DATA PROTECTION ACT AND THE DPD
The EU’s Data Protection Directive can be traced to the 1980s. At that time the European Commission decided to formalise ideas on privacy — as a fundamental right — through a single set of data security rules to replace what was then a patchwork of country-by-country rules.
The result was the DPD, which was adopted in 1995. While it did not achieve its goal of unifying data rules — more on that below — it did point the way towards the EU’s approach to data security. Since the new GDPR borrows heavily from the DPD — both terminology and principles — let’s take a brief look at some of the more significant aspects of the Directive.
The DPD introduces three important concepts that relate to consumers and their data, and the collection and processing of that data.
While obvious identifiers such as phone numbers, addresses, and account numbers are encompassed by this, the definition is flexible enough — anything that relates to the person — to also account for data not foreseen by the DPD writers: for example, email and IP addresses, biometric information, and even facial images. The DPD attempted to create a future-proof definition, rather than using a static list of individual identifiers — which was unusual at the time.
Besides defining personal data, the DPD also introduces the important terms data controller and data processor that are used throughout the law.
A data controller is anyone who determines the “purposes and means of processing of the personal data.” It’s another way of saying the controller is a company or organization that makes all the decisions about initially accepting data from the data subject.
A data processor is then anyone who processes data for the controller. The DPD specifically includes storage as a processing function, so that takes into account centralized databases owned by third parties.
CONTROL ACCESS TO CONFIDENTIAL MATERIAL
With that as background, it’s now easier to understand the more specific requirements of the Directive. The Directive is based on a foundation of seven principles (see chart) that are reflected in the Directive’s article 6.
1. Fairness – Process data “fairly and lawfully.”
2. Specific purpose – Ensure that data is processed and stored “for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.”
3. Restricted – Ensure that data is “adequate and relevant, and not excessive in relation to” the purposes for which it is collected.
4. Accurate – Ensure that data is “accurate and, where necessary, kept up-to-date,” so that “every reasonable step [is] taken to ensure” errors are “erased or rectified.”
5. Destroyed when obsolete – Maintain personal data “no longer than necessary” for the purposes for which the data were collected and processed.
6. Security – Data must be processed with adequate “security” (a “controller must implement appropriate technical and organizational measures to protect personal data against…destruction or…loss, alteration, unauthorised disclosure or access…”).
7. Automated processing – The “decision[s]” from data processing cannot be “based solely on automated processing of data” that “evaluate[s] personal aspects.”
These should look somewhat familiar, as they are related to Privacy by Design (PbD), and both are based on older ideas from the Organisation for Economic Co-operation and Development (OECD) privacy guidelines [3]. In any case, the GDPR still includes these principles, but it further extends and expands on them.
These principles are the basis behind specific DPD articles. Let’s look at three very significant ones.
Data subjects are given “the right to obtain from the controller…as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data.”
So, under the DPD consumers really have a right to erase (and correct) data — though the rule only applies to controllers. Over the years, there were additional court rulings that extended the erasure rules to processors and more specifically cloud search engines.
The DPD puts additional obligations on the controller by requiring that personal data is “adequate, relevant and not excessive in relation to the purposes for which they are collected” and then erased when the data is no longer necessary.
While securing data should be an essential part of a law that starts with the words “data protection”, the DPD was still vague on this subject.
The DPD acts as a kind of template, and EU countries are supposed to “transpose” the rules into specific national legislation. A country’s local data protection authority (DPA) then enforces the law. This created the problem of diverging interpretations and enforcement patterns, depending on where the data controller was located.