Proportionality and Data Minimisation are Key to GDPR
Personal data is the hot potato.
One of the six principals of Data Protection is Data minimisation. It goes against the recent tide of mass collection of data. Nevertheless, it is a life saver. By collecting less, keeping accurate, safe and confidential, in an accountable manner in appropriate registers, ideally keeping data and assets mapping, most of the hassle of compliance is resolved.
Little reminder of the six principals :
- Lawfulness, fairness and transparency. …
- Purpose limitation. …
- Data minimisation. …
- Accuracy. …
- Storage limitation. …
- Integrity and confidentiality.
Proportionality comes as a mortar that blends it all together. We recently commented a decision by the French Administratif Court, Conseil d’Etat, on the illegality of Live Facial Recognition technologies in schools. Based on the imbalance of power and the loss of control caused by biometrics data collection disproportionate to the result, the court ordered the cease of the test.
Wherever the same result can be achieved in a less intrusive manner, it has to prevail.
According to the Charter of Fundamental Rights of the European Union, Article 8, data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by the law. Seen in a wider context, the concept of consent allows the data subject concerned to decide for him or herself on the legitimacy of restrictions to on his or her right to the protection of personal data.
On this 4th of March, the Advocate General M. MACIEJ SZPUNAR presented its conclusions in request for a preliminary ruling from the Tribunalul Bucureşti (Regional Court, Bucharest, Romania) stems from a dispute between a provider of telecommunication services and a national data protection authority as to the obligations of the former in the context of contractual negotiations with a customer when it comes to copying and storing the copy of ID cards.
Further clarifying the concept of ‘consent’ given by a data subject, while addressing the question of the burden of proof as to whether or not the data subject has given consent.
What does the EU Regulation 2016/679 says :
Pursuant to Article 4(11) of Regulation (EU) 2016/679, for the purpose of that regulation, ‘“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
The Article 6(1)(a) and (b) of that regulation is worded as follows:
‘Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
Article 7(1) of the same regulation states that ‘where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data’.
The facts of the case were as follows :
The Romanian National Authority for the Supervision of the Processing of Personal Data, ‘the ANSPDCP’ had issued a report which included the imposition of an administrative penalty on Orange România on the ground that copies of the identity documents of its customers had been taken and kept without their express consent.
Orange România had concluded contracts for the provision of mobile telecommunication services with customers requiring copies of their identity documents. In order to do so, customers were required to sign a document declaring they had been informed of and had consented to the collection and storage of a copy of their ID card.
The existence of the customers’ consent had been established by the insertion of crosses in boxes in the written documentation evidencing the contract.
The Court is called upon to specify the conditions under which consent to the processing of personal data may be considered valid.
The decision of the national DPA imposing a fine on Orange Româniawas was adopted prior to the GDPR. However, it required as well to destroy the copies of the identity documents previously collected. This injunction having effect for the future, the regulation appeared to be applicable in so far ratione temporis.
In order to demonstrate consent on an informed choice on the collection and storage of IDs, customers were asked to tick a box. Is this sufficient to constitute a ‘specific and informed’ and ‘freely expressed’ consent within the meaning of Article 2(h) of Directive 95/46 and Article 4(11) of Regulation 2016/679, to that undertaking when he or she needs to state, in handwriting, on an otherwise standardised contract, that he or she refuses to consent to the photocopying and conservation of his or her ID documents ?
Article 6(1)(a) of the directive provides that personal data must be processed fairly and lawfully.
Under the Directive 95/46, Article 2(h), consent is defined as any freely given specific and informed indication of his or her wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.
Under the Regulation 2016/679, Article 4(11), a higher standard of consent is required : consent needs to be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Consent is freely given when the data subject expresses its wishes actively, rather than by passive behaviour. It should be demonstrated that the data subject had enjoyed a high degree of autonomy when choosing whether or not to give consent which for instance as previously ruled, excludes a preselected tick of a checkbox.4
Was the data subject informed of all circumstances surrounding the data processing and its consequences? The customer needed to know :
- which data are to be processed,
- the duration of such processing,
- in what way and for which specific purpose,
- who is processing the data and whether the data are intended to be transferred to third parties,
- be informed of the consequences of refusing consent: is consenting to the data processing a condition for concluding the contract or not?
Who does the burden of proof lie with ?
Looking at the Article 7(1) of Regulation 2016/679, the Advocate General confirms that it is for the controller to demonstrate that the data subject has consented to processing of his or her data, not only to prove that the data subject has given his or her consent, but must also prove that all the conditions for effectiveness have been met.
Although the burden of proof rule is not expressly laid down in the Directive 95/46 the controller has to proof ‘the data subject has unambiguously given his consent’.
Application of the principles on this case
Asking customers to provide some personal data and in particular to prove their identity for the purposes of the conclusion of a contract. To require a customer to consent to the copying and storing of identity documents, however, appears to go beyond what is necessary for the performance of the contract. On the basis of the information available, it appears that the customers of Orange România do not give their free, specific and informed consent under the circumstances described by the referring court.
- There is no freely given consent. Obliging a customer to state in handwritten form that he or she does not consent to the copying and storing of his or her ID card does not permit freely given consent in the sense that the customer is put into a situation in which he or she perceptibly deviates from a regular procedure which leads to the conclusion of a contract. Following the judgment in Planet49, consent is to be expressed by positive opt in act.
- There is no informed consent. It is not made crystal-clear to the customer that a refusal to the copying and storing of his or her ID card does not make the conclusion of a contract impossible. A customer does not choose in an informed manner if he or she is not aware of the consequences.
- There is no indication whatsoever that Orange România has managed to demonstrate that customers consented to processing of their personal data. In this respect, an evident lack of clarity in internal procedures is surely not conducive to furnishing the proof that consent has been given by the customer. Such lack of clarity and conflicting instructions to sales personnel obviously cannot be to the detriment of the customer, in casu the data subject.
In conclusion, the Advocate General opinion is that :
There is no ‘consent’ where the customer does not indicate his or her ‘specific and informed’ and ‘freely given’ wishes, within the meaning of Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and of Article 4(11) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), to that undertaking
==> No free consent when the customer is required to state, in handwriting, on an otherwise standardised contract, that he or she refuses to consent to the photocopying and storage of his or her ID documents.
The court was asked to answer on the validity of the consent.
The ECJ ruling is soon to be followed. Although the DG opinions are not binding the court tends to rely on them. What are the implications of this analysis on the absence of free, explicite and unambiguous consent when the customer actively produce copy of his or her ID ? Should this view be extended to any case where copy of ID card is requested while not strictly necessary, based on the principle of data minimisation? Additionally, free and explicite consent requires that consent not be detrimental to the access to the service especially where data minimisation calls for minimal data collection. Could there not be better, more appropriate, more proportionate means of ID verification? Could the customer’s ID be verified by other means and was it necessary to retain copy of the ID card and ultimately how identifications are stored, kept secured and for how long?