GDPR credibility undermined by misuse says Dixon
Claire O'Sullivan Greene with DPC Helen Dixon

11 Dec 2018 / data law Print

Misuse undermines GDPR credibility says Dixon

Data Protection Commissioner (DPC) Helen Dixon told Law Society Diploma Centre graduates recently that the implementation of the General Data Protection Regulation (GDPR) had caused many organisations to panic and curtail legitimate data-processing requests. 

Speaking at Blackhall Place on 22 November, the commissioner said that we were rapidly moving into a very new world in terms of our interaction with technology. 

Strange

“We’ve seen some very strange headlines in Ireland over the last number of weeks about what’s no longer, apparently, allowed under GDPR.

“I took a snapshot of some of the headlines in Ireland: ‘CCTV banned for local authorities because of GDPR’; ‘mug shots of criminals can no longer be used to allow victims of crime identify suspects’; ‘blood-test results can’t be provided to a patient in a hospital because of GDPR’; ‘politicians’ pension details can no longer be published because of GDPR’; ‘hair-dye details cannot be given to a customer who calls to a salon and who wants to transfer to another hairdresser’s, because of GDPR’.” 

The commissioner commented that, in the latter instance, all that was required was that a request for the relevant details be submitted in writing only, and sent to the hairdresser’s HQ. 

She revealed that a property-management company had received a bill for a fire brigade call-out to one of their managed apartment blocks.

They called the fire station to establish whether there had actually been a fire, and were told they couldn’t have that information because of GDPR! 

Naughty or nice

“I’m waiting for a headline to confirm Santa Claus is cancelled for this year because his list of who is naughty or nice is not GDPR-compliant – and then we’ll know we’ve hit rock-bottom!” she quipped. 

Some entities didn’t understand GDPR, some were too cautious, and others again were abusing GDPR and using it as a shield, the DPC added. 

The GDPR, as the main EU legal framework governing the processing of personal data, is a high-level, principles-based law that requires analysis and application to any given set of facts and contexts, she said.

The basic principles of the GDPR, however, were the same as those that had existed in law for the last 30 years. She warned of the need to be wary of blanket statements that, suddenly, something could not happen because of the GDPR. 

Common sense

“Therefore, we urgently need people with common sense who’ve studied in this area and understand how to apply the principles and achieve an appropriate balancing of rights,” she said.

“Data protection law is a sensible set of rules, and its credibility is undermined when it is misapplied. We need data protection officers with the necessary skills and expertise and resilience to work in all types of sectors, and to guide organisations in their measurement of risk and accountability measures around data handling. 

Data-fuelled world

We now lived in a data-fuelled world, the commissioner added, and technology and IP law were growing, daily, in relevance and importance. 

“We stand on the cusp of the mainstreaming of many new applications for artificial intelligence and machine learning that will, in some cases, save and prolong lives and, in others, challenge the very essence of what it is to be human,” Dixon declared. 

More and more of our decisions and thinking will be outsourced to technology, she said, as connected driverless cars, smart homes, sensor-based wearables, ingestibles and high-speed facial recognition become ubiquitous. 

“Technology is, after all, increasingly dictating the news we read, the books we choose, the time we spend,” the commissioner pointed out. 

Whole new toolkit

The 2018 General Data Protection Regulation had given her office a whole new toolkit to tackle the data-processing practices of the world’s biggest technology companies, all headquartered here.

“We have investigations underway that will conclude on the objective standards of transparency, quality of consent, data minimisation, and privacy by design and default that must be met by these companies under GDPR,” she revealed.

Human identities

In the meantime, the job for all of us was to make sure we maintained our human identities, and the ability to think for ourselves.

“If Google maps suggests where you go, Amazon tells you what books to read, Netflix finds you the next film to watch, Facebook tells you who to be friends with and what’s in the news – all based on a profile of your previous online activity – you may rather quickly find yourself in an echo chamber of your own biases and limited horizons,” the Dixon cautioned.

We particularly needed to find multiple sources of news for what was going on in the world, she urged, and to actively practise the skills of thinking for ourselves and making our own independent choices. 

Leading roles

Congratulating the graduates, the commissioner concluded: “I have no doubt that, you, the conferees of the Diploma in Technology and IP Law, will play leading roles in bringing legal clarity and certainty to many of the existing and emerging challenges of this digital revolution through which we are now living.” 

 

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland