This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.
This issue focuses on the general data processing principles and explores whether they are suited to current technological developments. Skip to the end for a quick overview of the main takeaways and to do's.
Data processing principles under the GDPR: an overview
The GDPR contains a number of basic principles that must be respected when processing personal data. These principles are largely similar to those set out in Directive 95/46. Please find below an overview, with new points introduced by the GDPR marked in bold.
Compliance with data processing principles in practice
In practice, compliance with the abovementioned data protection principles requires a thorough and systematic analysis of all data processing activities. Pursuant to the accountability principle, this analysis must be documented.
Issues related to application of the data processing principles to new technologies
The data processing principles are a cornerstone of the GDPR and aim to protect data subjects. Indeed, by requiring that each personal data processing activity complies with these principles, the GDPR wishes to ensure that personal data are adequately protected.
Although we generally prefer principle-based legislation to overly prescriptive legislation, we have serious doubts as to the compatibility of the data protection principles with a number of technological developments and their usefulness in today's digital society. Take for example the blockchain. Two main features of the blockchain are: (i) information transiting through the blockchain is visible to every node and (ii) information cannot be removed from the blockchain. These features clearly conflict with the principle of data minimization and the storage limitation. Indeed, making data visible to every node could be considered excessive while perpetual storage of the data on the blockchain is clearly difficult to reconcile with the storage limitation rules.
Similar issues arise with big data. Big data is at odds with the purpose limitation. This principle consists of two parts: (i) personal data may only be collected for specified, explicit and legitimate purposes and (ii) personal data may not be further processed in a manner that is incompatible with these purposes. Under the purpose limitation, the purposes for processing personal data must be established upfront whereas the added value of big data lies in its potential to discover new correlations and processing purposes, which may have nothing to do with the original purposes for which the data were collected. Personal data may also be collected for the mere sake of finding correlations and processing purposes. Big data also conflicts with the principle of data minimization. Indeed, big data is by definition excessive and disproportionate.
For big data, there are of course a number of escape routes or workarounds, but these are not entirely satisfactory. Firstly, anonymization of the data sets may be considered so that the data fall outside the scope of the GDPR. However, in this case the question arises as to whether true anonymization is possible. In addition, for many organizations, anonymization is not an option if they wish to use big data analytics to learn about a certain individual. Secondly, in certain cases, further processing will be considered compatible with the initial purpose, such as further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. While certain big data analytics could be considered to fall within one of these categories, it is clear that many will not.
It remains to be seen whether and how these issues will be addressed in practice. It is in any case unfortunate that the EU legislature stuck to the old principles.
Takeaways and to do's
Recitals 39, 50, 58, 60 and 156
Articles 5 and 89