Privacy and protection of our personal data is governed by the European General Data Protection Regulation
“No data can be collected for the purpose of advertising in general, the type of advertising must be specified”
There are some situations in which personal data can be processed without the explicit consent of the individual involved
Some of the clearest examples of personal data would be basic information such as your name, surname, address, telephone number or bank details. However, the term personal data actually covers much more than that. “Calling a certain person at a certain time also constitutes personal data, as does your geolocation. This is important information from which other issues can be inferred, for example, visiting a place where your ideology or religious beliefs can be deduced,” says Mònica Vilasau, professor of law and political science at the UOC open university and an expert in the protection of privacy and personal data.
Privacy and protection of our personal data is governed by a European regulation from 2016, the General Data Protection Regulation or GDPR, which came into full force in 2018, and which provides the foundation for a much wider set of rules. “The regulations are very complex and it depends on the specific data being assessed. It’s not the same to process data about your home as it is to process health data, which is considered more sensitive, or electronic communications data, which have their own specific regulations,” adds Vilasau. The digital trail each of us leaves due to our use of new technology is huge, and so the European regulation establishes a series of principles that must be respected with the aim of protecting all this data that is being continuously generated.
One of these principles is purpose limitation. This is a situation that when personal information is collected and processed, it must be for a specific and limited reason. “No data can be collected just for the purpose of advertising in general, what type of advertising will be carried out must be specified. The data must also be treated in a lawful, transparent, fair and appropriate manner,” says Vilasau, who also stresses that only the data that are strictly necessary for the specific stated purpose can be collected.
In addition, the regulation states that the collection and treatment of the personal data must be accurate and must have a specific duration, for example, just for the length of a school year or during a specific advertising campaign. Another basic principle is integrity and confidentiality, in other words ensuring that personal data is secure, properly stored, and never leaked. And this not only applies to digital security. Just last year, the Spanish Data Protection Agency sanctioned – with a serious warning but not with a fine – a law firm in the Canary Islands that had thrown away two rubbish bags that were full of personal documents such as wills and deeds. Another case was a breach in the security system of the health ministry in Madrid last summer that exposed the health data of more than 100,000 people.
Another basic principle of the regulation is what is known as proactive responsibility. “The person responsible for processing the data must anticipate any problems that may well arise. For example, when designing an application or a website, they must ensure that the user will have to provide as little personal data as possible,” says Vilasau.
This expert on data privacy also points out that technology is far from neutral and that when the architecture of a system is designed, then decisions that can affect privacy have to be made. She gives an example from the point of view of the public authorities, which have a duty to be transparent but depending on how they build their databases aimed at sharing public information they could end up unwittingly providing access to other sensitive data that should remain private. “When designing these types of databases, it’s extremely important that the information can be partially extracted from them,” she adds.
The thirst for data
“Many people want our data. Especially the big tech and e-commerce companies, in order to profile us and sell us products. But there are also other actors who are interested in our personal data, such as security agencies and governments,” says Jordi Soria, the head of technology and information security at the Catalan Data Protection Authority.
In Europe, the GDPR states that personal data can only be processed in six cases. The first and most important is only when the person in question has given his or her explicit consent. “We’re becoming more aware that our consent is required but in this society we’re bombarded with constant information, and so we’re saturated and we tend to click on “accept” too quickly without stopping to consider the implications of the request,” Vilasau points out.
There are some situations in which personal data can be processed without the explicit consent of the individual involved. In these cases, at least one of the following conditions must be met: if it is to protect the vital interests of the individual (such as in the event of disasters, humanitarian crises or even pandemics); if it is in the public interest (such as when requesting data from sex offender registries when hiring someone to work with children); when there is a contractual need in business, labour or administrative relations (such as accessing the data of an identity card of a company employee); if it is to comply with legal obligations (such as with billing data), and if it can be shown that it is in the legitimate interest of the data controller, or the party wanting to process the data. This latter condition is the least well defined and all the experts insist that it should be studied on a case-by-case basis. “It’s about finding the right balance between the interests of the person affected and the general interest of the company, the school, the foundation, or whoever it is requesting to process the information. For example, in certain marketing situations, if I want to process personal data in order to send you advertising, the first thing to consider is whether the use of the data is legitimate. Another example would be whether appropriate measures will be taken to protect privacy if minors are involved. In short, the context of the processing of the personal data needs to be studied in order to determine if the interest under consideration is truly legitimate,” says Vilasau.
All of these aspects must be taken into account by companies, institutions, administrations and even self-employed workers who have to process this type of data. Of course, at the same time, European law also protects the rights of individuals with regard to the use that may be made of their personal information. “Data protection authorities ensure that these rights are respected. Those affected may request intervention or judicial protection if they consider that their rights have not been respected,” adds the expert.
One of the main rights is transparency of information: at all times the organisations or companies that process personal data must explain to those affected why they have it and under what conditions. Another right is to have erroneous data corrected. For example, in the case of an insurer who identifies a certain customer as a smoker when in fact they are not. Failing to correct information like this could be prejudicial if that person takes out medical insurance.
This access to your own personal data must also be made simple and must be free. “We receive many inquiries from people who want to know what personal information of theirs may be circulating on the Internet. But it is not us they should ask but rather the companies to whom they have given consent to access and process their data,” says Soria.
In general, says the head of the Catalan Data Protection Authority, we’re largely unaware of the value of our personal data, and also of who has it. “We click “accept” without really knowing what we’re doing, and without reading anything. It’s very difficult not to do this as it takes a lot of effort to stop and really consider what we’re consenting to with this simple gesture,” he insists.
And the data protection head adds that it is also extremely important for us to be aware of the personal material that we ourselves may make public online. “Whenever you post some personal data on the Internet, this information is very often not limited just to the place where you posted it. This means that we have to be aware not only of the authorisations concerning data that we give others, but we also have to think twice before posting anything ourselves on social media. Once it’s on the internet, you no longer control where it might end up,” concludes Vilasau.
feature online privacy
feature online privacy
Pandemic thermometers and health information
The pandemic raised a number of doubts regarding the processing of health data, a type of personal information that is considered especially sensitive. It was clear from the outset that, according to the regulations, data protection could not be used as an argument for “obstructing or limiting the effectiveness of the measures adopted by the authorities, especially the health authorities, in the fight against the pandemic,” as the Spanish Data Protection Agency (AEPD) stated at the time. Thus, measures such as the Covid passport have had all the necessary legal protection to be able to be implemented
A separate issue, however, was the taking of temperature when people were accessing establishments and services once the lockdown was over. First, there was some debate about whether or not temperature-related information should be considered personal data. The AEPD considered that it should be, that body temperature is data in itself that obviously allows us to know if a person is ill or not. Then there was the issue of checking temperatures in a public space, with the risk that third parties could unjustifiably obtain this information. Questions like these meant that following the lockdown, with thermometer guns proliferating everywhere, the health authorities were asked to establish clear criteria. In the end, the authorities said that it was in the general interest to ensure the preservation of public health and that if the temperature was simply taken without collecting the data, then no rights were being violated. In the case of workplaces or schools, it was also considered necessary to take people’s temperatures as a safety measure for the whole group, as long as the official health recommendations were followed and the data was not used for any other purpose.
Health data are considered a special category in European regulations, and have special protection. As an example, at the end of last year, the 2007 Catalan law on social services had to be amended to make it possible for social services and health services to share information from people cared for in both areas, in order to improve their integrated care.