Data Protection and Privacy: Legal Solutions to Technical Problems

Posted in: Business Legal on Data Security on 11 April 2017
In the second video of this series (you can watch the first video here), David Fagan discusses the legal solutions to technical problems in the area of data protection and privacy, including the data processor, the data controller, lawful data processing and legal devices that can help you.
Although data protection and privacy are often seen in technical terms, in terms of IT and so on and so forth, in fact, privacy is a legal construct. In essence, it's a legal problem rather than a technical one. There are a number of technical issues that arise but, ultimately, most of these have a legal solution. Sometimes it's easier to think of things in a holistic legal sense rather than in technical detail.
Who is a data processor? And who is a data controller?
For instance, some of the issues that arise in the privacy space are: Who's a data processor? And who is a data controller? This is important because a data controller has lots of obligations whereas a processor has very limited obligations. This is simply solved by contractual arrangements designating one party as the controller and the other party as the processor. Of course, there are certain requirements that must be met for that designation to reflect the actual situation. That is to say, a processor should not be controlling data, in the sense that they should not be deciding how that data is to be processed, only operating to the instructions of the data controller.

Once that arrangement is in place, one party controls how the data is to be used, the other party simply implements that processing, and there is a written agreement between them. It is often open to companies, particularly group companies, to decide which of them will be a controller and which of them will be a processor. This often solves issues with different jurisdictions having different requirements as between processor and controller.
Lawful data processing
One of the other issues that sometimes arises is whether the processing of data is, in fact, lawful. It may be technically feasible but it may not be lawful. And again, the lawfulness of the processing is a legal issue, and that can be solved by putting in place appropriate contractual arrangements. Or sometimes it can be solved by tactical solutions such as anonymisation of data and so on.

To give a practical example, if matters are done correctly and data is correctly gathered at the start, with the correct consents in place, then there is very little impediment to the processing of that data thereafter, as long as it is generally processed in accordance with the data protection rules.
However, if the data is unlawfully gathered, it becomes impossible, technically, to retrofit that data, because what is required will be consent, and consent is very difficult to obtain retrospectively. Even worse is mixed data, where some data is gathered by consent and some data is gathered without any other legitimiser.

There are several different legitimisers, but if there is no legitimiser 'legitimising' the use of the data, then it is unlawful. It becomes a technical nightmare to try to cleanse a database which holds some lawfully gathered data and some unlawfully gathered, or unlawfully processed, data.
Some legal devices that can help
Sometimes it's possible to transfer personal data between EU countries in order to get the most favourable regulator. Perhaps you would prefer not to be regulated by the German regulator, who could be quite harsh, but by the Spanish regulator instead. In that case you might transfer the data to Spain before you perform the processing that you are concerned about, for instance transferring data to a country that is not considered safe by the European Union: you might wish to make the internal transfer from Germany to Spain first. Or, as I've mentioned, you might decide not to be a data controller but rather a data processor because, in the jurisdiction in which you're based, that's easier for you.
Sometimes the solution is as simple as having the first capture of data outside of the European Union. Data captured outside the European Union of European Union residents is currently not necessarily personal data because it's not being processed in Europe.
There may be some changes to this with the new GDPR.
Another device is transferring data lawfully, perhaps to a non-EU-based controller, and then transferring it back again so that processing which might not be lawful in the EU can be carried out. The processed data can then be re-exported back to the EU. Again, these are legal solutions rather than technical solutions to what might otherwise be difficult problems.

This article is correct at 11/04/2017
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.