Knock knock … join our religion - and btw GDPR doesn’t apply to us!

I just loved this case decision from Finland, in which the EU court determined that Jehovah’s Witnesses must comply with GDPR. In 2013 Finland’s Data Protection Supervisor prohibited the Jehovah’s Witnesses religious community from collecting or processing personal data in the course of door-to-door preaching by its members unless Finnish data protection legislation was observed.

Jehovah’s Witnesses created maps from which areas were allocated among the members who engage in preaching, and kept records about the preachers and the number of the Community’s publications distributed by them. In essence, they were collecting and processing personal data.

In its judgment, the European Court of Justice considered that the Jehovah’s Witnesses’ door-to-door preaching is not covered by the exceptions laid down by EU Law on the protection of personal data.

  1. Door-to-door preaching is protected by the fundamental right of freedom of conscience and religion enshrined in Article 10(1) of the Charter of Fundamental Rights of the European Union; but this does not
  2. confer an exclusively personal or household character on that activity, because it extends beyond the private sphere of a member of a religious community who is a preacher.

For those newbies here, this is about something called ‘material scope’ in the GDPR. You can think of ‘material scope’ (and there is also ‘territorial scope’) as the scoping parameters for the GDPR.

Think about it as a project scope … and it is almost cool to know that even legal documents have a scope, just like any project you may have driven or been a part of. What this means is that all the legal text in the GDPR is only relevant if the personal data falls within the scope defined in Articles 2 and 3.

Material scope (Article 2)

The GDPR applies to the processing of personal data wholly or partly by automated means and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system.

Now back to the case.

  1. The Jehovah’s Witnesses relied on the ‘household exception’, claiming to be exempt from GDPR. This was overruled, the court stating that the JW organisation and those knocking on doors collecting personal data were joint controllers.
  2. Material scope also requires that the data be part of a ‘filing system’ of some kind. The court stated that even though the data was collected manually, simply ordering it during collection, e.g. by address, which made retrieval easier, placed it in scope.

So there you have it… lovely example for the classroom IMHO 🙂

Ready to go – the new EU Data Protection Regulation

It was quite a delightful start to the day to find the news on the agreement of the new EU Data Protection Regulation (GDPR). Clearly it is not complete yet with all the legal text, but end of January 2016 is realistic!

I thought I would discuss some of the main points that are getting the most publicity in the press…

Fines 4% of global sales

Companies that don’t abide by the rules will potentially face fines up to 4% of global turnover (sales). Clearly from a privacy advocate and privacy professional perspective this is good news.

The new data protection laws are graced with a strong set of teeth.

However, putting on my business hat, the way fines are calculated is not fair to companies that operate on low margins versus those that operate on high margins, because the fine is aligned to sales, not to profits. I am not sure whether ‘up to 4%’ of global turnover means that each company will be treated based upon the nature of its business, i.e. low margins pay 1%. If this is the case, criteria will need to be defined over the next 2 years in order to achieve consistency across member states.

Regardless, whichever camp your business is sitting in, a fine of this nature from the data protection commission is going to hurt!

Shared liability

If you are a data processor and not a controller today, you are blessed with immunity. Once the law becomes effective you will have joint liability with the data controller. So if they do their job badly, your business will suffer.

What I see happening is the implementation of a new type of Privacy Level Agreement (PLA) that works in the direction from the processor to the controller. After all, data controllers have already covered their liability in the form of SLAs that include protection of personal data aligned with existing data protection laws by jurisdiction, but there is nothing today to protect processors from the incompetence of the data controller.

The right to be forgotten

Now this has been around in the Directive since 1995. It gives data subjects the right to have their personal data corrected if inaccurate, and expands their right to have irrelevant or outdated information removed. So if this is nothing new, why all the fuss? Well, I don’t think many member states, if any at all, have implemented it in their national data protection laws. This is certainly the case in Sweden.

Hence, if they don’t already have the mechanisms, companies will need to have the processes and security mechanisms implemented to be able to deal with requests from data subjects. This includes validating that requesters are who they say they are when a request pertaining to personal data is made. Online services that give direct access to personal data, i.e. via a website or app within the service, have a clear advantage, e.g. Facebook, Amazon, etc. Many are getting to grips with the security of user access, even offering 2-factor authentication.

Parental consent for minors

The new regulation includes extra protections for minors, i.e. children under 16 years old (with the option for member states to reduce this to 13 yrs). Parental ‘explicit’ consent is required for the collection of personal data of minors. There are some rather bad posts and publicity concerning this new provision, which are unfounded. There has been a law in the US protecting the personal data of minors (under 13 years) that has been in force since 1998! So the question should be why we in the EU took so long. Clearly there are some practicalities here, many due to the fact that we didn’t do something earlier. In any case, we can look to the US for some guidance here.

‘Unambiguous’ consent

This is the one I have the main problem with. My vote was with ‘explicit’ consent required from the data subject on the collection, processing and sharing of personal data. An example of ‘explicit’ consent is a ‘tick-box’ on a form on a web page saying you agree to the privacy policy. ‘Implicit’ consent can be implied by behaviour, e.g. continued use of a service.

Now ‘unambiguous’ is in-between ‘implicit’ and ‘explicit’. I can’t actually find a clear definition of what it is! So I really don’t like this ‘half-way house’ approach.

Data Protection Officer (DPO)

It has been decided that all large companies must have a DPO. This job has been defined as mandatory, except for small and medium sized companies, unless data processing is core to their business.

In fact, when you look at the penalties for non-compliance it is probably prudent to have some form of DPO, even if you are not large. One of the aspects that was in the 2012 version was some form of ‘independent’ function. I expect a new market offering DPO timeshares to pop up to fill this need.

Is there more?

Yes, loads, so watch this space; I don’t want to overload you with too much in one go 😉

Sweden is going to have fun with the new Data Protection Regulation

There’s starting to be a bit of a flurry here in Sweden with the upcoming new Regulation.

One of the communications I received last week concerned the fact that here in Sweden our personal data, including our ID, is considered public information. This will not be the case once the Regulation comes into effect. What I find funny (you know, the funny, not-so-funny British humour ;-)) is that those I talk to here think this is new in the Regulation, but it’s not. It is included in the Directive of today, just not implemented as law here in Sweden.

This is going to require significant work to achieve compliance in Sweden, especially given the way our personal data is sold under an ‘utgivningsbevis’ without the consent of the data subject. In fact, it is impossible for data subjects in Sweden to remove their personal data from public viewing!

Hurry up new Regulation so I can get my personal data removed from ratsit.se, birthdays.se and hitta.se… just to name a few!