What makes processing “lawful” under the GDPR? The Information Commissioner (ICO) has stated that the word “lawfulness” has general application, as it did under the previous Data Protection Act (DPA1998).
If my analysis is correct, this view is wrong; I think "lawfulness" is now limited in meaning to "compliance with the GDPR or DPA2018". If so, there is a significant risk that the level of the protection afforded to data subjects in the UK (and in Europe) is much diminished.
First to the ICO’s GDPR Guidance which states that:
"Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:
- a breach of a duty of confidence;
- your organisation exceeding its legal powers or exercising those powers improperly;
- an infringement of copyright;
- a breach of an enforceable contractual agreement;
- a breach of industry-specific legislation or regulations”
My view is that the above statements are incorrect under GDPR & DPA2018 but correct under the Directive 95/46/EC & DPA1998. Understanding why the latter is correct helps understand why the former is incorrect. To assist this understanding, all the emphasis in the following text is my attempt to allow readers follow the logic of the argument.
DPA1998 and Directive 95/46/EC
Under the DPA1998, the key elements of the First Principle states that “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-(a) at least one of the conditions in Schedule 2 is met ….”.
In the Directive 95/46/EC, under the heading “Criteria For Making Data Processing Legitimate”, Article 7 set out that “Member States shall provide that personal data may be processed only if” there was an applicable legitimacy condition (e.g. consent, necessary for a contract with data subject etc etc).
In this way, the Schedule 2 condition of the DPA1998 (which essentially reproduced Article 7) defined when the processing was “legitimate”. If you look at the text of the First Principle (see paragraph above), you can see that the “lawfully” requirement of the First Principle is separate and distinct from the legitimacy requirement set out in the Schedule 2.
In other words, “legitimate” processing needs a Schedule 2 condition whereas “lawful” processing means consideration of the general application to meet all laws including the DPA1998 itself. See the “Solicitors from Hell” judgment (reference below) where the Courts identified the general nature of the lawfulness requirements of the First Principle.
In summary, in the Directive and DPA1998, the concept of “lawful processing” and “legitimate processing” are different. This distinction does not apply in the GDPR as it has replaced the word legitimate with lawful in the relevant Articles.
DPA2018 and the GDPR
Article 6 of the GDPR is titled “Lawfulness of processing” (unlike the corresponding title relating to legitimacy in the Directive) and begins with “Processing shall be lawful only if and to the extent that at least one of the following applies” followed by the familiar list of legal bases in Article 6 (which are almost the same as Schedule 2 of the DPA1998). The first Principle in Article 5 then states that personal data have to be “processed lawfully, fairly and in a transparent manner in relation to the data subject”.
In other words, the first Principle in Article 5 requires lawful processing and is followed in Article 6, by the declaration that processing is lawful only if the processing has a legal basis in Article 6 (e.g. data subject consent, is necessary for a contract with the data subject …. etc etc).
This combination in the GDPR is a declaration of lawfulness, unlike the Directive where it is a declaration of legitimacy. The GDPR wording thus does not leave any room for any external lawfulness requirement; once an Article 6 condition is satisfied then the processing is lawful in terms of the Principle and the GDPR, because that is what Article 5 and 6 clearly state.
Recitals 44 and 46 reinforce a limited scope of lawfulness as they specifically link the concept of lawful processing under the GDPR with a specific Article 6 legal basis (e.g. “Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract” and “The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject…”). These Recitals only make sense if “lawful” is restricted in interpretation in terms of “lawful under the GDPR”.
So what! Are you thinking this is navel gazing to the nth degree? Well read on.
Some problems!
Consider a public authority controller which misuses its powers to process personal data; if its processing of personal data is also necessary for its public task then the processing cannot be unlawful in terms of the first Principle in Article 5 if it is lawful under Article 6 (as there exists a proper legal basis). Similarly, if the unlawful processing had also obtained the consent of the data subject, then the processing is not unlawful in terms of the “lawfulness” Principle.
These two examples are completely different under the DPA1998. For instance, data subject consent would satisfy the Schedule 2 legitimacy requirements but the controller would still not be processing lawfully as required by the First Principle of that Act (as powers have been misused). Consent would be irrelevant. Under the GDPR, however, data subject consent would make that processing lawful as there is an Article 6 legal basis.
Rights are also degraded. For instance, the right to erasure in Article 17(d) applies when “the personal data have been unlawfully processed” by a controller. This does NOT mean any lawful requirement; it means the only unlawful consideration is that the controller has not processed personal data in accordance with an obligation under the GDPR (see Recital 65). In other words, the ICO Guidance with respect to this right is also wrong as it relates to unlawful processing in a general sense (i.e. to a “breach of the lawfulness requirement of the 1st principle” as described at the beginning of this blog).
Consider the DP/FOI interface and a FOI request for your neighbour’s medical records. Under the DPA1998, the argument would likely state that to publish medical records would breach a confidence and therefore constitute unlawful processing. This would breach of the First Principle, so the request would be refused.
Under the DPA2018, that DPA1998 argument (based on a general approach to lawfulness) is unavailable. Perhaps other FOI exemptions could plug the gap (e.g. Section 41 of FOIA) or perhaps an argument based around the fact that there is no condition that permits the publication of special category of personal data is relevant. Who knows?
Finally, data subjects with a complaint that relates to lawful processing in general might find that a data protection redress is not available because the DPA2018 &GDPR is only concerned about lawfulness just in the specific context of data protection.
Concluding comments
All I can say at the moment, is that if above analysis is correct, there is undoubtedly a major change to the UK’s previous general approach to lawfulness. As a result, there is a significant risk that the protection of data subjects are degraded from the DPA1998 standard (which hitherto presumed a broad concept of lawful processing especially in the public sector).
Finally, a scary thought: the change of text (from an emphasis on legitimacy in Directive 95/46/EC to one of lawfulness in the GDPR) can be traced back to the Commission’s original text in COM (2012)0011 published in 2012.
In other words, the issues raised in this blog apply to all data protection regimes in all EU countries.
Upcoming Data Protection qualification courses
- BCS Data Protection Practitioner Upgrade/Conversion (2 days; London Jan 9 & 10)
- BCS Data Protection Foundation (3 days; London, January 29-31)
- BCS Data Protection Practitioner, London, 6 days starts Feb 12
- Details on www.amberhawk.com or by emailing [email protected]
References
Solicitors from Hell judgement states that “lawful processing” means lawfulness in general. https://amberhawk.typepad.com/amberhawk/2012/01/judgement-reinforces-the-link-between-lawful-processing-the-first-data-protection-principle-and-human-rightsother-law.html
Comments