Are we nearly there yet with a final form of the Data Protection Regulation? And more importantly, are we any closer to knowing what this will mean in practice - one law for all of Europe, a one-stop shop to regulate disputes and fines of 2% or 5% of annual global turnover?
The 'partial general approach' on specific issues in the draft Data Protection Regulation (the "Regulation") adopted by the Council of the European Union (the "Council") in late December 2014 gave a glimpse of the Council's vision for the Regulation, and revealed some differences on key provisions from the European Parliament's version approved in March 2014.
On 15 June 2015, the Council published its completed proposals for the Regulation.
Now that we have the Council's draft, the next stage will involve the European Commission, the European Parliament and the Council negotiating their preferred versions and agreeing the final text. These 'Trilogue discussions', as they are being referred to, officially commenced on 24 June this year, with the aim of producing the finalised Regulation by December 2015.
One law for Europe
In our previous alert "The data protection regulation - are we nearly there yet?", we said that the Council appeared to have watered down the one-size-fits-all proposals for the Regulation by allowing Member States to introduce more specific provisions governing the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or for other specific processing situations.
While this does not depart entirely from the original proposal of a single data protection law applying across the whole of Europe, it does introduce uncertainty, whereas legal certainty was at the core of the Commission and Parliament drafts. Indeed, the Article 29 Working Party has highlighted this as one of the core issues to be discussed during the Trilogue: any room allowed for local variation must not lower the protections offered by the Regulation, and the goal of one harmonised law must not be forgotten.
Although the Regulation will mean a higher threshold for compliance and bigger penalties for breaches, many businesses, especially those operating in multiple European countries, welcomed the possibility of a uniform approach across Europe.
It remains to be seen whether the Regulation will impose exactly one law across Europe - it looks like we may end up with some local differences, although perhaps not on the scale of the existing EU regime given the role of the European Data Protection Board (EDPB) as an overall governing body. (See more on the EDPB in our previous insight.)
Application and scope of the Regulation
How far does it reach?
The Council has not changed its position on non-European data controllers being caught by the Regulation. The Council proposes to widen the territorial application of the Regulation to data controllers established outside the EU where they offer goods or services to individuals in the EU (even if the goods/services are free, so this is likely to catch social media businesses), or where they monitor the behaviour of those individuals as far as it takes place within the EU (likely to catch businesses targeting ads at individuals in the EU).
The Article 29 Working Party suggests that the Regulation should be clarified so that it also applies to non-EU data processors acting on behalf of non-EU data controllers to offer goods/services to EU data subjects or to monitor their behaviour. The likely reasoning is to ensure that non-EU processors do not escape the Regulation when data processors within the EU will be caught.
Further, the Article 29 Working Party does not agree with the Council's risk-based approach to the requirement for non-EU controllers to appoint an EU representative - another requirement imposed by the Regulation on non-EU controllers fulfilling the above criteria.
The Council's draft proposes that an EU representative is not necessary where "the processing is occasional and unlikely to result in a risk for the rights and freedoms of individuals". The Working Party's opinion is that this proposal is too vague and that objective criteria should be used, taking into account "the nature, regularity and scale of the data processing activity targeting the EU". The Working Party also advocates that representatives should have legal personality so that non-EU controllers have true accountability and liability.
What is its purpose?
One of the key principles of the current European data protection regime is that personal data should only be collected for specified purposes and should not be processed incompatibly with those defined purposes - i.e. if personal data is collected for one reason, it should not be used for another unless the data subject has been told about the new processing and of course, the new processing complies with all of the other data protection principles as well.
In its draft, the Council appears to be moving away from this approach for certain processing. The Council has introduced a general exemption from the requirement that all further processing must be compatible with the original purpose where it is for archiving purposes in the public interest, and for statistical, scientific or historical purposes.
This would provide an exemption from the purpose limitation principle for the use of health data in research for example. In fact, one could even go as far as to interpret this as an exemption for the further use of personal data for big data analytics, which would be a welcome addition to the Regulation for many public and private sector organisations.
The development of this provision at Trilogue stage will certainly be interesting, particularly in conjunction with the proposals to increase the standards for consent - the latter being seen as a bar to profiling activities (e.g. online behavioural advertising or big data analytics). See more on the issue of consent below and for more on big data analytics in the context of the Regulation, see our previous alert "The future of Big Data - the elephant in the room".
The Article 29 Working Party is opposed to this broad exemption from the purpose limitation principle and strongly recommends the deletion of the provision on the basis that it is too wide. The Working Party does not object to further processing for research purposes as such, and indeed it states that such further processing is likely not to be considered incompatible with the original purpose.
However, its view is that there should be a clear legal basis for any further processing and this provision could be construed widely to mean that data controllers can process personal data for further purposes even if they are not entirely compatible with the original one, or even if they are not true research but actually further commercial purposes.
What does personal data include?
In the European Commission's draft of the Regulation, Article 4(1) defines 'data subject' as an identified natural person or a natural person "who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person" and 'personal data' is defined as any information relating to a data subject.
The European Parliament did not substantially amend these definitions other than to amalgamate the definitions of 'data subject' and 'personal data', but in Recital 24 of its version, the Parliament introduced the new concept of 'singling out', when considering whether data automatically generated by computers/mobile devices (e.g. IP addresses and cookies) should be considered as 'personal data'.
The Parliament's view was that "identification numbers, location data, online identifiers or other specific factors" should not necessarily be considered as personal data unless "processed with the intention of targeting particular content at an individual or of singling that individual out for any other purpose". This was an extension to the Commission's draft of Recital 24, which simply left it as, online identifiers etc "need not necessarily be considered as personal data in all circumstances".
So the Parliament's version could be read as potentially bringing processing activities within the material scope of the Regulation even where individuals are not directly identified (e.g. by name), but are still targeted because they can be singled out on the basis of their interests, likes and dislikes for example. Naturally, this was a controversial addition for certain businesses because it could significantly inhibit the use of online behavioural advertising techniques.
The Council, on the other hand, has not followed the Parliament's lead on the concept of 'singling out'; instead it states that location data and online identifiers etc should not be considered as personal data "if they do not identify an individual or make an individual identifiable". This leaves the exact definition open to interpretation and potentially narrows the range of data that will be treated as 'personal data'. Meanwhile, the Article 29 Working Party supports the concept of 'singling out' and, further, reiterates that IP addresses and other online identifiers should, as a general rule, be treated as personal data in line with recent European court rulings.
So we have varying views on whether the definition of 'personal data' should be broadened or not, and no real indication as to which way the final text of the Regulation will lean. Tied in with this is the concept of pseudonymised data and the European bodies will need to agree on whether this should be regarded as a separate category of data, or merely a security technique to disguise personal data.
Unsurprisingly, the Working Party's opinion is that pseudonymisation is for security/data minimisation and treating this as a new category of data may lead to confusion and allow processing which would otherwise be legally unjustified.
What does consent mean?
In the Commission's original proposal, the threshold for obtaining consent to processing of personal data was raised considerably compared with the current regime. Under the existing Data Protection Directive (95/46/EC), express consent is required for processing sensitive personal data where another condition for processing does not apply, but for standard, non-sensitive personal data, this is not the case. So for the latter, implied consent can be enough depending on the circumstances. Consent requirements do vary across Europe because of the non-uniform implementation of the Directive, but in general, these are the consent requirements in the Directive itself.
In Article 4(8), the Commission's draft proposes that, where consent is relied on for personal data processing, it has to be explicit consent for processing of both sensitive and non-sensitive personal data; the Parliament's draft did not alter this position.
This poses significant challenges for businesses conducting activities where consent from data subjects has to be relied on because that is the only relevant ground for the activity in question. For example, any sort of profiling activities/big data analytics would require obtaining express consent from individuals prior to their personal data being used for the activity, which has huge practical implications particularly where large numbers of data subjects are involved.
However, the Council has taken a softer approach to consent requirements, removing the word 'explicit' from the definition. So in the Council's draft, consent still has to be "freely given, specific and informed" and there still has to be a statement or clear affirmative action indicating the data subject's agreement, but this does reopen the door to implied consent being used for non-sensitive personal data processing. The Council is clear, though, that where consent is obtained for sensitive personal data processing, it must be express consent.
The Article 29 Working Party says that there should be a clear distinction between opt-ins and opt-outs - its view is that consent has been used improperly too much in the online space. So consent requirements under the Regulation should be to obtain 'explicit' consent, which should relate to a specific purpose.
The Working Party does not agree with broad/general consent; presumably the target audience here is the big social media businesses doing vast amounts of tracking of individuals without their specific knowledge or consent. The rationale for raising consent standards is understandable: allowing individuals to exercise their rights in an informed manner is good. But many are questioning how much those who use and want these types of online services are concerned about the consent issue. This is the irony of the proposed new legislation: it seeks to protect the rights of a majority who are likely to use such services regardless of whether they fully understand all uses of their data and agree with them all.
One stop shop
In our previous insight, we set out the proposals on the one stop shop approach envisaged under the Regulation, as well as summarising the debate and latest developments presented by the Presidency of the European Union.
The draft remains unchanged since our last report - the following sums up the concept of the one stop shop as it currently stands:
- All Data Protection Authorities (DPAs) remain competent on their home territory where the processing by controllers or processors within or outside of the EU affects data subjects in their member state;
- All DPAs to cooperate on cross-border cases with a designated lead DPA;
- The EDPB to issue binding decisions where necessary;
- Cases of pure national or minor cross-border relevance to be left to the local DPA; and
- Citizens able to seek remedies in their home courts.
So where are we with the original concept of the one stop shop - the aim of achieving a single supervisory decision in important cross border cases and having an approach that is fast, ensures consistent application of the law across all Member States, provides legal certainty and reduces administrative burden? It is being argued that the original concept has been diluted and we are heading back towards a position more akin to the existing one under the Directive.
As the Information Commissioner put it, it is looking like it will be a one stop shop with a branch in every country!
Certainly, this is one area where we know that many organisations, particularly those operating across multiple jurisdictions, would welcome the original proposals. Not only would it assist with cross-border disputes, but it would be hugely beneficial to have a one stop shop to approve binding corporate rules for example.
The rights of data subjects
To forget or not to forget?
The Council has now considered the right for EU citizens to require data controllers to delete their personal data. It proposes in Article 17(2a) that, where the controller has made the data public, the controller should be obliged to take all reasonable steps, including measures to inform other controllers that are processing the data, that the data subject has requested erasure.
However, the Council's draft does not impose an absolute obligation as controllers can take account of available technology and the cost of implementation in weighing up whether they are able to comply with such requests for erasure. Also, unlike in the Commission's original proposal, the Council's approach no longer makes the data controller responsible for publication of the personal data by a third party acting on the controller's behalf.
This, combined with the above qualifications, makes the obligation less stringent than the one proposed by the Commission and Parliament. Perhaps the Council recognises the sheer burden on data controllers of complying with this obligation, given the practical difficulty of erasing data potentially spread across the globe by the internet.
The Article 29 Working Party is concerned about the Council's approach to data subject rights in general. It believes that granting the rights to data subjects according to the circumstances, i.e. on a case by case basis is "creating uncertainty and potentially room for interpretation that could lead to lowering the level of protection for data subjects".
The Working Party reiterates that the rights granted to data subjects by EU law (e.g. right of access, rectification, erasure, objection, transparency and data portability) should be strengthened and clarified - for the Working Party, the Parliament perhaps went a little too far with its stringent approach to data subjects' rights, but the Council has been too soft.
And finally, what does the Council's draft say about the proposed fines for data protection breaches? The Council has not concurred with the European Parliament on this point either!
In Article 79(6), the Commission had originally proposed 1 million Euros or up to 2% of an organisation's annual worldwide turnover, the Parliament significantly increased this to up to 100 million Euros or 5% of an organisation's annual worldwide turnover (whichever is higher) and the Council has agreed with the Commission's proposal. It is almost as though the three European institutions have created a bidding situation to make the ultimate fine, eye watering though it is, seem not so bad after all.
Some leading practitioners in the data protection field are advising not to panic over the proposals for huge fines, though: their view is that these are aimed at those businesses whose product is people and who are crunching personal data to make money.
However, others advise caution - considering that big organisations processing lots of personal data of employees may well come under fire if something goes wrong (e.g. a data security breach is not reported correctly). We have already seen the health sector being vulnerable to fines for security breaches, but big organisations and those operating in high risk sectors involving lots of personal data or particularly sensitive data will need to watch out.
It remains to be seen what discretion regulators will have over imposing fines - this is also under debate. The worst case scenario is that it will be a near strict liability regime and the question will not be whether the organisation should be fined or not, but what level of fine the breach falls into.
With no room for complacency - what should we be doing?
We should continue reviewing our data protection policies and procedures to ensure that they are accessible and that staff engage with them, so that they are effectively deployed across the business. This will go a long way towards complying with the enhanced accountability rules under the Regulation.
Ensure that the principle of 'privacy by design' is enshrined in everyday business procedures. Conduct information gathering exercises to understand what you are doing with the data, where it is going, who will have access, how will it be protected and how will you comply with individuals' rights to access/erasure.
Privacy impact assessments are likely to become mandatory under the Regulation anyway, so it is a good idea to get into the habit of doing these. They shouldn't be viewed as a chore - in fact, carrying out such risk assessments really helps to understand what compliance measures are already in place, what actions need to be taken, where the risks lie and whether there is anything the business can do to mitigate the risks, or alternatively, to provide justifications for why certain risks will be accepted.
It is not a good idea to wait until we see the final text of the Regulation - we already have a fair idea of what it will look like and in many ways, the Regulation will be enshrining aspects of what is currently considered good practice, or what the courts have started adopting as law (e.g. the right to be forgotten, as Google found to its detriment in the recent Google Spain v Gonzalez case).
It is rare that an organisation will have compliance spot on - there is always room for improvement. Also, it is not just about ticking compliance boxes - having good compliance practices will generate the trust of customers/consumers and employees, as well as enhancing brand and reputation. Boosting confidence in a business while at the same time reducing compliance risks can only be a bonus and although, ultimately such outcomes are intangible and difficult to measure, they are undeniably valuable.