
Processing personal data for third party interests

An interesting reminder from the European Court of Justice (ECJ) that the Data Protection Directive (95/46/EC) is supposed to make processing and exchanging personal data easier as well as safer. The Directive contains a number of different reasons justifying processing of personal data (gathered together as Schedule 2 of the UK Data Protection Act 1998), including consent, necessity to fulfil a contract with the data subject or to satisfy a legal duty, etc. A recent ECJ case has looked at the last of these: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection.” (Article 7f of the Directive, transposed as s6 of Schedule 2 of the UK Act).

This turns out to be useful in a number of situations where there isn’t a direct link between the person doing the processing and the data subject, but where the processing has benefits to both of them. For example when a university wants to confirm to an on-line journal that a particular user is covered by a site licence it would be cumbersome to require a contract between the journal and each user, while consent cannot be freely given if the journal is something a member of staff has to read as part of their job. Similarly if an incident response team identifies that a particular computer is a member of a botnet they would often like to warn the responsible ISP of this even though there is clearly no possibility of obtaining the user’s consent or contract. In both the federated authorisation and incident response situations, Article 7f fits the bill, while still protecting the data subject by insisting that only “necessary” data are processed.

Unfortunately it turns out that many member states haven’t fully implemented Article 7f. In Spain, for example, there’s an additional restriction that Article 7f can only be used for “data … in sources accessible to the public”. While the ECJ accepts that data from non-public sources will often represent a greater threat to privacy – something that will need to be taken into account when balancing the risks and benefits of any particular processing – it considers that the current blanket restriction “constitutes a barrier to the free movement of personal data” and is therefore not compatible with the Directive. This should result in more consistent implementations of Article 7f and fewer problems when trying to arrange the transfer of personal data between European countries.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
