There has been a lot of talk about the extended rights of the new General Data Protection Regulation (“GDPR”) for individuals and the possibility to better control personal data. But no right without exceptions and in some cases it is possible to derogate from these rights. This post describes some of the derogations and what they may imply in practice.
The balancing act
Generally speaking, all legislation originates from a balancing act between various considerations. The same applies for legislation on protection of personal data.
As a matter of fact, the legislation on personal data originates from a balancing act between the consideration for safeguarding privacy on the one hand and on the other hand, the consideration for other fundamental rights, including freedom of expression and information and freedom to conduct business etc. Depending on the nature of the personal data, and what it is to be used for, the access to processing the data is restricted.
The right not to be forgotten
The consideration for the freedoms of expression and information is particularly important among the opposite considerations, and it is mentioned several times in the GPDR, e.g. in connection with the right to be forgotten.
An example could be an artist who, as part of his new political provocative work of art, uses old newspaper clippings in which several individuals are named. The individuals strongly disapprove of the work of art as they do not identify with its political statement and consequently they want to exercise their right to be forgotten. In this case, enforcing the right will imply that the names of the individuals were to be erased or blurred which would reduce the artistic merit considerably and consequently limit the freedom of expression of the artist. It is impossible to clearly foresee outcome of such balancing act because it is subject to a concrete judgement that must consider all the facts of the case. Sometimes the consideration for the freedom of expression of the artist outweighs the right of privacy of the individuals and sometimes it is vice versa.
Similar derogations include that the right to access can be derogated from if the right could violate the rights or freedom of other individuals e.g. in a situation where the right to access would imply propounding a patented invention of a third party.
More potential derogations
Moreover, the GPDR prescribes a general access to derogate from the rights of the individuals for the member states if it is necessary for the purposes of public safety, investigating criminal offences and safeguarding general public interests (e.g. budgetary and taxation matters, public health and social security). However, the possibility to introduce broad derogations is subject to strict criteria with regard to the protection of the rights and freedom of the individuals and may not be more extensive than required to fulfil the purpose.
Furthermore, the GDPR allows the member states to introduce national derogations from the rights of the individuals specifically with the purpose of protection the right of freedom of expression and information, including particularly in relation to journalistic, academic, artistic and literary activity.
The balancing by member states with respect to freedom of expression and information may very well result in varying legal status within the member states. This in particular could lead to challenges for international companies with regard to cross-border processing of personal data, e.g. via the internet.
Unpredictable legal status
On a general level, it may be difficult for individuals to predict their legal status in consequence of the derogations. First of all because it will always rely on a concrete balancing of relevant considerations and secondly because it often is unclear where your data may end up and in which contexts it is used (particularly via the internet) and thirdly because the derogations may vary from member state to member state.