The European Commission’s proposed Data Protection Regulation supports recent thinking in moving away from using consent as a basis for federated access management systems. The consent of the data subject is still one of the legitimate grounds for processing personal data but it cannot be used “where there is a significant imbalance” between the organisation and the individual (Article 7(4)) – for example between employer and employee – or where “the individual has no genuine or free choice and is subsequently not able to refuse or withdraw consent without detriment” (Recital 33, following the Article 29 Working Party’s Opinion).
Instead of consent, access management systems seem better suited to the grounds that processing is either necessary for the performance of a contract to which the individual is party (Art 6(1)(b)) or necessary in the legitimate interests of the service provider (Art 6(1)(f)). As in the current Data Protection Directive, the legitimate interests justification must not be used if this would be contrary to the interests and fundamental rights of the individual; however, where processing is necessary to deliver a service the user has requested, this seems unlikely to be the case. Although there is a legitimate interests provision in the Directive, not all Member States have implemented it, so a Regulation that ensured all countries provided it would make a consistent framework for access management significantly easier to achieve.
The legitimate interests justification has also been extended, for the first time, to cover transfers of personal data outside Europe. Art.44(1)(h) allows such transfers, provided they are not “frequent or massive”, so long as the European organisation releasing the personal information – normally the user’s home organisation in a federation – has assessed the risks and taken appropriate measures to protect the user. If transfers are “frequent or massive”, then the identity provider and service provider seem likely to enter into a “contract concluded in the interest of the data subject”, making the transfer legitimate under Art.44(1)(c).
At present, transfers of personal data to registered commercial organisations in the USA may be done under the US/EU Safe Harbor agreement; however, this is not mentioned in the draft Regulation and it has been suggested that the agreement will be reviewed. Replacing it with more general arrangements, based either on the legitimate interests or contracts justifications of Article 44 or on a declaration that an organisation provides adequate protection under Article 41(3), might be helpful to international federation agreements, since it would no longer be necessary to treat the US commercial sector as a special case. In particular, service providers within the US education sector, which cannot register under Safe Harbor, might be able to use these more general arrangements.
Finally, the Regulation seems unlikely to clarify the status of pseudonymous identifiers that are used by service providers to distinguish individual users without being able to determine their real-world identities. The current Directive says that such identifiers are personal data if the person “can be identified” (i.e. if there is any possibility of identification) whereas the draft Regulation narrows this to “can be identified … by means reasonably likely to be used…” (still wider than the definition in the UK’s Data Protection Act 1998, however). Recital 24 confirms that “It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances”, but does not explain the circumstances when such identifiers will, or will not, be personal data.