Thursday 20 April 2017
The General Data Protection Regulation (“GDPR”) will apply from 25 May 2018 and will radically change data protection law. It introduces the principles of “data protection by design and by default” and the concept of “accountability”, together with significant financial penalties for non-compliance[i]. Unlike the existing data protection regime, which rests on a Directive transposed into national law, the GDPR is a European Regulation: it will apply directly across the EU from 25 May 2018 without the need for transposing legislation at national level (although the Oireachtas is expected to legislate to provide for certain derogations that the GDPR permits).
Data-Sharing in the Public Sector in 2017
The issue of data-sharing in the public sector was considered by the Court of Justice of the European Union (“CJEU”) in 2015 in the case of Bara and Others v Preşedintele Casei Naţionale de Asigurări de Sănătate and Others (Case Reference C-201/14, 1 October 2015)[ii]. The case concerned a challenge to the lawfulness of the transfer of personal data by the Romanian national tax authority to the national health insurance authority, for the purpose of enabling the health insurance authority to determine whether an individual could be categorised as an insured person. The data transferred included details of the individual’s income, even though the health insurance authority did not require that information in order to make the assessment. Romanian law provided that these transfers could be carried out under an agreed protocol concluded between the respective public bodies. That protocol was akin to an administrative measure rather than a primary legislative provision.
Finding in favour of Ms Bara, the CJEU noted that Article 13 of Directive 95/46/EC permitted Member States to restrict the scope of the obligations and rights provided elsewhere in the Directive where such a restriction constitutes
“a necessary measure to safeguard … an important economic or financial interest of a Member State … including monetary, budgetary and taxation matters … [or] … a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority [in certain cases]”.
The Court noted, however, that the Directive expressly requires any such restriction to be imposed by a legislative measure. As the transfer in this case took place on foot of a protocol (an administrative measure with no statutory basis), the Court found that the transfer of data between the national tax authority and the national health insurance authority was in breach of the Directive.
Our own Office of the Data Protection Commissioner (“the ODPC”) had considered a similar scenario some years earlier and reached the same conclusion (see Case Study 8 of 2002[iii]), but it took the opportunity created by the CJEU’s judgment in Bara to restate the importance of adherence to data protection law when sharing data. In its Guidance Note on Data-Sharing in the Public Sector[iv], the ODPC makes it clear that all data-sharing arrangements in the public sector should:
- Have a basis in primary legislation;
- Make it clear to individuals that their data may be shared and for what purpose;
- Be proportionate in terms of their application and the objective to be achieved;
- Have a clear justification;
- Share the minimum amount of data to achieve the stated public service objective;
- Have strict access and security controls; and
- Ensure secure disposal of shared data.
Work has been ongoing for some time with a view to establishing a number of different data-sharing initiatives across the public sector, for example, the HSE’s eHealth Ireland project that envisages the creation of a register of individual health identifiers for every person born or resident in Ireland. So how will these initiatives be affected by the entry into force of the GDPR?
While, at first glance, the obligations provided for by the GDPR appear broadly similar to those currently in place, the Recitals to the GDPR (the preamble text that explains the intent behind the operative Articles and guides their interpretation) suggest possible obstacles to the future of data-sharing initiatives.
The first point to note concerns consent as a lawful basis for processing. Where consent is relied upon, it must be freely given and given separately for each processing operation, and the Recitals cast real doubt on whether a public authority can rely on it at all:
“In order to ensure that consent [to processing] is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”[v]
It is clear from the Recital above that, in the context of public sector data-sharing initiatives, the question of whether consent can be relied upon at all, and if so how it is sought from and given by the data subject, will require very careful consideration in order to meet the higher standard set by the GDPR. In practice, a public body will usually need to rely on a different lawful basis, such as processing necessary for the performance of a task carried out in the public interest under Article 6(1)(e), rather than on the consent of the data subject.
The second point to note is that, as regards the underlying basis for the sharing of data, the Recitals state that such processing “should have a basis in Union or Member State law”[vi]. While this is nothing new, the Recitals go further:
“It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing.”[vii]
Article 6(3) of the GDPR reflects the above and further requires that “(t)he Union or Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued”[viii]. It therefore appears that the primary legislation forming the basis for any data-sharing initiative must go much further than simply providing for the processing; it must detail how the data-sharing will operate, the limits of any processing, the permitted storage period and other relevant matters. In addition, the GDPR requires that any sharing of data be no more than is necessary to meet the public interest aim pursued by the initiative.
The third point to note is the strengthened right to object to processing that is being carried out on either of the following grounds:
- it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)); or
- it is necessary for the purposes of the legitimate interests pursued by the controller (Article 6(1)(f)).
Article 21 of the GDPR provides that, where a data subject objects to the processing of his/her personal data in the scenarios outlined above, the controller, “shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”[ix]
What might constitute “compelling legitimate grounds” remains to be seen. Although a right to object existed under the Directive, the GDPR reverses the burden: it is now for the controller to demonstrate such grounds, rather than for the data subject to establish them. For public bodies, the first ground is the relevant one, since Article 6(1) itself provides that the legitimate-interests ground is not available to public authorities in the performance of their tasks. It is clear that this right to object has the potential to create very significant difficulties for any data-sharing initiative.
Finally, and potentially of most significance, the GDPR provides for a right to an effective judicial remedy against a data controller or processor (Article 79) together with a right to compensation (Article 82). These rights will enable the recovery of “full and effective compensation” for damage suffered, both material and non-material, as a result of a breach of the GDPR. The Recitals state that the concept of damage is to be “interpreted broadly” and will include matters such as:
“discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.”[x]
In order to avoid liability, a data controller will need to be in a position to prove that it is not in any way responsible “for the event giving rise to the damage”.
In addition, where the ODPC finds that a data controller has breached certain obligations, the GDPR permits administrative fines of up to €20m or 4% of total worldwide annual turnover for the preceding financial year (whichever is higher), the level depending on a range of factors including the nature, gravity and duration of the infringement and the number of data subjects affected.
The application of the GDPR from 25 May 2018 will bring with it enhanced rights for data subjects and more onerous obligations for data controllers and data processors. The potential consequences of non-compliance are so significant that public bodies, as data controllers, cannot afford to be complacent. In these circumstances, public bodies should not engage in data-sharing initiatives without giving due consideration to how they will protect the rights of individual data subjects and meet their increased obligations as data controllers under the new regime.
To do otherwise could be a very costly mistake.