excuse to collect more data than otherwise would be needed. If a purpose for which a controller processes personal data does not or no longer require them to identify a data subject, then they are not obliged to maintain, acquire or process additional information to identify the data subject for the sole purpose of complying with the GDPR, such as with the obligation to enable data subjects’ rights.
However, it seems the provisions limiting some of the data controller’s obligations under Article 11 are open to misinterpretation — in the way they are used as an argument for rejecting data subjects from exercising their rights. Also, the processing in question does not require identification and therefore, a data controller is not obligated themselves to identify data subjects by collecting additional data for the purpose of enabling their rights.
This misinterpretation stems from the “oversight” in the second paragraph of Article 11, which states Articles 15 through 20 of the GDPR shall not apply if the controller can demonstrate that it is not in a position to identify the data subject, except where data subjects provide additional information enabling identification. Recital 57 of the GDPR provides additional guidance, stating that the data controller should not refuse to take additional information provided by the data subject to support the exercise of their rights.
Misconception and the Stop COVID-19 app
A good illustration of both the practical application and the above-mentioned misconception of Article 11 is the privacy policy of Stop COVID-19, the Croatian contact-tracing application released July 27, 2020. The purpose of the app is to alert individuals if they have come in contact with someone who has COVID-19. The Croatian Ministry of Health is the data controller for the app, and APIS IT, the app developer, is the data processor.
The app is decentralized (as opposed to a centralized approach where all relevant data are stored in the central server), operates on the Bluetooth Low Energy technology, and is based on the Google and Apple exposure notification system. It collects and processes only randomly generated keys, which change several times every hour, proximity data and the date and duration of the contact between users. These should be treated as pseudonymized data, even though it is claimed the data is anonymized.
How does misconception apply to the application? According to the app’s privacy policy, users have the right, under Articles 15 through 21 of the GDPR, to contact the ministry’s data protection officer and right to file a complaint with the Croatian Personal Data Protection Agency. However, when responding to a complaint, the ministry can reference Article 11 and say they are not obliged to collect data since the app does not possess information that could be clearly assigned to the user. They could not enable users to exercise their GDPR rights.
Considering the data being processed via the app, it is evident the main purpose is not to identify data subjects nor does it require identification, irrespective of whether it is possible to do so. The ministry would indeed need additional information from users to assign the above-mentioned pseudonymized data to them to, for example, enable the right of access.
It is important to stress Article 11 presumes the controller is not obliged to collect additional data just to enable exercising the rights — not that the controller can reject data subjects’ requests by reference to the inexistence of such an obligation — if they are willing and able to provide such additional data. However, the respective provisions of Article 11 seem misinterpreted exactly as exemplified above — the privacy policy virtually states that the ministry as a data controller does not have an obligation to collect additional data even when data subjects would provide such data.
Additionally, the privacy policy also claims that collecting additional data would be contrary to the aim of collecting the smallest amount of data as possible via the app — which is, undoubtfully, in line with the data minimization principle — thus “exceeding” the processing purpose. What the ministry is missing is that the purpose would not be the same. Collecting additional data should not be assessed from the perspective “if it is necessary or intended” to collect additional data for the purposes of contact tracing but from the perspective of enabling data subjects to exercise their rights.
To clarify, establishing that rights cannot be exercised — due to the inability to identify data subject even with additionally provided data — is one thing, but to exclude any possibility of doing so in advance is another. It is uncertain if that was the intention or if this is a result of the puzzling wording of the app’s privacy policy, but it could be concluded that users cannot exercise rights according to Articles 15 through 21 of the GDPR against the ministry as the data controller.
It is, of course, possible the ministry or any other data controller in the same or similar situation would be unable to identify data subjects to enable them to exercise their rights with regards to the respective processing activity even after they provide additional data. However, the GDPR provisions, including the full text of Article 11, should be duly followed. If a controller is unable to identify a data subject requesting their rights, they should first inform the data subject of that inability clearly and transparently. Further, if a data subject is willing to provide additional data to enable their identification, and such data would still not be enough for identification, then Article 11 would be fully embodied.
Photo by Joshua Sortino on Unsplash
European Data Protection, Second Edition
European Data Protection reviews concepts, criteria and obligations of the GDPR and related laws, examines the territorial and material scope of the GDPR, legitimate processing criteria, information provision obligations, data subjects’ rights, security of processing, accountability requirements, and supervision and enforcement. The book also provides practical concepts concerning the protection of personal data and cross-border data transfers.