Call Me by My Name, but You Need Permission First
A recent ruling by the CJEU regarding the handling of personal data is setting a concerning precedent.
By Zsuzsa Detrekoi
The creation of the General Data Protection Regulation (GDPR) was intended to enhance the protection of privacy in response to the widespread use of personal data in the digital age. This increased the vulnerability of internet users to online companies, particularly major digital platforms. The GDPR establishes requirements for organizations that offer services in Europe regarding the collection, storage, and processing of personal information.
One of the fundamental requirements for data processing to be permissible is the presence of a valid legal basis, which may stem from a legal obligation, legitimate interest, the protection of vital interests or the public interest, the performance of a contract, or consent.
Processing of personal data refers to any operation or series of operations carried out on personal data, whether automated or not. This includes activities such as collecting, recording, organizing, storing, adapting, altering, retrieving, consulting, using, transmitting, disseminating, aligning, combining, restricting, erasing, or destroying the data.
The Court of Justice of the European Union (CJEU) recently made a decision in a case brought by Finland. Endemol Shine Finland, one of the largest entertainment production companies in this Nordic country, had issued a tender and, instead of requiring a clean record as a condition for the application, sought to check the criminal records of the applicants at the District Court.
The District Court denied the request, stating that using legitimate interest as a legal basis for processing criminal records was not acceptable in Finland. Endemol Shine Finland appealed this decision, arguing that an oral disclosure of personal data would not constitute processing under the definition provided by the GDPR. The Court of Appeal then referred the case to the CJEU for a preliminary ruling, including the question of whether an oral transfer of personal data should be considered processing under the GDPR.
In its recent ruling, the CJEU emphasized that the concept of ‘processing’ in the GDPR should be interpreted broadly, as indicated by the term ‘any operation’ and the non-exhaustive list of operations provided in the regulation. The court further stated that allowing the circumvention of the regulation by disclosing personal data orally instead of in writing would go against the intended purpose of the GDPR. Therefore, the court concluded that the oral disclosure of personal data is also considered as ‘processing’ under Article 4(2) of the GDPR.
The broad definition and interpretation of the GDPR’s data processing have already led to counterproductive results. As users, we are bombarded with lengthy privacy policies that no one reads, and we often give consent without fully understanding its implications. But the recent decision by the CJEU has opened a Pandora’s box, as even simple interactions with others could potentially be considered data processing under this broad definition.
If we follow this logic, something as innocent as using someone’s name in conversation could also be seen as data processing. This raises concerns about the extreme outcomes that could result from such a broad interpretation. For example, if we consider calling someone by their name as data processing, we would need a legal basis for doing so. Since it is not a legal obligation, public interest, vital interest, or part of a contract, the only remaining legal basis would be consent.
Therefore, in order to comply with the GDPR, we would need to ask for consent before using someone’s name in conversation. This seems absurd and impractical, highlighting the challenges and complexities that arise from the GDPR’s data processing rules.
Everyone can comprehend the reasoning behind the tighter regulations in the digital era. No one wants to be completely exposed to large platforms or fall prey to data breaches. However, with this overly broad interpretation, we have swung to the opposite extreme.
The Finnish court could have classified a criminal record as sensitive personal data, as is the case in other countries, and denied access to it, without distinguishing between oral or written forms of processing. The CJEU could have set a precedent by not considering oral processing as an operation under the GDPR. By not doing so, with this broad interpretation, there is now no limit to the extent to which compliance with the GDPR may be required. Looking ahead, it is possible that even simply thinking about someone’s name or picture could be considered as “any operation” and therefore qualify as data processing under the GDPR.
This could potentially create absurd scenarios where even simple, everyday conversations could be subject to GDPR, based on the recent CJEU ruling. This would significantly impact social interactions and the way people share information, which was not the original intent of the GDPR.
