Processing sensitive personal data

The new harmonised EU General Data Protection Regulation entered into force on 24 May 2016 and must be applied from 24 May 2018 without any further transitional period. All companies operating in the EU, regardless of their place of business, are already subject to the legislation. Legal enforcement in Switzerland is already in progress. For us, this is reason enough to examine the General Data Protection Regulation in more detail in a series of articles.

Particularly sensitive personal data

Data is the resource of the future; one could say it is the oil of the digital age. An increasing number of decisions in our lives are left to algorithms, and this is usually to our great advantage. We are happy to have our car navigation system record the location and speed of our vehicle and transmit them if this makes the route guidance even more reliable, leading us past traffic jams and construction sites to our destination.

Article 9 of the General Data Protection Regulation (GDPR) prohibits the processing of information that is deemed to be particularly critical, but grants a few exceptions. This sensitive information is referred to as special categories of personal data. These categories include:

  • racial and ethnic origin
  • political views
  • religious and philosophical beliefs
  • union memberships
  • genetic data
  • biometric data for the unambiguous identification of persons
  • health data
  • data on sexual orientation

The final point also applies in countries where marital status is considered a special category of data, for example where a legal distinction is made between marriage and civil partnership for same-sex couples.

In most cases – but not necessarily always – it should be possible to lift this restriction by obtaining the explicit consent of the person in question. If this is not possible, there are some exceptions that can be applied provided certain guarantees are in place. This could be the case when the use of this data is required, for example in the context of preventive health care.

Is the selective protection of individual features still up-to-date?

From a legal point of view, it may seem that information particularly worthy of protection can be identified and its processing prohibited relatively easily on the basis of the criteria mentioned. However, we unconsciously and indirectly disclose a great amount of personal data. In a study conducted by Stanford University, for example, an algorithm was able, based on only 10 Facebook likes, to determine a data subject’s five basic personality traits better than their work colleagues could. With 70 Facebook likes the algorithm performed better than good friends or roommates. On average, it took 150 likes to outperform the family in identifying personality traits, and 300 likes were needed to beat partners and spouses. With a probability of 88%, an algorithm could determine a person’s sexual orientation solely on the basis of their position in a Facebook friendship network. It could also determine (with a probability of 85%) whether the Americans participating in the study vote Democrat or Republican.

It is becoming more and more apparent that the focus should be less on the data processed and more on what is done with it (i.e. checking the algorithms used rather than the data stored and processed). This aspect is now addressed by the General Data Protection Regulation.

These algorithms – very useful in practice, but feared by data protectors – are summarised under the term profiling. Profiling is defined in Article 4 as follows:

“For the purposes of this Regulation, the term “profiling” refers to any automated processing of personal data to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects relating to their performance at work, economic situation, health, personal preferences, interests, reliability, conduct, place of residence or transfer”.

Difficult to meet profiling requirements

Firstly, special rules apply to profiling with regard to the right to information and disclosure and the right to object. In particular, there are certain information obligations at various stages of the process that must not be forgotten. This seems feasible.

Secondly, a review and correction may be requested at any time. This is much more complicated. Because of the nature of modern machine learning algorithms, which resemble our biological thought processes, we often cannot clearly determine how they came to their conclusion. A person would put it like this: “It felt right”. We have to come to terms with the uncomfortable thought that computers today also draw their conclusions with a good pinch of intuition. These conclusions are so accurate, however, that it is worth relying on the algorithms.

The most restrictive article is Article 22(1): “The data subject shall have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects on him or her or significantly affects him or her in a similar manner”.

It is therefore a matter of not allowing fully automated decisions to be taken. The rationale behind this is that any profiling process can only take into account a limited context of information, which may not include all relevant facts. The authors therefore hope that a person may know and consider further information. To what extent this hope is justified in particular cases, we leave open at this point. However, it is doubtful that an average insurance clerk, for example, has considerably more information available when checking the hundredth medical statement of an insured person that day.

The challengeability of decisions as a solution approach

Profiling and automated decisions in individual cases are permitted if this is necessary to fulfil a contract with the data subject or if the data subject has given their express consent. First and foremost, it must be ensured that the data subject can effectively contest the automated decision. From an IT point of view, one of the more dubious aspects of the regulation is that it is based on the increasingly outdated notion that people can make better decisions.

“It’s never going to be perfect. … But if the car is unlikely to crash in a hundred lifetimes, or a thousand lifetimes then it is probably ok. … There is some chance that anytime a human driver gets in the car that they will have an accident that is their fault. It’s never zero. … The key threshold for autonomy is: how much better does autonomy need to be than a person before you can rely on it.”
– Elon Musk, TED 2017

Creating a universal artificial intelligence that performs better than a human being in every situation is probably not feasible for a long time yet. However, it is possible today to develop artificial intelligence that outperforms humans in a few specific tasks. The question today is therefore how much better, for example, a computer must be able to drive a car before it is felt to be on a par with a human in terms of safety.

“We operate internally with the assumption that an autonomous car needs to be 100 times better than a human.”
– Axel Nix, senior engineer in Harman International’s autonomous vehicle team, The Observer

The combination of profiling and particularly sensitive data categories is especially demanding under the General Data Protection Regulation (GDPR). Additional, substantial restrictions sometimes lurk here. An in-depth discussion can only take place in very specific individual cases, however, which is why we have to do without it here. Thorough clarification is absolutely essential.

For legitimate interests, however, a solution can almost always be found. It simply requires a thorough design and an iterative approach with regular cooperation on data protection compliance. As a small consolation, once you have overcome these hurdles you may have a certain advantage over the competition, which would otherwise only be possible by investing a considerable amount of time.

About the author

Stefan Haller is an IT expert specialising in risk management, information security and data protection at linkyard. He supports companies and authorities with risk analysis in projects, the design and implementation of compliance requirements in software solutions, and the creation of IT security and authorisation concepts. He holds a certification in Risk Management and has carried out numerous security audits on the basis of the ISO 27001 standard as an internal auditor for more than 10 years.
Do you have any questions about implementation in your company? stefan.haller@linkyard.ch | +41 78 746 51 16