The European Data Protection Board (‘EDPB’) has published its opinions on the 22 draft lists submitted earlier in the year by the supervisory authorities of the Member States, which those supervisory authorities will have to adopt as required by article 35(4) of the GDPR. In Ireland, the supervisory authority is the Data Protection Commission. This commentary only deals with the Irish list submitted by the Data Protection Commission (‘DPC’) and the published opinion for Ireland, which was adopted recently on the 25th of September last. However, some general comments made by the EDPB are relevant to Ireland; for example, the EDPB noted that each member state supervisory authority had a ‘margin of discretion with regard to the national or regional context and should take into account their local legislation’. It went on to comment that its purpose was not to provide a single EU list ‘but rather to avoid significant inconsistencies that may affect the equivalent protection of the data subjects’. For this reason the EDPB noted that the lists of the Member States do not have to be identical. What degree of difference will be permissible remains to be seen.
The EDPB opinions cover a wide range of activities involving processing in particular large scale processing; biometric, genetic and location data; data collected from third parties; employee monitoring; exceptions to information to be provided to the data subject; processing for scientific and historical purposes; and processing using new/innovative technology.
The EDPB made some further general suggestions about amendments to the draft lists submitted by the 22 Member States, including that none of the lists should be considered exhaustive and that each list should include an explicit statement to that effect. Only the lists of Belgium, Hungary, Greece, the Netherlands, Portugal, Sweden and the UK had such a statement. The Board also reiterated the importance of the Working Party 29 Guidelines WP248, which it considered critical to ensuring consistency across the EU. The EDPB asked that each supervisory authority state that its list is ‘based on these guidelines’. The WP248 Guidelines set out the nine criteria which, if met, make it more probable that processing will require a DPIA. In general the EDPB commented that for the processing of certain types of data, for example genetic or biometric data, there should only be a DPIA when at least one of the other 9 criteria is met. The 9 criteria are:
1. scoring or evaluation, for example creating a behavioural or marketing profile of a website user;
2. automated decision-making which could lead to exclusion or discrimination;
3. systematic monitoring;
4. sensitive data or data of a highly personal nature, for example medical records;
5. data processed on a large scale;
6. matching or combining data sets;
7. data concerning vulnerable data subjects, for example children, the elderly or employees;
8. innovative use or applying technological or organisational solutions, for example fingerprints or facial recognition; and
9. where processing in itself prevents data subjects from exercising a right or using a service or a contract, e.g. where a bank screens its customers against a credit reference database in order to decide whether to offer them a loan.
So what does this mean for companies based in Ireland that process these types of personal data?
Large Scale Data Processing
In providing opinions to the Czech, Estonian and Greek Supervisory Authorities, the EDPB advised that no explicit figures should appear on their lists; rather, the understanding of ‘large scale’ should be guided by the WP29 guidelines on Data Protection Officers (WP 243) and on DPIAs (WP 248), which take various factors into account.
The EDPB found that the processing of biometric data on its own is not necessarily likely to represent a high risk to the rights and freedoms of natural persons or to require a DPIA. Consequently it advised the Irish DPC to amend its list to show that the processing of biometric data to uniquely identify a natural person, in conjunction with at least one other criterion, would require a DPIA to be carried out.
The Irish DPC stated that the processing of genetic data falls under the obligation to perform a DPIA on its own without any other criterion. The EDPB did not agree and felt that the processing of genetic data on its own is not necessarily likely to represent a high risk and requested that the Irish list be amended so that another criterion be added in conjunction with the processing of genetic data in order for a DPIA to be carried out.
The Irish DPC submitted that the processing of location data on its own would require a DPIA. The EDPB, in contrast, was of the view that processing of such personal data on its own was not necessarily likely to represent a high risk; a DPIA would be required, it stated, only if such processing were carried out in conjunction with at least one other criterion. The EDPB therefore asked that the Irish list be amended to take this into account.
Processing for Scientific or Historical Purposes without Consent
The EDPB and the Irish DPC both agreed that the processing of personal data for scientific or historical purposes on its own is not necessarily likely to represent a high risk, but that such processing in conjunction with at least one other criterion would require a DPIA to be carried out. The Irish DPC therefore did not need to amend its list.
Interestingly, the EDPB was of the view that there was no need to carry out a DPIA where there was further processing of personal data, either on its own or in conjunction with any other criteria. In contrast, the Irish DPC was of the view that further processing, either on its own or in conjunction with other criteria, would require a DPIA. The Irish DPC was asked to amend its list by removing this criterion.
The EDPB was of the view that the ‘systematic processing of vulnerable data subjects’, which could include employees, meets two criteria as set out in the WP29 Guidelines WP248 (the guidelines on DPIAs and on whether processing is likely to result in a high risk) and so would require a DPIA. The Irish DPC was of the same view, so no amendment to the list was required. The Board asked that explicit reference to the two criteria in the WP29 Guidelines WP248 be made in the Irish DPC list, and it re-affirmed the validity of the WP29 Guidelines WP249 on data processing at work.
Processing Data using new/innovative Technology
Ireland did not submit any comment on this. However, as regards the divergent comments from other national authorities, the EDPB stated in its opinion that the processing of personal data using innovative technology ‘on its own is not necessarily likely to represent a high risk’, and so a DPIA is only required to be carried out when such technology is used in conjunction with at least one other of the listed criteria.
Exemptions to information to be provided to the data subject according to Article 14.5 GDPR
This article contains several exemptions to the requirement for a data controller to provide information to data subjects. Processing in which the information is subject to one of these exemptions could still require a DPIA to be carried out, but only in conjunction with at least one other criterion.
The purpose of the EDPB’s opinion on the 22 Member State lists submitted to it is to ‘ensure consistent application in the European Union of the GDPR’. The opinions aim to harmonise, clarify and bring greater consistency to the application of the GDPR. By virtue of article 64(7) and (8), the Irish DPC had two weeks to reply to this opinion, stating whether it would amend or maintain its list. If it decides not to follow the EDPB’s opinion, it must set out the relevant grounds for such a divergence. Any such divergence could potentially hinder the consistent application of the GDPR within the EU.