It has been a significant few weeks for data protection with the latest ruling from the European Court of Justice. After seven years of debate and legal action (Hannah Kuchler, “Max Schrems: the man who took on Facebook — and won”, Financial Times), Max Schrems’ position has gained legal recognition, which has highlighted the real implications of the rights to privacy and data protection. The case demonstrated that just having an agreement or contract does not mean that the rights of data subjects are being protected. On the contrary, real due diligence is required alongside an understanding of the risks data processing poses to the rights of individuals. Sometimes, these rights are discussed in ways that make them seem confusing, hard to implement, costly or burdensome, but, in reality, these rights and the processes for safeguarding them can be relatively straightforward with sufficient organisational buy-in and the right support.
From where do rights emanate?
Privacy rights stem from several sources. On a European basis the European Convention of Human Rights from 1950 sets out plainly the right to privacy:
ARTICLE 8: Right to respect for private and family life
- Everyone has the right to respect for his private and family life, his home and his correspondence.
In Ireland, the Constitution does not specifically set out the right to privacy but the courts have recognised that the enshrined personal rights in the Constitution imply the right to privacy – sometimes called an unenumerated right. Privacy is seen as an enabler of other rights. The first example of this was in 1973 where the Supreme Court held that “In my view, Article 41 of the Constitution guarantees the husband and wife against any such invasion of their privacy by the State.”
When the General Data Protection Regulation (EU) 2016/679 was written it was seen as building on the Article 8 mentioned above by setting out rights in terms of data protection. When the Irish Data Protection Act was written in 2018, reflecting the GDPR, it made explicit the right to privacy in terms of our personal data.
What are these rights?
While the principles are set out in the GDPR quite clearly, in training to individuals we tend to summarise them as follows:
- Data that can be used to identify a person belongs to them and always belongs to them while they are alive.
- In most cases, the courts and / or the Data Protection Commission will enforce my rights because compliance is NOT optional even when expensive to achieve.
In the Schrems II case, the Court held that when personal data is being processed in the US, EU residents’ fundamental rights, which even governments must respect, were not being adequately upheld. Because of that view one Supervisory Authority, in Berlin, has requested the transfer of any personal data to the US, and its processing, to cease. How other Supervisory Authorities will react is not yet known.
Why is there still confusion?
There are several reasons for continued confusion and gaps in compliance among organisations that use personal data.
- Lack of knowledge. Given that the GDPR is now just over two years old, the clearly enumerated rights of data subjects are still unknown to some people. This is likely a result of a lack of awareness raising, training and open discussion.
- Legacy systems. Many IT systems were not built to handle data subject rights as outlined in current legislation. So many institutions, often with older systems, either cannot or do not want to invest in the changes necessary to support your rights.
- Reliance on suppliers. Organisations often rely on others to build in compliance into the systems they use. Regrettably, the average website developer or coder is not well-informed about what is required and, unless it is specified in the contractual requirements, they are unlikely to proactively take responsibility for ensuring privacy is built in by default.
- Security equated with data protection. Security is often confused with data protection and some organisations confuse the two. While security, in all its forms, underpins data protection, it is not sufficient on its own to ensure data privacy rights. In other words, a person’s data can be encrypted but it may still be used for purposes that are not lawful.
- Conflicting obligations. This is a common misunderstanding when organisations are managing multiple compliance demands. For example, in the financial crime sector, some stakeholders are under the impression that Anti-Money Laundering (AML) ‘trumps’ data protection. In fact, all processing is subject to our fundamental right to data protection and must be proportionate and explained before processing of personal data begins. The need for risk management and crime prevention does not support unbridled access to personal data even when in the public domain.
- New technology. With the further development of big data and voluntary sharing of personal data on social media there can exist a temptation to hoover up personal data with ever more powerful and autonomous technologies.
What can be done?
A multitude of measures must be combined to raise the understanding of data protection rights and obligations. Public service messaging, training for those who design the tools and processes of the future and support for SMEs in particular would be good early steps. A range of early initiatives have been introduced by the European, Irish and UK governments and regulators to support these, but more sustained campaigns would be of further significant benefit.
Furthermore, additional enforcement, in the form of monitoring of compliance and the imposition of fines where instructions from a Supervisory Authority are not followed would create more urgency for organisations to adopt more compliant practices. Nevertheless, regulators’ position as supportive institutions does encourage engagement and exchange among organisations actively tackling these issues.
In the provision of Data Protection Services to our clients, our focus on training and empowering staff to understand their own rights as individuals tries to pre-empt a ‘them and us’ approach. This encourages employees to view their organisation’s systems and processes with a perspective that safeguards rights alongside delivering organisational value.
If you think we might be able to assist your efforts to enhance your policies and procedures on supporting data subject rights or would like to access our staff training in the areas of data protection and security, please feel free to make contact with one of our teams.