Newsletter - March 2019

AN INTERESTING PRECEDENT CONCERNING THE GDPR’S RIGHT TO ERASURE

In the Netherlands, a civil court has recently rendered an interesting decision that could create a precedent regarding the GDPR.

The facts: a Dutch surgeon had been sanctioned by a disciplinary court. A website that publishes black lists of professionals had posted the surgeon’s personal data: name, professional registration number, and a link to the disciplinary decision. Google’s search engine showed a link to that website in the results of relevant searches. It is to be noted that the facts, as well as the disciplinary court’s decision, date back to before the GDPR became effective.

The surgeon asked Google to stop showing the link to the blacklist website in its search results, arguing that the blacklist was not official and that the appearance of the surgeon’s name on it damaged the surgeon’s private as well as professional life. Google refused. The surgeon turned to the Dutch data protection authority, but the latter declined to back the surgeon because the personal data shown were neither false nor obsolete (the probationary period imposed in the disciplinary decision had not yet elapsed), while the right of the public to information had to be protected.

The surgeon then sued Google before a civil court and, in the course of the proceedings, relied on articles 10 (special protection of personal data relating to criminal convictions) and 17 (right to erasure, or “right to be forgotten”) of the GDPR, which had come into force in the meantime. The court ordered Google to delete this search result, even though the GDPR was not in force when the surgeon had started the civil action. The reasoning of the court is interesting:

  • First, the court considered that data relating to disciplinary sanctions are not equivalent to personal data relating to criminal convictions within the meaning of article 10 GDPR, so this argument by the surgeon was rejected.

  • However, the court considered that the right of the natural person to a private life prevails over the commercial interests of the operator of a search engine, as well as over the right of the general public to information, even though the posted data are accurate. In reaching this conclusion the court took into account a number of factual aspects of the case which we will not quote here and, more importantly, decided that the GDPR right to erasure applied because the search engine continued to list the website in its search results after 25 May 2018, the day the GDPR became effective.

BLOCKCHAIN AND GDPR

Blockchain technology is trendy, so does that mean it could or should be used for data processing that falls under the GDPR?

A blockchain is a technology that links blocks of data and replicates them many times on various computers. Furthermore, each block is marked in such a way that the tiniest change in a block would modify the mark (in practice the mark is a cryptographic hash of the block’s content). Let’s take an example with two blocks describing the sale of a piece of art:

[(00000)Litho S. Dali #123456 sold on 2015-02-01 USD 770 (ac23x)] - [(ac23x)Litho S. Dali #123456 sold on 2019-03-15 USD 870 (jk09y)]

Each block starts with the mark of the previous block (or “00000” in the case of the first block) and ends with a mark computed from the content of the block, including that leading reference to the previous block.

The mark ensures that a change in the first block would give it a different mark, so the reference at the start of the second block would no longer match and the “chain” would be broken. One would then have to modify the second block as well, but its mark would change too (since the mark of a block takes into account the mark of the previous block!). Let’s modify the selling price in the first block and see the impact:

[(00000)Litho S. Dali #123456 sold on 2015-02-01 USD 470 (4tg87)] - [(4tg87)Litho S. Dali #123456 sold on 2019-03-15 USD 870 (0ku77)]

By changing the price from 770 to 470, the mark of the first block is now completely different, so an attacker has to update this reference in the second block, which modifies the mark of the second block, and so on down the chain. Furthermore, as each block is replicated hundreds of times, the attacker would have to rewrite the block and all its successors on every computer holding a copy; a single honest copy is enough to expose the forgery by comparing marks. Blockchain technology is therefore very good at maintaining data integrity.

What about data confidentiality? We only want a limited and identifiable group of persons to have access to the information. If personal data were stored in a block, since each block is visible to everyone who holds a copy of it, one must encrypt the personal data, which is perfectly possible. We would distribute the decryption key only to those who are allowed to see the personal data. Note that encrypted data remain personal data: confidentiality then depends entirely on that key never leaking, since the ciphertext itself can never be withdrawn from the copies.

The data subject’s right to rectification could easily be implemented by appending a new block containing the corrected, encrypted data; the block holding the old data nevertheless remains in the chain.

But there are several rights granted by the GDPR that blockchain technology cannot satisfy by design: the “right to be forgotten”, the rendering of personal data anonymous in such a manner that the data subject is not or no longer identifiable, and the complete purge of personal data. Indeed, no block of a chain can be modified or permanently deleted, and even if the data were encrypted, those who possess the key could still access the information at any time.
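To make the integrity argument of the preceding paragraphs and the erasure problem concrete, here is an added example (not code from this newsletter) that builds a small hash chain over the two art-sale records above, using SHA-256 as the “mark”. It shows the three outcomes a practitioner should expect: a careless edit is caught at the edited block, a diligent attacker who re-marks every successor produces a self-consistent chain whose final mark no longer agrees with the other replicas, and an attempt to “erase” a record is indistinguishable from tampering. The records and the replica set are constructed for the example; the function names are our own.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Stand-in for the "00000" mark of the newsletter's first block.
GENESIS_MARK = "0" * 64


@dataclass(frozen=True)
class Block:
    prev_mark: str   # mark of the previous block (the "(ac23x)" at the start of a block)
    content: str     # the record itself
    mark: str        # mark of this block (the "(jk09y)" at the end)


def compute_mark(prev_mark: str, content: str) -> str:
    """The mark is SHA-256 over the previous mark and the content, so it
    depends on every block that came before."""
    return hashlib.sha256(f"{prev_mark}|{content}".encode("utf-8")).hexdigest()


def build_chain(records: List[str]) -> List[Block]:
    chain: List[Block] = []
    prev = GENESIS_MARK
    for record in records:
        mark = compute_mark(prev, record)
        chain.append(Block(prev, record, mark))
        prev = mark
    return chain


def first_broken_link(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose back-reference or mark does not check
    out, or None when the chain is intact."""
    prev = GENESIS_MARK
    for i, block in enumerate(chain):
        if block.prev_mark != prev or block.mark != compute_mark(block.prev_mark, block.content):
            return i
        prev = block.mark
    return None


def rewrite(chain: List[Block], index: int, new_content: str, remark_successors: bool) -> List[Block]:
    """Copy of the chain with block `index` changed to `new_content`.
    remark_successors=False: the careless edit (content changed, marks left alone).
    remark_successors=True: the diligent attacker re-marks the block and every
    successor, yielding an internally consistent but different chain."""
    edited = list(chain)
    if not remark_successors:
        old = edited[index]
        edited[index] = Block(old.prev_mark, new_content, old.mark)
        return edited
    prev = edited[index].prev_mark
    for i in range(index, len(edited)):
        content = new_content if i == index else edited[i].content
        mark = compute_mark(prev, content)
        edited[i] = Block(prev, content, mark)
        prev = mark
    return edited


def replicas_agree(replicas: List[List[Block]]) -> bool:
    """True when every copy of the chain ends in the same mark. A rewritten
    copy stands out as soon as one honest copy is compared against it."""
    return len({chain[-1].mark for chain in replicas}) == 1


# Constructed records, taken from the newsletter's example.
SALES = [
    "Litho S. Dali #123456 sold on 2015-02-01 USD 770",
    "Litho S. Dali #123456 sold on 2019-03-15 USD 870",
]

if __name__ == "__main__":
    cheaper = "Litho S. Dali #123456 sold on 2015-02-01 USD 470"
    honest = build_chain(SALES)
    careless = rewrite(honest, 0, cheaper, remark_successors=False)
    diligent = rewrite(honest, 0, cheaper, remark_successors=True)
    erased = rewrite(honest, 0, "[record erased at the data subject's request]", remark_successors=True)
    print("honest chain intact:", first_broken_link(honest) is None)
    print("careless edit caught at block:", first_broken_link(careless))
    print("diligent rewrite self-consistent:", first_broken_link(diligent) is None)
    print("but other replicas agree with it:", replicas_agree([honest, honest, diligent]))
    print("erasure indistinguishable from tampering:", replicas_agree([honest, erased]))
```

The careless edit fails on its own; the diligent one only fails when its final mark is compared with another copy, which is exactly why the replication in the argument above matters. Note also that nothing in the chain distinguishes a legitimate erasure from an attack: honest replicas reject both in the same way.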

Based on the above, we do not recommend using blockchain technology to store personal data, because you will never be compliant with the GDPR.

FOOTBALL LEAKS: WHEN CAN HACKING BE ETHICAL?

An interesting scandal has recently broken out in Portugal: Football Leaks. A Portuguese individual has published what he says are frequent, illegal actions carried out by some of the greatest European football clubs and world-renowned players… but he did this by breaching privacy legislation and personal data protection laws, and by committing acts of computer hacking.

On the one hand, this individual claims that he should be protected by European whistleblower legislation, because his discoveries justify the hacking he committed when breaking into computers to retrieve the evidence of illegal activities he was looking for. On the other hand, the legal obligation to respect the confidentiality of private life and private property has been violated, and this makes him a criminal.

So this case apparently creates a new dilemma: how seriously may one breach the law in order to uncover other breaches of the law? In other words, does the end justify the means for a private individual, whereas in most countries police authorities may resort only to legal means to obtain the evidence they are looking for, and evidence obtained otherwise is disregarded, however important the crime it would help to prove? And what would the judgment be when the only means of uncovering criminal activity is to breach the security and confidentiality of personal data?

The GDPR does not by itself resolve this dilemma, of course. Still, the general progress of technology will create more and more situations where one has to weigh ethical behaviour against the legality of actions. Do the principles of protection of the personal data of natural persons override the right to uncover crimes, even if the proof of the crimes lies within such personal data, and if so, how long will this hold true?

WHO WE ARE

LegIT-Team is composed of legal and IT experts and specializes in providing GDPR compliance services to organizations. Services include:

  • Organizational review
  • Identification of the processes and procedures to improve or create
  • Identification of the short and long term priorities and resources to implement
  • Full management and implementation of the GDPR compliance requirements

Please contact us at info.legit-team.com to see how we can help you navigate and maintain your organization in compliance with the new Regulation.