Decisions on the GDPR (from supervisory authorities and courts) are still rare and therefore I am always very pleased when such a decision, in which the new European law is applied and interpreted, sees the light of day.
According to Art. 32 para 1 lit. a GDPR, the controller and the processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate the pseudonymisation and encryption of personal data.
According to Art. 5 para 1 lit. c GDPR, personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
In a current procedure, the Austrian Data Protection Authority (DPA) issued an official decision (German) on 13. September 2018 in response to a complaint regarding these two articles of the GDPR.
On 23 June 2018, the complainant in the proceedings filed two complaints against two respondents, alleging a violation of the fundamental right to data protection (Section 1 of the Data Protection Act in Austria) due to the failure to delete data or pseudonymize it. The respondents to the complaint were public authorities, specifically the Federal Ministry for Europe, Integration and the Exterior and the Federal Chancellery. The facts of the case themselves are somewhat more comprehensive (since at the beginning it was also a question of deletion of data). In the end, however, the subject-matter of the complaint was only the question of whether the respondents had violated the complainant’s right to confidentiality by failing to pseudonymize the complainant’s personal data in their electronic file systems (ELAK).
Decision oft he DPA
First, I believe that DPA correctly points out that the complainant did not, until the conclusion of the proceedings, establish any concrete act which would have violated her fundamental right to secrecy.
Rather, the complainant limited itself to bringing to light events not manifested in the ELAK, such as potential hacker attacks, data leaks or foreseeable technological innovations, in the course of which the complainant could in future suffer damage through the disclosure of her data, due to a “failure to pseudonymise” her data.
However, such a potential violation of rights is not sufficient, why the complaint regarding possible future violations had already been dismissed on this ground. Then the DPA comes to interesting interpretations of the regulations of the GDPR. In the opinion of the DPA, no right can be derived from the GDPR,
“according to which a data subject could demand specific data security measures within the meaning of Art. 32 GDPR from the controller. Nor can a data subject – as requested by the complainant – demand specific measures to minimise data within the meaning of Art. 5 para 1 lit. c GDPR.”
Admittedly, it is in principle possible for a data subject to be violated in its fundamental right to confidentiality due to inadequate data security measures taken by a controller (e.g. because this leads to disclosure to unauthorised third parties). However, even in this case, the data subject would not have the right to choose a specific data security measure.
According to the DPA, it is clear from Art. 32 GDPR that the obligation to ensure the security of the processing of personal data applies to the data controller or the processor,
“which, taking into account the elements referred to in paragraph 1 of this provision, may be provided in a number of ways“.
The DPA also systematically interprets the relevant provisions of the GDPR. The rights of data subjects are expressly regulated in Chapter III. Pseudonymisation can be found as a measure, however, in Chapter IV, which regulates the objective duties of controllers and processors.
“The data protection authority can only investigate this obligation of the controller within the framework of an officially initiated examination procedure (Art. 55 para. 1 in conjunction with Art. 57 para. 1 lit a and h GDPR) and, if necessary, instruct the controller to comply with the regulation (Art. 58 para. 2 lit d GDPR).”