Core principles in data protection framework
These principles are basically the same in Directive 1995 and the GDPR. There are many data
applications but it’s important to make a distinction between developing an application and using
that application once its built. You have a large bag of data and once you have found the patterns,
then you can build a little decision making model that you can then apply to cases.
I. Development, there is a lot of uncertainty because you don’t know yet what the model will
be like, which factors are relevant. Here, there is a low impact on individuals as you’re not
making decisions about individuals. You’re trying to find the commonalities and regulations.
II. Runtime, once you have a decision model there is certainty, you know what it looks like and
you can apply it to cases. This is aimed at making individua decisions and therefore there is
an impact on individuals. You’re using the commonalities and regulations that you found to
decide about individual cases. Traditionally they were very stable but with all data sources
being connected it’s no longer about static decision models but constantly being updated.
They are dynamic, they are changing all the time and the models will learn whether society
become healthier.
The GDPR or DPD don’t differentiate between these which is relevant because the risks are totally
different. The regulation should apply to the runtime description and less to the development stage,
but the rules apply equally to both cases and this is where you can have tensions.
In legitimate processing, the main used grounds are:
I. Consent, should be given unambiguously. You don’t know what you consent to, there is a
privacy policy that nobody wants to spend time on reading as you have to consent to it
anyway. If consent is withdrawn, does google have an obligation to throw away data?
II. Necessary for performance of contract, this ground often is connected to the first one and
it’s not always entirely clear whether it is this ground or the consent ground.
III. Legitimate interest of the controller, as long as Google’s interest don’t outweigh yours then it
would be a valid ground. Produce better services, make money with advertisements are
legitimate grounds.
However, it’s not always clear where observed data fits in. If you produce data yourself, it is probably
consent.
Legitimate purposes
The cornerstone is that you want a fair relation between controller and subject and therefore the
purposes must be put forward, then the data subject might decide that he doesn’t want to enter into
relations with controller. The GDPR states that data should be collected for specific explicit legitimate
purposes and must not be further processed in a manner incompatible with that purposes. According
to the professor, this provision is targeted against the classical IT systems (e.g. Bol.com). The purpose
for collection data is they want to know where you live to deliver packages. But what is the purpose
of knowing your birthday? Michael: “To give you a happy birthday wish and a voucher every year.” If
bol.com says that this is the purpose, then there is nothing that can be done about it (not by the DPA
either) as it’s a legitimate purpose. Is this the real purpose? Probably not, there is much more to it.
They want your birthday to divide customers into group as to target them for selling for example
Chicklits. They can ask basically anything as long as they can argue why they need it. Thus, the
purposes for collecting this data are entirely different but at least you can specify the purposes and
have it clarified.
These principles are basically the same in Directive 1995 and the GDPR. There are many data
applications but it’s important to make a distinction between developing an application and using
that application once its built. You have a large bag of data and once you have found the patterns,
then you can build a little decision making model that you can then apply to cases.
I. Development, there is a lot of uncertainty because you don’t know yet what the model will
be like, which factors are relevant. Here, there is a low impact on individuals as you’re not
making decisions about individuals. You’re trying to find the commonalities and regulations.
II. Runtime, once you have a decision model there is certainty, you know what it looks like and
you can apply it to cases. This is aimed at making individua decisions and therefore there is
an impact on individuals. You’re using the commonalities and regulations that you found to
decide about individual cases. Traditionally they were very stable but with all data sources
being connected it’s no longer about static decision models but constantly being updated.
They are dynamic, they are changing all the time and the models will learn whether society
become healthier.
The GDPR or DPD don’t differentiate between these which is relevant because the risks are totally
different. The regulation should apply to the runtime description and less to the development stage,
but the rules apply equally to both cases and this is where you can have tensions.
In legitimate processing, the main used grounds are:
I. Consent, should be given unambiguously. You don’t know what you consent to, there is a
privacy policy that nobody wants to spend time on reading as you have to consent to it
anyway. If consent is withdrawn, does google have an obligation to throw away data?
II. Necessary for performance of contract, this ground often is connected to the first one and
it’s not always entirely clear whether it is this ground or the consent ground.
III. Legitimate interest of the controller, as long as Google’s interest don’t outweigh yours then it
would be a valid ground. Produce better services, make money with advertisements are
legitimate grounds.
However, it’s not always clear where observed data fits in. If you produce data yourself, it is probably
consent.
Legitimate purposes
The cornerstone is that you want a fair relation between controller and subject and therefore the
purposes must be put forward, then the data subject might decide that he doesn’t want to enter into
relations with controller. The GDPR states that data should be collected for specific explicit legitimate
purposes and must not be further processed in a manner incompatible with that purposes. According
to the professor, this provision is targeted against the classical IT systems (e.g. Bol.com). The purpose
for collection data is they want to know where you live to deliver packages. But what is the purpose
of knowing your birthday? Michael: “To give you a happy birthday wish and a voucher every year.” If
bol.com says that this is the purpose, then there is nothing that can be done about it (not by the DPA
either) as it’s a legitimate purpose. Is this the real purpose? Probably not, there is much more to it.
They want your birthday to divide customers into group as to target them for selling for example
Chicklits. They can ask basically anything as long as they can argue why they need it. Thus, the
purposes for collecting this data are entirely different but at least you can specify the purposes and
have it clarified.
