Czech Data Protection Association comments on the draft of the EDPB Guidelines 09/2020

Dec 2, 2020

The Czech Data Protection Association sent the following comments on the draft of the EDPB “Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679”:

Comments on the EDPB’s proposal of “Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679”, Version 1.0

We welcome the opportunity to present our comments to the recently published EDPB draft Guidance on relevant and reasoned objection.

As a general comment, we believe that the draft guidance generally accurately reflects the existing situation with regard to the consistency mechanism and the concept of relevant and reasoned objection. It usefully clarifies the main principles of this objection.

In detail we hope that the following specific comments are helpful to further improve this important guidance:

First of all, we consider it appropriate to mention that in our opinion, relevant and reasoned objection cannot be assessed as an isolated concept. On the contrary, within the consistency mechanism it is only a partial institute used for unified decision-making.

We would like to emphasize that an objection under Article 4 (24) must satisfy the requirement that this objection is based on the existence of risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects, and eventually the free flow of personal data within the Union (for an interpretation of these requirements see below). Only such objections, which will concern these two topics, will be objections within the meaning of Article 60 (4) of the GDPR, and in the event of their non-acceptance, the matter will have to be referred to the EDPB. However, this does not mean that other objections cannot be raised by the CSA, e.g. objections justified by an interference with other fundamental rights of controllers or processors (see also the broad reference to fundamental rights in Article 1 (2) and the text of rec. 4 GDPR). Although such objections do not “trigger” proceedings before the EDPB within the meaning of Article 60 (4), they must be appropriately addressed according to Article 60 (3). We consider it important to emphasise that such reasoned objections cannot be considered less important or relevant than objections based on Article 4 (24). Moreover, we believe that the LSA should in the context of Article 60 (3) GDPR also take into account any objections under Article 4 (24) provided after the deadline set forth by Article 60 (4) of the GDPR (compare example in point 21 of the Guidelines).

Point 9 of the Guidelines states that: “Whilst acknowledging that raising an objection is not the most preferable tool to remedy an insufficient degree of cooperation in the preceding stages of the OSS proceeding, the EDPB nevertheless acknowledges that it is an option open to CSAs.” Although we generally agree that cooperation should take place (already) at all stages of the proceedings, we would like to point out that this sentence could also be interpreted as discouraging CSAs from objecting when their submission could be interpreted as a failure in previous stages of cooperation. Such an interpretation would, of course, be hardly acceptable.

Regarding paragraph 14, we would like to point out that, although we fully agree with the view that “Raising only abstract or broad comments or objections cannot be considered relevant in this context”, adding specific reservations by taking into account a broader context may be very appropriate. We know many decisions of public bodies or court cases where the lack of a broader view of the case led to the fact that the decision, focused on a very specific case, was subsequently used for other cases, where, however, it was completely inappropriate in terms of context.

Point 30 of the Guidelines states that: “It is possible for a relevant and reasoned objection to raise issues concerning procedural aspects to the extent that they amount to situations in which the LSA allegedly disregarded procedural requirements imposed by the GDPR and this affects the conclusion reached in the draft decision.” However, we consider that, in reality, an objection may concern all procedural aspects, including those based on the law of a Member State, if non-compliance could give rise to risks for the fundamental rights and freedoms of data subjects and the free flow of personal data within the Union. We therefore believe that an objection doesn’t need to be based only on situations in which the LSA allegedly disregarded procedural requirements imposed by the GDPR. See also point 20 of the Guidelines.

With regard to point 44 of the opinion: “…objection demonstrating risks posed to the free flow of personal data, but not to the rights and freedoms of data subjects, will not be considered as meeting the threshold set by Article 4(24) GDPR.”, we acknowledge that the text of the English version of the GDPR may give this impression. However, for example, the Czech text of Article 4, point 24 is far from being that clear. Given that the free movement of personal data in the EU is one of the two fundamental objectives of the GDPR, we believe that the protection of the fulfilment of this objective should be given the same meaning in the context of an objection based on Article 4 (24) as infringements of rights and freedoms of data subjects. We therefore consider that, even if the word ‘and’ is used, it should be sufficient for the objection to be justified solely by an interest in respecting the principle of free movement of personal data, or at least the necessity of infringements of rights and freedoms of data subjects shouldn’t be overemphasised. After all, a breach of the principle of free flow of personal data can often be, albeit indirectly, an interference with the rights of data subjects (e.g. because the cross-border supply of services will be limited, etc.).

We are grateful for the opportunity to provide the above-mentioned comments on the Guidelines.

Prague, 24 November 2020

JUDr. Vladan Rámiš, Ph.D.

Chairman of the Committee
Spolek pro ochranu osobních údajů


We believe that the last sentence above (“As part of the analysis, they should consider all the available input and output data.”) is an interpretation which is too extensive and which deviates unreasonably from the original wording of Article 22 GDPR.

We fully agree with the interpretation of WP 29 that the controller cannot avoid the provisions of Article 22 of the GDPR by fabricating human involvement, and that the supervision over an automated decision should not be only symbolic or simulated. However, if the Guidelines state that all inputs and outputs that are available should be considered, it will further increase the level of quality of the required human supervision. Taking into account all inputs and outputs available asks for expert assessment of all the circumstances of the case. By contrast, routine human decision-making in everyday situations may not always be based on an assessment of all inputs and outputs that are available, but rather on an assessment of a limited scope of inputs and outputs that is normally used under similar circumstances and that is in practice considered as sufficiently relevant. The processing of all inputs and outputs available would further be in contradiction to the principle of data minimization.

The interpretation of the “general prohibition” in Article 22

WP29 considers Article 22/1 as a general prohibition on solely automated individual decisions with a significant effect. This means that the controller should not undertake the processing described in Article 22/1 unless one of the exceptions according to Article 22/2 applies. However, the text of Article 22/1 and the “prohibition” is unclear, especially when compared to other provisions of the GDPR, such as Article 9/1. We believe that the “general prohibition” under Article 22 is not as strict as interpreted by WP29. Therefore, an interpretation should be considered which takes into account the real position of Article 22. The outcome of automated processing and the resulting decision will in practice very often be in line with the real situation, and subsequent review by a human will not alter this. It is therefore unreasonable to insist that human interference should always be included in the decision-making process, especially where the decision is not definitive and delay in issuing the opposite decision after a human involvement based on the objection of the data subject would not have any significant impact on the data subject.

Definition of “a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”

The Guidelines give examples of such processing drawn from some situations in the marketing and advertising world. The Guidelines state that there can be an obvious impact on particular social groups in such cases. We respectfully propose to remove these examples from the Guidelines due to their inappropriateness. We believe that this interpretation interferes with specific regulation of the advertising industry in both consumer protection law and in national law. E.g. exposing people in financial difficulties to adverts for online gambling should be addressed through consumer protection law rather than personal data protection law, since such profiling does not deviate from common advertising profiling and there is no reason to apply Art. 22 restrictions in such cases.

The Guidelines also contain some other unclear and controversial examples. E.g. on page 10 there is an example of automatic decision-making in the form of automatic disconnection from mobile phone service for breach of contract because the data subject has forgotten to pay their bill before going on holiday. We would suggest reconsidering whether this is an example of automatic decision-making or not, as it is based primarily on the action/omission of the data subject and the decision made by the controller is strictly determined by the behavior of the data subject. In addition, there could be interference with private law (i.e. whether and under what circumstances a fulfillment of the contract may be refused/suspended, which is primarily a question solved by civil law) and therefore the use of such examples should be carefully chosen and reconsidered in order to respect the principle of the coherence of legal rules.

Necessity for entering into, or performance of, a contract

Although the wording of Article 22/2/a of GDPR is almost identical to Article 6/1/b) or f), we believe that the “necessity” under Article 22 should be assessed less strictly and separately, just from the point of view of automated decision-making under this Article. Consideration should therefore be given to real economic practice, especially in large enterprises with many thousands of (potential) customers and many running contracts, where customer rights in the process of negotiation/performance of a contract would be sufficiently protected by the mere possibility of an objection of data subjects and human intervention under Article 22/3.

We are really grateful for the opportunity to provide the above-mentioned comments on the Guidelines.

Yours sincerely

JUDr. Vladan Rámiš, Ph.D.
Chairman of the Committee

Ing. Václav Mach
Vice Chairman of the Committee