Tag Archives: directive 95/46/EC

A look at political psychological targeting, EU data protection law and the US elections

Cambridge Analytica, a company that uses “data modeling and psychographic profiling” (according to its website), is credited with having decisively contributed to the outcome of the presidential election in the U.S. It did so by using “a hyper-targeted psychological approach” that allowed it to see trends among voters that no one else saw and thus to model the candidate’s speech to resonate with those trends. According to Mashable, the same company also assisted the Leave.EU campaign that led to Brexit.

How do they do it?

“We collect up to 5,000 data points on over 220 million Americans, and use more than 100 data variables to model target audience groups and predict the behavior of like-minded people” (my emphasis), states their website (for comparison, the US has a 324 million population). They further explain that “when you go beneath the surface and learn what people really care about you can create fully integrated engagement strategies that connect with every person at the individual level” (my emphasis).

According to Mashable, the company “uses a psychological approach to polling, harvesting billions of data from social media, credit card histories, voting records, consumer data, purchase history, supermarket loyalty schemes, phone calls, field operatives, Facebook surveys and TV watching habits”. This data “is bought or licensed from brokers or sourced from social media”.

(For a person who dedicated their professional life to personal data protection this sounds chilling.)

Legal implications

Under US privacy law this kind of practice seems to have no legal implications, as it doesn’t involve processing by any authority of the state, it’s not a matter of consumer protection and it doesn’t seem to fall, prima facie, under any piece of the piecemeal legislation dealing with personal data in the U.S. (please correct me if I’m wrong).

Under EU data protection law, this practice would raise a series of serious questions (see below), without even getting into the debate of whether this sort of intimate profiling would also breach the right to private life as protected by Article 7 of the EU Charter of Fundamental Rights and Article 8 of the European Convention on Human Rights (the right to personal data protection and the right to private life are protected separately in the EU legal order). Put simply, the right to data protection enshrines the “rules of the road” (safeguards) for data that is being processed on a lawful ground, while the right to private life protects the inner private sphere of a person altogether, meaning that it can prohibit unjustified interferences in the person’s private life. This post will only look at mass psychological profiling from the data protection perspective.

Does EU data protection law apply to the political profilers targeting US voters?

But why would EU data protection law even be applicable to a company creating profiles of 220 million Americans? Surprisingly, EU data protection law could indeed be relevant in this case, if it turns out that the company carrying out the profiling is based in the UK (London-based), as several websites claim in their articles.

Under Article 4(1)(a) of Directive 95/46, the national provisions adopted pursuant to the directive shall apply “where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. Therefore, the territorial application of Directive 95/46 is triggered by the place of establishment of the controller. Moreover, Recital 18 of the Directive’s Preamble explains that “in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community (EU – n.) must be carried out in accordance with the law of one of the Member States” and that “in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State” (see also CJEU Case C-230/14 Weltimmo, paras. 24, 25, 26).

There are, therefore, no exceptions to applying EU data protection rules to any processing of personal data that is carried out under the responsibility of a controller established in a Member State. Is it relevant here whether the data subjects are not European citizens, and whether they would not even be physically located within Europe? The answer is probably in the negative. Directive 95/46 provides that the data subjects it protects are “identified or identifiable natural persons”, without differentiating them based on their nationality. Neither does the Directive link its application to any territorial factor concerning the data subjects. Moreover, according to Article 8 of the EU Charter of Fundamental Rights, “everyone has the right to the protection of personal data concerning him or her”.

I must emphasise here that the Court of Justice of the EU is the only authority that can interpret EU law in a binding manner and that until the Court decides how to interpret EU law in a specific case, we can only engage in argumentative exercises. If the interpretation proposed above were found to have some merit, it would indeed be somewhat ironic to have the data of 220 million Americans protected by EU data protection rules.

What safeguards do persons have against psychological profiling for political purposes?

This kind of psychological profiling for political purposes would raise a number of serious questions. First of all, there is the question of whether this processing operation involves processing of “special categories of data”. According to Article 8(1) of Directive 95/46, “Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.” There are several exceptions to this prohibition, of which only two would conceivably be applicable to this kind of profiling:

  • if the data subject has given his explicit consent to the processing of those data (letter a) or
  • the processing relates to data which are manifestly made public by the data subject (letter e).

In order for this kind of psychological profiling to be lawful, the controller must obtain explicit consent to process all the points of data used for every person profiled. Or the controller must only use those data points that were manifestly made public by a person.

Moreover, under Article 15(1) of Directive 95/46, the person has the right “not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.”. It of course remains to be interpreted to what extent psychological profiling for political purposes produces legal effects or significantly affects the person.

Another problem concerns the obligation of the controller to inform every person concerned that this kind of profiling is taking place (Articles 10 and 11 of Directive 95/46) and to give them details about the identity of the controller, the purposes of the processing and all the personal data that is being processed. In addition, the person should be informed that he or she has the right to ask for a copy of the data the controller holds about him or her and the right to ask for the erasure of that data if it was processed unlawfully (Article 12 of Directive 95/46).

Significantly, the person has the right to opt out of a processing operation, at any time, without giving reasons, if that data is being processed for the purposes of direct marketing (Article 14(b) of Directive 95/46). For instance, in the UK, the supervisory authority, the Information Commissioner’s Office, issued Guidance for political campaigns in 2014 and gave the example of “a telephone call which seeks an individual’s opinions in order to use that data to identify those people likely to support the political party or referendum campaign at a future date in order to target them with marketing” as constituting direct marketing.

Some thoughts

  • The analysis of how EU data protection law is relevant for this kind of profiling would be more poignant if it were made under the General Data Protection Regulation, which will become applicable on 25 May 2018 and which has a special provision for profiling.
  • The biggest ever fine issued by the supervisory authority in the UK is 350.000 pounds, this year. Under the GDPR, breaches of data protection rules will lead to fines of up to 20 million euro or 4% of the controller’s global annual turnover for the previous year, whichever is higher.
  • If any company based in the UK used this kind of psychological profiling and micro-targeting for the Brexit campaign, that processing operation would undoubtedly fall under the rules of EU data protection law. This holds true for any analytics company that provides these services to political parties anywhere in the EU using personal data of EU persons. Perhaps this is a good time to revisit the discussion we had at CPDP2016 on political behavioural targeting (who would have thought the topic would gain so much momentum this year?).
  • I wonder if data protection rules should be the only “wall (?)” between this sort of targeted-political-message-generating campaign profiling and the outcome of democratic elections.
  • Talking about ethics, data protection and big data together is becoming more urgent every day.


AG Sharpston: legal analysis regarding a person’s situation is not personal data

Advocate General Sharpston delivered her Opinion on December 12, 2013, in Joined Cases C-141/12 and C-372/12, Y.S. v. Minister voor Immigratie, in which she analysed the content of the right to access personal data contained in a minute created during an administrative procedure. The case is interesting, as it interprets both Article 12 of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the EU.

According to the summary of the case drafted by AG Sharpston in her Opinion (see para. 1), “Y.S., M. and S. are third country nationals who have applied for lawful residence in the Netherlands. Y.S.’s application was refused. Those of M. and S. were granted. Each relies on EU law in order to obtain access to a document (‘the minute’) drafted by an official of the relevant authority and containing a legal analysis in the form of internal advice on whether to grant residence status. They argue that the legal analysis is personal data and thus, as a matter of EU law, they have the right to access the minute.”

In the case of Y.S., following the applicant’s request for access to the minute drafted for the decision, the Minister refused to provide access, on the ground that the minute contained, apart from personal data, a legal analysis. The Minister did provide, in so far as necessary, an overview of the data contained in the minute, the origin of that data and the authorities which had access to the data. Y.S. challenged the decision, and the court of appeals referred several questions to the CJEU.

In the case of M. and S., the Ministry rejected their requests, but two Dutch courts annulled the decisions of rejection and obliged the Ministry to give the applicants a copy of the respective minutes. The Ministry challenged these court decisions before the Raad van State, which referred several questions to the Court of Justice of the European Union under the preliminary ruling procedure.

Main referred questions

The questions are relevant to the correct application of the right to access personal data.

The first question asks whether the second indent of Article 12(a) of [Directive 95/46] should be interpreted to mean that there is a right to a copy of documents in which personal data have been processed, or whether it is sufficient if a full summary, in an intelligible form, of the personal data that have undergone processing in the documents concerned is provided.

The second question asks whether the words “right of access” in Article 8(2) of [the Charter] should be interpreted to mean that there is a right to a copy of documents in which personal data have been processed, or whether it is sufficient if a full summary, in an intelligible form, of the personal data that have undergone processing in the documents concerned is provided, within the meaning of the second indent of Article 12(a) of [Directive 95/46].

Another question asked by the Dutch court is whether a legal analysis, as set out in a minute, could be regarded as personal data within the meaning of Article 2(a) of [Directive 95/46].

The referred questions also cover the realm of the exceptions to the right to access personal data, as enshrined in Directive 95/46. In this regard, question 6 of the Raad van State asks whether the protection of the rights and freedoms of others, within the meaning of Article 13(1)(g) of [Directive 95/46] …, also covers the interest in an undisturbed internal exchange of views within the public authority concerned. Also, if the answer to that is in the negative, can that interest then be covered by Article 13(1)(d) or (f) of that directive?

AG Sharpston: “only information relating to facts about an individual can be personal data”

AG Sharpston acknowledges that “personal data is a broad concept” (para. 44) and “It can be understood to relate to any facts regarding that person’s private life and possibly, where relevant, his professional life (which might involve a more public aspect of that private life)” (para. 45).

As such, “information included in the minute relating to facts such as the name, date of birth, nationality, gender, ethnicity, religion and language of an applicant is ‘personal data’ within the meaning of Article 2(a) of Directive 95/46” (para. 46).

However, the Advocate General does not consider that legal analysis is personal data. As a consequence, access should not be granted, on the legal ground of the right to access personal data, to the part of the minute which contains the legal analysis regarding the applicants’ request.

To justify her view, AG Sharpston argues that “only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not” (para. 56).

Further, the Advocate General explains that “facts can be expressed in different forms, some of which will result from assessing whatever is identifiable. For example, a person’s weight might be expressed objectively in kilos or in subjective terms such as ‘underweight’ or ‘obese’. Thus, I do not exclude the possibility that assessments and opinions may sometimes fall to be classified as data” (para. 57). “However, the steps of reasoning by which the conclusion is reached that a person is ‘underweight’ or ‘obese’ are not facts, any more than legal analysis is” (para. 58).

In my opinion, the most convincing legal argument for the view that legal analysis regarding facts about an identified person is not personal data is the one stating that “legal analysis as such does not fall within the sphere of an individual’s right to privacy. There is therefore no reason to assume that that individual is himself uniquely qualified to verify and rectify it and ask that it be erased or blocked. Rather, it is for an independent judicial authority to review the decision for which that legal analysis was prepared” (para. 60).

In other words, access to legal analysis would not serve the purpose of exercising the other rights of the data subject: the right to erasure, the right to rectification etc. So perhaps another question one could ask is whether the only purpose of the right to access personal data is the possibility for the data subject to exercise the other rights she has regarding the processing of her data.

The other question one could ask is how a person can ask an independent judicial authority to review the decision for which that legal analysis was prepared, if she doesn’t know the content of the decision. Nevertheless, the answer to this last question is more substantially linked to the right to an effective judicial remedy.

The form in which access should be granted to personal data

AG Sharpston also addresses in her Opinion the question of the form in which access to personal data must be granted, having regard to the fact that the referring courts asked whether a copy of the minute has to be provided to the applicants.

First, the Advocate General establishes that the right to access as provided in Article 8(2) of the EU Charter “does not articulate a separate standard governing the form in which access must be made available” (para. 70) from the one in Article 12 of Directive 95/46.

“When read together with the principle of proportionality and legal certainty, I interpret Article 8(2) of the Charter to mean that access need not go beyond what is necessary in order to achieve its objectives and to give the data subject full knowledge of the personal data that are protected under that provision. The requirement set out in Article 12 of Directive 95/46 corresponds to those principles. For that reason, I do not consider that a separate inquiry into the form of access under Article 8 of the Charter is necessary” (para. 70).

AG Sharpston further considers that “Depending on the circumstances, a copy might be neither necessary nor sufficient” (para. 73). She explains that “Directive 95/46 does not require personal data covered by the right of access to be made available in the material form in which they exist or were initially recorded. In that regard, I consider that a Member State has a considerable margin of discretion to determine, based on the individual circumstances in case, the form in which to make personal data accessible” (para. 74).

The Advocate General adds that “In making that assessment, a Member State should take account of, in particular:

(i) the material form(s) in which that information exists and can be made available to the data subject,

(ii) the type of personal data and

(iii) the objectives of the right of access.” (para. 75).

The conclusion is that “the fact that personal data are contained in a document such as a minute does not imply that the data subject automatically has the right to that material form, that is to say, a copy or extract of that document” (para. 79).

The second indent of Article 12(a) of Directive 95/46 states that the data subject has the right to obtain from the controller “- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source”. Hence, all the data undergoing processing must be communicated to the data subject “in an intelligible form”.

In my view, there are two possible variations of personal data undergoing processing that can be the object of an access request: (1) data processed in a form intelligible to the data subject and (2) data processed in a form not intelligible to the data subject (such as binary language, code, a foreign alphabet etc.). Whenever data is processed in a language (understood lato sensu) which is accessible to the data subject, she is entitled to receive a copy of that data, be it an extract of a larger material form in which the data is processed. If the data is processed in a form not intelligible to the data subject, she is entitled to receive the processed data, in a specific material form, translated into a language intelligible to the data subject.

In fact, as the online Oxford dictionary reveals, the origin of the noun “copy” ultimately rests in Latin: copia ‘abundance’ (in medieval Latin ‘transcript’, from such phrases as copiam describendi facere – ‘give permission to transcribe’). So a copy of personal data can be understood not only as an identical specimen to the original data, but also as a transcription of the original data.

Regarding the case at hand, I consider that as long as the facts of the applicants’ case are considered “personal data”, the applicants are entitled to receive a copy of the personal data contained in the minute, in the form of a photocopy of the minute in which all the information which is not considered to be personal data is redacted (erased or covered with a black or blank line etc.). I do not see why it would be disproportionate to communicate the personal data contained in the minute in this manner. Moreover, I consider that such a copy is the only one which ensures the effectiveness of the exercise of the other rights of the data subject, especially the right to rectification.

Exceptions to the right to access – “the protection of rights and freedoms of others cannot be read as including rights and freedoms of the authority processing personal data”

Finally, AG Sharpston argues that, if the legal analysis could be considered personal data, then the data controller cannot invoke Article 13(1)(g) as a justification for not offering access to the processed data: “the protection of rights and freedoms of others (that is, other than the data subject) cannot be read as including rights and freedoms of the authority processing personal data. If a legal analysis is to be categorised as personal data, that must be because it is related to the private interests of an identified or identifiable person. Whilst the public interest in protecting internal advice in order to safeguard the administration’s ability to exercise its functions may indeed compete with the public interest in transparency, access to such advice cannot be restricted on the basis of the first of those two interests, because access covers only what falls within the private interest” (para. 84).

One last observation: what would the ECHR say?

On 22 May 2012, the European Court of Human Rights gave its decision in a case which presents certain similarities with the case at hand, Trăilescu v. Romania (5666/04 and 14664/05; only available in French and Romanian). The applicant considered that his right to private life, as enshrined in Article 8 of the European Convention on Human Rights, was breached because the Ministry of Justice refused him access to his evaluation file, which was created in a decision process with regard to his admission to the body of magistrates. The applicant passed the exam to become a magistrate, but he was informed by the procureur général (Prosecutor General) that he would not be appointed as a magistrate because he did not have a good reputation, a condition imposed by Law no. 92/1992. According to the Court, “in reaching that decision, the public prosecutor’s office relied on several facts, as they emerged from the ‘personal’ file (dosarul de personal) drawn up by the prosecutor’s office attached to the Mehedinţi county court following inquiries made about the applicant in 2000 and 2001. It appears from the ministry’s decision that the ‘personal’ file consisted of information provided by the applicant’s former employers, by his acquaintances and by the Orşova police, of recommendations and of other documents.”

The applicant contested that decision in court and during the proceedings he also asked to be granted access to his file. However, he did so by invoking the right to access information of public interest. His request was rejected by the national courts, which argued that the information contained in the file is personal and not of public interest.

The ECHR considered in its decision that the applicant did not exhaust all the remedies in the national judicial system, because he did not ask for access to his file pursuant to Law no. 677/2001 on the protection of individuals with regard to the processing of personal data (which transposes Directive 95/46 in Romania).

The ECHR stated in its decision that “Law no. 677/2001 also describes the procedure to be followed by any interested person in order to obtain access to classified personal data, and access to a court is provided for by Article 18 of that law (paragraph 39 above). Nothing indicates that the review exercised by the court is limited in any way such that the effectiveness of such a remedy could be doubted from the outset. In those circumstances, the Court considers that there is nothing to suggest that the provisions of Law no. 677/2001 did not offer the applicant the possibility of obtaining redress for his complaint, or that such a remedy presented no reasonable prospect of success” (para. 70).

In other words, the Court in Strasbourg expressed its expectation that a request such as the one in the main proceedings, grounded in the right to access personal data, presents “a reasonable perspective of success.”

NOTES:

I would like to thank Mihaela Mazilu-Babel for pointing out this AG Opinion.

The CJEU is expected to deliver its decision in 2014.

Good news for privacy specialists: EU will oblige big companies and public institutions to name data protection officers!

The data protection reform in the EU is serious. So serious that the European Union actually imposes, through the new regulation, a mandatory data protection officer for the public sector and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.

There is an entire section (Section 4 of Chapter IV) in the proposed regulation dedicated to the “data protection officer”. It builds on Article 18(2) of Directive 95/46/EC, which gave Member States the possibility to introduce such a requirement as a substitute for a general notification requirement.

According to Article 35 of the proposed regulation, a data protection officer shall be designated in the following cases:

– when the processing is carried out by a public authority or body;

– when the processing is carried out by an enterprise employing 250 persons or more;

– when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

The Regulation, at Article 35(5), also imposes strict requirements on the person who will be designated data protection officer, as he or she must be appointed on the basis of “professional qualities and, in particular, expert knowledge of data protection”. From this we understand that companies and public institutions are not allowed to simply name one of their current employees to such a position, unless that employee receives adequate qualifications in the data protection field.

Article 35(7) establishes a minimum period of employment of 2 years, while Article 35(10) states that data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request the exercise of the rights under this Regulation.

A quite independent position

The data protection officer will enjoy as much independence as possible in the context of an employment relationship. As such, Article 36(2) requires the controller or processor to “ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor”.

These developments are huge in the data protection field and they show that the EU takes as seriously as possible the threat of intrusion into individuals’ private lives through weak protection of their personal data.

Tomorrow I’ll write about the specific tasks a data protection officer will have, according to the proposed regulation.

The Publication of the New EU Data Protection Directive, Delayed

The details of the reform of Directive 95/46/EC were supposed to be published in November. But a representative of the European Commission announced last week that the publication will be delayed.

Matthew Newman, a spokesperson for European Commission Vice President Viviane Reding, told the IAPP Europe Data Protection Digest that “this is a comprehensive reform” and the timing for publication is “within 20 weeks.”

In a speech in May, Reding boiled down the reform to “four important changes,” including making the directive enforceable for countries outside the EU that “target” EU citizens; including “data protection by design;” revising the rules on adequacy as well as streamlining and strengthening “procedures for international data transfers,” and the creation of a “mechanism” for third-country providers, possibly an “EU Safe Harbour system.”


Opinion of the European Data Protection Supervisor on the Proposal for a Directive on Credit Agreements Relating to Residential Property

On 31 March 2011, the Commission adopted a proposal for a Directive of the European Parliament and of the Council on credit agreements relating to residential property.

The proposal involves a limited number of activities which have relevance under the EU data protection regime. These are mainly related to the consultation by creditors and credit intermediaries of the so-called “credit database” with the purpose of assessing the creditworthiness of consumers and to the release of information by the consumers to the creditors or credit intermediaries.

The European Data Protection Supervisor issued an official opinion on this directive proposal at the end of July. The EDPS suggests some modifications to the original text, in the following directions:

1. The introduction of a new article which will reflect that the national laws implementing Directive 95/46/EC are the appropriate references and emphasise that any data processing operation must be carried out in accordance with those implementing laws.

2. The text of the proposal could specify in a more detailed way the sources from which information on the consumers’ creditworthiness can be obtained.

3. The text of the proposal should include the definition of criteria for the possibility to consult the database and the obligation to communicate the data subjects’ rights before any access to the database, thereby ensuring concrete and effective possibilities for data subjects to exercise their rights.
