Marte van Graafeiland and Nina Bontje, privacy law attorneys at Pels Rijcken, gave a workshop during the conference Insight into Digitization on the legal consequences that the General Data Protection Regulation (AVG) has for new technological developments and innovations. The AVG has been applicable since May 25, 2018, and its main purpose is to further harmonize the rules on the protection of personal data of the European member states. In doing so, member states are given room to regulate certain parts themselves, which in the Netherlands has resulted in the AVG Implementation Act.

Authors: Marte van Graafeiland, Nina Bontje
The personal data concept is very broad, so the AVG and Implementation Act will readily apply to processing operations in the context of innovations. The workshop's audience was therefore drawn from both the private and public domains. Van Graafeiland and Bontje first briefly discussed the substantive principles of data processing. These principles are largely the same under the AVG as under the previous Personal Data Protection Act (Wbp). It is important to always observe the principles when processing personal data. Only if the principles are met can compliance with the regulations under the AVG be achieved.
The principle of transparency was discussed, as the AVG creates new obligations for the controller and processor, as well as expanded rights for the data subject. For example, the controller and processor of personal data must keep a processing register, which must include information about all processing activities. The idea behind this obligation is that organizations should make it clear to themselves how data processing operations are regulated internally, so that they can check for themselves whether the organization is compliant with the AVG. The supervisory authority, in the Netherlands the Autoriteit Persoonsgegevens, can also ask for this processing register. In addition, the controller and processor must inform data subjects about, among other things, what happens to personal data and how long it is kept. This can be done in a privacy statement. Furthermore, the data subject has, in principle, the right to access the personal data processed about him or her, although there are some exceptions to this right. For example, the AVG contains an anti-abuse provision. The idea behind the right of inspection is, among other things, that the data subject can see whether personal data are correct or relevant to the specific processing. This also ties in with the fact that the data subject has a right to correct, delete and restrict under the AVG. Those rights can be effectuated with the right of inspection. The Article 29 Working Party of European regulators recently issued another publication on how to comply with the transparency principle (Guidelines on transparency under Regulation 2016/679, WP260).
Using a number of specific innovative practical examples, the requirement for transparency was further discussed. For example, on behalf of the Ministries of the Interior and Kingdom Relations and Economic Affairs and Climate, the program 'Regie op Gegevens' (Control of Data) is underway, which addresses the question of how citizens can be central to data processing and exercise control over their own data. Another example is My Care Log, where the person in need of care is given access via a blockchain to their care administration and to what personal data are processed in the process and who can view them. The person in need of care can change the authorizations himself. This application of privacy by design fits well with the guarantees that the AVG aims to provide in terms of transparency.
When developing new technologies, a Privacy Impact Assessment (PIA) will often need to be conducted. A PIA is mandatory for so-called risk processing operations. A PIA involves a description of the characteristics of the data processing operations, after which the processing operations are successively assessed for lawfulness and risks. The purpose of a PIA is to take measures to mitigate the risks. During the workshop, it was brought up from the audience that it can sometimes be difficult to conduct a PIA at a specific time because innovation is often a process. Wouldn't it be better to incorporate PIAs into the processes? Van Graafeiland and Bontje emphasize that, also in light of privacy by design and default, measures to reduce privacy risks should indeed always be considered (at the front end). The PIA is also a good tool for this.
Next, Van Graafeiland and Bontje address the AVG's legal requirements for innovations involving automated individual decision-making (GIB). GIB with legal consequences or significant effects on a data subject is not allowed unless there is a ground for exception. The attendees gave many examples of GIB use from practice, such as profiling, certain forms of smart contracts, as well as new developments in the pension and insurance industry and in the area of surcharging. The discussion among attendees focused on the question of when and in what way human intervention should be built in to ensure that automated decision-making (with legal or significant consequences) no longer occurs. Van Graafeiland and Bontje reiterated how important it is for lawyers and techies to think about these kinds of questions together in the early stages, i.e., when developing an innovation or new technology, so that an innovation can be developed compliant with the AVG. This also prevents the lawyer from becoming a showstopper at the end of the process, when adjustments can no longer properly be made.
Finally, the relationship between WiFi tracking and privacy was discussed: WiFi tracking usually involves the processing of personal data. This means, for example, that a basis is required, the necessity must be properly justified, data subjects must be informed about WiFi tracking, and proper privacy safeguards must be provided. The Autoriteit Persoonsgegevens and the Article 29 Working Party of European regulators offer various guidance on this (Letter from Autoriteit Persoonsgegevens 15 June 2016 to the VNG, reference z2016-00087; Opinion 01/2017 4 April 2017 on the Privacy Regulation by Article 29 Working Party).
Discussions during the workshop revealed that the AVG is a good development because it helps to focus on protecting the privacy interests of data subjects. Van Graafeiland and Bontje emphasized that innovation is about creativity, which is not limited by the AVG in itself. The trick, as they say, is to think at the front end about how the legal AVG requirements can be integrated into a new technology. For this, cooperation between techies and lawyers is key.
