Judicial Training on Data Protection and Privacy Rights Special Cases and Exceptions to the Protection of Personal Data: Is this becoming the rule? EJTN Administrative Law Project Judicial Training on Data Protection and Privacy Rights Filipa Calvão - CNPD Lisboa,23.03.2017

1. Justification of the subtitle: is the exception the rule? Significant change in personal data processing (increase of the capacity to collect, store and analyze data; Internet and globalization of data processing) Consequence: growth of personal data processing and greater (worldwide) impact of processing Several sources of personal data available on the Internet: public data bases, social media networks, blogs, search engines; new technologies, such as the wearable devices, provide new types of personal information –> Big Data; profiling

1. Justification of the subtitle: is the exception the rule? Risks of massive processing and profiling [Y. Poullet]: De-contextualization of data (risk of being judged ‘out of context’) and discrimination; Surveillance and Predictive Society: lost of freedom and self-determination; Lost of identity: reducing the person identity and individuality to a profile; Reducing our choices to what the profile determines; Future individual actions conditioned by fear of non-compliance with the ‘normal’ profile

1. Justification of the subtitle: is the exception the rule? And this is becoming the rule of personal data processing… Can the exception to data protection be the rule? Main General Interests invoked to justify massive data processing: security, efficiency and transparency However, apart from the emergency situations recognized by Charter of Fundamental Rights and national Constitutions, there are not, there cannot be, exceptions to protection of personal data

1. Justification of the subtitle: is the exception the rule? All other cases in which security, efficiency or transparency are at stake (and demand data processing) may justify the restriction of data protection right but not its total sacrifice There may be: special cases of data protection restriction, or special data protection cases

2. Special Cases 2.1. Dynamic process of application of data protection law Concrete balancing of interests and rights must be renewed in each case; judgment cannot be crystalized.

2.2. Special data protection cases: sensitive data and prohibition of its processing Sensitive data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, health or sex life (Art. 8 Directive 95/46/CE) AND: sexual orientation; biometric data specifically processed to uniquely identify a person (Art. 9 Regulation (EU) 2016/679); 

Can it be classified as sensitive data? 2.2.Special data protection cases: sensitive data and prohibition of its processing Sensitiveness of data depends on the concrete context of processing; mainly connected to susceptibility of discrimination Increase of data processing that might conduct to a similar result: nationality, place of birth, place of birth of the data subjects’ parents. Can it be classified as sensitive data?

2.3. Special cases of data protection restriction Massive processing of data by commercial companies with legitimate aims imposed by law – but beyond what is adequate or necessary Examples: Data retention; PNR (Passenger Name Record); The case of cities covered by video surveillance systems

2.3. Special cases of data protection restriction Adequacy: most of the times creates a sensation of security, but is not able to ensure security (e.g., video surveillance) Necessity: even if adequate, collection of more data then those needed to achieve the aim (Data Retention: CJUE Digital Rigths Ireland, (C-293/12 e C- 594/12); Tele2 Sverige AB (C-203/2015); PNR vs. API – Advanced Passenger Information: exact information of the identification of passengers send by airline companies to authorities; the extra data are related to food restrictions, means of payment…)

2.3. Special cases of data protection restriction Besides: no precise grounds are invoked to justify restrictive legislative measures; No effective or relevant use of the date collected; Disproportionality of data mining and predictive analysis to prevent crimes.  

3. Analysis of some examples 3.1. Duty of banks to report to Tax Administration all bank transfers over a certain amount (e.g., € 1000,00) Massive communication of data to Financial Intelligence Units; profiling in order to detect a suspicious behavior 3.2. e-Call Massive possessing of data (localization, driving behavior), allowing profiling and monitorization, when the original aim is to provide efficient help in emergency cases 3.3. Wi-fi Networks Wi-fi hotspots provided by companies that collect at least the localization of the user of mobile device, even when it is not on-line - Tracking the users; allowing the combination of data through IMEI (International Mobile Equipment Identification) - - relevance of privacy restriction in public spaces