Contributed By Vondst Advocaten N V
The GDPR does not specifically address the use of Big Data analytics, and neither has the AP provided any guidance on this topic. The general principles that apply to the processing of personal data pursuant to the GDPR, such as purpose limitation and data minimisation, should be complied with when processing personal data in the context of Big Data analytics, as well as the other requirements laid down in the GDPR, such as to provide adequate information on the use of Big Data analytics to data subjects and to keep data up to date.
In the Netherlands, automated decision-making is governed by the GDPR and the Implementation Act. The EDPB has also provided useful guidance on this topic.
The GDPR specifically addresses automated individual decision-making, including profiling, in Article 22. The starting point is that data subjects have the right not to be subject to automated decision-making, including profiling, where such automated decision-making produces legal or similarly significant effects concerning them, unless one of the exceptions laid down in the GDPR or national data protection law applies. A controller who wishes to rely on an exception for automated individual decision-making based on special categories of data should take additional safeguards.
For the Netherlands, Article 40 of the Implementation Act contains an additional exception in situations where the automated individual decision-making, other than based on profiling, is necessary for compliance with a legal obligation to which the controller is subject, or the performance of a task carried out for reasons of public interest. In order to be able to rely on this exemption, the controller should take suitable measures to safeguard the data. For this purpose, private entities should safeguard the right to obtain human intervention, the data subject’s right to express his or her point of view, and the right to contest the decision over the data subject’s rights, freedoms and legitimate interests.
The controller should provide information to the data subject on the automated decision-making, including profiling, as part of its information requirement and the data subject’s access right (Articles 13-15 of the GDPR). Moreover, the controller should carry out a DPIA in the case of automated individual decision-making, including profiling (Article 35 of the GDPR).
The EDPB has issued guidance on automated individual decision-making and profiling for the purposes of the GDPR (WP 251 rev 01). The ArtWP29 has issued guidance on automated individual decision-making and profiling in the context of law enforcement data processing.
Profiling is subject to the rules of the GDPR, including the legal grounds for processing or data protection principles. Profiling in the context of automated individual decision-making is specifically addressed in Article 22. To the extent that cookies are used for the purpose of profiling, the requirements relating to the provision of information and consent as laid down in the e-Commerce Directive and the Dutch Telecommunications Act should also be complied with.
The EDPB has issued guidance on profiling in the 2018 Guidelines on automated individual decision-making and profiling for the purposes of the GDPR (WP 251 rev 01).
Artificial intelligence is not specifically addressed in the GDPR or national law, and neither has the EDPB or the AP issued any guidance on this topic.
The Internet of Things is not specifically addressed in the GDPR or national Dutch law, but general data protection principles apply. The ArtWP29 issued guidance on this topic in 2014 (WP 223), which can be useful as a starting point for IoT-related matters although it is not endorsed by the EDPB.
The upcoming e-Privacy Regulation will likely affect the IoT. Considering the current proposal for the e-Privacy Regulation, machine-to-machine communication could be qualified as providing an electronic communications service. Consequently, IoT manufacturers would be providing electronic communications services, and hence would need to comply with the rules laid down in the upcoming Regulation (eg, they must obtain the user’s consent for the transmission of data from one IoT device to another).
Autonomous decision-making (including autonomous vehicles) is not specifically addressed in the GDPR or national law, and neither has the AP issued any guidance on this topic. However, the ArtWP29 issued a 2017 opinion on processing personal data in the context of Co-operative Intelligent Transport Systems (C-ITS) (WP 252), which is still relevant in daily practice. In this opinion, the ArtWP29 considers that the principles of privacy by design and default should be implemented in any C-ITS applications in line with the GDPR, that adequate security measures and retention periods should be adopted, and that special categories of data and data relating to criminal convictions and offences should not be broadcast.
Facial recognition is not addressed in the GDPR or the Implementation Act, other than in the context of biometric data. However, both the AP and the ArtWP29 have issued guidance on facial recognition.
Pursuant to the definition of biometric data, facial images are considered biometric data when processed through a specific technical means allowing the unique identification or authentication of a natural person. Therefore, it is likely that the rules applying to the processing of biometric data should be complied with when using facial recognition techniques (eg, the general prohibition on the processing of such data set forth in Article 9 of the GDPR and the exceptions to this prohibition laid down in Articles 22 and 28 of the Implementation Act).
The AP addressed facial recognition in its policy rules and dos and don’ts on camera surveillance in 2016. It considers that the digital images recorded by smart cameras qualify as personal data, more specifically as special data revealing racial or ethnic origin. Where facial recognition will be used for automated individual decision-making, including profiling, the rules set forth in Article 22 of the GDPR should be adhered to. Where smart cameras are used for facial recognition, data subjects should be informed about the use prior to recording, eg, by means of signs. In addition, the AP published advice on the usage of facial recognition in 2004.
The EDPB’s predecessor published an opinion on facial recognition in online and mobile services in 2012. In this opinion, the ArtWP29 considers, inter alia, that facial recognition may involve processing of sensitive data, that a legal basis (eg, consent) is required to process images, that appropriate measures should be taken to secure the data transit, and that the principle of data minimisation should be adhered to. Although this opinion is not endorsed by the EDPB, it can still be useful as guidance on this matter.
Processing of biometric data is governed by the GDPR and the Implementation Act. Biometric data is defined in Article 4(14) of the GDPR.
Pursuant to Article 9 of the GDPR, the use of biometric data for the purpose of uniquely identifying a natural person is prohibited, unless one of the exceptions listed in the Article or national law applies, such as explicit consent of the data subject (unless this exception is prohibited by national law).
Article 22 of the Implementation Act contains additional general exceptions that apply to any special categories of personal data (including biometric data). Article 29 contains an additional exception that applies specifically to the processing of biometric data for the purpose of uniquely identifying a natural person, if such processing is necessary for authentication or security purposes.
Geolocation data is primarily governed by the GDPR, as well as the Dutch Telecommunications Act where the processing concerns location data relating to subscribers or users of public electronic communication networks or public electronic communication services.
Pursuant to the definition of personal data in the GDPR, location data should be considered as personal data. The AP even qualifies location data as data of a sensitive nature.
The AP has conducted various investigations in which the processing of geolocation data played an important role, including:
The use of drones is not specifically addressed in the GDPR or the Implementation Act. However, the AP addressed drones in its policy rules and dos and don’ts on camera surveillance in 2016. It considers drones more privacy-infringing than static cameras, as drones can follow people and make recordings from places where people do not expect to be recorded.
The subject of drones is also addressed by the ArtWP29, in its 2015 opinion on privacy and data protection issues relating to the utilisation of drones (WP 231). This opinion may be useful as a starting point when dealing with drone-related matters, although it is not endorsed by the EDPB.
A permit or exemption of the ILT is required for the commercial use of drones. Individuals do not need a permit for non-commercial use of drones, but need to adhere to applicable legislation.