1. European Parliament "rapports" on proposed Data Protection Reforms
European Parliament Rapporteur Jan Philipp Albrecht has published his report on the proposed Data Protection Regulations, suggesting some onerous amendments to the draft Regulations.
The role of a rapporteur is to present a report which has been adopted by one of the European Parliament’s committees. These reports contain proposals for resolutions or legislative amendments to be voted on by the entire Parliament. Rapporteurs are elected by fellow MEPs when one of Parliament's committees is assigned to draft a report on a legislative proposal or other document or subject. The rapporteur's key task is to analyse the project, consult with specialists in the particular field and with those who could be affected, discuss with other members within the committee and recommend the political “line” to be followed. The Rapporteur's report is not binding on the European Parliament but it will often carry significant weight during the negotiation phase of proposed legislation. For the purposes of the proposed Data Protection reform, the Rapporteur for the European Parliament, Jan Philipp Albrecht, was elected to review the European Commission's proposals and has now published his report.
In January 2012, the European Commission published its long-awaited proposals on reform of the Data Protection Directive. In the Rapporteur's report, Mr Albrecht broadly supports the reforms proposed by the European Commission. However, European businesses may be disappointed to note that, in a number of instances, the Rapporteur suggests even more onerous obligations than those originally proposed by the European Commission.
Some of the key amendments proposed by the Rapporteur include:
- Strengthening individuals' rights – The Rapporteur believes that consent should remain a cornerstone of the EU approach to data protection since it is the best way for individuals to control data processing activities. The Rapporteur therefore proposes amended wording to the Regulation to make it clear that the use of default options that a data subject is required to modify in order to object to processing, such as pre-ticked boxes, does not express free consent. In addition, the Rapporteur believes that legal grounds for processing other than consent, in particular the "legitimate interests" grounds, should be clearly defined and limited in use to exceptional circumstances. The Rapporteur therefore proposes amendments to the Regulation listing circumstances in which there is a presumption that the interests or fundamental rights and freedoms of the data subject outweigh those of the data controller, e.g. where processing carries a serious risk of damage to the data subject. If a data controller wants to rely on this justification, the Rapporteur suggests that it must also publish reasons for believing that its legitimate interests override the interests of the data subject. This proposed amendment could have a significant effect on data controllers in the UK, where the legitimate interests justification is one of the most often relied upon conditions to legitimise processing.
- Ensuring better enforcement of data protection rules – A suggestion which will be more welcome to data controllers is the proposal to extend the period within which data controllers must notify a personal data breach to the supervisory authority, from 24 to 72 hours. Further, to prevent "notification fatigue" by data subjects, the Rapporteur proposes that the data subject should only be notified where he/she is likely to be adversely affected by the data breach, e.g. in cases of identity theft or fraud, physical harm or significant humiliation. The notification to be given should comprise a description of the nature of the personal data breach, and information regarding the data subject's rights, including possibilities regarding redress.
- Strengthening the global dimension – The Rapporteur rejects the European Commission's proposal to recognise sectors in third countries as providing adequate protection on the grounds that it would increase legal uncertainty and undermine the EU's goal of a harmonised and coherent international data protection framework. Instead the Rapporteur proposes strengthening the criteria for assessing the “adequacy” of a third country and requiring the European Data Protection Board to provide an opinion on the adequacy of the level of protection in any particular third country, prior to any Commission decision in relation to such country.
Going forward, some reports have recently indicated that both the European Parliament and the European Council are aiming for a first reading agreement. As a result, both institutions are likely to use the Rapporteur's report as a basis for informal negotiations with a view to producing a compromise version of the proposed Regulation that would then be adopted by both institutions. The current timetable is to adopt the new Regulation by the end of June 2013 (the end of the Irish Presidency of the EU) although it is accepted that this may slip. All parties have announced that they would like to see the Regulation adopted before the European Parliament elections and the next rotation of the European Commission in 2014. If they manage to keep to the later 2014 date, it is likely that the Regulation would become directly applicable in the Member States some time in 2016.
A copy of the Rapporteur's report and proposed amendments is available here.
2. Setting a new agenda: The European Commission updates the Digital Agenda
The European Commission has adopted seven new priorities for the digital economy and society, following a comprehensive policy review. These priorities place new emphasis on the most transformative elements of the original 2010 Digital Agenda for Europe.
The Digital Agenda is the EU's strategy to help digital technologies, including the Internet, to deliver sustainable economic growth. Launched in May 2010, the original Digital Agenda contained 101 actions, grouped around seven priority areas. These 101 actions remain valid. However, the new priorities complement these, and build on what has been achieved so far.
The new priorities highlight the European Commission's focus on superfast broadband, and freedom of information and digital services. The new priorities include:
- Create a new and stable broadband regulatory environment. More private investment is needed in high speed fixed and mobile broadband networks. The Commission's top digital priority for 2013 is therefore finalising a new and stable broadband regulatory environment. A package of ten actions in 2013 will include Recommendations on stronger non-discriminatory network access and a new costing methodology for wholesale access to broadband networks, net neutrality, universal service and mechanisms for reducing the civil engineering costs of broadband roll-out.
- Propose EU cyber-security strategy and Directive. The Commission believes that the EU should offer the world's safest online environments, valuing user freedom and privacy. The Commission will deliver a strategy and proposed Directive to establish a common minimum level of preparedness at national level, including an online platform to prevent and counter cross-border cyber incidents, and incident reporting requirements.
- Update EU's Copyright Framework. The Commission will complete its on-going effort to review and modernise the EU copyright legislative framework, with a view to a decision in 2014 on whether to table resulting legislative reform proposals.
- Accelerate cloud computing through public sector buying power. The Commission will launch pilot actions in the European Cloud Partnership.
For further information regarding the Digital Agenda for Europe, please click here.
3. Making the (white) list: New Zealand approved for data protection transfers
The European Commission has added New Zealand to its list of countries pre-approved as providing adequate protection for personal data being transferred outside of the EEA.
The effect of the Commission's decision is that personal data can now be transferred from the 27 EU Member States and three EEA member countries (Norway, Liechtenstein and Iceland) to New Zealand without any further regulatory safeguard being necessary.
The European Data Protection Directive restricts the transfer of personal data to a jurisdiction located outside of the EEA unless the recipient country ensures an adequate level of protection for such personal data. The Council and the European Parliament have given the European Commission the power to determine whether a third country ensures an adequate level of protection through its domestic law or through the international commitments it has entered into.
To date, the European Commission has recognised Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, Uruguay and the US Safe Harbor Scheme as providing adequate protection. Australia has not been found to provide an adequate level of protection, although an agreement between the EU and Australia for the processing and transfer of European Union-sourced passenger name record data by air carriers to the Australian Customs Service has been approved as providing adequate protection in relation specifically to such data. However, the European Commission has now formally recognised the adequacy of personal data protection in New Zealand, recognising that New Zealand’s data protection standards are compatible with those of the EU and that they ensure adequate protection of EU citizens' personal data. New Zealand is the first country in the Asia-Pacific region to achieve such recognition.
A copy of the European Commission's press release is available here.
4. Access all areas: European Commission publishes Website Accessibility Directive
The European Commission has published a proposed Directive on the accessibility of public sector bodies' websites, introducing mandatory EU standardised accessibility features.
The public sector bodies affected would include those that allow the public to apply for passports or driving licences, conduct income tax calculations, enrol with universities and submit benefits claims. However, the proposal would leave Member States free to go beyond what the Directive prescribes and require additional public sector bodies offering other services via their websites to adhere to the rules.
Web-accessibility refers to principles and techniques to be observed when constructing websites, in order to render the content of those websites accessible to all users, in particular, those with disabilities.
In accordance with the proposed new Directive, Member States must take necessary measures to ensure that the content of the websites of public bodies providing certain services is made accessible in a consistent and adequate way for users' perception, operation and understanding. The Directive requires compliance with harmonised accessibility standards. A European standard that includes web accessibility based on internationally recognised and technology-neutral guidelines is already under development within the “European Commission Mandate 376” and could be available as early as 2014. A harmonised standard for the purposes of conformity with the Directive will then be developed. Websites falling within the scope of the Directive must comply with the harmonised standard once developed and published in the Official Journal. Failing development of such a standard, websites must conform to the European standard or, failing that, to the parts of ISO/IEC 40500:2012 covering the Success Criteria and Conformance Requirements for Level AA conformance.
Although 21 Member States already have national laws or measures on web accessibility, for example the Equality Act 2010 in the UK, Member States would have to put national rules and regulations in place by 30 June 2014 to implement the proposed Directive.
A copy of the proposed Directive is available here.
5. Mis-Communication? UK Parliamentary Committee criticises proposed Communications Data Bill
The Joint Parliamentary Committee tasked with considering the UK Government's proposed new Communications Data Bill has published its report, in which it criticises the proposals.
In June 2012, the Home Office published a new Communications Data Bill to enable authorities to monitor internet communications "to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses". A Joint Parliamentary Committee was tasked with reviewing the proposals and publishing its report by the end of 2012.
The Committee's report has now been published, and is critical of the proposals. In its report, the Joint Committee accepts that there is a case for legislation to provide law enforcement agencies with some further access to communications data, but believes that the draft Bill pays insufficient attention to the duty to respect the right to privacy, and goes much further than it needs to or should for the purpose of providing necessary and justifiable official access to communications data.
In particular, the Committee believes that Clause 1 of the proposed Bill should be narrowed so that the Secretary of State's powers to issue orders are limited to those categories of data for which a case can now be made. The Committee also recommends amending the definition of "communications data", which it acknowledges does not satisfy current needs because the definition was developed at a time when telephony records were considered to be of more immediate interest to investigators than a person's usage of the Internet.
Since publication of the report, the Prime Minister's spokesperson has said that the Prime Minister remains committed to giving police and security services new powers to monitor internet activity. It remains to be seen if and how the Bill now progresses through the legislative process.
A copy of the Joint Parliamentary Committee's report is available here.