Your secure server – The sanctions against BBVA and CaixaBank and the principle of obviousness

17/01/2021 | 12:05

The decade of the 80s served the Spanish judges to find the right balance between respecting the fundamental rights of those accused in criminal cases and the investigation of the alleged crimes committed.

The first steps of the young Constitution of 1978 served as a test for some judges who had to adapt quickly to the new constitutional framework in fear of being branded conservative by the more progressive part of the doctrine.

It is not surprising that the first orders and sentences did not find the desired balance and tipped the balance excessively in favor of the accused, a situation we all welcomed after so many years, although little by little we realized that it was not sustainable over time.

Something similar is happening with data protection.

The decade of the 20s of the 21st century should serve the European control authorities to find the right balance between the rights of the data subject and the rights of the data controller.

The RGPD, like the Spanish Constitution in the 80s, is still beginning to work and it depends on these first steps that data protection becomes one more element of the map of obligations to comply or an obstacle to business activity.

One point of the RGPD in which we must urgently find the right balance is in the quantity and quality of the information on the treatment that must be provided to the interested party.

Article 12 of the RGPD requires that the information be provided in a concise, transparent, intelligible and easily accessible way, with clear and simple language. But the last two resolutions of the AEPD that sanction BBVA and CaixaBank set the bar for the detail of the information in a position that moves us away from conciseness, intelligibility, accessibility, clarity and simplicity.

Because we can speak with a clear and close language: “We will record the way you use our services to get to know you better, personalize them and adapt them to your preferences” or with a more technical and less accessible language: “We will record in our CRM the parameters generated in the use of financing and investment products in order to determine your financial solvency, the level of risk aversion, scoring, profitability, loyalty and default, in order to ensure a high level of coincidence between these data and the products of financing and investment that we can offer you”.

The quantity and quality of the information to be provided are associated with a concept that I came up with years ago, which I call the principle of obviousness. This principle defends the idea that it is not necessary to report the details of the treatment that are obvious to the interested party.

For example, if a vendor e-mails me regularly with their invoice, I don’t expect to see an informational text at the end of the message saying that they have my e-mail address and that they are using it to send me a message typed on a laptop, entering my address in an email application, then clicking on a button that will instruct the application to process the email address to send the message. It is also unnecessary to indicate that the message will be fragmented into different IP packets, and that as a result of this conversion, which is also a treatment, each packet will know where it has to go, and go through multiple servers and routers until it reaches my Internet provider, which will collect the IP packets, recompose the message and leave it in my inbox.

Nor do I inform you that you may print the invoice in which your personal data appears.

This information is not provided because it is obvious that all this is going to happen and the interested party already knows it, senses it or is not interested in having that level of detail.

The closest thing to the principle of obviousness, although it does not fully coincide, is found in articles 13 and 14 of the RGPD, which exonerate the data controller from all their information obligations when the interested party already has the information.

Article 13.4 specifically indicates that the provisions of sections 1, 2 and 3 (the rest of the article) will not be applicable when and to the extent that the interested party already has the information.

Article 4.2 of the RGPD defines the concept of treatment as any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of access enablement, collation or interconnection, limitation, suppression or destruction.

How many contracts, privacy policies, general contracting conditions and informative texts inform exhaustively of all the treatments that will take place during the life cycle of a data?

Do any of these texts report, for example, the printing process?

For what reason? Because we have to be concise, because of an oversight, or because it is obvious that at some point we will print?

The same happens when reporting the data to be processed. If an interested party fills in a form with 25 fields, is it necessary to inform them twice that we have this data? We will inform them of the purpose and the need to process this data, but we will not repeat in detail that we have the data that the interested party has just entered in the form, because it is obvious, the interested party already has this information, and it would be an insult to their intelligence.

Although for reasons of risk prevention culture it might be possible in the US, in Europe we cannot imagine an elevator in which each numeric button has a legend next to it about its function: “Press this button with the number 1 if you want to go to floor 1. Press this button with the number 2 if you want to go to floor number 2.” Who would not feel that they are being treated as useless in an elevator like this?

Obviousness, like legitimate interest, responds to subjective criteria, obviously. What is obvious to one is not obvious to another. But there are details of the treatment that are part of the culture and uses of each sector, of the perception threshold created precisely by the data protection by default. And they can be credited.

The time must come when a fair balance is reached between the information that the interested party must receive and the detail that the controller must provide in a concise and clear manner. And the control authorities have an important role in normalizing this process so that it is not an obstacle to business activity.

At the same time, the level of maturity and experience will increase in the person responsible for the treatment and in the interested party, so that the information process will adapt and become natural. As natural as the information provided by the bar that knows our routines and preferences perfectly: “Coffee as usual?”
