The EU data protection reform package has entered its decisive phase. The first trilogue between the European Parliament, the European Commission and the Council of Ministers began on 24 June 2015 but, even at this late stage, there are many key concepts still to be finalised.
In a bid to influence the debate, the Article 29 Working Party has published its latest opinion on the current proposals and the areas it believes are "in need of further improvement".
Fundamentally, the Working Party wants to ensure that the reformed framework does not lower the current level of data protection and leaves as little doubt as possible about the rights of data subjects. Added to this is its objective that the text should be as simple, efficient and clear as possible, and that this should all be done without limiting innovation. It's a major juggling act.
As the process edges towards a conclusion, the Working Party's extensive list of recommendations suggests that it wants to ensure that its voice is heard right up until the last moment.
The Working Party's key areas of concern are as follows:
Consent
The Working Party is firmly in favour of requiring "explicit" consent to the processing of personal data and opposes any attempt to soften the wording to "unambiguous" consent, which it believes would create confusion. Its view is that only "explicit" consent would truly enable data subjects to exercise their rights. Moreover, consent should be informed and concern a specific purpose.
Definition of personal data and pseudonymisation
To maintain a high level of protection, the Working Party believes that 'personal data' should be defined in "a broad manner" and should reflect that a person can be identifiable when they can be "singled out" in some way and, as a result, treated differently. It believes that this concept is not reflected in the recital amendments proposed by the European Parliament and reiterates that information such as IP addresses and other online identifiers should generally be considered "personal data", in line with recent CJEU rulings [1].
The Working Party also argues that techniques used to disguise the identity of individuals (or 'pseudonymisation') should be used strictly as a security measure and should not mean the creation of a new category of data. It is concerned that an independent category of "pseudonymous data" may cause confusion and be a way for data controllers to justify derogations from the appropriate level of protection for personal data and the rights of data subjects.
Principles of compatible use and purpose limitation
The Working Party agrees that data controllers should continue to have a degree of flexibility to process personal data for purposes that are not incompatible with the specific purposes for which it was originally collected.
It does not agree with proposals to allow data controllers to process data for an incompatible purpose when the controller has "legitimate interests" that override the interests of the data subject. Such a balancing test finds favour with 'big data' lobbyists but, in the opinion of the Working Party, it would fundamentally undermine the purpose limitation principle and offer weaker protection than under the current regime.
However, the Working Party strongly supports the view that further processing of data for archiving, scientific, statistical and historical research purposes should remain possible and should be considered as compatible with the original purpose of collection.
Right to data portability
The right to data portability should be maintained as a separate and independent new right, distinct from the right of access. One of the aims of a data portability right is to empower the individual to control his/her personal data. Data subjects should therefore be able to request the transfer of their personal data to themselves or to a third person (including a separate data controller) from the moment it has been provided. The Working Party believes that this should apply to all types of processing, whatever the legal basis being used for that processing.
Right to Object
The Working Party is also concerned by the Council's proposal to limit the right to object to cases where the data processing is founded upon the legitimate interest of the controller or upon the public interest or in the exercise of official authority vested in the controller. It believes that this will lead to an unacceptable decrease in the current level of protection.
Restrictions and qualification of rights
Rights granted to the data subject, such as the right to have sufficient information to ensure fair and transparent processing, should not be qualified in any way as being dependent on the "specific circumstances and context in which the personal data are processed", as currently proposed. The Working Party believes that this creates uncertainty and room for interpretation that could actually leave the data subject less well protected than under the current regime.
New grounds have been added by the Council to allow derogations from data subjects' rights for such reasons as "important objectives of general public interests of the Union or of a Member State" and "the enforcement of civil claims". The Working Party's view is that such "very general and vague derogations" go further than the legal grounds currently permitted under the Directive and are contrary to legal certainty.
Profiling
The proposals to safeguard profiling are, in the Working Party's view, similarly unclear. It believes that data subjects may be unaware of customer or user "profiling" and suggests new obligations on data controllers to make profiling more transparent, by clearly defining the purposes for which profiles may be created and used. This might include specific obligations on controllers to inform the data subject of the creation of a profile and of the data subject's right to object to the creation and use of profiles.
Data breach notification
The Working Party agrees that there should be different thresholds for notification of personal data breaches to the data protection authority (DPA) and to the individual. It takes issue, however, with the Council's proposal that a data controller who has taken subsequent measures to ensure that any high risks for the data subject are no longer likely to materialise is exempted from notifying the data subject and the DPA. It considers that this derogation is tantamount to giving "most controllers a justification not to inform the relevant stakeholders".
In addition, the Working Party states that it is not the level of risk but "whether the personal data breach is likely to adversely affect the personal data or privacy" of the data subject that is paramount.
International data transfers
The Working Party continues to argue against diluting the 'adequacy' principle for international data transfers by allowing transfers on the basis of a "legitimate interest pursued by the data controller" following an assessment of suitable safeguards [2]. It considers this an over-broad derogation. The Parliament has proposed deleting this provision but, if it is to be maintained, the Working Party says that it should at least be on an exceptional basis and only for non-massive, non-repetitive and non-structural transfers.
Binding Corporate Rules
The Working Party expresses concern over the deletion of the proposals for Binding Corporate Rules for data processors and considers it essential to re-insert them. However, it supports the Council's proposals that set clear legal conditions to allow processors to sub-contract part of their activities, in particular in the context of the development of cloud computing.
After several years of what the Working Party describes as intense negotiations, sticking points remain.
The concept of consent has become a key aspect of the debate, with the UK resisting the notion of 'explicit' consent, only for the Council's compromise proposal of 'unambiguous' consent to attract criticism for lacking clarity. Clarity may be gained from the general guidance that the Working Party will produce following adoption of the Regulation, although a significant bedding-in period will be inevitable. During this time, organisations with a commercial interest are likely to test key concepts like consent and strain the boundaries of the derogations, particularly in new areas like data breach notification.
Not surprisingly the Working Party recognises that the effectiveness of the Regulation will depend on the ability of DPAs to enforce it. It therefore reminds the EU institutions that DPAs should be equipped with appropriate powers of enforcement and sufficient resources. Sanctions should be strongly reinforced to constitute a "real deterrent" whether the data controller is a public or a private entity.
Effective investigation will depend on increased cooperation between DPAs, particularly via a designated 'lead' authority. The Working Party supports the concept of this "one-stop-shop" but, like much in the rest of the proposals, there is uncertainty over how this will work in practice and this has been left expressly for development by the European Data Protection Board rather than being covered in the Regulation.
But for all its efforts, the Working Party is just one of the voices trying to attract the attention of the Parliament, Commission and Council as they shepherd the reform package through its final stages. Lobbyists from big business, privacy activists and the EU institutions themselves all have their own agendas.
All have very different messages to push and, as they will be keen to point out, "nothing is agreed until everything is agreed".