Practical guidance on how to process mixed datasets

The European Commission has published guidance on the interaction between the Regulation on the free flow of non-personal data and the GDPR.

One year after the GDPR started to apply, most controllers are (or at least they should) well aware of the security and privacy requirements that should govern the datasets which contain personal data. However, what happens when those datasets include not only personal data but also non-personal information?

There is a new Regulation (Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union), applicable as of 28 May 2019, that sets out the conditions for the processing and transfer of non-personal data in the European Union and aims at removing obstacles to the free movement of non-personal data across Member States and IT systems in Europe. Accordingly, when it comes to mixed datasets, one should consider not only the GDPR but also this new Regulation.

The European Commission has published guidance in order to clarify the interaction between the Free Flow of Non-Personal Data Regulation and the GDPR.

For the purposes of the Free Flow of Non-Personal Data Regulation, non-personal data means:

  • data which originally did not relate to an identified or identifiable natural person, such as data on weather conditions generated by sensors.
  • data which were initially personal data but were later made anonymous.

It is defined simply as the opposite of the GDPR's concept of personal data.

The Free Flow of Non-Personal Data Regulation has three notable features:

  • It prohibits, as a rule, Member States imposing requirements on where data should be localised.
  • It establishes a cooperation mechanism to make sure that competent authorities continue to be able to exercise any rights they have to access data that are being processed in another Member State.
  • It provides incentives for industry, with the support of the Commission, to develop self-regulatory codes of conduct on the switching of service providers and the porting of data.

Datasets containing the names and contact details of legal persons are in principle non-personal data, except in some cases, such as when the name of the legal person is the same as that of the natural person who owns it, or when the information relates to an identified or identifiable natural person.

In the case of a dataset composed of both personal and non-personal data:

  • The Free Flow of Non-Personal Data Regulation applies to the non-personal data part of the dataset;
  • The GDPR free flow provision applies to the personal data part of the dataset; and
  • If the non-personal data part and the personal data parts are ‘inextricably linked’, the data protection rights and obligations stemming from the GDPR fully apply to the whole mixed dataset, also when personal data represent only a small part of the dataset.

What does ‘inextricably linked’ mean?

The concept of ‘inextricably linked’ is not defined by either of the two Regulations. For practical purposes, it can refer to a situation whereby a dataset contains personal data as well as non-personal data and separating the two would either be impossible or considered by the controller to be economically inefficient or not technically feasible. For example, when buying CRM and sales reporting systems, the company would have to duplicate its cost on software by purchasing separate software for CRM (personal data) and sales reporting systems (aggregated/non-personal data) based on the CRM data. Separating the dataset is also likely to decrease the value of the dataset significantly. In addition, the changing nature of data makes it more difficult to clearly differentiate and thus separate between different categories of data.

What is the conclusion then?

Whenever personal data is involved, the GDPR applies. However, the Free Flow of Non-Personal Data Regulation gives controllers the option of managing personal and non-personal data differently where the two are suitably separated.

This new Regulation, combined with the GDPR, provides the EU with the most stable legal framework for the free movement of all data within the European Union.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

What data should a controller disclose under a data subject access request?

A recent decision from the Cologne Regional Court addresses whether individuals are entitled to receive emails and personal notes as part of a DSAR.

“I want access to all personal data you handle about me”. What should you do as the controller if you receive an email like this? According to GDPR, individuals have the right to obtain:

  • confirmation that you are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information, which largely corresponds to the information that you should provide in the privacy policy.

What does “personal data” mean in terms of a DSAR? Even though this concept is clear for some data categories, like contact data, for others it may be tricky, especially when it comes to information that might affect other people’s rights and freedoms.

The GDPR states that the right of access “should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software”. However, expert opinions vary as to which data should actually be considered to affect third parties. The Data Protection Act 2018 settles this criterion on the likelihood that another individual could be identified from the information disclosed. On a related note, the Cologne Regional Court recently reached a decision asserting that the right of access does not cover all internal processes, such as notes. Moreover, the court held that the data subject is not entitled to receive all exchanged correspondence. Legal evaluations or analyses are also not considered personal data in these terms. This means that information such as ratings and private notes about employees’ performance or appraisals need not necessarily be disclosed under a DSAR.

We think this is an accurate criterion that properly resolves the data subject access request and protects the controller’s interests. However, although this is a binding decision from the Cologne Regional Court, it does not generally apply to other countries that are subject to the GDPR, so it remains to be seen if this rule becomes a standard.

Workplace collection of Biometric Data

Does the collection of biometric data by an employer violate privacy?

For the first time in Australian history, an employee was fired for refusing to provide biometric finger scanning data required by his employer.

The employee believes that he was wrongfully terminated. After his unfair dismissal claim was denied by an Australian Fair Work commissioner, the employee appealed to the full bench of Australia’s Fair Work Commission (FWC). He argued that the FWC failed to consider whether the request to comply with the fingerprint scanning policy was lawful and reasonable, particularly when the employee refused to consent to the disclosure of his biometric data. The employee was concerned about the collection of sensitive data and a potential violation of the Australian Privacy Act.

The Fair Work Commission Full Bench granted permission to appeal, as it was satisfied that the matter raises “important, novel and emerging issues” which the full bench has not previously considered. The FWC will consider current technology and privacy rights in its ruling, which could lead to future standoffs between employers and employees over the collection of biometric information.

What if this happened in Europe?

According to the EU GDPR, the processing of employees’ biometric data by an employer would normally require consent. “For consent to be valid, it must be freely given. Where the employer threatens to fire the employee if they do not give consent to process their biometric data, such consent is unlikely to be freely given,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.

Google’s Huawei ban

Google blocks Huawei’s access to Android after the company was blacklisted over security and privacy concerns

The Trump administration has added Huawei to the U.S. Department of Commerce’s Entity List via executive order, thereby blacklisting the company as far as U.S. corporations are concerned. The world’s second biggest smartphone maker, Huawei, has been barred by Google from some updates to the Android operating system. The US tech firm is suspending all business activity with Huawei related to “non-public” transfers of hardware, software and technical services.

Huawei CEO Ren Zhengfei had told reporters “we have already been preparing for this. It is expected that Huawei’s growth may slow, but only slightly. Policies that threaten trading partners one after another rob companies of risk-taking attitudes and the U.S. will lose credibility.”

Huawei’s phones are unavailable to buy in the US following concerns by the US government about the company’s links to the Chinese government, so a ban of this nature won’t really affect US consumers. Instead, it’s more likely to have an effect in the UK and Europe, some of Huawei’s biggest phone markets.

What does this mean for existing Huawei users?

Existing Huawei smartphone users will still be able to update apps, receive security fixes and update Google Play services. Unfortunately, when Google launches the next version of Android, it may not be available on Huawei devices. Alongside that, YouTube and Maps are among the apps that won’t be on Huawei devices.

Why has this happened?

The Chinese tech giant has been accused of spying by the US Government. This is the reason it has been banned, as part of the escalating cold war between the two countries.

When will the ban apply?

Even though the ban has already come into force, the Trump administration has issued a licence that will allow US companies to keep doing business with Huawei for the next three months.

Huawei claims there is no spy software or hardware in its devices. If the accusations were confirmed, not only would the US ban apply, but Huawei’s smartphones would also breach the GDPR’s privacy requirements.