Article 5 of the EU General Data Protection Regulation outlines the processing requirements for personal data. A recent fine imposed by the Danish DPA gives some guidance on how these Article 5 principles could be enforced going forward.
In fall 2018, Denmark’s data protection authority, Datatilsynet, performed an audit of taxi company Taxa 4x35. Authorities found that Taxa had implemented a data retention policy but had failed to follow it. Investigators found that personal data relating to about 9 million individual taxi rides was being preserved beyond the lawful two-year retention policy. Specifically, Taxa erased the name and address of each customer but retained their phone number. Taxa claimed the phone number was used as an “account number” and so the company had a legitimate purpose to retain it. Taxa admitted that the phone number itself was not required — an anonymized number would fulfill the purpose. However, its computer systems were unable to convert the phone number into a new unique ID that would not be classified as personal data. The Danish DPA said, “[O]ne cannot set a deletion deadline which is three years longer than necessary simply because the company's system makes it difficult to comply with the rules.” In March, the Danish DPA fined Taxa 1.2 million kroner (US$180,000), its first fine under the GDPR.
In its ruling, the Danish DPA found that Taxa had violated Article 5 of the GDPR in three ways: purpose limitation, data minimization and storage limitation.
Article 5(1)(b) requires that data be collected for a legitimate purpose and not be further processed in a manner that is incompatible with that purpose. Taxa violated this principle when it transformed the phone numbers of customers into “anonymous” account numbers. Taxa admitted that the phone number was not necessary; only an account number to be associated with taxi ride data was needed.
This enforcement seems to be the opposite of what we may take the intent behind purpose limitation to be. Purpose limitation is usually meant to stop personal data from being used in a different way, where it retains its value precisely because it is personal information. Here, the opposite is true. Taxa did not treat the phone number as personal data and apparently had no intention of using the phone number to contact or personally identify the individual customer. Instead, it intended it to be an anonymous way to track data to meet a business purpose. The Danish DPA clearly found that personal data must be processed in compliance with the GDPR, regardless of how the company intends to treat the data.
Article 5(1)(c) requires personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Taxa argued that it had met minimization requirements by removing the names associated with the phone numbers and that its systems were not capable of transferring the anonymous data about the taxi ride from a phone number to a unique ID. The Danish DPA did not care that the computer systems made it difficult to create new account numbers and stated, in no uncertain terms, that costs associated with migrating personal data to a new anonymous data structure do not justify continued use of the phone number beyond the retention policy.
Article 5(1)(e) requires that personal data is kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the personal data is processed. Taxa had a retention policy in place that stated data collected during a taxi ride is only necessary for two years. However, at the end of the two years, Taxa only deleted the name associated with the ride but kept all the taxi-ride data relating to the ride (date, GPS coordinates of starting and ending location, distance, payment) and associated with the customer’s phone number for an additional three years.
Retention schedules are only good as long as they are followed. Privacy professionals need to ensure that the timetable of retention is no longer than is necessary and that, once that time has expired, all personal data is removed or anonymized. The data relating to the taxi ride could have been retained if it hadn’t been linked to personal data. Ensure that any data that is retained at the end of a retention schedule has all personal data removed from it.
As of this writing, GDPR fines have been scattered but seem to have some things in common. They all seem to relate to basic things and activities that were already problematic previously under the directive. Purpose limitation, minimization and storage limits are not new principles from the GDPR. They are all things that privacy professionals have been dealing with for years. The difference now, and the lesson we learn from cases like Taxa, is ensuring that we don’t let new, perhaps overwhelming projects like Article 30 compliance prevent us from putting in the time and effort where it has always been needed.