The EU Council’s Conclusions On Revising EU Data Protection Law — Why Did They Bother?
The super tanker that is the European Union legislative process is currently trying to turn itself round with a view to revising data protection law.
The current Data Protection Directive (95/46/EC) dates back to 1995. It was, of course, prepared much earlier and reflects the state of technology in the late 1980s and the dawn of the 1990s, rather than today’s Facebook and cloud computing world. The Privacy and Electronic Communications Directive (2002/58/EC) is, of course, more recent, but its effect is that data protection legislation is becoming gradually fragmented.
The implementation of the 1995 Directive has followed very different paths in different EU Member States. Some regimes, for instance, the United Kingdom’s, are fairly relaxed, while others, such as the French and German regimes, are much more prescriptive.
The review process kicked off in November 2010 with a Communication from the European Commission to the European Parliament and the Council entitled ‘‘A comprehensive approach on personal data protection in the European Union’’. At the end of February 2011, the Justice and Home Affairs Council (meeting for the 3,071st time) adopted a short six page paper (apparently a press release) setting out its ‘‘conclusions’’ in response to the Commission’s Communication. The Council paper is not an easy read, consisting of 17 paragraphs of rather disjointed preamble followed by a further 26 paragraphs of what essentially amount to the Council’s suggestions to the Commission about the next stage of the process.
It is interesting to note that the data protection principles enshrined in the UK Data Protection Act 1998 are now considered ‘‘time honoured’’.
It is, however, not easy to summarise the Council’s recitals, although they serve to emphasise that processing of personal data should be undertaken only when it is necessary and reasonable.
A lot of consideration is given to use of personal data in the area of police and judicial cooperation. The recitals specifically say there is no need to choose between being free and being safe, and indeed it appears that necessary and appropriate processing of personal data is vital to keeping the public safe. There then follows, predictably, effectively a call for a special data protection regime for areas of judicial and police cooperation.
The importance of data subjects being aware of what processing of their data takes place is highlighted and ‘‘transparency of processing’’ is to be encouraged. Two of the recitals deplore the fact that the harmonisation of the 1995 Directive was only partial and that the Directive was implemented in significantly different ways in different Member States. Better harmonisation for high level data protection is said to be good for both data subjects and data controllers. There follows a call for increased powers for data protection authorities, who are to produce a well-regulated legal framework providing the same level of protection in all Member States.
Naturally the internet gets a look in, as does cloud computing, as new technologies that need to be accounted for when considering changes to the rules.
The general level of chaos brought about by the eighth data protection principle is also recognised, and the Council puts in a bid for the understatement of 2011 when it says, ‘‘The current legal instruments have not been successful in dealing with these issues relating to transfers to third countries...’’
Having made all of these disjointed preliminary observations, the Council then gets to the meat and drink of its opinion, but this is equally disjointed.
Naturally enough, the Commission’s Communication is welcomed and the aim of having ‘‘appropriate protection assured for all individuals in all circumstances’’ is supported. The Council’s most bizarre statement is that ‘‘data protection is by its very nature horizontal in character’’. What this means is wholly unclear, except perhaps to Commission bureaucrats. A series of paragraphs pluck various points from the Commission’s Communication and variously ‘‘considers’’, ‘‘invites’’, ‘‘demands’’, ‘‘expects’’, ‘‘is of the opinion that’’, ‘‘is aware that’’ and ‘‘supports’’ in relation to these points.
There are contradictions. Paragraph five ‘‘considers’’ there should be a ‘‘concrete cost analysis for all the new measures proposed’’, suggesting a concern over the cost to the EU Member States’ economies of all these changes.
However, in paragraph six the Council ‘‘demands’’ special attention be given to minors and ‘‘invites’’ the Commission to assess whether the categories of sensitive data should be expanded. Special rules for one particular set of data subjects and broadening the scope of the extra protection given to sensitive personal data can only increase the cost of the data protection regime.
Police and Judicial Cooperation
As in the recitals, the use of data in police and judicial cooperation is aired, and emphasis is given to the use of biometric data. ‘‘Certain limitations’’ have to be set on the rights of individuals where data is being used for police and judicial cooperation. These limitations are supposed to be harmonised and balanced, necessary and proportionate. The message is that the Council supports a fairly large exclusion from the general thrust of data protection law for moving around data for the purposes of police and judicial cooperation.
Genetic data also gets a special mention. Why is not clear. Apparently processing genetic data should be carried out in accordance with the principles of necessity and proportionality. Surely those are the guiding principles for the processing of any data? The paragraph in question goes on to consider that special provisions on aspects of cross-border processing should be explored for genetic data. It is not clear why genetic data should be selected for this honour. There is no difference in principle between genetic data and other biometric data or indeed data about, say, a person’s health or religion. It is just another piece of data about the data subject.
Privacy by Design
There are a couple of mentions of the privacy by design principle much favoured by the UK Information Commissioner’s Office. This is something that the Council ‘‘invites’’ the Commission to explore, although the Commission might need little persuading, as it is already fairly enamoured of the idea of ‘‘built in’’ data protection to guard against the unreliability of default settings as indicators of the data subject’s consent.
Three paragraphs deal with globalisation. One refers to groups of companies, which apparently require special attention. Generally the globalised nature of data processing is accepted and even encouraged.
The strange thing is that the Council seems to have got the wrong end of the stick when identifying where the problem lies. It considers the difficulty which individuals may have maintaining protection for their personal data sent outside the European Union for processing. It is difficult to see this as a real problem. Where a party in the European Union sends data out of the European Union for processing, there remains a party in the European Union on whom responsibility can be fixed. The difficulty with data export to third countries has not been finding someone to be responsible, but rather that it has been difficult for a data controller who intended to process data outside the European Union to know whether or not its actions were legal. Perhaps the Council was thinking of the self-export of data characteristic of Facebook.
Something which should surely be at the core of all data protection — a data subject’s right to be informed in understandable language and in a simple form about the data processing that will be undertaken — is jammed into this data export paragraph.
Standard Privacy Information Notices
The Council supports the Commission’s proposals to draw up standard privacy information notices to be used across the European Union with the minimum information which needs to be provided to data subjects.
Of all the rather disjointed issues mentioned in this communication, there can be no doubt that this would be the single step that would most assist data controllers and most assist the transmission of data between Member States.
Those who draft the notices given to data subjects when their data is collected cannot accurately foresee how that data will be processed in the future, as the collecting businesses change and evolve, and this has led to problems.
This is a serious inhibition on the free transmission of data between Member States and processing generally, to which there can be only two responses. The first is to go ahead, sorting out the problems later; and the second is a form of paralysis. It is rarely practical to go back to data subjects and inform them of some proposed new processing.
Data Breach Notification
Music to data controllers’ ears will also be found in paragraph 19, which states that data breach notification should not become a routine alert for all types of security breaches. The Council encourages consideration of the cost to business and EU competitiveness of extending data breach notification obligations beyond the telecommunications sector.
Bizarrely, there is an encouragement to ‘‘explore the opportunity’’ to business of such notification. It is difficult to see where the opportunity for business lies, save perhaps in the growth of data breach service providers as seen in the United States, where breach notification is a prominent feature of the data protection landscape.
Right to be Forgotten
The most innovative part of the communication comes right at the end, where the Council encourages the Commission to explore the introduction of the right to be forgotten. The Council says no more than that. A minefield surely awaits here. What happens if the person who has exercised his or her right to be forgotten suddenly decides to pursue a claim against the person who has forgotten him or her? Should the data controller not at least have a right to remember enough to be able to protect himself?
Nonetheless, as EU Justice Commissioner Viviane Reding made clear in her speech to the EU Privacy Platform on March 16, 2011, the right to be forgotten is likely to be one of the central ‘‘pillars’’ of the Commission’s new data protection framework.
More contradictions arise in the encouragement to the Commission to define more precisely the rights of data subjects and the aim of reducing the administrative burden on data controllers. The Council supports the Commission’s aim of enhancing the data controller’s responsibility, and encourages the idea that data protection officers should be appointed, while not wishing to impose any undue administrative burdens.
Contradictions abound in the Council’s conclusions, even within single paragraphs, and it is impossible to see that this communication is doing more than trying to have it all ways. This author cannot see that it advances the review of the data protection law to any significant degree.
Thoughts that one might try to group together haven’t been grouped together. This whole document resembles nothing more than one of those television contests where a contestant is required to remember items passing him or her on a conveyor belt.