Revised Data Protection Regulations Draft Leaked

In the last few months, the different EU member states have been sending their feedback to the European Commission on the proposed new Data Protection Regulation, designed to replace current EU Data Protection legislation.

Civil liberties website Statewatch first got hold of a copy of the summary feedback report, and has now also published a draft revision of the regulations, based on that feedback.

There are some significant changes.

In particular there have been some important changes to the definition of what constitutes personal data.  The regulations are designed to protect personal data, and in particular require that explicit consent be obtained for processing of such data.

Therefore what is in or out of scope of this definition will determine what impact the regulations will have – particularly on the automated processing of data from cookies and other website technologies for activities like behavioural marketing.

So here is the current definition:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. If identification requires a disproportionate amount of time, effort or material resources the natural living person shall not be considered identifiable.

There is a critical point to be made here:

The definition of personal data is contextual.  It is not about the data itself, but what the data controller is economically capable or likely to do with that data. 

So data can be personal in one context, if a controller can connect it to an identifiable individual, but not in another, where the same piece of data cannot be connected to an individual.

Clear as mud?  Let’s consider some examples:

I login to a website using a unique identifier, my email address.  My activity on the website involves providing some personal information, my name, photograph, my phone number.  I also use the website to store information on books I have read and like, so that I can tell other people I know what I think of these books.

This is clearly personal data – it is connected to me.  I have authorised the website (data controller) to share this information with my friends (who also have to login to see this).  This therefore would be lawful processing.

The data controller sells ad space on the website to a publisher.  The publisher pays the data controller, if I have read book A, to show me an advert for book B – in the hope I will click on the advert to buy it.

I have not given my consent to the website owner that my data can be used in this way.  Would this be lawful processing?  It is the same data, same controller, but different use of the data.

If I do decide to buy the book – I click on the advert and go to the publisher’s website.  I provide the publisher with sufficient information about me to purchase the book and post it to me.  However, they also now know that I respond well to their adverts, and where I saw that advert.  They can connect the data I gave them, with the data held about me by the original site.  They could use this information to target me with even more adverts for other products, back on the original site.  In order to do that, they are effectively telling the original site that I made a purchase of their product.

This is another piece data about me being used, which I have not given my explicit permission for.  Is this lawful processing? 

Here is another example:

I am the only person that uses my computer.  I browse the web and pick up a cookie from a new advertising company.  This cookie contains a number which is unique to my browser, although it is essentially a random number that has been allocated to me. Lots of websites I visit have a piece of code in them that can detect this cookie. This code alerts the advertiser to tell them which website I was visiting.

The advertising company is able to build up a history of websites I visit, as a result of which I start to see adverts on some sites which are based on a profile generated by that history.

No one has asked me for my consent.  The cookie and my profile is unique to me – but does that make me identifiable?  Is this lawful processing?

What if I go to a website where I provide my email address and agree to receive emails about products from that company and its partners?  What I don’t know at the time is that one of those partners is the advertising company that has a profile of me.  They might now be able to connect my profile to my email address. 

Now they are able to send me emails (which I have given my permission for) about products based on my profile (which has been collected without my permission).  Is this also lawful processing?  Would it make a difference if my email address contained my name, or was something less directly connected to me? 

These are every day events.  They are pretty harmless in themselves, and I could quickly break the links between these two types of data to become anonymous again.

However, the reality is that there are many more individual and paired data points that are collected all the time and by many different organisations.  This data is bought and sold all the time by businesses most people will never know about or come into direct contact with.

When all these data points are brought together, powerful algorithms can potentially see patterns that enable data about me to be linked together from these sources with a high degree of accuracy.

At what point does this aggregated data become personally identifiable to me? And therefore at what point does my explicit consent need to be sought? Most aggregators are not consumer facing – so how are they going to obtain consent?  Or does data aggregation become effectively outlawed?

These are questions that will need to be tested against this proposed legislation.  However it is clear that in many different cases it will be extremely difficult to determine the point at which data becomes personal.

That is not to say that consent can’t and shouldn’t be sought for processing of data about me.  However it does mean that the consequences of this new Regulation could be widespread – which means it is likely to be a rough ride for big data over the next few years – which may make implementation of the cookie law look like a walk in the park.