I wasn’t going to publish this blog until I saw the above headline from the European Data Protection Supervisor (EDPS) recommendations for the Data Protection Regulation (see references). This headline reads: “All data processing must be both lawful and justified”.
This issue has been a concern of mine for some time, but I had convinced myself that my concerns were misplaced. However, as the EDPS has raised them, I think it is worth resurrecting the point for consumption by the data protection community.
Translated into current UK data protection terms, the EDPS is saying that any processing of personal data has to be lawful in general (e.g. lawful under other legislation), and has to possess a Schedule 2 ground as a further justification.
“And what is the problem?”, I hear you say – isn’t that an obvious statement of most of the First Principle? Well, actually, “no”!
About a decade ago, there was a legal argument that “lawful processing” in the First Principle should mean “lawful just under the DPA”; for instance, if there was a Schedule 2 ground for the processing, then the processing was lawful in data protection terms.
This argument arose in the context of a report “Personal data for public good: using health information in medical research. A Report from the Academy of Medical Sciences, January 2006”. This stated (under the heading “Lawful processing”):
“The prevailing view is that for data processing to be lawful, it must not contravene laws external to the DPA, such as the common law of confidentiality, the Human Rights Act or administrative law. An alternative view submitted to the Working Group has argued that the statutory phrase ‘lawful processing’ means no more than compliance with a condition in Schedule 2 and 3, for instance, the public interest condition of Schedule 2 or the medical purposes condition of Schedule 3” (see paragraph 2.2.1, page 24).
I was concerned whether the Regulation text could be interpreted in a way that “lawful” processing meant “lawful just under the DPA” and that this view might prevail. If this were the case, it would be a very serious degradation in the level of data protection.
The argument for this proposition
All three versions of Article 6(1) of the Regulation text now in Trilogue say something like: “Processing of personal data shall be lawful only if and to the extent that at least one of the following applies …”. This is followed by a choice from a revised list of grounds similar to that found in Schedule 2 of the DPA (e.g. processing is made lawful with data subject consent, or where necessary for the vital interests of the data subject, or where necessary for a legal obligation other than a contractual one).
Recital 31 (Council of Ministers’ text) confirms that “In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate legal basis laid down by law…” (a link to the Article 8 Treaty of Lisbon right to data protection).
If you then look at Article 5(a), there is a requirement for any personal data “to be processed lawfully, fairly and in a transparent manner in relation to the data subject”, and of course this means the data controller needs an Article 6 ground.
Could these provisions be interpreted to mean that if a data controller has a ground for the processing in Article 6, then the processing of personal data is lawful in terms of Article 5? If so, a ground for the processing alone would make the processing “lawful”, and a much diminished level of data protection would result.
The counter argument to the above proposition
This relies on a Court concluding that the Article 5 reference to lawful processing is wider than the Article 6 reference to lawful processing. For example, if lawful processing meant no more than having an Article 6 ground, then there would be no need for Article 5 to refer to “lawful” processing at all.
However, because both Articles 5 and 6 refer to lawful processing, it follows that the proposition is incorrect: the A.5 reference to lawful processing involves general lawfulness, which includes the A.6 reference but is not limited to it.
So logically, I don’t have a concern! The only problem is whether European judges follow suit. Lord Denning, that famous Master of the Rolls, in the latter part of the last century is reported as having said that the public can always “trust the judges”; so that is what I was doing.
This was the position until the EDPS recommendations. Comments such as “We recommend avoiding any conflation and thereby weakening of these principles” have resurrected some concerns. What lawful processing means should be explicit on the face of the Regulation.
Over to you: which side of the argument are you on? On a different point: the EDPS has a "Regulation App" which allows navigation of the various forms of the text (see references).
References
A 15 page summary of the EDPS recommendations: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-07-27_GDPR_Recommendations_EN.pdf
Annex: Comparative table of GDPR texts with EDPS recommendations (a mere 520 pages): https://secure.edps.europa.eu/EDPSWEB/edps/Consultation/Reform_package
The EDPS has produced an APP to navigate the various versions of the Regulation; downloadable from https://secure.edps.europa.eu/EDPSWEB/edps/Consultation/Reform_package
Liddell, K. (2005) “The Mythical Connection Between Data Protection Law and Confidentiality: Processing Data ‘Lawfully’”. Bio-science Law Review 6, 215–22.
Our next Data Protection Regulation workshop, in London, is on 29th September to 1st October: http://www.amberhawk.com/DPFoundation.asp
Thank you for posting this. It's an interesting argument. For what it's worth, I think it's also pretty clear that the GDPR's notion of lawfulness is not confined to compliance with its own provisions. However, I think the EDPS' concerns are not really about this issue in any case (probably, I suspect, because it agrees with the broader interpretation I just gave) but rather concern whether, if processing under certain legitimating justifications, this should disable independent application of other (legal) aspects of the data protection regime, notably the duty not to process data incompatibly with the purpose for which it was initially collected. This is the suggestion of the current Council of the EU text and I think that the EDPS wants to signal that it strongly disagrees with it!
Posted by: David Erdos | 27/07/2015 at 03:04 PM
But surely at least one prerequisite for processing to be lawful must be that it is not unlawful. Processing might be unlawful for all sorts of reasons which don't fall under the DPA, as outlined in your blog. I'm not sure that we (or the EDPS) are any further forward!
Posted by: Tim Wright | 28/07/2015 at 03:31 PM