The General Data Protection Regulation (“GDPR”) is a new regulation that will apply from 25th May 2018. It brings into being new legal institutions in order to provide more protection for the personal data rights of individuals in the European Union. Data protection is further interpreted by Article 29 Data Protection Working Party (“WP 29”). Its purpose is to provide expert advice, promote consistent application, give opinions to the European Commission, and make recommendations to the public on matters related to personal data protection. The WP 29 adopted two new guidelines on 3rd October 2017.
Guidelines on personal data breach notification (No. WP250)
The first of the mentioned guidelines are called “Guidelines on personal data breach notification under Regulation 2016/267”, and explain the mandatory breach notification and communication requirements of the GDPR, and some of the steps controllers and processors can take to meet these new obligations. The GDPR requires a controller and a processor, in order to ensure the appropriate security of the personal data to prevent a personal data breach. A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored, or otherwise processed” (“a breach”). In the event that such a breach happens, the situation may require notification to a supervisory authority, or even communication to affected individuals. Notification responsibility may arise, depending on the likeliness and intensity of a risk, to the rights and freedoms of natural persons, which will need to be assessed on a case-by-case basis.
This notification is to be carried out within 72 hours of the controller becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Exceptionally, there may be a delay, in such a case, the notification shall be accompanied by an explanation of the reasons for said delay. The WP 29 further explains that a controller “becomes aware” when he has a reasonable degree of certainty that a security incident has occurred, and which has led to personal data being compromised. Controllers, therefore, should have internal processes in place to be able to detect and address any such breach. If there are signs of a breach, a responsible person(s) needs to be contacted. The responsible person(s) will investigate if such a breach has occurred, and if personal data has been compromised. This period of investigation must be short, and must commence as soon as possible. It is appropriate to note that the controller sometimes may not have to be regarded as being “aware” during this period. After this period, the risk to the individuals has to be assessed, so that the controller knows if such notification is required. Moreover, the likeliness of risk is further diminished or excluded by encrypting the data, so that it is unintelligible to unauthorized parties. There must also be a backup or a copy of such data, so that it is still available. All of these steps must be taken while acting to contain and recover said breach.
When the controller and processor are not the same person, there may arise some discrepancies. The WP 29 explains that processors must assist controllers in ensuring compliance with these obligations. The processor must notify the controller without undue delay, because the controller should be considered to be “aware” once the processor has become aware of the breach. The WP 29 also recommends an immediate notification by the processor to the controller, since further notifications may be carried out later, in phases. It is possible that the processor carries out the notification on behalf of the controller, but the legal responsibility still remains with the controller. All of these above-mentioned details should be laid down in some formal arrangements or contract, concluded between the processor and the controller.
The notification for the supervisory authority should, at minimum, describe categories of data subjects (such as children, employees, customers, or people with disabilities). It is further suggested by the WP 29 to notify in phases, which means adding additional information later on, and not waiting for it before commencing with the notification process. If the breach of cross-border processing of personal data occurs, then the controller may notify only the lead supervisory authority. However, it is recommended that the controller indicates which establishments and data subjects in other member states are likely to have been affected by such a breach. The lead supervisory authority is the supervisory authority of the controllers main establishment. When in doubt as to the identity of the lead supervisory authority, the controller should, as a bare minimum, notify the local supervisory authority.
If the breach is likely to result in high risk to the rights and freedoms of natural persons, they need to be notified, as well as the supervisory authority. The notification must be carried out in clear and plain language, and needs to comprise: a description of the nature of the breach, the name and contact details of contact point (primarily, the data protection officer), a description of the likely consequences, and a description of the measures taken to address said breach. The breach should be also communicated to the affected data subjects directly, unless doing so would require a disproportionate effort. Controllers might consult with the supervisory authority to determine the most appropriate contact channel. The assessment of the risk is to be carried out by the controller, but the supervisory authority may also require the controller to notify the individual, even if he himself decides not to.
Assessment of the risk to the rights and freedoms of data subjects should be objective, and should take into account the following criteria: (i) type of breach; (ii) the nature, sensitivity, and volume of personal data (combinations of personal data are more sensitive, because they enables easier identification);(iii) ease of identification of individuals; (iv) severity of consequences for individuals; (v) special characteristics and the number of individuals; (vi) special characteristics of the data controller; and (vii) general assessment.
All breaches need to be documented, and the WP 29 recommends documenting the controller’s reasoning, as well as any decisions taken. The supervisory authority may request further details in any event, and fine the controller if they fail to properly document any such breach. If the controller fails to notify properly, they could be fined up to EUR 10,000,000 or up to 2 % of the total worldwide annual turnover of the undertaking in question.
Guidelines on automated individual decision-making and profiling (No. WP251)
The other guidelines adopted were guidelines called “Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679”. These guidelines address profiling and automated decision-making, which can pose significant risks for individuals’ rights and freedoms. The definition of profiling is “an automated form of processing carried out on personal data with its objective to evaluate a personal aspect about a natural person”. It basically means collecting data, analyzing it automatically, and applying the correlation to any individual to identify characteristics of their present or future behaviour (interest, ability, or likely behaviour). Any assessment or classification of individuals based on characteristics such as their age, sex, or height could be considered profiling, regardless of any predictive purpose. Automated decision-making may partially overlap with profiling, and may work with or without profiling. It is the ability to make a decision by technological means, with or without restricted human involvement.
In particular, “solely automated processing”, is strictly regulated, which means that there is no human involvement in the decision-making process. Human involvement needs to be ensured, at least in the form of meaningful oversight carried out by someone with the authority and competence to change a decision, so that the processing is not solely automated. Solely automated processing is prohibited if it produces legal effects (an impact on legal rights) concerning a data subject, or similarly significantly affects him or her (potential to significantly influence their circumstances, behaviour, or choices). There are some exceptions to the above-mentioned prohibition. It may be admissible if it is necessary for the performance of or entering into a contract; or authorized by Union or Member State law, to which the controller is subject, and which also lays down suitable measures to safeguard the individuals’ rights, freedoms, and legitimate interests; or based on the individuals’ explicit consent. These exceptions should, however, not be used for the processing of the personal data of children. Personal data of children may also be processed, but under certain circumstances (e.g. to protect their welfare).
Procedures and measures for checking for any bias, inaccuracies, or discrimination are also required. These procedures should be used continuously, and fed back into the system design. Preventing errors or bias are not the only matters to focus on. The decision-making processes must be in accordance with the general provisions of the GDPR. These are data protection principles (e.g. they need to be lawful, fair, and transparent), lawful bases for processing (e.g. they need to be necessary for the performance of a contract or for compliance with legal obligation), and the rights of the data subjects (e.g. right to access).
The WP 29 mainly focuses on explaining a few of those provisions, relating them to the matter at hand. A data subject has the right to be informed and have access to data on specific information about automated decision-making (including profiling), that produces legal or similarly significant effects. Providing sufficient information and rationale behind the processing or criteria relied on in reaching the decision in a meaningful way of the individual is the key element of this provision. The WP 29 further notes that another provision allows automated decision-making which involves a special category of personal data only with the explicit consent of the data subject, or for reasons of substantial public interest.
In order to set up a proper framework, “data protection impact assessments” are recommended, which are to be used to assess the risks involved, address them, and to demonstrate compliance with the GDPR.