How To Continue Lawfully Using Historical Data Under The GDPR
Starting next year, everything companies historically have done with the oceans of data they amass and process each day will become illegal, absent new technical controls.
Editor at Compliance Week
This sentence, from the October edition of Compliance Week, has stirred up a firestorm of questions regarding legal rights to use “Historical Data” when the GDPR goes into effect in May 2018. The above sentence was referred to during the introduction of the webinar – Don't Lose Access to Data Analytics Under the GDPR – featuring Gwendal Le Grand from the French CNIL, Jules Polonetsky from the Future of Privacy Forum (FPF) and me. This blog responds to questions submitted following the event.
FACTS THAT MAY SUPRISE YOU
Personal data that you have lawfully processed for years – even for decades – may soon expose your organization to significant liability.
For purposes of this blog, I use the term Historical Data to mean EU personal data collected up through May 24, 2018 premised on “broad based consent” – i.e., consent that does not satisfy new heightened requirements for specificity and unambiguity under the GDPR. Processing of “Historical Data” is no longer lawful starting May 25, 2018. The GDPR has no “grandfather provision” or “exemptions” allowing use of data collected without GDPR-compliant consent.
The level of enforcement activity by data protection authorities upon effectiveness of the GDPR is uncertain. However, a significant exposure exists from class action lawsuits by data subjects as newly authorized under the GDPR (the success of Max Schrems' claims against Facebook highlight the dramatic impact individuals can have and his cases arise under less rigorous data protection laws than the GDPR). And, potential lost access to data for analytics, artificial intelligence (AI) and machine learning (ML) would materially adversely impact operations for many data-driven organizations.
The prior EU data protection law adopted in 1995 – Directive 95/46/EC – is repealed upon effectiveness of the GDPR. Recital 171 and Articles 94(1) and 99 make it clear that data processing activities going forward must comply with new, more stringent GDPR requirements even if past processing complied with earlier requirements. The purpose of the two-year transition period between adoption of the GDPR in 2016 and effectiveness of the regulation in 2018 was to give data controllers and processors time to align their data processing operations to GDPR requirements. If past grounds for processing do not satisfy new GDPR requirements, processing of Historical Data is unlawful starting on the effective date of the GDPR – May 25, 2018.
THREE OPTIONS FOR HISTORICAL DATA
If your organization has Historical Data, you have 3 options.
- Delete the Historical Data by May 25, 2018;
- Make the Historical Data Unlinkable and devalue the data; or
- Transform the Historical Data to make it legal and increase the ability to use, share, compare and compute the data while keeping it secure and private.
Delete or Unlink Historical Data
Unless you can satisfy new heightened GDPR consent requirements, Article 5(1)(e) requires that you delete or anonymize Historical Data so that it can no longer be used to infer, single out or link to the identity of data subjects making it unlinkable. Unlinkable data has limited value for context-sensitive analytics, AI or ML.
Transform Historical Data
If your organization has a lawful basis to continue using Historical Data under Article 6(1) (see discussion below regarding legitimate interests as a lawful basis), and that use is a compatible purpose comprised of (i) archiving in the public interest, (ii) scientific use, (iii) historical research or (iv) statistical purposes, Article 5(1)(e) permits such use of Historical Data if appropriate technical and organisational measures under Article 89(1) are used to help safeguard the rights and freedoms of data subjects.
Anonos' first-of-its-kind BigPrivacy technology transforms Historical Data to ensure that processing of Historical Data is a compatible use that enables organizations to benefit from data insights while keeping personal data secure and private.
A fundamental EU data protection principle is purpose limitation which must be complied with in addition to requiring a valid legal basis, etc. Article 5(1)(b) requires that personal data must be "collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.” This article is almost identical to Article 6(1)(b) of the current Directive 95/46/EC, which the GDPR replaces. The analysis in Opinion 03/2013 on purpose limitation regarding "further processing" and compatible (or incompatible) purposes under the Directive is therefore relevant under the GDPR. This Article 29 Working Party (“WP29”) opinion identified certain key factors in assessing the compatibility of further processing purposes. One key factor for consideration is safeguards applied by the controller to ensure fair processing and prevent undue impact on data subjects.
Opinion 03/2013 provided that, while all relevant factors must be assessed as a whole, "Appropriate additional measures could thus, in principle, serve as ‘compensation’ for a change of purpose or for the fact that the purposes have not been specified as clearly in the beginning as they should have been.” It further stated that “When trying to identify technical and organisational measures that qualify as appropriate safeguards to compensate for the change of purpose, the focus often lies with the notion of isolation. Examples of the relevant measures may include, among other things, full or partial anonymisation, pseudonymisation, or aggregation of the data, privacy enhancing technologies, as well as other measures to ensure that the data cannot be used to take decisions or other actions with respect to individuals ('functional separation'). These measures are particularly relevant in the context of further use for ‘historical, statistical or scientific purposes’…."
Under Article 5(1)(b), further processing for “statistical purposes” is not considered incompatible with the initial purposes so long as a valid legal basis exists under Article 6(1) and appropriate safeguards under Article 89(1) are provided, which specifically include pseudonymisation. This is similar to the position under the current Directive's Article 6(1)(b) which authorizes "Further processing of data for historical, statistical or scientific purposes…." Pseudonymisation is an explicitly-recognized safeguard under Article 6(4)(e) to help ensure that “further processing" of personal data “is compatible with the purpose for which the personal data are initially collected in compliance with Article 5(1)(b) (‘purpose limitation’) requirements.
Article 6(1)(f) allows the processing of personal data if the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” In conducting this balance of interests test, the WP29 have opined that, while pseudonymisation cannot legitimize illegitimate processing, in the context of this particular legal basis (legitimate interests) pseudonymisation "will play a role with regard to the evaluation of the potential impact of the processing on the data subject, and thus, may in some cases play a role in tipping the balance in favour of the controller."
If an organization has a legitimate interest under Article 6(1)(f) to process Historical Data for statistical purposes, Anonos BigPrivacy technology transforms Historical Data to ensure that processing of Historical Data is a compatible use that enables organizations to benefit from data insights while keeping personal data secure and private.
Anonos' first-of-its-kind BigPrivacy technology uniquely enables pseudonymisation that satisfies requirements under GDPR Article 4(5) and facilitates “functional separation” of data. Functional separation of data involves using technical and organisational measures to ensure that data used for one purpose cannot then be used to “support measures or decisions” about individuals concerned unless specifically authorised by the individuals. In addition to being identified in WP29 Opinion 03/2013, functional separation was also recognized in WP29 Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller Under Article 7 of Directive 95/46/EC as supporting legitimate interest and in EDPS Opinion 7/2015 Meeting the Challenges of Big Data as playing “a role in reducing the impact on the rights of individuals, while at the same time allowing organisations to take advantage of secondary uses of data.”
NOTE: This blog responds to questions asked in follow up to the webinar – Don't lose access to Data Analytics Under the GDPR – featuring Gwendal Le Grand from the French CNIL, Jules Polonetsky from the Future of Privacy Forum (FPF) and Gary LaFever of Anonos. It is not, nor shall it be construed as, providing any legal opinion or conclusion, and is not a substitute for obtaining professional advice from qualified legal counsel.
For access to the summary and copies of slides from the webinar – Don't Lose Access to Data Analytics Under the GDPR – click here.