Processing personal data fairly is required by Article 5.1. of GDPR.
Anyone who gets other people’s data has to use it fairly. The first rule of using data fairly means using it exactly as the person expects it. Second rule od fair data use means that it doesn’t cause any adverse effects.
To sum it up fairness consists of two major areas:
- person's expectation on what will happen to their data
- person's assumption of no adverse effect coming out personal data sharing
Every data controller should always ask themselves: what does a person (data subject) expect that will happen to their data?
Every data controller should always make a clear differentiation between assumption and presumption of the data subject about their data and always treat that data subjects assume no adverse effect especially in relation to fairness.
Data processing: assumption vs. presumption
The assumption is by definition accepting something is true without having proof, wheres presumption refers to something being true on reasonable grounds or probable evidence. Is it really reasonable that an individual will gather evidence about personal data that they give to the data controller? Is reasonable to expect that an individual will weigh the evidence about data processing and then decide if they would share the data? No. There are several reasons why this is true. Some of the reasons are discussed in this blog post.
Data subjects who willingly share personal data with data controllers:
- are convinced that everything is done by-the-book (expecting what will happen to their data - expecting fairness - that data controllers say what they will do with their data and that they do what they said)
- are convinced that sharing their data will do them no harm, without questioning it (assuming no adverse effects - assuming fairness)
One may argue that because the right to personal data protection is a fundamental right, a natural person should actively monitor if their fundamental right is respected. This might seem like a tautology. Examining it in-depth, it is most certainly not tautology and the author will explain his view why.
In the example when a private person, a customer, downloads a smartphone fitness app that monitors a person's biking route using GPS:
- a user would expect that the GPS data will be gathered by the app only for tracking the biking route
- a user would assume that app provider (seller, controller) will use GPS data only for the purpose of recording and analysing the route
During the process of registering for the app (in this non-exhaustive lists), user:
- gives the application the right to access a smartphone's GPS location
- accept the terms of service
However, what actual proof does the user have that a data controller will not share their real-time GPS data? What actual proof does the user have that their real-time GPS that will not be shared on the deep web, available to home intruders? The user could get that proof only by collecting objective evidence. Objective evidence refers to information based on facts that can be proven by analysis, observations or measurements. How likely is that an average user would even consider gathering such objective evidence? How likely is that an average user would have the knowledge and means to analyse the app? Do users even have the means to do such analysis? The likelihood is zero to none. The author is quite confident that this statement does not need proof.
Therefore, it is safe to infer that data subjects will believe that a data controller will not abuse their trust, but act fairly and do no harm. That is the main reason why it is not reasonable to expect from users to actively take care of their fundamental right to data protection. This is especially true with respect to the fairness of data processing.
Nota bene, this doesn't mean that an individual shouldn't be vigilant. Acting upon findings of a vigilant user is recognised by GDPR and users (data subjects) have six distinctive rights to exercise. However, this blog post will not delve into those rights.
Data controllers should never abuse the trust that data subjects place in them. When a data subject gives their personal data to the data controller, data subject actually demonstrates that it believes that data subject will act exactly as they said.
From the keyword, "belief", comes the clear concept of imbalance of power that GDPR recognises. GDPR puts data controller in a position of greater power than the data subject. Because of the fast-moving modern world, that imbalance of power is so great that an individual's personal data needs formal protection. Formal protection of personal data comes in the form of GDPR, especially as personal data has value.
By doing that, using plain language, users say:
"I believe that my personal data will be used as I expect it and I assume nothing bad will come from it."
So, if the data controller processes the data in any other way than the user expects it, it shouldn't be considered to be fair. Why? GDPR should be understood in the manner that it instructs the data controllers take active steps to provide information to the data subject, not the other way around. Coming from the imbalance of power, GDPR explicitly orders data controllers to take extra care for the personal data they received. That set of complex but explicit orders have the same goal: maintain data subject's fundamental right to personal data protection at all times.
Consequently, when a user shares their personal data to the app provider, the user is liable for providing that data. However, the user's liability is minuscule when compared to the liability of the data controller and their obligation to process it by-the-book. That is only fair. Right?
Data controllers should treat data subjects as partners and fully acknowledge specific rights that GDPR gives them. They shouldn't be tricked into what app does, how the data is used, where is it stored or who will have access to it. Users should never be deceived about any of the important facts. It's only fair. Right? In general, if obtaining the data is a result of deception (e.g. not all purposes are stated), it is highly unlikely that its usage would be fair.
Is the detrimental effect of data processing always unfair?
The simple answer is no. There are cases when processing personal has a detrimental effect on the data subject but doesn't automatically imply a failure to process data fairly.
In an example where a person applies for a yearly apartment lease, with the maximum lease duration of 3 years (renewed yearly), where the owner puts conditions:
- that the lease is co-signed by a guarantor who will pay for the rent in the event that a person does not pay it (because the person has low credit rating).
- that the person provides the proof that the home contents are insured for the whole duration of the 1-year lease period (with specific coverage) and that failure to demonstrate that insurance policy automatically terminates a contract
- that the person provides the proof to have unemployment insurance for the whole duration of the 1-year lease period and that failure to demonstrate unemployment insurance policy automatically terminates a contract - owner only claiming they need to see that policy to mitigate the risk of late rent payments and therefore having the legitimate interest to process all personal data listed in the unemployment insurance policy
In case when a person is paying their rent on time, has the home contents insured, but they have become unemployed and cannot obtain the unemployment insurance the apartment lease should be terminated. Obligation to vacate the premises would obviously be detrimental to the tenant, but not unfair.
In this example, the employment status of the tenant is revealed to the homeowner implicitly by the failure to provide the unemployment insurance.
However, things are rarely black and white. Let's dig a bit deeper and try to assess fairness.
It could be that the person is unemployed by choice because they have inherited a considerable amount of money. It seems unfair that the tenant should vacate the premises just because they've become rich. Doesn't it?
What happens is the tenant offers:
- a bank guarantee instead of unemployment insurance policy to the homeowner with the same coverage as unemployment policy
- to pay the rent for the entire year in advance
If the homeowner becomes safe to receive the rent for the entire additional year, it would seem unfair towards the tenant to lose it's right to extend the lease and lose their home if they provided the equivalent risk mitigation to the homeowner as the unemployment insurance policy does. Depending on the exact language of the lease agreement, the offer of such an equivalent payment protection instrument could mean:
- tenant is safe and can extend the contract,
- tenant has to leave because of the failure to deliver policy,
- that situation is unclear as contract language is ambiguous and the amicably decide to terminate the contract,
- that case ends up before the court to decide
Whatever is the fate of the lease contract, the question arises does the homeowner even have the right to ask the tenant why aren't they able to provide unemployment policy and base their actions/decisions on such information? The answer is unequivocal: No! However, that might not be self-evident. The tenant has not consented to disclose their economic status by accepting the obligation to provide unemployment insurance policy at the time. Even if that consent was not explicit, the homeowner can argue that the consent wasn't necessary as they have a legitimate interest to protect themselves from late payments by having tenants that are employed. The question arises, what another legal basis could the homeowner have to
- offer tenancy only to employed tenants
- ask for unemployment insurance policy
but to protect themselves from uncollected rent from unemployed tenants. In this case, the homeowner would have proved that:
- providing the insurance policy is the major primary obligation of the tenant
- that tenant's offer of cash advance or bank guarantee does not constitute fulfilling the primary obligation of the tenant
If that can be proven, it is most likely that there is a legal basis to ask for employment status and if not, the homeowner wouldn't have the right to ask about the employment status.
The fate of the tenancy agreement depends on standing regulations of each EU Member State and contract language in details. Whether the unemployment insurance policy is condition precedent and prevents extension of the contract, whether failure to present constitutes a breach, or the tenant's offer to replace unemployment insurance policy proof with bank guarantee could be considered as a quid pro quo, is not of material importance to the nature of employment status or economic identity of a tenant (here data subject).
Whatever is the fate of above-described tenancy status, it seems unfair that just because an individual has become wealthy that they need to disclose additional personal data (as employment status or inheritance being the economic identity) just in order to keep their home.
It is obvious that tenant has to disclose personal information (as employment status implicitly by providing unemployment insurance policy), but if the purpose of that disclosure is not explicitly specified as regulated in Article 5.1.b of GDPR clearly stating why does the homeowner need unemployment insurance policy as a condition precedent for tenancy contract extension it is only reasonable to search for the purpose in the personal data itself.
- If a homeowner claims that required unemployment insurance policy proves that the tenant is employed. The tenant being employed implies but does not prove with certainty they can pay rent, thus mitigating the risk of default payments. Asking for an unemployment insurance policy just to prove that someone is employed should be considered excessive data processing (collection) and a direct infraction against Article 6.1.c of GDPR. as the same purpose can be obtained with significantly fewer data: tenant submitting a letter from the employer confirming that they are employed and not facing employment contract termination.
- However, if a homeowner claims that required unemployment insurance policy proves with certainty that the tenant will be able to pay rent, even if they lose their job, therefore mitigating the risk of default payments. The purpose of presenting such policy is not the policy itself but proving the ability to pay rent.
Examples of two hypothetical purposes of processing unemployment insurance policy are here to depict how important is to understand Article 5.1.c. that reads "Personal data shall be adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed ('data minimisation')" in conjunction to fairness principle as described in Article 5.1.a. of GDPR and how important it is to be clear why some data is being processed.
Lack of clarity could either mean an infraction against GDPR or can even change the nature of a contract. If example 1 would be true, the homeowner would clearly demonstrate that it is of great importance for them that tenants are employed (but would also mean infraction against GDPR), and in the example 2 homeowner would demonstrate that ability to pay rent is of great importance (without infringing on tenants rights if the purpose is clearly stated in the tenancy contract). Avoiding that legal vacuum is the main reason why Article 6.1.b clearly says that data processing purpose should be specified, explicit and legitimate.
However, being specific in the purpose of data processing also clarifies the nature of the entire contract. If the tenancy contract clearly said that the tenant should present the unemployment policy for the purpose of proving the to the homeowner the ability to pay the rent, conditions by GDPR about the purpose would be met. Such a precise contractual language would actually weaken the case of unemployed tenant that offers 1-year cash advance payment or a bank guarantee, as they would serve the same purpose. Moreover, in terms of GDPR cash advance or a bank guarantee would disclose less personal information to the homeowner, while retaining the same purpose, going more in line with data minimisation principle as set out in Article 6.1.c. Cash advance and bank guarantee disclose less personal information about the tenant than an unemployment insurance policy.
Beware, there can be a plethora of other valid reasons why the homeowner may legitimately want to see the unemployment insurance policy as having reputable tenants with a highly paid job because:
- keeping the rent up as an apartment is in an expensive neighbourhood where rents depend on appearances
- they tend to spend less time in the apartment lessening the possibility for damages
- higher the policy premium, higher the guaranteed income in case of job loss and lesser risk of default
- professionals tend to invest in the property and not be petty for low-cost repairs
- professionals tend to produce less noise
- professionals tend to be diligent in recycling
These might prove to be extremely important factors on which homeowner bases which tenant to choose. Not clearly stating these factors as contributing to choosing or assessing a tenant, but processing that data and basing decisions on them goest against Article 6.1.b of GDPR.
Those examples serve as depictions of reasons why the clarity and enforceability clauses of the main contract as important and equally crucial as privacy clauses regulated by GDPR. Clarity contributes to fairness - a cornerstone of the fundamental right to personal data protection.
Fairness and deception of stating the purpose of data processing
An example of a negative (detrimental) effect of using the data is described in the following example. When someone signs up for an online photography contest, they enter their email address in a form that is preceded by the following message.
"Please fill out this form to enter our photography contest. After posting your photo, it will be published on our website. Only other contestants will see your photo and vote for it if they like it. Ten photos with most votes will enter the finals. The jury will choose the winner between 10 finalists."
A person entering the contest expects that their email address will be used only for the contest and that enrolling will cause them no harm. That someone expects their data to be used for only one clearly and plainly explained the purpose. No small print. Ho hidden agendas.
What happens if the organizer has an ulterior motive behind gathering the email addresses and wishes to sell them? Such ulterior motive means that there are two real data usage purposes. The first purpose would be to organize the contest. The second purpose would be to get the data with the possibility to sell it. It is only natural to conclude that concealing a purpose is unfair and is a result of deceit.
Drawing the conclusion from the example, it is safe to say that the contest organizer has failed to use personal data fairly. Failure to use data fairly is a violation of a fundamental right to personal data protection guaranteed to everybody by Article 1.1. of the GDPR.
This blog post is made available by the author who is a licensed ISO 27001 Internal Auditor and has extensive experience in managing privacy. This blog is intended for educational purposes only as well to present views of the author how business understands the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney-client relationship between you and this blog publisher. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Views of the author do not necessarily represent views of Infranet (see our incorporation details) nor does it constitute a promise. Photos: Pexels.com