Balancing in the GDPR: legitimate interests v. right to object

[Note: This post was originally published on the CiTiP Blog]

Balancing exercises permeate data protection law. This post investigates the interaction between two core manifestations of such balancing in the GDPR: the last lawful ground (Art.6(1)f) and the right to object (Art.21(1)).

Balancing in Article 6(1): From lawfulness to guiding principle?

Balancing exercises play a pivotal role in the General Data Protection Regulation (GDPR). They are implied in concepts such as fairness and proportionality that permeate the GDPR. The centrepiece of balancing exercises within the Regulation is to be found in Article 6(1)f. This last lawful ground permits processing of personal data whenever ‘necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject’. In other words, this provision puts the legitimate interests of the controller and those of third parties against the interests, fundamental rights and freedoms of the data subject.

The balancing exercise put forward in Article 6(1)f arguably transcends merely being one lawful ground among the others. Indeed, the previous four grounds (necessary for (b) performance of a contract, (c) compliance with a legal obligation, (d) protect the data subject’s vital interests, (e) tasks carried out in the public interest), could be qualified as variations on a theme. They are simply situations where the interest in processing prevails by default. In light of the fairness principle, one may even claim that the first lawful ground on consent is subject to some level of balancing in light of Article 6(1)f. The very act of consenting can be qualified as a strong indicator that there is a balance. This is particularly true in light of the new Article 7, inter aliaputting forward the unconditional ability to withdraw one’s consent as well as guarding against all-or-nothing clauses.

The practical relevance of this consideration is that the lawfulness of any processing operation, regardless of its lawful ground, will have to be assessed in light of Article 6(1)f’s balancing exercise. The Art. 6(1)f balancing test will inform – not determine – the validity of the other lawful grounds. In sum, the balancing test in Article 6(1)f is the manifestation of the fairness principle (Article 5(1)a) in the form of a lawful ground. As such it can be used as a proxy for evaluating the validity of any of the lawful grounds.

Balancing and the right to object

The balancing exercise in Article 6(1)f can be qualified as an ex ante obligation. It needs to be complied with before the processing operation initiates. In practice, this balancing exercise will unilaterally be defined by the controller. Enter data subject rights. The rights to object and to erasure install ex post rights, effectively empowering data subjects to challenge the balance put forward by the controller. The right to object (Art.21) is particularly interesting in this regard, because it defines its very own balancing exercise. When a data subject objects ‘on grounds relating to his or her particular situation, […] the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interest, rights and freedoms of the data subject […]’. As such, the right to object may be one of the clearest manifestations of the fairness principle in the shape of a data subject right.

Despite the striking resemblance between the balancing exercises in Articles 6(1)f and 21(1), there are some key differences. The right to object explicitly requires the data subject to put forward grounds relating to his/her particular situation, but at the same time puts the onus on the controller to establish overriding ‘compelling legitimate grounds’. The shift in burden of proof when compared to its predecessor (Art.14) in Directive 95/46, seems to have settled halfway. Both controller and data subject have one, though the controller’s is more onerous. In light of the accountability principle in Article 5(2), the burden of proof for establishing a balance under Art.6(1)f a priori lies with the controller alone. But, to all intents and purposes, when a data subject wishes to effectively challenge this balance, he/she will have to substantiate that claim.

Importantly, Art.21(1) does not include a reference to third party interests, which makes it seem more narrow than Art.6(1)f’s balance. Reading more closely, however, the provision merely requires the controller to demonstrate overriding ‘compelling legitimate grounds’. The language does not constrain these grounds to be of the controller alone and could therefore encompass much more than only ‘the interests pursued by the controller or by a third party’ in Art.6(1)f. This would render it harder for data subjects to exercise their right to object than to challenge the lawfulness of the processing operation(s) itself. This puzzling conclusion might partially be countered by the fact that Article 21(1) does not require the rights and freedoms of the data subject to be fundamental (contrary to Art.6(1)f).

Things get even more confusing when reading recital 69, which conflicts with Art.21(1) on three occasions, referring to (a) the controller’s own legitimate interests only; (b) ‘interests’ instead of ‘grounds’, the former being narrower; and (c) data subjects’ fundamental rights and freedoms. The end-result is that it is unclear how the balancing exercise under Art.21(1) should be performed exactly, leaving data subjects less empowered.

In conclusion, one may wonder what the added value of Article 21(1)’s balancing exercise is in the first place. Firstly, data subjects are free – at least in theory – to challenge lawful grounds (including Art.6(1)f) already anyway. Secondly, a closer look at Art.21(1) suggests that its balancing exercise is less likely to benefit data subjects than the one in Article 6(1)f. In light of data protection law’s rationale – routinely confirmed by the CJEU – the right to object should be interpret from the perspective of ensuring a high and effective level of protection. Such a systematic reading implies the right to object’s balancing exercise should be mirrored against (not equated to) the one in Art.6(1)f. The right to object can still be successful even though the processing is lawful stricto sensu under Article 6(1)f. The main added value of Art.21(1) therefore appears to be (a) allocating the burden of proof; and (b) empowering data subjects to challenge the status quo.

Advertisements

The Personal Data Equaliser

[Note: This post was originally published on the CiTiP Blog]

The concept of personal data – key in determining data protection law’s material scope of application – may seem pretty straightforward in the abstract. In practice, particularly when assessing the applicability of specific data subject rights, things get a lot murkier.

 Personal Data – a Disharmonious Concept

It is a truism to say that Personal Data constitutes data protection law’s central building block. Indeed, personal data is the key factor in determining the framework’s applicability. Directive 95/46 – as well as the upcoming General Data Protection Regulation (GDPR) – are pretty concise in defining the concept: “any information relating to an identified or identifiable natural person.” No a priori distinction is made between different sources, types, formats, and so on. Only the contentious sub-category of ‘sensitive data’ explicitly enjoys special status. Personal data’s incredibly wide definition has been documented and criticised widely. Data protection law’s ‘information-agnosticism’ is also an important element separating it from the general right to privacy. The latter primarily covering more intimate data (or elements/activities) affecting an individuals’ private sphere.

In reality, not all (personal) data are equal. Many legal texts specify or differentiate particular kinds of personal data because of the heightened risk to the individuals’ rights, interests or freedoms. Even though the data protection framework explicitly refers to some sub-categories of data – sensitive data, (online) identifiers, pseudonyms, traffic and location data – it appears unfeasible to devise an overall taxonomy for personal data. The many attempts that have been made – in privacy policies, by consultants and academics in different fields – fail to offer a satisfactory and comprehensive overview.

The few data categories explicitly/implicitly appearing throughout the GDPR are useful indicators for assessing the extent of rights and obligations. However, the applicability of data subject rights – and the right to erasure in particular – cannot be reduced to a mere qualification of the underlying data in one of these categories. Google’s and Facebook’s privacy policies differentiate personal data on the basis of its origin, its form and/or its function. But data can also be differentiated on the basis of its nature, sensitivity or visibility/obscurity. To complicate things even more, predefined categories often overlap in practice, further rendering nonsensical any attempts at straightjacketing personal data into predefined categories.

Still, the category of data will often impact the exercise of data subject rights. The rights to erasure and to object illustrate this quite well. Different data-types will have a different impact on the data subject and the balancing exercise generally accompanying a request to erase/object. Sensitive data may be the most obvious example of a data category that will generally tip the balance in favour of the data subject. In short, there is clearly some merit in qualifying the relevant personal data in one way or another. In light of the concept’s incredible heterogeneity however, attempts at developing a comprehensive ‘personal data taxonomy’ are doomed from the start.

 Personal Data Equaliser

Instead of trying to come up with a data taxonomy – or even a more modest list of specific data categories – an alternative can be envisaged. From the perspective of exercising one’s data subject rights, it makes more sense to identify relevant variables on a case-by-case basis. These may relate to the data itself (e.g. accuracy, public interest, sensitivity, format), the source (e.g. voluntarily shared, inferred), the data subject (e.g. role in public life, child), time, context, etc. Each of these ‘variables’ – some of which correspond with categories in obsolete data taxonomies – should be seen as non-binary continuums.

By analogy, one could think of an audio equaliser, ubiquitous in eighties’ stereo sound-systems. Every slider represents a variable, impacting – to a greater or lesser extent – what comes out of the speakers. Similarly to its audio-counterpart, the ‘personal data equaliser’, comes with certain pre-sets. For certain situations or ‘data types’, there will be pre-defined defaults. Depending on the circumstances, certain sliders will be hardwired (e.g. format of the data, controller), whereas others might still be tweakable (e.g. visibility/obscurity). Crucially, determining the configuration of parameters is only possible a posteriori, when evaluating the applicability of data subjects’ rights in a particular case.

The Data Equaliser acknowledges the complexity of today’s information processing landscape. It recognises the impossibility of a priori determining the potential implications on an individual of one type of personal data or another. Today’s vast – and quickly expanding – data processing eco-system transforms seemingly trivial and/or anonymous data into personal data and vice versa. Unsurprisingly, determining the reach of data protection rights (notably, the right to erasure) is a tough exercise in the abstract. Though helpful indicators, the personal data categories defined by the legislator do not offer quick-and-easy answers either. The idea behind the ‘personal data equaliser’ recognises the messiness of data and the importance of looking at the particular circumstances of each individual case. It acknowledges the fluidity of ‘personal data’, depending on time and context.

Looking ahead, attempts at bringing more structure to the concept of personal data should focus on identifying potential variables rather than types of personal data. Such a functional approach will be much more valuable to the interpretation of data subject rights in practice.

CJEU is asked to rule on the ‘Right to be Forgotten’ again

The Italian Supreme Court recently asked the CJEU for a preliminary ruling on two questions regarding the ‘right to be forgotten’.

[Disclaimer: this information is loosely translated from official documents published by the Dutch Ministry of Foreign Affairs. The original request can be found here [it]. The CJEU’s documents folder (still empty at the time of writing) can be found here.]

Facts & Procedure (Case C-398/15 – Manni)

The original plaintiff (Salvatore Manni)’s business had gone bankrupt in 1992. This was added to a public Company Register, managed by the defendant (Camera di commercio di Lecce). Plaintiff argued he (his business of selling houses in particular) suffers damages and requested defendant to anonymise his name or restrict access to the register. Defendant stated that the ‘Companies Register’ is a public database with the primary function of informing (on request) about relevant information of companies. The case escalated all the way to the Italian Supreme Court (Corte Suprema di Cassazione), which referred to questions to the CJEU.

Questions referred

The Italian Court essentially wonders whether information legally consigned to (and made public by) the defendant, can be erased, anonymised or access-restricted after a certain time. The Court does point out the importance of the public Register (for legal certainty). Referring to the Google Spain Case (C-131/12), the Court asks not whether the information should be erased from the Register, but whether limits should be put as to the (further) use of this public information by third parties.

  1. Does Article 6(1)(e) of the Data Protection Directive supersede the making public through the company register as commended by Directive 68/151/EEG and corresponding national legislation, to the extent that the latter requires that anyone should have have access to the personal data in the register without restrictions?
  2. Does Article 3 of Directive 68/151/EEG allow, in contrast with the rule that the Company Register saves public information for an indeterminate time and can be consulted by anyone, the information to be made no longer ‘public’, though still available to a specific group, and this to be decided on a case-by-case basis by the Register’s manager?

Relevance

The underlying facts in this ‘Manni’ Case, are strikingly similar to the ones in the Google Spain Case. Instead of focusing on the third-party, however, the CJEU is now asked to evaluate the obligations of the original publisher. In Google Spain, it was already decided (by the national DPA) that the original publication could not be touched before even reaching the CJEU. In the Manni Case, the original source also has a legal obligation to publish. Yet, it is not asked to remove personal data from the source altogether. Only whether the source can be asked to make it less accessible. This raises very interesting questions – left unanswered in Google Spain – as to the obligations on the shoulders of the original publishers and different degrees of publicity.

To be continued…!

The Right to be Forgotten – It’s about time, or is it?

[Brief summary of my presentation at the CPDP 2014 panel on “Timing the Right to be Forgotten”. Slides: See Below]

The panel took a really refreshing perspective on the Right to be Forgotten debate. So I was glad to take this opportunity to look more closely at what role ‘time’ actually plays in the legal framework relevant to the so-called ‘Right to be Forgotten’.

In short, the presentation aimed to identify some of the relevant legislations and case-law, with a particular focus on the general right to privacy and the data protection framework.

Terminlogical Issue – Over the past few years, the so-called ‘Right to be Forgotten’ seems to have been used as some sort of umbrella term to refer to different situations and different legal regimes (general right to privacy, right to personal portrayal, data protection, defamation, etc).

General Right to Privacy – When looked at in the context of the general right to privacy (8 ECHR), it is usually applied to shield individuals from being confronted with certain aspects of their past in a disproportionate, unfair or unreasonable way (classic example: ex-convict who is confronted with his/her past in the media, years after the facts). Because it is primarily invoked in situations where an individual’s personal life is publicly exposed, usually by the media, a careful balancing exercise with other fundamental rights will be imperative. One of the key criteria in making this balance will often be to look at how much time has passed. In the Österreichischer Rundfunk v Austria Case, for example, the ECtHR specified that the lapse of time since a conviction and release constitutes an important element in weighing an individual’s privacy interests over the public’s interest in publication. But, in another case, concerning the publication of a book by the private doctor of former French President Mitterand, the Court held that the lapse of time was an argument in favour of the public’s interests over the privacy and medical confidentiality protections of the ex-President.

Data Protection Law – When based on the data protection framework, the right to be forgotten – or rather right to erasure – seems to be more mechanical and straight-forward. At least in theory. Under the current Directive, the right can be invoked when the data processing “does not comply with the provisions of the Directive, in particular because of the incomplete or inaccurate nature of the data” (art.12). In other words, it looks like the data subject could invoke his/her right to erasure when the controller fails to fulfil its obligations or ignores data subjects’ rights. Keeping mind the concept of ‘Time’, three of the most relevant elements, probably are (1) the purpose specification and use limitation principle, (2) the need for a legitimate ground and (3) the data subject’s right to object.

The purpose specification principle actually constitutes some sort of benchmark against which the processing of personal data will be assessed over time. Besides having to be be specific and explicit, the purpose also has to be legitimate. It goes without saying that the legitimacy of the purpose of processing can evolve over time, depending on a variety of factors. On top of that, over time the personal data might become unnecessary, irrelevant or inadequate to achieve the original (or a compatible) purpose (for more information, check the Article 29WP Opinion 2/2013 on Purpose Limitation).

Secondly, the processing activities will permanently have to be tested against the legitimacy grounds in article 7 of the Directive. This is particularly relevant when the processing is based on the last legitimacy ground, which requires a careful balance to be made between all rights and interests at stake. These might, of course, evolve over time as well.

Thirdly, in principle the right to erasure can also be invoked when the data subject has successfully exercised his/her right to object. In order to exercise one’s right to object, it is necessary to put forward compelling and legitimate grounds (relating to one’s particular situation). It goes without saying that these grounds can include a variety of factors, among which time is one.

In the currently still pending Google Spain Case before the Court of Justice of the EU, for example, one of the primary arguments of the original plaintiff was the passing of time.The  National Court  explained that today, it is possible to create very detailed personal profiles in just a couple of clicks, with information that used to be difficult to find. The lack of territorial and temporal limitations to the dissemination of information constitutes a danger to the protection of personal data. The Court further specified that originally lawful and accurate personal data may become outdated overtime in the face of new events. Some of this information might actually generate social/professional/personal harm to the individual.

Finally, a few words about the draft Data Protection Regulation.  Article 17 on the Right to be Forgotten and to Erasure – already rebranded to the pre-existing right to erasure – specifically aims to give (back) some control to data subjects over their data. Without wanting to go into detail on this provision (which does not add that much to the existing regime, but rather emphasises existing rights and obligations), it is worth highlighting that the article does refer to the concept of ‘Time’ in paragraph 7. This provision stipulates that the controller should “implement mechanisms to ensure that the time limits established for the erasure of personal data […] are observed. The Regulation also requires these time limits are to be specified in the information provided to data subjects (art.14(1)(c).

Concluding. First of all, technology makes it ever more more easy to store and find old information. Just think of the digitisation of old archives, facial recognition, geo-tagging, etc. This trend evidently upsets an increasing amount of individuals. Depending on the relevant facts in each case, a number of legal frameworks might be used to request certain information to be removed. The general right to privacy seems to be particularly used in situations where private information is made public (again) by the media. From ECtHR (and national) case-law it can be deduced that the time-factor can either play in favour of removing the information (when deemed irrelevant, see Österreichischer Rundfunk v Austria Case) or in favour of keeping the information available (when entered in the public domain or when the information is of particular relevance in light of current events, see Aleksey Ovchinnikov v. Russia and Editions Plon v. France). In any case, it seems that from all legal frameworks that might be applicable, data protection law in particular constitutes an increasingly attractive route to take. Not only does it have a broad scope of application, but unlike most other regimes, it does not require falsehood, malicious intent or even widespread publicity

Regardless of what legal regime is used, it seems that in virtually all of these cases, a balance of interests and rights will have to be made. And in quite a few situations time will be a relevant factor to take into account. To give yet another recent example, it is worth referring to the Advocate General’s opinion in the DRI & Seitlinger Case before the Court of Justice (C‑293/12; C‑594/12), released just last month. In this Opinion, the AG explicitly claimed that the Data Retention Directive is incompatible with the Charter of Fundamental Rights. One of the reasons he put forward was that the Directive does not respect the principle of proportionality, in requiring data retention for up to two years. Although the Directive’s ultimate objective is perfectly legitimate, the AG argued, there is no justification for extending the data retention period anything beyond one year.

So, in short, it seems that the passing of time can be used to argue both ways – for or against removal. The importance of ‘time’ in determining the merits of removing information will be different in each individual case, but should not be overestimated either. Eventually, time will just be another factor in assessing the balance of rights and interests.

According to the Advocate General, Mr Cruz Villalón, the Data Retention Directive is incompatible with the Charter of Fundamental Rights

“In his Opinion delivered today, Advocate General Pedro Cruz Villalón, takes the view that the Data Retention Directive1 is as a whole incompatible with the requirement, laid down by the Charter of Fundamental Rights of the European Union, that any limitation on the exercise of a fundamental right must be provided for by law.”

Press Release