After entertaining the data protection and privacy community before Christmas with hints of what was to come, Viviane Reding, Vice-President of the European Commission, introduced a Draft General Data Protection Regulation (the "Draft Regulation") on 25 January 2012, which is intended to replace Directive 95/46/EC (the "Data Protection Directive").[1] There has been a quick response to this, and the Information Commissioner's Office has already published a detailed initial analysis of the European Commission's proposals.[2]
On the surface, the most notable proposed change is that from a European Directive to a Regulation. It is clear that uneven implementation and enforcement of data protection laws in Europe can increase compliance costs for business. However, a move to a European Regulation means that the provisions are directly enforceable in each Member State, and these provisions will include setting penalties and sanctions. In a leaked copy of the Draft Regulation it was suggested that these sanctions could be up to 5% of annual worldwide turnover. In this official draft, they have been set at a maximum of 2%. However, this is still a figure greatly in excess of penalties we, in the UK, are used to – and will give the ICO powers that exceed those of comparable government authorities.
However, the Draft Regulation is wide-reaching and, although expressed as being technology neutral,[3] would, if enacted in its current form, have a significant and adverse impact on a number of different businesses. This article deals primarily with online advertising, e-commerce and social media businesses in Europe. The following issues within the Draft Regulation are a selection of those which are of most concern here. While this is not an exhaustive list, these are the most salient in today's legal and economic environment.
I. The expanding class of data subjects
Under the Draft Regulation, the definition of "data subject" has been revised in a way that will have a significant impact.[4] Presently, a data subject means an identified or identifiable natural person, where an identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.[5]
In the Draft Regulation, data subjects will additionally include those that can be identified by reference to "an identification number, location data and online identifier", with the latter given more colour in the Recitals: "when using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers."[6] Some of these new elements can clearly identify data subjects, especially when combined with other data, whilst for others it is not clear. These terms are certainly not technology neutral, and there is a suspicion that some of these data types have been chosen because they exist on personal information devices such as smartphones and personal computers, rather than because they are personal data per se. In its initial analysis of the Draft Regulation, the UK Information Commissioner's Office ("ICO") has called for clarity as to which "non-obvious identifiers" qualify as personal data, so that organisations may conduct business with a measure of legal certainty.[7]
Secondly, the concept of an "identifiable natural person" has changed. It now expressly includes information which is "reasonably likely to be used by the controller or by any other natural or legal person." This definition is problematic for a number of reasons. On the face of it, it would suggest that if party A has non-identifiable data and party B has an index which can correlate that data with the identity of a person, then this automatically means that the non-identifiable data is personal data – even if there is no relationship between party A and party B.
As a consequence of this broader definition of personal data, there will clearly be more "data subjects" under the Draft Regulation. This will put pressure on industry to ensure that, whenever data is collected, held or processed in a way that might now refer to data subjects, there are processes and policies that form an audit trail around the processing, together with information that can afford the enlarged group of data subjects their rights – even when the information held about them is very limited.
Article 10 is an intriguing addition; it provides: "If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation." The word "acquire" is interesting here – bearing in mind the new, very broad definition of data subject and, consequentially, of personal data.
This exception will certainly help small advertising networks and e-commerce businesses that have a limited data set about their users – but it will not assist, and may even disadvantage, companies who have very large data sets, particularly where the data sets are complex. It will reinforce the need for companies with large data sets to make connections within their own data set, even ones that were not formally made, to allow for fuller compliance with the Draft Regulation. The effect of this is to encourage data mining, a practice generally believed to be contrary to good privacy practice.
II. Data anonymisation
The expanded definition of data subject creates a new ambiguity in the Draft Regulation: how can personal data be anonymised? That is, to what extent can personal identifiers be removed from personal data so that the information may be used for additional purposes not previously notified to the data subject? The ability for companies to render data anonymous is an important one. It can be a good way of complying with data protection law whilst still preserving some of the intangible asset value of that data.
Recital 23 of the Draft Regulation states that the "principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable". This is the same wording used in Recital 26 of the Data Protection Directive – but there is no guidance as to how one might render personal data not even indirectly identifiable, and for anonymity there is no Article 10 assistance.
Is it possible to hash an IP address to render it anonymous in the eyes of the Draft Regulation, or will it still be considered to be an "online identifier"? The answer to this question has the potential to shape the future of web analytics and audience reach measurement, as well as other forms of online statistical measurement. The ICO intends to publish a report on anonymisation to bring clarity to the issue, but without a uniform European approach, some important online businesses will lack the legal certainty required to efficiently conduct online business.[8]
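The hashing question above has a technical side worth making concrete. The following Python is an added example, not part of the original article or of any regulator's guidance: it shows why an unkeyed hash of an IPv4 address is a pseudonym rather than anonymisation (the whole 2^32 address space can be enumerated and the hash inverted by lookup), and two alternatives an analytics operator might weigh instead. The sample address and the constructed /24 block are illustrative values; the function names, the keyed HMAC scheme and the prefix-truncation generalisation are this example's own choices, not something the Draft Regulation prescribes.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address string: deterministic and computable by anyone."""
    return hashlib.sha256(ip.encode()).hexdigest()


def lookup_by_enumeration(digest: str, network: str) -> Optional[str]:
    """The check a controller should run against its own scheme: because the IPv4
    space is only 2^32 values, plain_hash can be precomputed for every address and
    inverted by table lookup. Enumerating one constructed /24 block here is enough
    to show that the digest identifies the address exactly."""
    for host in ipaddress.ip_network(network):
        if plain_hash(str(host)) == digest:
            return str(host)
    return None


def keyed_pseudonym(ip: str, key: bytes, bits: int = 64) -> str:
    """HMAC-SHA256 under a secret key, truncated to `bits`. Without the key the
    lookup table cannot be built. If the key is rotated each reporting period and
    then destroyed, the controller itself can no longer link periods or reverse
    the value; while the key exists, this is still pseudonymisation, not anonymity."""
    mac = hmac.new(key, ip.encode(), hashlib.sha256).digest()
    return mac[: bits // 8].hex()


def truncate_ip(ip: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Generalisation beyond hashing: keep only a network prefix, so many
    subscribers share one stored value and no exact address is retained at all.
    Prefix lengths are assumptions chosen for the example."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


if __name__ == "__main__":
    sample = "192.0.2.42"  # constructed sample address (documentation range)
    print("plain hash recovered:", lookup_by_enumeration(plain_hash(sample), "192.0.2.0/24"))
    print("keyed pseudonym:", keyed_pseudonym(sample, b"constructed-demo-key"))
    print("truncated:", truncate_ip(sample), truncate_ip("2001:db8:abcd:1234::1"))
```

The design point is that "hashed" on its own says nothing about identifiability: the question is whether someone holding the stored value plus publicly available information can rebuild the mapping, which for an unkeyed hash of a small input space they always can.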
III. New rules for profiling
The Draft Regulation grants the right to object to profile building activities if the profiling can produce legal effects or can significantly affect the natural person.[9] Such profiling activities are defined as those that evaluate, in particular, a natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour. Further, profile building is only permitted where it is pursuant to a contract with specific safeguards, where it is expressly authorised by applicable law or where the data subject has given their consent.[10]
Presently, creating electronic profiles of web users may not be impacted by data protection legislation where the user cannot be identified. Under the Draft Regulation, the reference to "natural person" rather than "data subject" in Article 20 rather indicates that this activity is to be regulated whether or not the data would comprise personal data or whether data subjects could be identified.
It is not clear what is meant by "producing legal effects"; nor is it clear what is meant by "significantly affect the natural person." It could certainly be envisaged that certain types of advertisements, particularly ones with click-through offers, could be construed as an invitation to accept a contract. The European Commission, or any Supervisory Authority, could also argue that a behavioural advertising system that only presented certain types of advertisements to a data subject could be significantly affecting them. These are worst case scenarios that would dramatically and adversely affect online behavioural advertising and targeted advertising. In this regard, the ICO has called for the Commission to clarify whether profiling carried out to deliver content to an individual does produce enough legal effects to constitute profiling, as legal certainty "beyond [a] doubt" is needed.[11]
In addition, it is now clear that profiling based on "sensitive" categories of personal data, a definition that is now slightly expanded,[12] is expressly not permitted;[13] nor may the profiling "concern a child".[14] Arguably, under the language of the Draft Regulation, it would still not be permitted even with explicit consent.
The practical consequence is that information society service providers are likely to move the point at which users must be registered and "logged in", so that more of the site is only available to users who are logged in. This will result in more data being collected about users rather than less, and the debate then becomes whether the profiling and other related services are "necessary" for the performance of the information society service.
IV. Data breach notification – unexpected consequences
As expected, the Draft Regulation has extended the regime for data breach notification that is currently enjoyed by the telecommunications sector to all industries and sectors.
Unlike data breach notification laws that are present in the US, a personal data breach has a very broad meaning. It means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data …"
It is not just the loss or disclosure of personal data that is the trigger, but it also includes destruction or alteration. Accidental or unlawful modification of personal data can trigger this requirement, as well as any hacking activity regardless of whether information is modified or deleted.
Article 31 of the Draft Regulation requires the data controller to notify the supervisory authority without undue delay and, where feasible, within 24 hours. Companies with very good information security standards and systems generally also have the highest detection rates for information security breaches and attempted information security breaches. Under this broad definition an attempted information security breach is likely to fall within scope and, consequentially, it may be the case that the companies with the best security will be reporting the greatest number of information security incidents, while those with poor or negligible security will not report at all. As the reports to the Supervisory Authority are likely to be the valid target of freedom of information requests, the public perception may well be that the companies with the greatest number of reports have the weakest security – whereas in reality, the converse might have greater truth.
The ICO notes that there is the need for "triggers" before a Supervisory Authority is notified, lest they be swamped with notifications. Further, the ICO goes on to question whether the Supervisory Authority needs to be notified at all at such speed, where the primary focus should be that of any affected data subjects.[15]
Article 32 of the Draft Regulation requires that where a personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, then the data subject should be notified without undue delay.
Recitals 67-69 elaborate on a threshold for notifying data subjects on a personal data breach; they should be notified when they are "adversely affected". Recital 67 states that "A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation."
Good information security practice dictates that it may not be the optimum approach to immediately notify data users and the "hacker" of a suspected intrusion. This best practice cannot be adopted within the present structure of the Draft Regulation, although there is some language in Recital 69 which appears to indicate that if the lost data was subject to appropriate technical protection measures which limit the likelihood of identity fraud or misuse, then the notification to the data users may be delayed. Article 32(3) goes further and provides that notification of a personal data breach to a data subject may not be necessary at all if technical controls such as encryption of any strength have been used, but provided the encryption can "render the data unintelligible to any person who is not authorised to access it." There is a lack of consistency here and as the ICO notes, a considerable burden on the Supervisory Authorities.
Finally, in addition to the ability for every person to seek a judicial remedy if they consider their rights to have been infringed,[16] any consumer association will have the right to lodge a complaint with a Supervisory Authority or exercise the right to a judicial remedy on behalf of data subjects, and lodge a complaint in its own name, where it considers that a personal data breach has occurred.[17] This raises the spectre of both an increasing number of actions in national courts as well as an increasing number of complaints that may be lodged by consumer associations and other consumer bodies that are particularly worried about data breach notifications.
Hopefully, revisions to the Draft Regulation will bring additional clarity to these important provisions.
V. Consent
The ICO is pleased to note that the different types of consent in the existing law have been consolidated into one form of consent in the Draft Regulation. The ICO is also pleased that the Draft Regulation provides clarity as to whether an implied consent is permitted.[18]
Under the Draft Regulation, and where consent is required, the data controller will bear the burden of proving that the data subject has given consent for the processing of their personal data for the specific purposes for which the data was collected.[19] Further, the regulation provides that the consent may not be "wrapped up" in a general consent to website terms and conditions, and so it must be broken out into a separate tick box or privacy statement.[20]
As the burden of proof lies with the controller, it is likely that best practice will develop such that the controller must record and store the results of this tick or click against the identity of the data subject.
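What "record and store the results of this tick or click" might look like in practice is sketched below. This is an added example written for this article, not the ICO's or the Commission's recommended design: it keeps an append-only ledger of consent events, one per specific purpose (so a tick for general terms and conditions never counts as consent to, say, behavioural advertising), records which version of the privacy statement was shown, supports withdrawal, and chains each entry under an HMAC key held by the controller so that the evidence can be shown not to have been altered after the fact. Subject identifiers, purpose names, statement versions, timestamps and the key are constructed sample values.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One tick, click or withdrawal, tied to a single specific purpose."""
    subject_id: str          # the controller's identifier for the data subject
    purpose: str             # e.g. "behavioural_advertising"; never a catch-all
    statement_version: str   # which wording of the privacy statement was shown
    granted: bool            # True for consent given, False for withdrawal
    timestamp: str           # ISO-8601 UTC, fixed width, so lexical order is chronological


class ConsentLedger:
    """Append-only evidence log; every entry is chained to its predecessor and
    MACed under a key held by the controller (assumed key management)."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: List[Tuple[bytes, str]] = []   # (canonical JSON payload, tag)

    def _tag(self, prev_tag: str, payload: bytes) -> str:
        return hmac.new(self._key, prev_tag.encode() + payload, hashlib.sha256).hexdigest()

    def record(self, ev: ConsentEvent) -> str:
        """Append an event and return its tag (the receipt a UI could show the user)."""
        payload = json.dumps(asdict(ev), sort_keys=True).encode()
        prev = self._entries[-1][1] if self._entries else ""
        tag = self._tag(prev, payload)
        self._entries.append((payload, tag))
        return tag

    def verify(self) -> bool:
        """Recompute the whole chain; any edited, removed or reordered entry fails."""
        prev = ""
        for payload, tag in self._entries:
            if not hmac.compare_digest(self._tag(prev, payload), tag):
                return False
            prev = tag
        return True

    def has_consent(self, subject_id: str, purpose: str, at: Optional[str] = None) -> bool:
        """Was the latest event for this subject and this exact purpose (on or before
        `at`, if given) a grant? Consent for another purpose is never reused."""
        latest = None
        for payload, _ in self._entries:
            ev = json.loads(payload)
            if ev["subject_id"] != subject_id or ev["purpose"] != purpose:
                continue
            if at is not None and ev["timestamp"] > at:
                continue
            if latest is None or ev["timestamp"] >= latest["timestamp"]:
                latest = ev
        return bool(latest and latest["granted"])


if __name__ == "__main__":
    ledger = ConsentLedger(b"constructed-demo-key")
    ledger.record(ConsentEvent("user-1", "terms_and_conditions", "v3", True, "2012-02-01T10:00:00Z"))
    ledger.record(ConsentEvent("user-1", "behavioural_advertising", "v3", True, "2012-02-01T10:00:05Z"))
    ledger.record(ConsentEvent("user-1", "behavioural_advertising", "v3", False, "2012-03-01T09:00:00Z"))
    print("consent now:", ledger.has_consent("user-1", "behavioural_advertising"))
    print("consent on 15 Feb:", ledger.has_consent("user-1", "behavioural_advertising", at="2012-02-15T00:00:00Z"))
    print("ledger intact:", ledger.verify())
```

Keying the record by purpose and statement version is what lets the controller answer the burden-of-proof question precisely ("this subject ticked this box, for this purpose, having been shown this wording, at this time"), and the point-in-time query matters because processing that happened before a withdrawal still needs to be justified.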
The Draft Regulation provides that consent will not be a legal basis for processing where there is a significant imbalance between the position of the data subject and the controller.[21] Recital 34 provides examples of the employee-employer relationship, although this is clearly illustrative and such an imbalance could be found in other types of legal relationships. The ICO has reservations about the blanket application of this rule to the workplace, and is concerned that without consent there may not be sufficient latitude for companies to conduct business effectively.
Finally, children under the age of 13 will not be permitted to give valid and effective consent unless the consent of their parents and guardians is also obtained. This opens up the question as to how the age of a web user can be identified. The Draft Regulation provides "The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology"[22] and "The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to [above]".
This may have a very significant impact on web sites and internet services which are intended for children.
VI. The right to be forgotten
Many commentators have suggested that this proposed right would not make an appearance in the Draft Regulation; however, that has proven to be untrue.[23]
There are a number of complexities with this new data protection right. Firstly, the right is for the "erasure" of personal data relating to the data subject. It is certainly the case, however, that a single data item, such as a photograph, might relate to a number of different data subjects. Secondly, data is frequently processed into a derivative form, and as we now have a wide definition of personal data which is most likely still triggered even after a degree of de-personalisation, it is not clear how that right would affect those derivative data sets.
The ICO finds this right "one of the more interesting", an expression which means different things to different people, and welcomes it, for example, to allow a person to remove information they have posted to a social networking site.
However, the ICO is concerned about the effect of this right on important topics such as freedom of expression and the maintenance of historical records.
In addition to there being no obvious limit to the effort that a company must make to determine references to an individual, there are further burdensome elements – in particular, where the controller has made the personal data "public," or has provided or licensed the data to a third party for them to make it public, the controller shall take all reasonable steps, including technical measures, to inform all third parties which are processing such data that a data subject has requested them to erase all links to or copies of their personal data.[24]
Even if this ambitious step of requiring a data controller to chase onward publication of personal data were technically and practically possible, it will require the substantial revision of many internet related contracts to ensure that the relevant responsibilities are documented correctly.
The Draft Regulation also envisages a "hold state" where personal data is subject to restrictions whilst the identity of a data subject making a request to be forgotten is being determined.[25] This "hold state" will require further development of e-commerce platforms and other applications.
This provision will have a very significant and perhaps costly impact on internet related businesses. As the ICO points out, it is also questionable as to how effective it will be in practice.
VII. Data protection impact assessments
There is a significant new proposal for a data protection impact assessment where the contemplated processing presents "specific risks" to the data subjects.[26] There are a number of different types of processing activities which are deemed to present "specific risks", and they include "a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual" and "personal data in large scale filing systems on children, genetic data or biometric data", where for these purposes children are those under the age of 18. It appears that the European Commission has within its sights online behavioural advertising and social networks as activities which present "specific risks".
The consequence of this is that there is a duty to conduct a privacy impact assessment and a duty to take the views of prospective users of the system prior to implementation, which may include a compliance audit of the system after implementation.[27]
Of greater concern is the requirement to consult with and to obtain authorisation from the Supervisory Authority prior to the business being implemented.[28] The risk is that the Supervisory Authority will be able to examine and interfere with the operation of both prospective and existing advertising and social media businesses. The ICO is in favour of these privacy impact assessments and would go further by seeking their publication.
VIII. Extraterritoriality and the international dimension
At present, the Data Protection Directive is applicable to the processing of personal data wholly or partly by automatic means within the European Union,[29] but in practice, enforcement is limited to cases where either the controller is established in the EU or has agreed to be subject to data protection rules pursuant to a data transfer contract or binding corporate rules.
The Draft Regulation will expand the scope beyond that of the Data Protection Directive to seek to cover organisations not based in the EU and with no operations in the EU. It will apply to "the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behaviour."[30]
It is difficult to see how this may be legally achieved. The Article 29 Working Party has previously sought to show that the Data Protection Directive is applicable by creatively looking at how web technology works.[31] However, this does not necessarily solve the problem of making the transposed national law that implemented the Data Protection Directive enforceable on that non-EU company.
The ICO also finds it difficult to see how non-EU data controllers will be required to comply with the Draft Regulation.[32] The Draft Regulation does contemplate the tension between applicable laws, but considers it in the reverse, where there is an extraterritorial application of non-EU laws.[33]
Secondly, there is now an obligation for controllers not based in the EU or in a country with "adequate" data protection laws to designate a representative in the EU (subject to certain exceptions).[34] This provision goes on to say that the designation of a representative is "without prejudice to legal actions that could be initiated against the controller itself."[35] However, the converse is not true, and the presence of a representative in Europe is likely to make it easier for an unhappy data subject to successfully bring that non-EU controller within the jurisdiction of the court or Supervisory Authority in the country of that representative.
The extra-territorial extent of this Draft Regulation is as broad as might have been expected from the numerous public statements by Viviane Reding in the last few months. That said, there is a difference between the applicability of law and the enforcement of that law. It is possible that certain non-EU businesses might be able to deal with EU data subjects and not be subject to enforcement activities, and so maintain the current non-level playing field. By contrast, multinational corporations with operations within and outside of the EU are likely to have an increased compliance burden and regulatory risk. It will be particularly interesting to see how this develops.
To be published in the Computer and Telecommunications Law Review [18 C.T.L.R., Issue 4].