The European Commission issued a proposal for data protection reform at the start of 2012. The proposed legislation is set to replace the existing Directive 95/46/EC with the directly effective Data Protection Regulation (Regulation), designed to harmonise the currently fragmented rules, and a directive relating to the protection of personal data processed for the purposes of criminal offences and related judicial activities. Since January, commentators, regulators, businesses and EU Member States have been abuzz, voicing their concerns about the Regulation.
April saw detailed comments on the Regulation from the UK Information Commissioner’s Office and from the European Union Article 29 Data Protection Working Party. In June, the European Council prepared a revised version of the first 12 Articles of the Regulation, incorporating comments from various Member States. Many of the amendments highlighted significant resistance to basic points of principle. The European Council’s revised draft dealt with just 13 per cent of the substantive provisions, and included 147 footnotes explaining the changes and detailing the views of Member States.
In October, an Interparliamentary Committee Meeting was held at the European Parliament in Brussels. The conference was organised by the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the body appointed by the European Parliament to assist with data protection reforms, headed up by rapporteurs Jan Albrecht and Dimitrios Droutsas. It was intended to engage members of the European Parliament and national parliaments in an exchange of views on the reform of the EU data protection framework. This debate provides a good overview of the main issues that are still of concern.
The proposed harmonisation of rules through the use of the directly applicable Regulation and the plan to clarify applicable law by introducing a “one-stop-shop” system were broadly welcomed. Concerns about subsidiarity, however, and how the Regulation would be reconciled with national laws and privacy cultures, remained. Unease was notable, particularly with regard to employment and law enforcement provisions, owing to legislative divergence in these areas.
The number of delegated and implementing acts was criticised consistently. These provisions would allow the European Commission to modify non-essential elements of the legislation and to propose non-legislative clarifications using a fast-track procedure. While the delegated acts introduce an element of flexibility into the framework, anxieties over legal certainty and excessive power being granted to the European Commission also exist. Viviane Reding, vice president of the European Commission, made it clear that the Commission would consider reducing the vast number of delegated acts. There was also consensus amongst attendees that details of enforcement, especially the practical implementation of the proposed consistency mechanism and cooperation between various data protection authorities and the proposed European Data Protection Board, needed more clarification.
The Right to be Forgotten (Article 17 of the proposed Regulation) received a significant amount of attention. The principle itself builds on rights that exist already in European data protection law, with the main purpose being to remove data that people have shared about themselves, and not data published by others. Serious criticisms persist, however, of the potential for this right to infringe freedom of expression and the possibility of intermediary liability being imposed. Making online services liable for the availability of content over which they have no control, for example, could lead to measures that infringe on freedom of expression. Such measures may include the implementation of monitoring technologies that would fly in the face of everything the Regulation seeks to achieve. As such, scepticism remains as to how the right to privacy and the right to expression can be preserved without conflict.
While Article 80 of the Regulation directs Member States to provide derogations to protect freedom of expression, individual Member States sometimes have different interpretations of the fundamental right to freedom of expression. It is likely that reasonable exceptions in the Regulation will need to be expanded to take account of this.
Another contentious aspect of the Regulation is Article 23, which addresses data protection by design and by default. The concept of privacy by design is that data controllers should build privacy into the technological architecture of their products and services, as well as into their organisational policies, providing end-to-end privacy protection. The tension between large, mostly US-based, corporations and European data protection regulators is notable in relation to this point. The Managing Director of Facebook and former Member of the European Parliament, Erika Mann, made the point that privacy by design is not at all conducive to social media networks. This line of argument has been rebuffed previously: while it is true that people join social networks to share, that doesn’t necessarily imply that they do not also value their privacy. Making conscious choices about sharing information with other individuals is completely different from information being shared with third parties without the individual’s knowledge or consent.
Issues surrounding consent (Articles 3 and 7) were also considered at length at the conference. The Regulation proposes to ban all data processing anywhere in Europe unless the users have granted their explicit approval, strengthening the obligation to use opt-ins by which the user has to grant consent actively. At present, some national laws allow consent to be inferred from the situation. The Regulation now requires that consent be informed and explicit, with a clear affirmative action or statement. If a data controller relies on consent, he or she bears the burden of proving that it was given.
Importantly, consent cannot be used when there is a significant imbalance between the data subject and the controller. Regulators welcome the stricter test of explicit consent, but there are reservations as to the invalidity of consent where this significant imbalance exists.
By contrast, many Member States and corporate lobbyists have criticised the additional requirements to consent as being unrealistic. Companies fear that this form of explicit consent will result in “click fatigue”, causing a considerable drop in user numbers and making personalised advertising considerably more difficult.
This is just a flavour of the heated debate that rumbles on in relation to European data protection reform. During this two-day event, the American delegation and the European Commission failed to make much progress towards reconciling their clashing viewpoints and, judging by the vehemence of argument that persists some seven months after the proposed Regulation was first published, there is still some way to go.
LIBE is expected to present its draft report on the proposed legislation by the end of this year, after which Member States will be invited to table their amendments. LIBE will then meet to discuss those amendments and it is expected that an orientation vote (where the committee votes and concludes upon its initial position in light of the negotiations) will be held in April 2013. The current timetable should allow the Regulation to be ready for trilogue with the European Council and European Commission by the summer of 2013, and to be put to a vote in the plenary session of the European Parliament in early 2014.