100 points to know about...
Inclusive project management

Notion 27

First GDPR principle: lawfulness, fairness, transparency

Target skills

Learn more about the first GDPR principle.

The core of the General Data Protection Regulation consists of 7 principles, which you were briefly introduced to in a previous lesson, Notion 18. In this lesson we will explain each of the principles in more detail. Here we will introduce you to principle No. 1 (lawfulness, transparency and fairness) of the GDPR.

What is lawfulness?

When an organisation processes personal data, it must always do so in accordance with the law (GDPR). In other words, there must be a legitimate legal basis (grounds) for processing personal data.

The specific grounds for processing data must be identified and at least one of the following must apply:

  • a) The data subject has consented to the processing of his/her personal data for one or more specific purposes.
  • b) The collection of the data is necessary for the future processing of a contract in which the data subject is an interested party.
  • c) The person in the organisation who is responsible for processing the data is legally obliged to do so.
  • d) The data must be processed in order to protect the vital interests of the data subject.
  • e) The processing is necessary for the performance of a task carried out by the "data controller" (see Notion 26) in the public interest or in the exercise of official authority vested in the data controller.
  • f) The organisation (or another party) has a legitimate interest in processing the data, unless the interests or fundamental rights of the data subject override this interest.

In summary, the processing of data is 'lawful' or legitimate if at least one of the above grounds is met. Again, it all depends on the intention and the relationship between the parties involved.

What is fairness?

When data is processed, it must be done in a way that people would expect and not in a way that has an unjustified negative impact on them. So when you process data, you need to ask yourself two things:
1) Will the processing have a negative impact on an individual or group?
2) Is the processing of data justified?

If it is not, then you are in breach of this principle. "If any aspect of your processing is unfair, you are in breach of this principle - even if you can show that you have a lawful basis for the processing." (ICO, s.a.).

What is transparency?

Transparency means being clear, honest and open. When it comes to privacy and data protection, this means that individuals should know from the outset how and why their personal data is being collected and processed. Therefore, an organisation needs to communicate this in simple language so that everyone can understand. When individuals have this information, they can exercise their rights.

To help you understand these concepts, here is a real-life example:
In March 2018, two of the world's biggest newspapers (The Guardian and the NY Times) published stories about "how the personal data of over 50 million Facebook users ended up in the hands of Cambridge Analytica" (Privacy International, 2019). The consulting and data analytics company (Cambridge Analytica) illegally obtained data from Facebook through a third-party app (a personality test), without users' consent and without a legal basis. This scandal was a catalytic event in terms of data protection laws and regulations. In fact, 2 months after this event, the GDPR came into force.

Therefore, it is fair to say that there was a complete breach of Principle No. 1 of the GDPR and we will explain why:
The personality test mentioned earlier ("This Is Your Digital Life") was developed by a Cambridge Analytica employee. The test created a psychological profile of the person answering the questions, which the company used to target individual voters with the aim of predicting and influencing people's voting decisions and increasing support for the 2016 Trump presidential campaign (Privacy International, 2019). For the test, there was an informed consent process for the research, with thousands of Facebook users agreeing to complete it for academic purposes only. However, Facebook allowed this application to collect personal data not only from respondents but also from their Facebook contacts.

Facebook's sharing of the data and Cambridge Analytica's use of the personal data without people's consent were completely illegal (lawfulness). People's fundamental rights and freedoms were violated, not to mention the potential negative impact on people on a collective level (powerlessness). Furthermore, there was the questionable way of asking people for their consent and then using their personal data as a strategy to target them and influence an election (transparency).

References: