What is considered “disproportionate effort” under GDPR?

Under Article 13 of GDPR you must give data subjects information about your data processing practices; this is commonly known as the “Right to be informed”. This information includes, but is not limited to, what types of data you process about them, under what legal basis you process the data and where the processing takes place (if it is processed within third countries).

Typically you do this at the point of data collection, and typically this information takes the form of short written notices and a much longer privacy policy which covers your data privacy practices in detail.

However, when you are acquiring data indirectly instead of collecting data directly from individuals, things are different. Article 14 of GDPR elaborates that in this situation you should provide information about your data processing practices no later than one month after acquiring the personal data in question.

Whether this will be an easy task or not depends on how you collected the data and what data you collected.

Thankfully there are some exceptions. But whether you can legally apply them is of course a different matter…

The possible exceptions are:

  • the individual already has the information;
  • providing the information to the individual would be impossible;
  • providing the information to the individual would involve a disproportionate effort;
  • providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;
  • you are required by law to obtain or disclose the personal data;
  • you are subject to an obligation of professional secrecy regulated by law that covers the personal data; or
  • you are covered by a freedom of expression GDPR exemption – for example you are processing the data for journalistic purposes or for artistic purposes.

In this article we’ll look more closely at two of these exemptions:

  • providing the information to the individual would be impossible
  • providing the information to the individual would involve a disproportionate effort

These are probably the most relevant exemptions for people reading this article.

We’ll look at a few case studies and the EDPB’s and ICO’s guidance in order to help you figure out what they mean, and propose how you should approach a DPIA/balancing test to figure out whether you can apply these exemptions or not.

What do “impossible” and “disproportionate effort” mean?

Impossible is straightforward.

Impossibility applies when the task is literally impossible. For example, if you have no contact details for the subjects and there are no other reasonable ways to contact them and make them aware of your privacy information.

The ICO provides guidelines:

“If you determine that providing privacy information to individuals is impossible, you must publish the privacy information (eg on your website), and you should carry out a DPIA”

DPIA – Data Protection Impact Assessment.

Remember, when using this exemption it is not enough that providing the information is inconvenient for you; it must be truly impossible.

What about disproportionate effort?

Disproportionate effort is more ambiguous.

Let’s look at some cases to help us understand some different interpretations.

Disproportionate effort in the eyes of the Polish DPA

A highly debated and referenced case on this matter comes from the first GDPR fine issued by the Polish DPA (UODO).

On 15 March 2019 the Polish DPA ruled that a company called “Bisnode” – a data analytics company which aggregates personal and other data from publicly available sources – had breached Article 14 of the GDPR. The initial fine was proposed at 220,000 euros.

Background

Bisnode held the personal data of over 7.5 million people. The company had identified 682,439 people that it could contact and provide with privacy information, because for these individuals it had their email address. There were almost 200,000 people for whom Bisnode only had a mobile telephone number as contact information, and for around 6.5 million people only a mailing address.

The company made an assessment of its obligations under Article 14 and decided that it would not contact those individuals for whom it did not have an email address, because doing so could be exempted as a “disproportionate effort”.

The company decided to publish privacy information on its website in order to fulfil the rest of the requirements under Article 14 in the event that the data subjects could not be directly informed.

In the case the company explained to the Polish DPA how it arrived at this decision. To support its claim it stated that it had calculated the cost of contacting the affected data subjects using direct mail: almost PLN 34 million (just under EUR 40 million). This sum, the company argued, would be more than the company’s turnover from 2018 and therefore it would not be practical to complete this.

The UODO disagreed with Bisnode’s interpretation of Article 14.

They found that:

  • Simply placing the privacy information required under Article 14 on the company’s website cannot be considered as sufficiently fulfilling the obligations of Art. 14 GDPR.
  • Sending out the information required under Art. 14 GDPR by direct mail to the address of a data subject, or transmitting it via telephone, is not an “impossible” activity, and it doesn’t involve “a disproportionate effort”.

What happened next?

Bisnode subsequently appealed this case. The case went to the Voivodeship Administrative Court, which overturned the fine of 220,000 because it did not agree with how the number of data subjects affected was counted by the UODO. Interestingly, the court upheld that:

  • The data subjects that are “active” (actively running businesses) should be contacted and provided with information as required under Article 14.

The court also ruled that the fine should be recalculated based on the number of active data subjects – essentially instructing the UODO to remove the data subjects whose businesses are not active from the original list that Bisnode collected from public sources.

Summary

This case has been the subject of intense debate. The restrictive interpretation of Article 14 has an impact for many businesses, particularly businesses which scrape public sources of information for data.

Do you have to follow this judgement?

This really depends on where you are located and your appetite for risk. The lowest-risk approach would be to adopt this judgement and do whatever it takes to communicate with your data subjects; otherwise, do not collect the data at all.

If you are based in Poland it would be wise to follow this judgement, as the UODO may take the same position again.

If you are based outside of Poland, within the EU or UK, then you may decide to take a less restrictive interpretation of Article 14. Just because the Polish DPA ruled this way in this case, it does not mean that your local DPA will take the same stance.

However, this is a riskier approach, and you should remember that whatever you decide, you should still document your decision-making process and make privacy information publicly available.

Disproportionate effort in the eyes of the ICO

On applying the “disproportionate effort” exemption the ICO says…

“To rely on this exception, you must make (and document) an assessment of whether there is a proportionate balance between the effort involved for you to provide individuals with privacy information and the effect that your use of their personal data will have on them. The more significant the effect, the less likely you will be able to rely on this exception.

This is an exception to the general obligation of transparency, and should be treated as the exception, not the rule. You should not use it to routinely escape your obligations to inform individuals about your use of their data. If you want to rely on disproportionate effort, you need to be confident you can justify why contacting individuals is genuinely disproportionate in the particular circumstances.”

They illustrate when “disproportionate effort” may apply with an example of a school which is collecting emergency contact information, for example the name, relationship to a student and phone number of an individual who can be contacted in the case of an emergency.

In their example the ICO elaborates:

“The school assesses that the effort involved for it to write to every emergency contact to provide them with privacy information is disproportionate in relation to the effect that the use of their personal data will have on them (contacting them in the event of an emergency). As such, the school does not actively provide privacy information to each emergency contact, however it does publish information on the use of emergency contact details on its website. It also carries out a DPIA and decides that to further mitigate any risks, it will put a policy in place to specify the strict limited use of emergency contact details, and places restrictions on its computer system so that only authorised members of staff have access to these details.”

As you can see, this example from the ICO appears to contradict the ruling from the Polish DPA. The practice of calling every contact to let them know that their information is being processed would arguably take a long time and require a lot of effort, perhaps a full week for a list of 400 students. But it is still possible.

So what should you do? – A DPIA

A ‘disproportionate effort’ assessment requires a balancing exercise, and this is best completed in the form of a DPIA.

This is required because the processing is arguably risky.

As the ICO states:

“Invisible processing results in a risk to the individual’s interests as they cannot exercise any control over your use of their data. In particular, they are unable to use their data protection rights if they are unaware of the processing. This is true even if the processing itself is unlikely to have any negative effect.”

A DPIA is also recommended because supervisory authorities such as the ICO and the EDPB suggest or instruct you to complete one in their published guidance on UK GDPR and EU GDPR.

As the EDPB Transparency Guidelines illustrate:

“you should carry out a balancing exercise to assess the effort involved for the data controller to provide the information to the data subject against the impact and effects on the data subject if he or she was not provided with the information.”

If you are not sure what a DPIA is, we recommend that you consult the ICO’s website, where you can find more information and get a free template (Word .doc format).

While carrying out this balancing exercise, data controllers should consider factors such as:

  • How old is the data?
  • How many data subjects are affected?
  • What appropriate safeguards are or will be implemented?

If you conclude that you should inform data subjects then…

  • Make sure that you inform them no later than one month after the data was acquired.