Warning! This article is a heavy read. Only proceed if you are interested in the detail of GDPR.
One of the central pillars of the GDPR is the requirement for a number of organisations to have a DPO. There are three categories of organisation that are required to have a DPO. Two of the categories are relatively clear (public authorities and those processing sensitive data or conviction data on a large scale) but the third category – large-scale monitoring – is vague at best. It’s also the category which is likely to apply to the largest number of organisations.
Here’s the relevant wording of the GDPR:
…… processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
The GDPR has no definition of large scale and no definition of monitoring. Some help is given by Working Party 29 (the European information commissioners sitting together and forming a kind of advisory body, replaced by the European Data Protection Board by the GDPR). They give the following as examples of large scale:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or Internet service providers
However, even these examples must assume an organisation that’s at least an average size for its sector: a twenty-bed hospital, or a challenger bank that has only just started, is unlikely to be doing anything on a large scale.
Monitoring is an even harder notion to pin down. It is noticeable that the WP29 finds it impossible provide any useful guidance as to what monitoring might mean in practice: the best they can do is refer to Recital 24 and produce the list set out below.
As a starting point, we can say that monitoring is not the same as collecting or processing: all controllers collect and/or process personal data (by definition), but not all controllers are monitoring. Monitoring requires something further.
Recital 24 of the GDPR equates (reasonably enough) monitoring with tracking: “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”.
Recital 24 also seems to be putting the emphasis on behaviour. Ie. if sufficient information is gathered to allow the creation of a behavioural profile, then that starts to look like monitoring. What Recital 24 seems to be trying to say (but doesn’t quite say) is that collecting information with a view to creating a behavioural analysis is monitoring. That would mean the intention behind the collection is a determining factor, and therefore that, if you collected exactly the same information, but with a different intent, you would not be monitoring.
Other than referring to Recital 24, the Working Party says very little about what constitutes monitoring, and promptly defaults to the list of examples below.
- operating a telecommunications network
- providing telecommunications services
- email retargeting
- profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering)
- location tracking, for example, by mobile apps
- loyalty programs
- behavioural advertising
- monitoring of wellness, fitness and health data via wearable devices
- closed circuit television
- connected devices e.g. smart meters, smart cars, home automation, etc.
Noticeably missing from this list is “processing of customer data in the regular course of business by an insurance company or a bank”. This omsission makes sense, because it’s hard to see a bank, and more so an insurer, as being an organisation that monitors users, particularly if we add in the intent requirement set out above.
But some of the categories above don’t quite make sense unless you add in the intention to create a behavioural profile. For example, “providing telecommunications services”: if someone provides a landline phone service, and only records usage information for the purpose of billing, is this really monitoring?
In the meantime, we are left to work this out as best we can. The Working Party write, in relation to large scale, but presumably this also applies to monitoring, “This does not exclude the possibility, however, that over time, a standard practice may develop, for specifying in objective, quantitative terms what constitutes ‘large scale’”.
Well, yes, that would be nice.