
D11.1: Collection of Topics and Clusters of Mobility and Identity – Towards a Taxonomy of Mobility and Identity

Basic Principles in Data Processing

Both EU Directives refer to basic principles for the processing of data. These principles are intended as good practices that data controllers should comply with in order to protect the data they hold, reflecting both their interests and those of the data subjects (Walden 2003, p. 432). It should be kept in mind that the given set of principles must be applied, as such, in every case where personal data are collected and processed; for this reason, the fact that the collection of data is realised through an electronic medium, such as a mobile electronic communications network, is of secondary importance. Indeed, this was one of the main goals of the legislation: to apply a sound and effective data protection framework, applied evenly across the business and industry sectors.

Fair and lawful processing

The first of these principles requires fair and lawful processing. In determining whether any processing of personal data is ‘fair’, particular regard must be paid to the method by which the data were obtained. For example, personal data are to be regarded as having been obtained unfairly unless, at the time of obtaining them or very soon afterwards, the relevant data subject is provided with certain information, mainly that mentioned in article 10 of the Data Protection Directive (Carey, 2002, p. 54). On the other hand, ‘lawful processing’ means that data controllers should comply with and uphold their legal obligations, general and specific, statutory and contractual, regarding the processing of personal data. Of particular relevance will be the laws regarding the building of a trusted relationship (especially the confidence that should exist between the data subject and the data controller), as well as article 8 of the European Convention on Human Rights (the requirement for respect for the private life of the individual).

Finality principle

Under the finality principle, data controllers must obtain data only for specified and legitimate purposes, and must not carry out any further processing which is incompatible with those purposes. For example, a contravention of this principle would be for a company to notify the storage of customers’ personal data for billing purposes, and then use them additionally for marketing purposes. This principle thus has two components:

  1. The data controller must specifically inform the data subject of the purposes for which the data have been collected, and

  2. Once data have been properly collected, they must not be used for further purposes incompatible with the original purposes.

As regards the question whether personal data have been collected ‘legitimately’, it goes without saying that it would be illegal to collect personal data without having a clear legal basis to do so. A clear violation of this principle would be the use of ‘spyware’, which by definition acts without informing the user, and therefore constitutes ‘a form of invisible and not legitimate processing’. However, further processing of the data is allowed without additional justification if the data are processed in a way compatible with the initially specified, explicit and legitimate purposes. There are great divergences in the way the national Data Protection Authorities construe terms such as ‘compatible’ or ‘incompatible’. Companies should therefore bear in mind that they must inform the data subjects about the further processing of the data, so that they can avoid the characterisation of their processing as incompatible with the initial purposes.

Data minimisation principle

The third principle requires a data controller to hold only personal data that are ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’. Data controllers are therefore obliged to store only the bare minimum of data that suffices for the running of their services. In the same context, the design and technical devices of the data processing systems must be oriented towards collecting, processing and using either no personal data or as little as possible (‘data avoidance’) (Holznagel, Sonntag, 2003). For this purpose, it is advised that privacy issues, and in particular the processing of personal data (with the further implications regarding identity management), be taken into account at the earliest stage of the organisation of the network infrastructure (‘privacy by design’ – Dumortier, Goemans, 2004, p. 193). However, this principle tends to be commonly disregarded by commercial entrepreneurs.

Data quality principle

According to the data quality principle, all personal data ‘shall be accurate and, where necessary, kept up to date’. The specific legislative provision creates an obligation for data controllers to take every reasonable step to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected, are either erased or rectified. In practice, a data subject is likely to complain of a breach of this principle in cases where there has been some detriment to the individual as a result of the information being incorrect. It is therefore advised that data controllers set up a mechanism whereby data subjects are able to update their personal data or notify the data controller about inaccuracies in the present information. This mechanism could be set up either within the network platform (by using the network’s interface) or outside the platform (e.g. by the use of a ‘hotline’).

Conservation principle

The fifth principle stipulates that personal data shall not be kept for longer than is necessary for the purposes for which the data were collected. It implies that data should be destroyed or rendered anonymous once the specified purpose for which they were collected has been achieved. On a literal interpretation of the Data Protection Directive, the processing of personal data for the purpose of anonymisation clearly falls within the scope of the Directive (since the definition of the term ‘processing’ is so broad that it encompasses the process of anonymisation). However, a purposive approach to interpretation would look to the object of the Directive, the protection of the individual’s right to privacy, and may conclude that imposing compliance obligations in respect of the process of anonymisation would be counter, or at least neutral, to achieving the Directive’s objective. This latter approach would also take into consideration recital 26 of the Data Protection Directive, whereby ‘the principles of data protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable’.
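The finality principle (purpose binding, including the billing-versus-marketing contravention described above) and the conservation principle (anonymisation once the purpose is achieved) can both be enforced mechanically in a controller's system. The following is an added illustration, not code from the FIDIS deliverable: every record carries the purposes the data subject was informed of at collection, every processing request names its purpose and is refused and logged if incompatible, and records whose retention period has lapsed have their identifiers removed. The purpose table, retention periods, compatibility sets, customer identifiers and dates are all constructed assumptions; in particular, which further purposes count as ‘compatible’ is the controller's own documented decision, since the deliverable notes that national authorities diverge on the term.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy table (an assumption for this example): for each purpose stated
# to the data subject, how long identifying data may be kept and which further
# purposes the controller treats as compatible with it. The Directive fixes neither
# value; the controller documents its choice and informs the data subject.
POLICY = {
    "billing": {
        "retention": timedelta(days=2 * 365),
        "compatible": {"billing", "accounting"},
    },
    "service_delivery": {
        "retention": timedelta(days=90),
        "compatible": {"service_delivery", "support"},
    },
}


@dataclass
class Record:
    subject_id: str
    email: str
    msisdn: str
    purposes: frozenset      # purposes stated to the subject when the data were collected
    collected_on: date
    anonymised: bool = False
    audit: list = field(default_factory=list)


class PurposeViolation(Exception):
    """Processing was requested for a purpose incompatible with the stated ones."""


def allowed_purposes(record):
    """All purposes compatible with at least one purpose stated at collection."""
    allowed = set()
    for p in record.purposes:
        allowed |= POLICY[p]["compatible"]
    return allowed


def access(record, purpose, today):
    """Release the record only for a compatible purpose; refusals are logged so the
    controller can later show which further uses were blocked."""
    if record.anonymised:
        raise PurposeViolation("record has been anonymised; no personal data remain")
    if purpose not in allowed_purposes(record):
        record.audit.append(f"{today}: DENIED purpose={purpose}")
        raise PurposeViolation(f"purpose '{purpose}' incompatible with {sorted(record.purposes)}")
    record.audit.append(f"{today}: OK purpose={purpose}")
    return record


def retention_deadline(record):
    """Last day on which any stated purpose still justifies keeping identifying data."""
    return max(record.collected_on + POLICY[p]["retention"] for p in record.purposes)


def anonymise(record):
    """Remove the direct identifiers outright. Hashing or truncating them would only
    pseudonymise the record (the subject stays indirectly identifiable), which is
    still personal data rather than data rendered anonymous in the sense of recital 26."""
    record.subject_id = ""
    record.email = ""
    record.msisdn = ""
    record.anonymised = True


def enforce_retention(records, today):
    """Anonymise every record whose retention deadline has passed; return the count."""
    count = 0
    for r in records:
        if not r.anonymised and today > retention_deadline(r):
            anonymise(r)
            count += 1
    return count


def demo():
    """Run the checks over constructed sample records and return the observable outcomes."""
    today = date(2007, 6, 1)
    customers = [  # constructed sample data, not real subscribers
        Record("c-1001", "alice@example.com", "+49170000001",
               frozenset({"billing"}), date(2006, 5, 1)),
        Record("c-1002", "bob@example.com", "+49170000002",
               frozenset({"service_delivery"}), date(2007, 1, 15)),
    ]
    outcomes = {}
    # Billing data reused for accounting: treated as compatible by the policy table.
    access(customers[0], "accounting", today)
    outcomes["accounting_on_billing"] = "ok"
    # Billing data reused for marketing: the contravention the deliverable describes.
    try:
        access(customers[0], "marketing", today)
        outcomes["marketing_on_billing"] = "ok"
    except PurposeViolation:
        outcomes["marketing_on_billing"] = "denied"
    # Service-delivery data older than 90 days is anonymised; billing data is kept.
    outcomes["anonymised"] = enforce_retention(customers, today)
    outcomes["bob_email"] = customers[1].email
    outcomes["alice_email"] = customers[0].email
    outcomes["alice_audit"] = list(customers[0].audit)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The audit trail is what makes the purpose check useful beyond simply failing: a denied entry documents that a further use was requested and blocked, which is the evidence a controller needs when a data protection authority asks how compatibility was judged in practice.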

Data processed in line with the rights of the data subject

The sixth principle requires processing to be carried out in accordance with the rights of the data subjects. More precisely, article 12 of the Data Protection Directive grants data subjects the right to obtain certain basic information from the data controller about the processing of their personal data. While article 12 explicitly requires only that the exercise of the rights contained in subparagraph (a) be ‘without constraint at reasonable intervals and without excessive delay or expense’, it is generally accepted that these conditions apply to the exercise of the rights contained in subparagraphs (b) and (c) as well (Dammann, Simitis, 1997, p. 199).

Confidentiality and security

The seventh principle addresses the issue of data security, requiring data controllers to take ‘appropriate technical and organisational measures’ against unauthorised or unlawful processing, and against accidental loss, destruction or damage to the data. To the extent that this principle covers the security requirements and robustness of the network itself, it overlaps with the security and confidentiality requirements laid down in articles 4 and 5 of the e-Privacy Directive. Taken as a whole, this principle imposes a statutory obligation on data controllers to ensure that personal data are processed in a secure environment. This means that data controllers must consider the state of technological development and the cost of implementing any security measures. Bearing in mind these factors, the security measures adopted by data controllers must ensure a level of security appropriate to both the nature of the data to be protected and the likely harm that would result from a breach of this principle (Carey, 2002, p. 58). It follows that the more sensitive the data, the more adverse the consequences of a security breach would be for the data subject, and therefore the more stringent the security requirements that should be put in place. This is especially the case as regards the processing of health-related data. In any case, data controllers should implement appropriate security measures to ensure that non-authorised personnel are not able to gain access to personal data. In addition, security precautions would suggest making back-up copies.

Data transfer to countries with adequate protection

Finally, the last principle is notification to the supervisory authority, in order to ensure the supervision of the data processing. The data controller must notify the supervisory authority about the processing, mentioning among other things the name of the controller, the purpose of the processing, the categories of data subjects, the categories of data processed and the recipients to whom the data might be disclosed. The notification must take place before carrying out any wholly or partly automatic processing operation, or set of such operations, intended to serve a single purpose or several related purposes, with limited exceptions.

fidis-wp11-del11.1.mobility_and_identity_03.sxw
Denis Royer 31 / 58