Published on April 15, 2018
The old Data Protection Directive of 1995 was outdated. It
failed to cover, for example, social networking sites, cloud
computing, location-based services, smart cards and biometric
data. In 2012 the European Commission proposed a
comprehensive reform of the EU’s data protection rules to
strengthen privacy rights and boost Europe’s digital economy.
Unlike directives, the GDPR does not require national
governments to pass any enabling legislation. It is directly
binding and applicable.
All seven principles governing the OECD’s
recommendations for protection of personal data are
incorporated into the new EU regulation.
Article 4(1) defines “personal data” as follows: ‘personal
data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an
identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an
identifier such as a name, an identification number,
location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that
This definition is broad and fairly all-encompassing. It
includes any information relating to an identified individual
(which makes such information personal to that individual), or
any information relating to someone who could be identified
based on a variety of identifiers.
Article 4 defines data controllers and data processors as
follows: (7) ‘controller’ means the natural or legal
person, public authority, agency or other body which, alone
or jointly with others, determines the purposes and means of
the processing of personal data; where the purposes and
means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its
nomination may be provided for by Union or Member State law;
and (8) ‘processor’ means a natural or legal person,
public authority, agency or other body which processes
personal data on behalf of the controller;
Data processing must be “lawful”, meaning it must be
justified by a legitimate purpose in order to be permissible.
For “legitimate interests” the interests that are important to
a business or organisation are not enough. These conditions
Note that this condition is not available to processing
carried out by public authorities in the performance of their
The GDPR defines biometric data as a special category of personal
data and prohibits its processing, thereby protecting people
from having their information shared with third parties
without their consent.
Biometric data are: _“personal data resulting from specific
technical processing relating to the physical, physiological
or behavioural characteristics of a natural person, which
allows or confirms the unique identification of that natural
person, such as facial images or dactyloscopic data”._
Processing of special categories of data for the purpose of
"uniquely identifying a natural person" is prohibited, but the
prohibition has some exceptions.
The Regulation states that consent must be explicit before
the collection of the data. That is, users must be opted out by
default and be provided with an opt-in, instead of being
opted in by default (often without their knowledge) and then having to
search for an opt-out. Also, “the data subject shall have the
right to withdraw his or her consent at any time”.
Data breaches must be notified within 72 hours
If a company or organisation discovers a data breach, then
processors must inform the authorities within 72 hours of
discovery. Companies managing biometric information can be hit
with penalties if they do not make efforts to secure that
data. Big penalties.
Article 25, Data Protection by Design (DPbD), seeks to
embed privacy protection at every level from conception to
deployment. DPbD is not only about technological design. It
extends to IT systems, accountable business practices, and
physical design and networked infrastructure. This integrated
approach is “an important factor in avoiding falling into
techno-centric solutions to a sociotechnical problem.”
In usual engineering practice, legal issues are considered
obstacles to be overcome after a novel IT solution has been
built and is to be rolled out. DPbD uses a reversed approach,
whereby systems and processes are conceived and developed with
privacy protection at their core.
Under the old directive that aimed to regulate data
correlation, not just data collection, it was illegal to
process personal data without a “legitimate interest”, and
that legal basis was unavailable to data brokers (Opinion
06/2014 on the notion of legitimate interests of the data
controller under Article 7 of Directive 95/46/EC). Now,
_Recital 47 - General Data Protection Regulation (GDPR) -
Overriding legitimate interest_ states: “[t]he processing
of personal data for direct marketing purposes may be
regarded as carried out for a legitimate interest”.
Can the data industry rely on legitimate interests or is it
required to obtain consent despite the absence of a
relationship with the data subjects? Under the GDPR, the legal
basis for processing personal data requires the
processing to be described with specificity in advance.
Without it, using that data for Big Data Analytics & AI
produces unlawful results exposing organisations, their
partners and their customers to legal liability.
_Recital 26 - General Data Protection Regulation (GDPR) - Not
applicable to anonymous data_ explicitly states that “The
principles of data protection should apply to any
information concerning an identified or identifiable natural
person. Personal data which have undergone pseudonymisation
[...] should be considered to be information on an
identifiable natural person.”
Recital 26 also states that data that has been truly
anonymised lies outside the scope of the regulation: “The
principles of data protection should therefore not apply to
anonymous information, namely information which does not
relate to an identified or identifiable natural person or to
personal data rendered anonymous in such a manner that the
data subject is not or no longer identifiable. This
Regulation does not therefore concern the processing of such
anonymous information, including for statistical or research
This means that anonymisation not only offers a more powerful
means of securing personal data, but also enables the use of
data for purposes such as marketing or analysis without
violating an individual's data privacy, provided that it
adequately protects the data.
Article 80 of the GDPR allows civil-liberties or
consumer-protection representatives to advocate on behalf of
the community or public interest.
Non-EU established organisations will be subject to the GDPR
where they process personal data about EU data subjects.