GDPR Explained: Part Two
Let's continue with Article 6.
Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
This line obviously refers to accepting Terms and Conditions before installing an app on your iPhone or Android phone. It is also significant for accepting cookies on a website. There are obviously many more use cases for this phrase of the regulation.
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
This requirement enters the realm of implied obligation in contract law. However, instead of the data collection being implied, it now must be specifically asked for by the corporation requiring such data for fulfillment of a contract. Theoretically, if the corporation does not specifically request the data it collects, then the contract would be at risk of becoming null and void.
There are a number of other specifications for this article of the law, which I encourage you to read, but let's move to the end of the article.
Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
Member states of the EU can now utilize this law to make more specific laws protecting the property/privacy rights of their citizens. This is normal practice for organizations with member states. So when the leaders within the EU claim that this is a foundational document for more specific privacy laws tailored to each member state, this is the first paragraph of the regulation that explicitly gives these powers to the member states.
The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by: Union law; or Member State law to which the controller is subject.
This is the same thing stated as a more structured list. You all know I like lists, so brownie points for this nice list.
The next section of this article that is interesting is a safeguard for the data collectors. It appears to be written for the sake of "giving the benefit of the doubt" so that corporations aren't prosecuted ad arbitrium.
Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
d) the possible consequences of the intended further processing for data subjects;
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
This makes it possible for law-makers/enforcers to make judgement calls ad hoc, which will help limit the abuse of the regulation. Unlike what I've been reading online, the GDPR isn't turning out to be such an anti-corporate law, but let's continue reading.
Article 7 is called "Conditions for consent", so it is relatively straightforward, like much of this regulation. This Article basically codifies what has already been in place in US law that written consent must be given before the collection of any data. The collector of data must also keep on record proof of consent. Consent requests also cannot be hidden in other documents. It must be a clear request for data.
Article 8 covers the issue of a child giving consent. It is basically legal for a child to accept the request for private information if they are age 16 or older. If they are age 13-15 they can have their parent/guardian give consent. The data collectors must also be able to prove that they acquired consent from the guardian of the child as well.
Article 9, Article 10, and Article 11 all regard the processing of data of specific demographics such as race, gender, criminal offenses, etc. Basically, all of these categories must be specifically defined in the request for information. Remember, however, that the request must only ask for data that is necessary for the defined purpose of the request. The collector of data, therefore, can only collect the data it needs. Blind and indiscriminate collection of data is not allowed, period.
Next, we come to Chapter 3 of the GDPR. This chapter covers the "Rights of the data subject" (read: "your rights"). This is where, I think, it gets interesting. So wake up and read on.
Article 12 outlines the initial rights of the "subject", or rather, the person(s) who own the data that is being collected. Remember, this applies to anyone over the age of 16 unless otherwise specified by one of the EU member states. This article is setting the stage for the subject's right to find their data and request it. It also sets up the foundation for the subject's right to request removal of their data from a data collector's possession. This is partially why in earlier articles the law was written in such a way that would require the data collectors to keep the data organized, so that they can access specific "subject data" in a fashion that will allow them to comply with the law. Now, whether this hyper-organization happens or not remains to be seen. Remember, the enforcement of this law is only days old, and people/companies are only just really digging in and modifying (or not) their sites and services.
The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
This paragraph is particularly intriguing because of the mention of "standardised icons" which takes into account the need for "visible, intelligible and clearly legible" documentation.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
b) refuse to act on the request.
Here is one other interesting paragraph from this article. It may seem that the GDPR is beginning to look more like a protection of the data collectors to some of you, but I would like to remind you all of a couple of things before we move on.
First, the GDPR is a foundational regulation for the EU, not a law designed to take into account the specific regulatory needs of every member nation. That is why we saw earlier that much of the legislation is to be left to the individual member nations.
Second, as a whole, the scales still tip in favor of the "subject" rather than the "controller". There are protections written into the regulation to protect consumers from abuse by corporations; on the flip side, the authors of this law saw fit to also provide reciprocal protections for the "controllers" because they foresaw potential for abuse.
So let's keep that in mind as we continue in our study of the General Data Protection Regulation.
I will be separating my opinion at the end like this from now on, in order to keep my opinion clearly separate from my analysis and simplification section.
What I have seen so far, considering what we covered in this article and the last one, is that the GDPR is a well-balanced law implementing regulation and protections for both sides of the current strife between the controllers and the subjects. When I started out reading this law, I had gone in with the assumption that it was just an overbearing regulation by an organization that wants to have a hand in everything, but the more I read the more I realize that the law is actually simple, and so far it seems to attempt to expand specifications for and better define property rights. It merely appears to be a clarification of some segment of "Common Law" in that same respect.
I know it's weird, but so far I have quite enjoyed reading through this law. I have begun to understand the law a little better.
I was talking to @brandon today and realized just answering questions and concerns about the law has helped me to reformulate its purpose in my own mind. So please feel free to critique and question me at Mastodon.