Fairness under the GDPR
The first data protection principle contained within Article 5 of the GDPR is that of ‘lawfulness, fairness and transparency’. The ‘lawfulness’ and ‘transparency’ components of this principle have been well discussed and are explained in more detail within the GDPR itself (both in Article 6 relating to the lawfulness of processing and Article 13 relating to a data subject’s right to be informed). However, the concept of ‘fairness’ under the GDPR has not been given the same level of attention and is often misunderstood. This blog post seeks to shine a light on this forgotten and important principle of data protection.
The simplest definition of the fairness principle consists of two parts:
- The processing of personal data must not cause detriment or an unjustified adverse effect on the individual.
- The processing of personal data should be in line with the individual’s reasonable expectations.
Achieving a defensible position with the fairness principle involves looking at both aspects in conjunction and considering not just ‘how’ you should process the personal data, but more importantly – ‘why’. If individuals are misled or deceived when the data is collected, then this would not meet the fairness standard. Similarly, if the collection of data adversely affects some of the individuals concerned but not everyone, then this would also be noncompliant.
There are a few specific areas of the GDPR where fairness should be considered. These are shown in the table below:
How the fairness principle should be applied
Using the ‘legitimate interests’ lawful basis for processing
The GDPR states six different lawful bases for processing personal data, one of which is ‘processing being necessary for the purposes of the legitimate interests pursued by the controller or by a third party’. This can only be applied if the legitimate interests do not override the fundamental rights and freedoms of the data subject. Consequently, the data controller would need to perform a balancing test to identify whether the individual’s interests outweigh the legitimate interest and whether the individual would reasonably expect their personal data to be used in this way. If it would cause them an unjustified adverse effect, then it is likely that the rights and freedoms of the individual would take precedence. The principle of fairness is therefore a deciding factor when considering whether to use the legitimate interests lawful basis.
Using the ‘performance of a contract’ lawful basis for processing
Where the ‘performance of a contract’ lawful basis for processing is used and the contract consists of several separate services that can reasonably be performed independently of one another, the question arises as to whether this lawful basis can in fact be applied. In line with the fairness principle, the applicability of this lawful basis should be assessed in the context of each of those services separately, looking at what is objectively necessary to perform each of the individual services which the data subject has signed up for. This assessment may reveal that certain processing activities are not necessary for the individual services requested by the data subject, but rather necessary for the data controller’s wider business model. In that case, the ‘performance of a contract’ will not be a suitable lawful basis for those activities.
Determining purpose compatibility
The GDPR allows personal data to be used for a new purpose, without seeking an alternative lawful basis for processing, only if the new purpose is compatible with the old purpose. A factor determining purpose compatibility is the context in which the data controller originally collected the personal data – in particular, their relationship with the individual and what the individual would reasonably expect. This aligns with the principle of fairness.
Identifying the source of control
When determining who is the data controller, the reasonable expectations of the data subject should be considered. In most cases, the data subject can correctly judge who is the data controller and who may be the data processor. For example, an employee would expect their employer to be the controller of their personal data and for the provider of the online HR platform that is used to store the information to be a data processor.
Non-repetitive data transfers to third countries
When personal data is to be transferred to a third country that has not been considered as providing a level of data protection adequate to that of the UK or the EU, and appropriate safeguards such as Standard Contractual Clauses cannot be pursued as an alternative, the data can continue to be transferred as a one-off exercise only following consultation with the relevant Data Protection Authority. A deciding factor will be the data subject’s reasonable expectations for their personal data to be transferred in this ‘insecure’ manner.
Some processing activities may be beneficial to the individual but not necessarily within their reasonable expectations. The sharing of health data on a large scale for the clinical testing of a new app/service provided by a third party was considered as not matching with the patient’s reasonable expectations in a recent case involving the Royal Free London NHS Foundation Trust. Indeed, for those of you working within the health and care space – the concept of ‘reasonable expectations’ should not be a novel one. The newly introduced eighth Caldicott Principle (guidelines that are applied widely across the field of health and social care information governance to ensure that people’s data is kept safe and used appropriately) states that “a range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this”. Clearly, the need to inform individuals about what is being done with their personal data is crucial to ensure the processing is done fairly.
If you require advice and support on how to comply with the principles for processing personal data under the GDPR, please contact our Data Protection Team at Xcina Consulting. We provide our clients with pragmatic advice and guidance to ensure they achieve a robust and defensible position.