Last updated: 
1 month 2 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Article 29 WP draft on Automated Processing

Friday, December 8, 2017 - 11:12

The Article 29 Working Party have conducted a brief consultation on draft guidance on Automated Processing that, surprisingly, reverses all previous legal interpretations I've found. GDPR Article 22 is one of several that begin "The data subject shall have the right", in this case:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This had been widely understood (including by the Working Party when they proposed this wording in 2014!) as meaning that individuals could request that any such decisions be reviewed by a human, in line with all the other Articles creating rights. The Information Commissioner says that "You must ensure that individuals are able to obtain human intervention". However the Working Party is now stating, without explanation, that the Article actually bans such decisions being made in the first place.

Our response points out how this will make many decision-making processes – including in network security, personalisation and prioritisation – both slower and more privacy-invasive. We hope this persuades them to revert to their earlier interpretation.