Here’s a Scenario
Two people, Ross and Harvey, meet up to discuss an experimental medical procedure. Ross, the doctor, gives Harvey, the patient, a list of items he needs to review and consent to. Harvey reads them over, signs the document, and hands it back to Ross. This document included references to the articles found in GDPR and highlighted all the procedures Harvey will undergo throughout the experiment. Throughout the procedure timeframe, Harvey is constantly kept up-to-date about the status of himself and the procedure by Ross. The clinic’s data retention schedule is set to two weeks after the conclusion of the experiment. Three weeks later, Harvey requests all his information Ross has to be sent to him. Ross complies and sends Harvey all the data the medical clinic has for Harvey within the appropriate timeframe to fulfill the request. What Ross fails to do is inform Harvey that the data was also sent outside of the Union to one of their partner research labs who aided in the experiment. All data that was sent to the partner lab was pseudonymized to avoid unauthorized personnel tying it back to Harvey and the other volunteers. This is later discovered during a routine audit and Harvey joins a class-action lawsuit against Ross and his medical clinic. So… What was the class-action for? In other words, what area of GDPR was violated, if at all, by Ross’s clinic?
Background
The General Data Protection Regulation (GDPR) consists of 99 articles that involve the definition, handling, and categorizing of personal data. GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (GDPR Article 4).” In other words, this can consist of your name, date of birth, street address, social security umber, national unique identification number, gender, ethnicity, socioeconomic status, and even where you took a dump this morning after you got done showering. You personal data is all the information that can allow someone to identify you. In Harvey’s case, he provided personal health information (PHI) that could identify him, thus making it personal data.
GDPR’s goal is to protect natural persons regarding the processing of personal data and enact rules to allow free movement of personal data (GDPR Article 1). You and I would be considered a “natural person.” In 2016, the European Union (EU, Union) adopted the regulation and replaced the 1995 Data Protection Directive, an old and largely outdated law. As of 2016, the GDPR is recognized across the EU as the de facto data privacy regulation and as of May 2018, all Member States have adopted the regulation as the universal privacy protection law for their sovereign region.
There are 11 chapters that make up the 99 articles in GDPR, and they are as follows:
- General Provisions (1 – 4)
- Principles (5 – 11)
- Rights of the Data Subject (12 – 23)
- Controller and Processor (24 – 43)
- Transfers of Personal Data to Third Countries or International Organizations (44 – 50)
- Independent Supervisory Authorities (51 – 59)
- Cooperation and Consistency (60 – 76)
- Remedies, Liability, and Penalties (77 – 84)
- Provisions Relating to Specific Processing Situations (85 – 91)
- Delegated Acts and Implementing Acts (92 – 93)
- Final Provisions (94 – 99)
Over the next several weeks we will be making our way through each of these chapters and giving examples of how different situations apply to different articles and how they could apply to the everyday person like you and me. I hope that over the next several weeks, you will be able to know exactly who is at fault between Harvey and Ross and what kind of penalties can be levied and if Ross has the option to countersue.
Now back to Harvey and Ross
If we look at their situation, we see that Harvey gave informed consent to Ross when he read the entirety of the consent form, signed it, and was constantly updated on his condition throughout the procedure. Ross’s team had a retention schedule in place that only retained Harvey’s, and other patients’, data for as long as needed, as well as a pseudonymization process in place to protect Harvey’s identity. Additionally, a privacy audit is conducted annually to ensure the clinic is compliant with the latest privacy regulations. However, Ross failed to tell Harvey that data would be transferred outside the Union even though it couldn’t be tied back to Harvey without additional information that Harvey was not required to and did not give. So, is there a case here?
Additional factors would need to be looked into, but at face value, it would appear that Harvey would have a difficult time showing that additional damage had been done outside of Ross failing to fully disclose that data was sent outside the Union. If Harvey cannot show that harm was done, then he would have a difficult time doing anything beyond requesting that his data be provided to him and deleted. Also, the associated research lab would have co abide by GDPR rules because they’re processing data of individuals who are Union citizens. Of course, I’ll let you be the judge as we go through our series over the next several months.
HOW DOES THIS APPLY TO ME AND YOU?
Unless you are a citizen of the Union, such as Harvey, collect data from Union citizens, or conduct business within the EU, domiciled or remotely, GDPR applies directly to you! You should research your rights and requirements of the regulation and assess your individual or business posture accordingly. We will go through the different articles to see exactly how each applies to me and you. And for the record, I am not a Union citizen. However, GDPR is the first of many privacy-related regulations that will come in the next several years. Modern examples are Brazil’s LGDP, India PDPA, and California’s CCPA and CPRA.
Thanks for reading and I’ll talk to you soon!
See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.