In the previous part of the blog series, we discussed what the Wgs regulates. In this blog, we elaborate on the safeguards provided by the Wgs to prevent unlimited data sharing.
There is a need for both public and private organizations to exchange data, for example to tackle fraud and undermining. Based on privacy regulations (AVG), this is not allowed just like that. The Data Processing by Collaborative Organizations Act (Wgs) will, in certain cases, provide an opportunity for data processing by collaborative ventures with the aim of combating fraud, crime and/or undermining.
The consequences for an individual, a "data subject," whose data are processed under the Wgs can be far-reaching. This is one of the reasons why the bill for the Wgs has led to a large amount of reactions from, for example, the Personal Data Authority (AP), the Council of State and the Human Rights Board has led. Critics question whether the Wgs fits within the preconditions of the AVG. The AP advised the Senate even not to adopt the Wgs. To address these concerns, the government has included in the Wgs and the draft Decree on Data Processing by Collaborative Groups (Bgs) included a number of important safeguards. Some of these safeguards, incidentally, already follow (implicitly) from existing legislation such as the AVG.
The main safeguards in the Wgs, which we will explain below, are:
Substantial reasons for data sharing;
Lawful processing;
Designate point of contact;
Reliability authorized persons.
The Wgs provides opportunities to share data within the partnership. This is on the condition that it is necessary for the purpose of the partnership. The purpose of the partnership is designated by AMvB. To a certain extent, this seems to correspond to the necessity requirement under the AVG. Under the AVG, and this will still apply after the Wgs comes into force, a processing of personal data may only take place when an appropriate basis can be invoked. Article 6 AVG contains an exhaustive list of bases. Every basis except 'consent' (Art. 6(1)(a) AVG) has an explicit necessity requirement. If a party wants to invoke one of these bases, it must therefore be assessed whether that requirement can be met. This is done by testing whether the invasion of privacy is proportionate to the goals (proportionality) and whether other, less intrusive methods cannot be used (subsidiarity).
The Wgs also provides as a safeguard that if a participant is of the opinion that there are compelling reasons against it, no provision or processing will be made (Article 1.5 of the Wgs). Based on the current legal text and explanatory notes, it is not immediately clear to us what is meant by "compelling reasons" and who assesses this. Indeed, this is not defined or explained in the Wgs. In our opinion, it is therefore relevant that clear agreements are made about this within the partnership and that these are laid down in, for example, a covenant.
Article 1.5 of the draft Bgs requires that participants may only provide data to a collaborative for lawful processing. In addition, Articles 1.6 and 1.8 of the draft Bgs guarantee that a participant may only report a signal, request or case to a collaborative network after it has been factually checked for the accuracy and quality of the data to be provided. This is in line with the principle of legality (Art. 5(1)(a) AVG) and the principle of correctness (Art. 5(1)(d) AVG). The participant who submits the data is responsible for this. Agreements are also recommended in this context, such as what such a quality test should include.
During the consideration of the Wgs, unintended effects of automated processing of personal data, such as discrimination, were also discussed at length. Artificial intelligence, including self-learning algorithms, is not permitted under the Wgs. Automated processing of personal data is permitted under the Wgs only with respect to iCOV theme reports that allow for the display of a development or trend in the area of money laundering. Furthermore, the Wgs and the draft Bgs contain the following additional safeguards in this area:
Article 1.9, sixth paragraph, of the Wgs stipulates that algorithms may only be used insofar as the results are traceable and verifiable. It is recommended that this be actively monitored, for example by a multidisciplinary team;
Article 1.9 draft Bgs regulates that data on nationality may also not be processed unless it is unavoidable for the identification of the data subject;
A legitimacy advisory committee is created within each cooperative association in which attention must be paid to countering risks of unequal treatment and discrimination (article 1.13 draft Bgs). A legality advisory committee advises a cooperative on, for example, new processing methods and changes to them;
Employees deployed in the partnership must receive training to promote their knowledge and skills in the careful handling of personal data and data ethics (Article 1.17 draft Bgs). Anti-discrimination is a mandatory topic in this;
In addition, every two years a partnership must have an audit conducted into the extent to which it complies with applicable laws and regulations including the AVG ("privacy audit") (article 1.18 draft Bgs).
Article 1.1 of the Bgs regulates that every cooperative must have a contact point to which a data subject can address a request for inspection, for example. Thus, Article 1.1 provides that the mayor of a participating municipality acts as the contact point within the RIEC. Within a Care and Safety House, the mayor and aldermen of the municipality involved act as contact point. A request to a contact point must be regarded as a request to all data controllers within the partnership, all insofar as there is joint responsibility and unless not otherwise specified. An AVG request from a data subject need not be handled by the contact point itself. If another participant is better able to do so, this participant agrees to take over the processing and the contact point notifies the data subject of this takeover (Article 1.2, fourth paragraph, draft Bgs). It is important that this is properly recorded among themselves and that the data subjects are informed of this pursuant to Articles 13 and 14 AVG.
Incidentally, it should be noted that under the AVG, a data subject is in principle entitled to submit an AVG request to any joint controller, despite the fact that parties may mutually agree on a different division of roles. In other words, the fact that - for example - the college is designated as the contact point does not alter the fact that the data subject cannot address her request to another party within the partnership.
Article 1.11 of the draft Bgs also sets out requirements for the reliability of authorized persons who have access to data within a collaboration. For example, they must possess a Certificate of Good Conduct (VOG) and be screened. There are also requirements for the education and training of employees (article 1.17 draft Bgs). The Wgs also regulates a duty of confidentiality for participants in the partnership. They are obliged to maintain confidentiality about the data processed within the collaborative and the results obtained from it. In this regard, we note that there are currently no sanctions for failure to comply with the duty of confidentiality.
The aim is for the Wgs to come into effect on January 1, 2025. Have you already read the other parts of the blog series on what exactly the Wgs entails (part 1)? In the next part of the blog series, we will update you on exactly what the regulation of RIECs and Care and Safety Homes will look like.
