GDPR: A Guide to Sweet Spots?

I keep coming back to the idea that Data Protection law (at least as expressed in the GDPR) has two explicit objectives: to “protect natural persons” and to enable “free movement of data”. And those are presented as compatible, not conflicting. In the case of a couple of the Article 6 lawful bases for processing that’s fairly obvious: if I enter into a contract with you then I want you to process the data that’s necessary to deliver that contract; if a life is at risk then society wants the processing of data that’s necessary to save it.

But can we view the other lawful bases, with their associated conditions and safeguards, as guides to finding similar sweet spots? If you want to do this kind of thing, under these conditions and with these safeguards can we (either as individuals whose data are processed, or as members of society whose data might be processed in future if we experience particular situations) reach consensus that the processing benefits both?

If all the conditions of the other four bases are genuinely met – notably fully-informed free consent, laws (whether permissive or mandatory) that include appropriate safeguards, other interests that are both legitimate and not overridden by rights and freedoms – then it seems plausible.

And this is increasingly important, because these win-win situations are stable. Alternatives, where one party wins at the expense of the other, probably aren’t. There are an increasing number of options for those who want to resist, frustrate or corrupt the processing of their data. Long ago I got fed up waiting for a consensus resolution to the targeted advertising debate, so I adjusted my browsers and behaviour to exclude that ecosystem as far as I could. That does make some websites practically unusable, and every now and then a volunteer site reminds me that I am a lousy freeloader depriving them of income.

But that’s the point: the alternative to win-win is lose-lose, where both personal protection and data availability are diminished. If we can use data protection law as a guide to how to avoid those conflicts, it has to be a good thing.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *