Assuming a fair amount of hard work and that the EU institutions are able to put their political skills to good use, 2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years. It was in 2010 when the European Commission formally acknowledged that the 1995 Data Protection Directive was ready for a makeover to address the privacy and data protection needs of the 21 century. Since then, stakeholders covering a whole spectrum of views have participated in a process that is approaching a decisive stage. In early 2014, the European Parliament came forward with a bold proposal to amend the Commission’s original draft and put the ball firmly in the Council of the EU’s court. As the Council finalises its own proposal, a picture of what the new framework will look like is starting to emerge.
An area of great importance for organisations seeking to benefit from the use and exploitation of personal data is covered by Chapter IV of the draft EU Data Protection Regulation, which includes the substantive obligations affecting controllers and processors. As is well known, the Regulation aims to replace the existing maze of national laws implementing the Directive with a single set of rules that will be uniformly applied throughout the EU. For that reason, knowing what substantive obligations will be imposed on those handling personal data is a top priority – particularly if the Regulation is set to be adopted during the course of 2015.
Assessing the latest position of the Council of the EU on this Chapter is not only a worthwhile exercise to understand where the law may stand in the future, but a way of anticipating what is likely to be on the To Do list of most organisations in the not too distant future. Whilst we do not know the exact content of the text that will eventually be adopted, it is fairly certain that the Regulation will introduce a new set of accountability obligations that do not exist under the current Directive. The reason why we can predict this is that following the Commission’s original proposal, neither the Parliament nor the Council have questioned this model.
Crucially, the Council is seeking to introduce a mechanism to determine the relevant accountability measures taking into account the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risk for the rights and freedoms of individuals. The Council’s stance is that the implementation of data protection policies to ensure compliance should be proportionate in relation to the processing activities. This could well be the Council’s most important legacy of the whole data protection legislative reform. After all these negotiations and political wrangles, the so-called ‘risk-based’ approach is emerging as the most likely solution to the very diverse views that exist in Europe as to how strict or flexible the future framework should be in regulating the exploitation of personal data.
This weighing exercise will be very relevant in the context of applying ‘data protection by design’, for example. A completely new legal concept in Europe, data protection by design is aimed at forcing data controllers to take into account the nature of the data processing activities alongside their potential risk before those activities take place, and deploy suitable privacy and data protection tools to address that risk. The defining feature of the Council’s thinking about risk is that different activities – even when they involve the same data – will often have different repercussions and hence deserve a different treatment.
The introduction of the risk-based approach is also likely to be relevant in respect of two potentially very onerous obligations. One is the requirement to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. The other is the requirement to consult the supervisory authority prior to the processing of personal data where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures to be taken by the controller to mitigate the risk.
The bottom line is that taking into account the political situation in Europe today, where Member States’ governments prefer an element of legal uncertainty over complete harmonisation, it is possible to see what may happen. In all likelihood, the Regulation will include some risk-based provisions, which will have the effect of raising or lowering the level of accountability of organisations handling personal data depending on the perceived risks of those activities for the individual.
If that is the case, we will see in due course how onerous the regime currently being crafted is. However, if the concerns raised by policy makers and regulators about developments like cloud computing, Big Data, data analytics and the Internet of Things are anything to go by, a very large amount of data activities will qualify for the full range of accountability obligations – from the application of ‘data protection by design’ and the deployment of data protection impact assessments to the requirement for close interaction between organisations and the EU data protection authorities. Preparation starts now.
This article was first published in Data Protection Law & Policy in October 2014.