The General Data Protection Regulation: a change in data processing.
The European Union's policy on open data aims at generating value through re-use of public sector information, such as mapping data. Open data policies should be applied in full compliance with the principles relating to the protection of personal data of the EU Data Protection Directive.
Increased computer power, advancing data mining techniques and the increasing amount of publicly available big data extend the reach of the EU Data Protection Directive to much more data than currently assumed and acted upon. Especially mapping data are a key factor to identify individual data subjects and consequently subject to the EU Data Protection Directive and the recently approved EU General Data Protection Regulation.
This could in effect obstruct the implementation of open data policies in the EU. The very hungry data protection legislation results in a need to rethink either the concept of personal data or the conditions for use of mapping data that are considered personal data.
Van Loenen, B., Kulk, S. en Ploeger, H. (2016). Data protection legislation: A very hungry caterpillar: The case of mapping data in the European Union. Elsevier, Government Information Quarterly. http://www.sciencedirect.com/science/article/pii/S0740624X16300326
Expert opinion Matthijs Colthoff
The results of the research are, -given the scope of card data, relevant to both the public sector and the profit sector where card data is processed. Think of the cadastre, utilities of providers like Google, other streaming services, automotive industry, navigation systems, etc. The results are, in my view, not directly applicable, but provide insight into the complexity of the matter and the importance of action.
On 25 May 2018 the General Data Protection Regulation (GDPR) applies. This means that, from the same date, the same privacy laws apply throughout the European Union: more responsibilities and duties for the controller (the data controller) and broadening and enhancing the rights of the individual or the ones involved.
Continuing in the current way is not sustainable, organizations are (among others) obliged to adhere to article 6., GDPR well-defined, pre-explicitly described and justified purposes. Individuals, for example, exercise their rights, such as the right to forgetfulness (article 17 GDPR). If organizations do not cooperate or respond in time, this may lead to a complaint with the supervisor. The supervisor can institute an investigation with a possible fine. Doing nothing is not an option.
The General Data Protection Regulation has big consequences for the use of freely accessible open data (like card data). The scope of the regulation is continuing to grow, caused by technological progress, advanced datamining techniques and the increasing publicly available data. More and more “normal” data becomes personal data. In that the European regulation is just like the very hungry caterpillar.
Card data in particular is a key factor in identifying personal data covered by the European Regulation. And that personal data may only be collected for specific, pre-explicit and justified purposes and thereafter only further processed for compatible purposes. This, according to the researchers, disrupts the implementation of the "open data" policy within Europe. As far as I am concerned, this is correct nowadays, the outlined developments have absolutely far-reaching consequences for data processing, including card data. But in my view, it does not mean that in general hardly any or no personal data is allowed to be processed anymore. However, the way in which data is processed will have to change and corresponding business-models/organizations will as a result also have to transform.
In addition, as far as I am concerned, the European Regulation does not conflict (as the researchers suggested) on the further implementation of the European Digital Agenda & Open Data Policy, which focuses on the broad application of ICT in society and stimulating innovation, including a contribution to economic growth. As stated in the survey, "developments in information technology have brought many new opportunities, but also new threats. These threats can, among other things, undermine citizens' trust in online markets, affecting economies." The purpose of the Regulation is, in particular, to ensure even better protection of personal data and to ensure the free movement of personal data within the Union. The regulation is an important precondition for further development and maintaining trust. The solution is not as the researchers suggest in reconsidering the concept of personal data, but more in terms of conditions and mode of use.
The solutions shown in the research, including the last two, are hardly useful in my opinion. The first "solution", -restricting the operation of the GDPR, is turning back time and closing the eyes for reality. The second solution in the conclusion of the research: "Moving part of data protection obligations from the data provider to the data user" is more an attempt to safeguard the responsible person and also does not provide any grievance. My conclusion is that both solutions override the main challenge and the required solution, namely: how can we ensure that the individual (drawee) can now get (back) control over the access and use of his personal information? A new approach is needed to solve the experienced limitations and problems.
In my solution, I am very optimistic about the future, it’s only a matter of time. The solution in which the individual really gets control over the access and use of his personal data can, for example, come from what Gartner (2016) calls "The New Civilization Infrastructure". Within this new digital world, in which both individuals and organizations interact with each other, privacy by design will form an inseparable part. Privacy by Design means that systems and procedures are designed from the outset with privacy as a guide. The innovative aspect is the position of the individual who is able to exercise his rights, plus he/she is supported by systems (along with a number of other preconditions) such as "Personal Data Stores".
Using Personal Data Stores creates an architecture data model where websites or organizations can get the data they need, other than collecting and storing data within the systems of these organizations. This method supports the principles such as: limiting data acquisition, no longer capturing data other than the legitimate purpose and it allows individuals to manage personal data and to exercise rights. The individual can always decide who can see his or her data, rather than the fact that this choice lies with organizations. Because the individual is able to exercise his rights, the problem of data storage longer than necessary, has been solved. Individuals play an active role in how they deal with their data in the outlined situation. Within this outlined method, there is a more leveled playing field between individual and organization. The end situation is a win-win for all parties, both for the protection of our rights, for innovation (big data) and for economic growth. The future will show how the above will be realized and what is successful in terms of action!