Tuesday 7 February 2012

Thoughts on the new Data Protection Regulation


Introduction

Data protection has been much in the news recently. It is perhaps fair to say that little of the publicity has been complimentary of the legislation. After a prolonged period of gestation, the European Commission has now published legislative proposals, based in some respects on concepts in the recently revised Directive on Privacy in the Electronic Communications sector, that, if adopted, will alter the data protection landscape significantly.
One of the major complaints raised at European level is that the existing Directive has been implemented in significantly different ways across the Member States. In the case of some countries, perhaps especially the UK, there is a belief that the implementing legislation is too weak, and the Commission has initiated legal proceedings alleging a failure to implement the Directive fully. The range of legislative approaches is also seen as creating difficulties for multinational companies, which have to comply with up to 27 different regulatory regimes.
In order to enhance legislative consistency across the Member States, a significant change is proposed: a Regulation (which will be binding in all States without the need for any implementing legislation) will replace the current Directive. In some respects it is difficult to see how this might operate in practice, especially at the level of supervisory authorities. In the absence of a single EU supervisory authority, something that would probably be politically unacceptable to many countries, responsibility for establishing and resourcing national authorities remains with the Member States. The Regulation may will the ends but it cannot provide the means.
The IT world has been transformed massively since the original Directive was adopted in 1995. Indeed the Directive itself draws heavily on legal principles dating back to the 1970s. It has been suggested that if a single smartphone had existed in the 1970s it would have been classed as the most powerful computer in the world. OFCOM now reports that there are almost 13 million smartphones in use in the UK. The search engine Google was founded in 1998 and the ubiquitous social networking site Facebook in 2004. The list of examples could go on and on but, undoubtedly explaining the increasing publicity afforded to privacy protection issues, more and more important and indeed sensitive elements of our lives are conducted online. The key question relating to the new legislative proposal is how well it can refine data protection law to meet the demands of the online world. The Commission Communication accompanying the draft Regulation commences:
The rapid pace of technological change and globalisation have profoundly transformed the way in which an ever-increasing volume of personal data is collected, accessed, used and transferred. New ways of sharing information through social networks and storing large amounts of data remotely have become part of life for many of Europe's 250 million internet users. At the same time, personal data has become an asset for many businesses. Collecting, aggregating and analysing the data of potential customers is often an important part of their economic activities.
Whilst there are some interesting aspects to the new draft Regulation (which is very substantially larger than the current Directive), my initial assessment is that it represents something of a wasted opportunity. Given the size of the new instrument, an early comment cannot be comprehensive, but I will try to focus on the points that seem most significant to me.

 Plus ça change?

Many of the key definitions survive unchanged from the original Directive. In some respects this is not a surprise, but the emergence of cloud computing has raised some novel and serious issues regarding the applicability of the concepts of data controller and data processor, and it is unfortunate that the opportunity has not been taken to attempt to address the issue.
There is a potentially significant change in the definition of consent. The UK approach has traditionally been to accept that the use of 'opt out' approaches is a valid means of securing and evidencing consent. The draft Regulation takes a different approach, stating that:
'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed
It is further provided that 'Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.' It is difficult to see how this can be implemented, but the effect could be devastating for many data controllers. A passenger seeking to book a railway ticket online is in a weak position compared with the train provider. The choice is between accepting the conditions of carriage or finding another mode of transport. It is normal practice for web sites to 'offer' to send further promotional mailings if the traveller consents. It seems that this will no longer be possible. This seems draconian, given especially that if there were real evidence of abuse of a dominant position, there could be a challenge on the ground that consent was not freely given. Many consumers might actually value being notified of future offers.
A further change to the notion of consent relates to the processing of data relating to children under the age of 13. In such cases it is provided that processing 'shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian.' It is difficult to see what problem this provision is seeking to overcome, and again the consequences may be undesirable. If a child were injured and taken to hospital, it would appear to be unlawful for the hospital to take any X-rays without parental consent. Whilst consent might always be desirable, the consequences could be serious in the case of an emergency where the parent cannot be contacted.
Likewise, perhaps, the data protection principles have remained largely unchanged since the earliest days of data protection legislation. They can fairly be analogised to religious notions such as the Ten Commandments (or mother's apple pie). Few would disagree with the concepts, but the devil is always in the detail. The headline change proposed in the Regulation is that there should be a Right to be Forgotten. As an old-fashioned sort of person, this concerns me. I am old enough to recall the debates in the UK, in the context of computer-related fraud, over whether a machine could be the victim of deception. The Law Commission's work on Fraud seems to me to have provided compelling reasons why the establishment of criminal offences should be based on other criteria (which can fairly easily be established, as Scots law has shown with the notion of basing criminality on the making of a false pretence). By focusing on the intent of the perpetrator this neatly avoids the issue. If computers cannot be subject to the human fallibility of being deceived, neither can they forget. This, however, is exactly what the Regulation proposes. Article 17 is headed 'Right to be forgotten and to erasure'. The first part of this is abject nonsense. Just as a computer cannot be deceived, so it cannot forget. Even placed in a human context, no law can compel forgetfulness, although human frailty may be more effective.
There is no doubt that the emergence of social networking sites has lured many users into placing sensitive aspects of their lives into a public or semi-public domain. It also seems clear beyond doubt that this data may be used in ways which would not have been conceived of or approved by the individual. Article 17 goes on at some length:
The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
(c) the data subject objects to the processing of personal data pursuant to Article 19;
(d) the processing of the data does not comply with this Regulation for other reasons.
Whilst certainly well meaning, it is difficult to see what this provision will accomplish that could not have been attained under existing provisions. It has always been the case, for example, that data must be processed fairly and that it must not be retained for longer than is necessary for the controller's legitimate purposes.
There have long been questions about whether individuals are aware of the implications of their online conduct, but the reality is that once data is put into the public domain it cannot be retrieved. It does appear that responsible social networking sites have made efforts to inform users and, within the limits of their control, to accede to requests that data be deleted. It is hard to see this provision as anything other than an attempt at headline grabbing which takes advantage of vulnerable elements of society. It is wrong to give a headline promise of legislative support that is not worth the paper it is written on.
One of the most impressive legal documents of recent times has been the Hargreaves Report on the digital economy. Covering issues such as the value of software patents and the losses caused by copyright piracy, it makes the point again and again that what is needed is an evidence-based approach. In some respects it seems the Commission is falling into the trap of making proposals without evidence. There are certainly tales of individuals being denied employment because a potential employer has viewed their social networking postings. A recent survey has suggested that 69% of employers have denied an applicant a job on the basis of such a search. That is the bad news. 68% of employers have indicated that they have offered a job because they have been impressed by online postings. A bigger problem perhaps is the malicious dissemination of personal data. Reference might be made to the recent English case of AMP v. Persons Unknown. This relates to a sad, but perhaps increasingly common, situation where a teenage girl had used her mobile phone to take intimate photographs of herself. They were intended to be sent to her boyfriend (itself often a source of problems) but the phone was stolen and an unknown person posted copies on the Internet. In the case, the English courts have issued orders compelling any ISPs who can be identified to take steps to block access to the pictures and ordering that the anonymity of the complainant be preserved. It appears, however, that in order to serve an order in the USA on Google, US law requires that the identity of the complainant be disclosed.

 Data Portability

 Linked in some respects to the deletion of data is the issue of portability. The draft Regulation proposes that:
 The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
Concerns have been expressed that data subjects might effectively be locked into online services, perhaps in particular social networking (or blogging) sites, because of the investment of time and effort expended in creating their profiles. It is not clear, however, to what extent competing sites operate in ways that are sufficiently interoperable to make the right of significant value.

 Data Security Breaches

The requirement to notify supervisory authorities and data subjects of security breaches which may have implications for data subjects was introduced in the Directive on Privacy in Electronic Communications. It is now proposed to extend it to the more general field of data protection, with the draft Regulation proposing that:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority.
 When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred, communicate the personal data breach to the data subject without undue delay.
In an era of 24/7 online businesses there might perhaps be a query whether supervisory authorities are in a position to respond to notifications received between 5pm on Friday and 9am on Monday.
It is perhaps strange that the formula for notifying data subjects is less demanding than that for notifying the supervisory authority. Certainly it can be accepted that it is easier to notify one body than perhaps several million people, but it is hard to see what constructive purpose is served by the distinction. One of the criticisms made of breach notification requirements (which have been commonplace in the United States for several years) is that the number of notifications required is too great, so that there is a danger of notifications of potentially serious breaches being disregarded following a number of trivial notifications. In the event of a potentially serious breach, perhaps involving details of credit cards or bank accounts, there seems no reason why controllers should not be subject to the same 24 hour rule. Many businesses manage to send marketing communications on a daily basis to millions of subjects, so there is no valid reason why they should not be as quick to send breach notifications on a similar timescale.

 Data Protection Officers

The notion of in-house supervisory officials has been an established feature of the German data protection scheme. Although it is sanctioned in the Data Protection Act 1998, it does not appear to have been adopted to any significant extent within the UK. The draft Regulation proposes what will be a significant change. Every public authority, and every private sector undertaking employing more than 250 persons, will have to appoint a data protection officer:
 The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
 The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
The tasks of the data protection officer are stated to be to inform the data controller of the extent of its obligations under the Regulation and to monitor its compliance with those requirements. Data protection officers (who may be an employee of the data controller or an independent sub-contractor, possibly a lucrative new source of work for IT lawyers) are to be appointed on a fixed term contract of at least 2 years' duration. Within this period the data protection officer may be dismissed only for a failure to fulfil data protection obligations.
Any legislative move to increase awareness amongst data controllers and their staff of data protection issues is to be welcomed. In some respects, however, the approach demonstrates some of the weaknesses of the new instrument. It specifies that there is to be a data protection officer and what the prime duties are to be. It does not indicate how extensive the requirements may be. Is it to be a full time or a part time (how part time?) position? If part time and the position is held by an employee, what is to happen if the person is considered to be guilty of misconduct in other aspects of his or her work sufficient to justify dismissal? There is need for much more detail. In this provision, as with a number of the other Articles, the Regulation provides that the Commission is to have power to make supplementary provision. These will not, however, have legal effect.

 Data protection by design and by default

Considerable work has been carried out by the UK's Information Commissioner under the general heading of Privacy by Design. The basic premise is that it is easier and better to take data protection factors into consideration at the earliest stage of designing IT systems than to attempt to include them at a later stage. The draft Regulation endorses this approach, proposing that:
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
Such an approach could create difficulties for many web sites. The word 'necessary' has featured prominently in many instruments in the field of human rights. It sets a high threshold for data collection. An e-commerce web site sending goods to consumers through a postal system will not need, for example, details of phone numbers. The same will apply with systems such as airline booking systems. Very often these give customers the option of giving a mobile phone number so that they can be advised of any schedule alterations by SMS. It might be argued that this should be classed as a distinct form of processing, but what is a well meaning attempt to protect individuals could all too easily turn into a bureaucratic nightmare.

Subject Rights

In many respects what has been considered above is intended to protect the interests of data subjects. It has also been a feature of data protection laws that subjects should have the right to object to certain forms of processing. The draft Regulation proposes that:
 The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
This is a significant and very welcome change from the current legislation, which provides that, except in the case of processing with a view to direct marketing and a few other limited situations, a data subject can object to processing only if he or she can demonstrate that the processing is unlawful (as implemented in the UK the requirement is to show that the processing would cause substantial and unwarranted damage or distress). It seems entirely appropriate to reverse the burden of proof and, after many paragraphs of criticising aspects of the new Regulation, three cheers are in order.

 Supervisory Authorities

In some respects the provisions regarding the status, powers and duties of supervisory agencies appear to be based on those contained in the Directive on Privacy in Electronic Communications. There may well be implications for the UK regime, and it is perhaps here that it becomes difficult to identify the basis for a Regulation:
 Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.
The Regulation states that supervisory authorities are to be given 'complete independence' and in particular provides that:
Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation with the European Data Protection Board.
Throughout, the terminology of the Regulation appears consistent only with the notion that the supervisory authority should be a multi-member body, something which has been recommended by the UK's former Information Commissioner but which has not been adopted as Government policy.
In terms of the powers to be afforded to supervisory authorities, the draft Regulation provides that there should be a general auditing power:
 Each supervisory authority shall have the investigative power to obtain from the controller or the processor:
(a) access to all personal data and to all information necessary for the performance of its duties;
(b) access to any of its premises, including to any data processing equipment and means, where there are reasonable grounds for presuming that an activity in violation of this Regulation is being carried out there.
Such a power has long been sought by the UK’s Information Commissioner.
One further element of the Regulation may have significant implications for data protection in the United Kingdom. At present, the Information Commissioner's Office is funded almost entirely through fees paid by data controllers upon notification. The Regulation proposes that responsibility for maintaining the data associated with notification should lie with the data controller and that this should be supplied to the supervisory authority only on specific request. There does not appear to be any possibility of the authority charging fees, and it appears that significant change will be required to the UK's funding mechanism. Given that the section of the Information Commissioner's Office which is responsible for the freedom of information legislation is funded directly by the Exchequer, it would seem logical to treat data protection in the same way.

 Transborder Data Flows

The attempt to regulate transborder data flows was one of the most controversial aspects of the data protection Directive. With its headline of "you shall not transfer there unless there is an adequate level of protection", the legislation offered many hostages to fortune.
There is remarkably little change in the headline provisions of the Regulation. Given the small number of findings of adequacy which have been made in the 14 years Directive 95/46 has been in force, it might be questioned whether the concept serves a particularly useful role. Assuming (perhaps a big assumption) that transfers are lawful, there are many other mechanisms which can be used to confer legitimacy. The notion of adequacy is a complex one and, certainly as interpreted by the Commission, would not seem to provide a basis which would secure sufficient global acceptance to form part of any wider privacy protection instrument.

 Binding corporate rules

The concept of binding corporate rules has emerged through the work of the Article 29 Working Party as a potential mechanism for evidencing an adequate level of protection in the case of transborder data flows. The concept has been applied without any specific statutory provision, something which the draft Regulation proposes to rectify, although without changing significantly anything in the system as it has been applied.

The European Data Protection Board – and Consistency

Since the implementation of Directive 95/46, the Article 29 Working Party has provided a forum for national data protection supervisors to meet and publish opinions and guidance on a wide range of data protection related issues. The Regulation proposes that it should be replaced by a European Data Protection Board. The membership will be essentially the same, but the intention appears to be that it should operate on a more formal basis with the general duty to 'ensure the consistent application of this Regulation'.
The Data Protection Board's powers are, however, limited, and legal authority to ensure the consistent operation of the Regulation lies with the Commission. The Regulation establishes a general obligation for supervisory authorities to 'cooperate with each other and with the Commission'. In respect of a range of issues, principally relating to the regulation of transborder data flows, any national proposals are required to be notified to the Commission which, after consulting the European Data Protection Board, may approve the proposal, require modifications or require that it be withdrawn.

Conclusions

The draft Regulation has been the subject of internal discussion within the Commission and consultation with external parties for a number of years. My initial impression might be summed up by the old aphorism 'the elephant has laboured and given birth to a mouse'.
Few would deny that there have been problems with the implementation of Directive 95/46. These were perhaps inevitable. At the time of its adoption two countries in particular raised concerns. Germany feared that the Directive was too weak and might weaken its own strong data protection regime. The United Kingdom, which abstained in the final vote in the Council, complained that it went too far. Given the normal difficulties that arise concerning national implementation of a Directive, divergence was only to be expected.
Although it does seem to me that there is now greater awareness of the value of data protection in the United Kingdom than was the case in the 1990s, the core problems remain. The decision to proceed on the basis of a Regulation may overcome some of the problems of inconsistency, although the political road to implementation may be a long and tortuous one. Some of the headline elements of the draft Regulation, such as the right to be forgotten, are stronger on style than on substance. It is probably politically inconceivable that a single European data protection supervisory authority would be acceptable to all the Member States, but in its absence it is unclear how consistency of application will be achieved in practice.
Perhaps the main cause for concern is how reluctant the draft Regulation is to accept that the computer world has moved on from the 1970s. In previous eras, it was important to know what data was held by a data controller. Today the key question is 'what data can be accessed?' Networks and data sharing agreements have transformed the data processing world, but this is not reflected in the draft Regulation. It still reads like a twentieth century piece of legislation. Individuals certainly need more rights, but there is also need for a workable regime for data controllers.
As a final point, and perhaps as important as any, we are faced every day with evidence that the Internet operates on a global basis. National borders have not disappeared and we also continually see evidence of nation states trying to flex their muscles in respect of particular activities. As is perhaps emerging in the field of computer crime, there is a need to establish wide consensus. It is not clear that the draft Regulation will assist. Fortress Europe may have some appeal, but history tells us that medieval fortresses which were largely resistant to bows and arrows crumbled before the cannon. It is unfortunate that part of the effort which has obviously gone into drafting the new proposals was not diverted to seeking a basis for a wider Convention which might, in the medium term, better protect the interests of EU citizens.