It’s interesting to read the Information Commissioner’s comments on the draft European Data Protection Regulation, which have just been published. A number of the comments address issues we’ve been struggling with in providing Internet services such as incident response and federated access management. These are widely recognised as benefitting privacy, but they don’t fit easily into a privacy regime that thinks in terms of individuals having pre-existing relationships (or at least chains of relationships) with all those who process their personal data.
The Information Commissioner seems to recognise the problems:
Article 4: … there is clearly considerable debate about whether certain forms of information are personal data or not. This is particularly the case with individual-level but non-identifiable – or not obviously identifiable data – such as is found in a pseudonymised database. We prefer a wide definition of personal data, including pseudonymised data, provided the rules of data protection are applied realistically, for example security requirements but not subject access. If there is to be a narrower definition it is important that it does not exclude information from which an individual can be identified from its scope. However, it is important to be clear that a wide definition plus all the associated rules in full would not work in practice. This is a real issue in contexts as diverse as medical research and online content delivery.
On-line content delivery can often be done using pseudonyms, thus protecting the privacy of individual users. Ironically, defining those pseudonyms as personal data and applying the full range of data protection controls to them may well mean that a service provider has to collect more personal data than it would otherwise need (for example, enough to verify the identity of someone making a subject access request), thus increasing the risk to privacy.
Article 6: There is a danger that processing which is necessary for public authorities but not provided for by law will be prevented. We would like to see explicit recognition that processing may take place where it is clearly in the data subject’s interests and does not override his or her fundamental rights and freedoms.
The draft Regulation would prevent public authorities from using the “legitimate interests” justification for processing personal data. The European Parliament’s amendments would restrict that justification even further for all types of data controller. Both access management and incident response could be affected by those changes – telling someone that their computer or Twitter account has been compromised is indeed in their interests, but restricting legitimate interests too much could make it illegal.
Article 7: We are in favour of a high standard of consent. We do need to be mindful of the implications of paragraph (2) though. This would mean that if consent is relied on when you buy a book online, for example, there would have to be separate consent to use your details to despatch the book and take payment. Consent could not be implied from the customer’s decision to buy the book. This could be onerous and in many cases pointless. Again, in cases like this the ‘legitimate interests’ condition could be important as an alternative to consent.
Despite some slogans, consent isn’t the only way to legitimise processing of personal data. The ICO points out that using it when it’s not appropriate can produce unusable interfaces. It can also be dangerous for privacy because, provided you can persuade the data subject to consent, there is then no limit on what you can do. A recent article suggesting that informed consent should be scrapped explains the problems but, I think, comes up with the wrong solution. As with suggestions that overuse of legitimate interests means that justification should be scrapped, it seems to me that the right approach is instead to enforce the law’s existing controls – that consent must be freely given, and that legitimate interest cannot override the interests of the individual. That way each justification can be used in the situations where it is the right way to protect privacy, rather than forcing use of an inappropriate justification which may well present a greater privacy threat.