22 February, 2016
The new European General Data Protection Regulation (GDPR – pdf) offers some interesting opportunities to develop case law on the interplay of law, technology, and organisations. For example, the use of ‘appropriate safeguards’ may allow further uses of personal data to create more value. Recital 40 of the GDPR explains the substantive “multi-factor assessment” for a data controller when it states:
“[…] In order to ascertain whether a purpose of further processing is compatible with the purpose for which the data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account inter alia any link between those purposes and the purposes of the intended further processing, the context in which the data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use, the nature of the personal data, the consequences of the intended further processing for data subjects, and the existence of appropriate safeguards in both the original and intended further processing operations.”
Summarised, a data controller must assess to what extent a further use would be considered inappropriate or ‘creepy’ by data subjects in their particular context, and should employ safeguards to “ensure fair processing and to prevent any undue impact on the data subjects.” The European data protection regulators assembled in the Article 29 Working Group explain (pdf) the value of safeguards to compensate for “deficiencies at certain points […] by a better performance on other aspects.” Safeguards are thus technical, legal, and organisational measures that, acting as an ontological friction, oppose the information flow in the infospehere (to paraphrase Luciano Floridi).
Technical safeguards include anonymisation techniques, aggregation of the data (e.g. k-anonymity), statistical techniques (differential privacy), or privacy enhancing technologies. Legal safeguards would include non-disclosure agreements, compliance with safe harbour (or data shield!) provisions, and transparency in informed consent procedures. Organisational safeguards consider access to data, external privacy audits and confidentiality agreements for employees.
It will be fascinating to keep track of how regulators and courts reason about the use of complex and sophisticated combinations of safeguards to enable more further uses of personal data. A case-by-case assessment of safeguards will require in-depth knowledge of – or solid expert advice about – the interplay of technical, statistical, and organisational measures to protect personal data. This is, however, a move in the right direction, where the EU shows that privacy is not just a legal matter, but requires full contextual and social analysis of information systems.
Academic Liaison at Princeton University