Three years after the entry into force of the Lisbon Treaty, the long-awaited legislative negotiations on the future European Union legal framework on data protection will now start between the European Parliament and the Council of the European Union. The competent parliamentary committee, LIBE, will now debate two reports dealing respectively with:
– a first report on the draft EU regulation covering the cases where possible the private sector is involved
– a second report on the draft EU Directive covering the cases where public authorities are involved.
On the procedural side, the two reports will be debated in the coming months, and amendments will soon be submitted by all the political groups so that everyone will have the chance to take a position on the main aspects of the proposed EU legislation. A first “orientation” vote will then take place, a majority will emerge inside the parliamentary committee, and this majority position will be the basis for the dialogue with the Council. The latter will also try to build its own majority among the national delegations. If successful, a “general approach” will be endorsed by the Committee of Permanent Representatives (COREPER) and by the Council, and this will be the Council's alternative text to the parliamentary committee's “orientation”. The dialogue between the two institutions will then take place with the aim of reaching a possible compromise.
If a compromise is reached, it will be voted on by the parliamentary committee and then by the plenary. The same will happen on the Council side, and the procedure could then be considered closed (according to the practice of the so-called “first reading agreement”, an interinstitutional practice which has become the rule in legislative negotiations at European Union level).
Will this procedure be successful for the data protection “package”?
It is still possible but not guaranteed, as the issue of data protection is extremely sensitive and impacts on fundamental interests in the public and private sphere. The end of the legislature is not so far away (mid-2014), and there is not much time to close the negotiations if no “first reading” agreement is in view in the coming months.
Pressure exists on both sides. Ireland, which now holds the Council Presidency, is the country where giants like Google and Facebook have their European seat, and it is more interested than others in clarifying the new legal framework to avoid all the possible problems which could arise from a still unclear legal situation.
On the other side, the European Parliament is also strongly committed to reaching an agreement, because data protection has been at the centre of a more than a decade-long “saga” with the other institutions (suffice it to remember the controversial plenary votes on the international agreements with the USA on Safe Harbor, PNR, SWIFT, and the enquiry on the ECHELON system).
However, because of this pressure on both sides, the risk of stalemate cannot be excluded either.
The evolution of the EU constitutional framework
On the content side there are several new elements to be taken into account.
First of all, since the entry into force of the Treaty of Lisbon the constitutional framework for data protection has radically changed.
Before this Treaty, protection of personal data was not an autonomous EU objective but a condition to be fulfilled as a corollary of other public objectives, such as sharing data in the framework of the single market or collecting data to prevent transnational crime and terrorism. The legal bases for legislating in this domain were the articles of the treaties empowering the EU institutions to build the internal market (art. 95 of the European Community Treaty) or to grant a high level of security (art. 29 of the Treaty of the European Union).
It is worth recalling that, notwithstanding its original focus on the internal market, the Community draft legislation (Com (90)0314 – C3-0323/Syn 287; OJ No. C277, 5.1.1990, p3) became the most advanced standard-setting legal text on data protection principles, taking stock of the previous work in international fora such as the Council of Europe (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted on 28 January 1981) and the OECD (OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted on 23 September 1980). The legal framework for data protection by law enforcement authorities was, before Lisbon, much more sparse, confused and vague, because at that time protection of public security at EU level was dealt with at intergovernmental level and there was no real will to harmonize the existing (diverging) national standards.
Only because of the pressure of the European Parliament, and after the signature of the Lisbon Treaty (!), was an intergovernmental Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters published on 30 December 2008. However, the Framework Decision, which is still in force, covers only transnational transfers of data, so it neither establishes a common level of privacy protection nor covers the EU institutions and agencies (Schengen Information System included), which continue even today to take as their reference the Council of Europe Convention of …1981 and a Recommendation of 1987.
The lack of a general legal framework for data protection, together with a lack of political will among the Member States, has probably been the main cause of the interinstitutional conflicts of the last fifteen years as well as of the growing tensions with the USA. As often happens in cases of interinstitutional stalemate, the only progress made came from the jurisprudence of national and European judges.
After the entry into force of the Treaty of Lisbon everything has changed, because data protection has been recognised as a fundamental right as well as a self-standing objective of the European Union.
On the first aspect, art. 8 of the EU Charter is crystal clear:
“(1) Everyone has the right to the protection of personal data concerning him or her.
(2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
(3) Compliance with these rules shall be subject to control by an independent authority.”
In short, protecting personal data is like protecting not only the image of an individual but also his ability to act in a given society without external public and private interference (the so-called right to “self-determination”, which was already shaped in 1983 by the jurisprudence of the German Constitutional Court). According to the “Census” judgment: “A social and legal order in which the citizen can no longer know who knows what when about him and in which situation, is incompatible with the right to informational self-determination. A person who wonders whether unusual behaviour is noted each time and thereafter always kept on record, used or disseminated, will try not to come to attention in this way. A person who assumes, for instance, that participation in a meeting or citizen initiative is officially recorded, and may create risks for him, may well decide not to use the relevant fundamental rights ([as guaranteed in] Articles 8 and 9 of the Constitution). This would not only limit the possibilities for personal development of the individual, but also the common good, because self-determination is an essential prerequisite for a free and democratic society that is based on the capacity and solidarity of its citizens”.
Protecting personal data amounts to protecting not only the liberty of the individual and his dignity but also a more general good of democratic society itself.
However, such beautiful principles would be meaningless if not reflected in binding legislation and in daily life. To reach this objective, art. 16 of the Treaty on the Functioning of the European Union (TFEU) makes clear that personal data should be protected by “Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.”
This will not be an easy task, because EU law now covers all the main aspects of a person’s daily life in a global world where personal data have become the lifeblood of the information society.
Massive data collection, on-line tracking and profiling, not only by private companies but also by public authorities, have become so widespread that many people consider that the protection of personal data itself does not exist any more. It seems that it has been killed:
– by widespread, invasive, relatively low-cost technology
– by individuals’ naïve behaviour on social networks
– by big private companies which are making an incredible amount of money from on-line advertising built on the exploitation of personal data (obtained for free)
– and, last but not least, by public authorities which, in a borderless world, having de facto lost control of their territories, try to prevent crime and terrorism by profiling potentially dangerous people and collecting massive amounts of personal data everywhere.
The post-Lisbon legislative data protection package
Confronted with the challenge of defining the new post-Lisbon data protection framework, the Commission, after thorough comparative studies, decided to maintain a twin-track approach by submitting a Draft Regulation for protecting personal data in the civil domain and a Draft Directive addressed to public authorities when collecting personal data for security purposes. This choice has not been appreciated by the data protection authorities or by the European Parliament, not only because of the risk of inconsistencies but also because of the risk of grey areas for activities which can fall in between.