Does the GDPR really say that?

It’s rare that a new law provokes so much interest and debate, right across the general public; but, as it turns out, in both the run up to 25^th May 2018 as well as in the months since then, the General Data Protection Regulation (the GDPR) has been the talk of the proverbial town, and everyone seems to have a great story about what activity they’ve heard that the GDPR now bans. Stories range from the bizarre – such as the incident where a hairdresser refused to tell a customer who asked what hair dye had been used on her – to the worrying – such as suggestions that paramedics and other healthcare professionals are finding it difficult to do their jobs, supposedly because of the GDPR (more on these later on.)

Whilst these stories often make for good headlines or conversation-starters, an important part of the DPC’s role is awareness-raising about what data protection law says – and this includes clarifying what it doesn’t actually say! In this series of blog posts, we’ll try to shed some light on some recent rumours, myths, and misunderstandings about the GDPR, and data protection in general, which we’ve come across.

This blog isn’t meant to give a thorough, technical analysis of the examples that we try to myth-bust below, and, if needed, readers can find more information on data protection law under the ‘For Individuals’, ‘For Organisations’, and ‘Guidance’ sections of the DPC website, which we are adding to on an ongoing basis.

It’s important to remember that the principles found in the GDPR aren’t an entirely new or unexpected development, in fact the basic rules of the GDPR are, by and large, the same as those that have existed in data protection law for the last 30 years, especially the legal justifications under the GDPR which allow for the processing (such as using and sharing) of personal data.

What does the GDPR actually say, in general? Why does it seem to ban so many things?

First and foremost, the GDPR is not intended to stop or hamper the legitimate, lawful use and sharing of personal data (in technical terms, the ‘processing’ of personal data). In fact, the GDPR underlines that processing personal data must be “designed to serve mankind” – in other words, that it serves important purposes – and that the free flow of personal data within in the EU is a critical objective of the GDPR. Rumours of the GDPR making sweeping changes by outright banning certain practices and business models are (for the most part) greatly exaggerated.

The GDPR is what’s known as a ‘principles-based’ piece of legislation. This means that the GDPR really doesn’t focus on specific uses of personal data or particular contexts. Instead, it sets out certain high-level rules, consisting of limitations and obligations, addressed to those who process personal data (data controllers). It also gives individuals whose personal data are processed (data subjects) a range of rights to help them control how their personal data is used, and ensure that these uses are both lawful and transparent.

Data protection law is, in our view, a sensible set of rules, but its credibility is undermined when it is misapplied. Some confusion has arisen, primarily where data controllers don’t understand the GDPR or have been given bad advice, or even in cases where the GDPR is being used by some as a shield or an excuse to not bother figuring out how to comply with the law and assist their customers, clients, or colleagues, etc..

So, it’s generally inaccurate to say that “the GDPR bans X activity” or “the GDPR makes it impossible to do Y activity”, because in the majority of cases where that is said, the analysis simply hasn’t been done to see whether, in fact, there is a legal impediment under the GDPR to the processing activities in question.

Does the GDPR really prevent my hairdresser from telling me what hair-dye has been used on me?

This was a particularly memorable ‘What has the GDPR done this time?’ story, where a customer phoned her hairdresser to ask what type of hair dye they used, because she had to go to another hairdresser (as she needed her hair done in a rush and her usual hairdresser couldn’t give her an appointment) and wanted to make sure the other hairdresser used the same one. Her usual hairdresser apparently refused to give the information to the customer “because of GDPR”, and told her that she’d have to submit a formal request in writing to the headquarters of the hairdresser’s business.

To our minds, this was a simple request for information by a customer and it could have been dealt with by the hairdresser simply checking the container of the hair dye and telling the customer the brand and colour, or maybe they might even have known off the top of their head (no pun intended) what the answer to the customer’s query was.

It is important to remember that not every request for information is an access request for personal data under the GDPR, especially where the customer clearly didn’t intend to or indicate that they wanted to make such a request – in this case the customer had even indicated that they didn’t want this to be treated as an access request! Organisations need to be sensible and ensure that they don’t mistakenly interpret every request for information or assistance as an access request by a data subject for personal data, particularly where there is no indication from the individual that this was what they wanted.

Does the GDPR prevent the fire brigade from telling a management company if an apartment has gone on fire?

We also recently heard about the case of a property-management company who received a bill for a fire brigade call-out to one of their apartment blocks, but when they called the fire station to check whether there had actually been a fire, they were informed that the information couldn’t be shared with them, again “because of GDPR”.

In this case, the company simply wanted to establish whether the bills they were receiving for fire brigade call-outs were as a result of frequent fires in their apartments, or instead due to false alarms. They were not seeking any information directly or indirectly relating to the tenants or occupants of these properties.

What was being sought wasn’t actually personal data, but instead was just factual information about whether a call-out was based on a real fire or a false alarm. No information was sought which related to any individual, it was simply a request for clarification about an event. The GDPR only applies to personal data – which is information relating to a living individual.

Personal data clearly wasn’t what was being sought here, so whilst there may have been some other reason which the fire brigade had for refusing to confirm whether or not a fire had taken place – is wasn’t because of the GDPR! This is an example of where the GDPR may have been mistakenly thought to ban something, where in fact the GDPR didn’t apply at all – data protection law only applies to personal data, not to non-personal information.

Does the GDPR interfere with paramedics doing their jobs?

One of the most worrying trends we have come across at the DPC involves the GDPR being cited as a reason why paramedics and other healthcare professionals are finding it difficult to do their jobs. Obviously, the goal of the GDPR and other data protection laws is to protect individuals’ fundamental right to protection of their personal data, but the GDPR also makes it very clear that this is not an absolute right and it must be considered in relation to its function in society and be balanced with other rights. The rules around data protection do not interfere with the legitimate use of personal data, including medical or health data, in the provision of healthcare or medical treatment.

In fact one of the justifications (‘legal bases’) for processing personal data under the GDPR is to protect the vital interests (in other words, the life, health, and wellbeing) of individuals. It’s also important to point out that, similar to the law which applied before the GDPR, special protections apply to the processing of sensitive ‘special categories’ of personal data, including data concerning health, such as medical records. Processing these categories of data require a further level of legal justification, as to why it’s necessary to process the specific health-related personal data in the circumstances. One such justification is, again, where the processing is necessary to protect the individual’s vital interests and they are incapable of giving consent.

These issues were relevant in a scenario which recently came to the attention of the DPC, in a case where a paramedic was called to a nursing home to attend to a resident who was unconscious and needed medical assistance. Upon seeking access to the resident’s medical history, there were concerns about sharing it with the paramedic due to the GDPR. Such cases are cause for worry at the DPC, because there was a clear legal justification for disclosing the health-related personal data to the paramedic, namely in order to protect the unconscious individual’s health and life – their vital interests. Data protection law requirements and the GDPR are never be an impediment to administering such necessary and urgent medical treatment.

It’s really important to understand that the GDPR does not ban or impede the sharing of medical or health data, but what it does do is require that organisations consider – in advance, at a policy level – how to carry on such practices while still ensuring personal data are adequately protected. This means organisations must do their homework and work out what arrangements, systems, or policies they need to put in place in order to comply with the rules in the GDPR, whilst not compromising patient safety.

Did the GDPR put a stop to community-based CCTV schemes?

This was an issue which attracted a lot of attention over the last year and there was a widespread concern that the new rules and obligations under the GDPR were going to prevent the continued and future operation of community-based CCTV schemes. As we’ve said above, the DPC does not ban specific activities and it certainly does not ban the community-based CCTV schemes.

We recently issued guidance on community-based CCTV schemes to explain that the GDPR did not introduce new barriers to the installation of such schemes and that the requirement to have a legal justification for such schemes has been in place in Ireland for almost thirty years.

Data protection legislation does not stand in the way of the roll-out of community-based CCTV schemes that have been authorised by the Garda Commissioner. Once the local authority in the administrative area concerned is willing to take on and deliver on its responsibilities as a data controller for the schemes concerned, there is no legal impediment under data protection legislation to the scheme commencing.

A community-based CCTV scheme can have many benefits, but like all forms of surveillance, it is crucially important that it is done in a fair and lawful way, which protects the fundamental rights and freedoms of individuals.