What does ‘fairness’ mean in (data protection) law?

Fairness is a core principle of the EU data protection framework. The principle is included in both Article 8(2) of the Charter of Fundamental Rights of the European Union and Article 5(1)(a) of the General Data Protection Regulation (GDPR). However, despite being positioned as a core principle, the data protection fairness principle is often treated in a rather shorthand manner. Although there is no extensive body of literature dealing specifically with this principle, both an explicit and an implicit role for fairness in data protection can be distilled. Explicitly, fairness has been coupled with the notion of transparency and with data collection; implicitly, fairness is linked to protection from controller abuse and to the concept of ‘fair balancing’.

In brief, implicit fairness relates to the fact that, in order to achieve a ‘fair balance’ in the application of the requirements contained in the GDPR, personal data must not be processed in a way which unreasonably infringes the fundamental rights and freedoms of data subjects and, in particular, their right to the protection of personal data. In this vein, fairness manifests itself in the form of both ex ante and ex post micro fair balancing mechanisms. In an ex ante sense, the conditions for lawful processing in Article 6(1) GDPR (e.g. consent (Article 6(1)(a)), contract (Article 6(1)(b)) and legitimate interest (Article 6(1)(f))) are a clear example; in an ex post sense, fairness manifests itself perhaps most clearly in the operation of key data subject rights.

The purpose of this tutorial is to analyse the fairness principle in the GDPR as manifested in both ex ante and ex post rights and requirements. More specifically, the session will explore the role of the conditions for lawful processing and of key data subject rights such as the right to object. Reference will also be made to the overlaps with neighbouring areas (e.g. consumer protection law, constitutional theory, etc.).

Hypothetical case study:

IoEverything is a manufacturer of devices for smart homes. It is about to launch a range of new products. Afraid of the much-hyped GDPR and its potential consequences for their products, IoEverything approaches you for legal advice. In particular, IoEverything asks you for advice on two products which are almost ready for production: (1) a virtual assistant deployed through a small box intended to be kept in the user’s home and activated through voice commands; and (2) a smart fridge which tracks the household’s food consumption and sends messages to the user (both through a display on the fridge and through an app installed on the user’s phone) about the best dietary food options in order to ensure well-balanced nutrition.

The processing of personal data is inherent to the functionality of both devices. IoEverything is particularly concerned with this as it is aware of the compliance burden associated with achieving consent as a condition for lawful processing in Article 6(1)(a) GDPR and as further specified in Article 7 GDPR. With this in mind, IoEverything is curious as to whether an alternative condition for lawful processing may be utilised in order to legitimise the processing and thus whether contract or legitimate interests as provided for in Article 6(1)(b) or (f) GDPR may be sufficient.

However, you spot a number of additional issues that potentially raise concerns, and first ask yourself whether both devices can be treated similarly, and hence whether the conditions for lawful processing mentioned are appropriate in both instances. In particular, you start to consider the potential consequences of having a voice-activated virtual assistant deployed in a home. To clarify: in order for the voice activation feature to function, the device must ‘listen’ out for the triggering word at all times. What potential challenges does this raise regarding the conditions for lawful processing, keeping in mind that in the home people may often have conversations on sensitive topics? What about the practical difficulties associated with hosting visitors in a house with such a smart assistant? You also wonder how the application of ex post data subject rights will work in such contexts, as the recordings may contain the personal data of others.

For the smart fridge, although at first sight you see less of a problem in satisfying the conditions for lawful processing, you start to wonder about the potential challenges associated with allowing the smart fridge to determine what is necessary for a balanced diet. This is fuelled by the fact that IoEverything informs you that they want to link the data regarding the user’s food consumption with advertising and an automated food ordering service, so as to bring down the cost of the product and expand their target market to lower, medium and higher income households. In its current stage of development, the smart fridge is designed to predict and populate a shopping list for its users to confirm.

Moreover, IoEverything wishes to link its insights into users’ activity with promotions from supermarkets sent directly to the smart fridge and to the users’ phones; IoEverything is currently busy negotiating a deal with the leading high-end organic supermarket chain, WoolHowMuchAreYouWorths. By calculating usage patterns and requesting location data through the connected phone app, IoEverything can accurately predict when users are most likely to purchase, and believes that well-timed advertisements integrated into the automated shopping lists (i.e. indicating special deals from WoolHowMuchAreYouWorths) could be persuasive. In time, IoEverything also aims to take the user out of the loop as much as possible to ensure “seamless and convenient integration” of its product.

In addition, while developing their leads, the IoEverything marketing team was approached by HealthTrendFollower, the largest health insurance provider across the EU market. HealthTrendFollower is interested in exploiting the insights provided by the smart fridge into the food consumption of users (and therefore their diets) so as to further refine the personalisation of the insurance premiums it offers. HealthTrendFollower aims to target those who consume foods high in fat with higher insurance costs and to reward those who consume premium quality organic products on offer at supermarkets such as WoolHowMuchAreYouWorths. You are concerned about the potential implications for lower income families, as WoolHowMuchAreYouWorths charges exorbitant prices and its stores are only located in affluent neighbourhoods. You also wonder about the appropriate condition for lawful processing for these applications, especially as IoEverything wants to add both as non-optional features. You wonder how this will align with Articles 6 and 7 GDPR, but also with the ex post right to object provided for in Article 21 GDPR.


Who will be delivering this tutorial?


Slides for the tutorial available here.