ORIGINAL PUBLISHED TODAY ON EU LAW ANALYSIS
Monday, 9 March 2015
by Steve Peers
So far, 2015 is not like the Back to the Future movies promised it would be like. In particular, there are no hoverboards (drones are a poor substitute). Moreover, instead of agreeing a data protection framework fully fit for 2015, the Council is probably about to agree that the key principles of the law should remain as they were in 1995 – which might as well be 1985 (or even 1955) in terms of technology law.
The negotiations on the EU’s proposed General Data Protection Regulation finally seem to be nearing the final stretch, as far as the Council is concerned. Member States’ ministers in the Council seem likely to agree later this week on two more parts of the proposed Regulation: on basic principles of data protection (text here) and on supervisory authorities, including the idea of a ‘one-stop shop’ for data protection supervision (text here).
Previously they had agreed on three other parts of the Regulation, namely rules on: territorial scope and external relations (see discussion here); public-interest exceptions (see here); and the roles of data controllers and processors (see here; see particularly the discussion of the ‘privacy seals’ rules here). (For full consolidated text of everything the Council has agreed to date, see here). If the proposed texts on principles and data protection authorities are indeed agreed this week, the Council mainly only has to agree on the scope and definitions in the Regulation, along with the rights of data subjects, such as the right to be forgotten (see discussion of the proposed text on that issue here), and related individual remedies.
This blog post (EU LAW ANALYSIS) focusses on the issue of basic data protection principles. The Commission’s proposal suggested some fairly modest changes to these basic rules as compared to the current data protection Directive, although the European Parliament (EP) would like to go further than the Commission (see its position here). However, the Council’s position would entail very modest changes indeed to the status quo. For this aspect of data protection law, if the Council has its way, the EU’s lengthy legislative reform journey would end up much where it originally started.
Currently, the data protection Directive begins with a clause (Article 5) which appears to give the Member States a great deal of discretion in how to apply the Directive. The CJEU effectively sidelined that clause in its ASNEF judgment, emphasising instead the need for uniform interpretation of the Directive. The new Regulation would suppress this clause entirely, but the Council in particular wants to reintroduce a number of specific provisions referring back to national law. So in some respects, the current Directive resembles a Regulation already – but conversely, the future Regulation will continue to resemble a Directive.
The basic principles of data protection as proposed and (nearly) agreed by the EU institutions are similar to the current Directive: fair and lawful processing; purpose limitation; data minimisation; accuracy; and storage minimisation. The changes would concern: the addition of ‘transparency’; some express protection for archiving or other scientific purposes; and the insertion of data security (by both the EP and the Council). The EP also suggests that the effective protection of rights should be listed as one of the principles. This is a useful suggestion, since although it might seem at first sight that such effective protection is a procedural, not a substantive rule, in the field of data protection it is necessary to ensure that procedural rights are built into the system (the so-called ‘privacy by design’). An example would be a social network that makes it easy to complain that the user’s privacy has been violated.
Next, the proposal sets out the grounds for processing personal data, again based on the current Directive: consent; contract; compliance with a legal obligation; vital interests of the data subject; public interest or official authority; or legitimate interest of the controller or a third party, subject to an override for the privacy of the data subject. The latter rule is particularly important for the private sector, in the absence of consent or a contract, and the case law points in different directions. In ASNEF, the CJEU ruled that Member States restricted direct marketing companies too much in the interests of consumers, but in Google Spain (discussed here) it ruled that the privacy interests of those named in search results overrode Google’s financial interests as regards its search engine.
The rules would be amended to: refer to consent for specific purposes; extend to the vital interests of another person (according to the Council); and consider the interests of children as regards the ‘legitimate interests’ clause. (The Commission proposal, agreed by the EP, defines a child as anyone under 18; the Council has not agreed this definition yet). Also, the Commission would like to remove the possibility that the legitimate interests of third parties are a ground for processing, but the EP and Council both want to keep this. However, the EP wants to add an important new proviso that such private interests are linked to the ‘reasonable expectations’ of the data subject. The Council also wants to retain the current rule that consent must be ‘unambiguous’, while the EP and Commission want to delete this adjective.
Furthermore, the institutions differ greatly on what happens if the purpose of data processing is changed. The Commission proposes that changing the purpose should be acceptable on any of the grounds for the initial processing of the data, except for the legitimate interests of the controller. The Council wants to allow a change of purpose for any of the grounds for the initial processing, including the legitimate interests of the controller; while the EP does not want to provide expressly for any incompatible processing at all. The Council’s position in particular would turn the purpose limitation principle into the very smallest of fig leaves.
One of the most significant changes in the new rules would be a definition of consent (the CJEU has not yet been asked to clarify this concept under the current Directive). All the institutions agree that the data controller would have to prove consent. The Council’s version would add some very useful rules requiring the data controller to use plain language, while the EP would specify that the relevant contractual terms would be void. The institutions also agree that there should be an express power for the data subject to withdraw consent, although it’s arguable that such a power already exists implicitly under the current rules. Finally, the Commission wants a new clause that would reject the possibility of consent if there is a ‘significant imbalance’ between the data subject and the data controller, and the EP wants to disapply contract terms which are unnecessary for supplying a service. However, the Council rejects entirely the idea that the Regulation should protect Davids from Goliaths.
The other significant change would be a specific rule on children. The Commission proposes that information society services must get the consent of the parents of children under 13. This broadly reflects social networks’ practice of either requiring consent or not permitting younger children to join their network (as we know, this is not fully effective in practice). But the Council version, if agreed, will refer instead to national laws on contract, removing the reference to a particular age. For its part, the EP would broaden the scope of the clause to refer to all supply of goods and services, and would also add a very useful ‘plain language’ clause. Unfortunately, none of the EU institutions propose an amendment which would enormously improve the lives of parents across Europe: an EU-wide hour-long daily limit on children playing Minecraft.
Next, the proposed Regulation keeps largely intact the supposed prohibition on processing so-called sensitive personal data, namely data on racial origin, political opinions, religious beliefs, trade union membership and health or sex life. All institutions agree to add ‘genetic data’ to this list. The EP and Commission also want to add criminal convictions, but the Council wants to retain the current separate rule on this type of data. Furthermore, the EP wants to add sexual orientation, gender identity and biometric data to the list.
The ‘prohibition’ on processing such data is a legal fiction, since both the current rules and the proposed Regulation allow it to be processed on a number of grounds. In fact, the Council will likely agree to extend those grounds, to include social security and social protection, judicial activities, public health and archiving. The Council also wants to retain the current rule that consent by the data subject must be ‘explicit’, while the EP wants to add the possibility of processing based on a contract.
Finally, both the EP and the Council want to strengthen the current rule providing that the data controller is not obliged to obtain further data on the excuse that it has to identify the data subject in order to apply data protection law.
In summary, the Council’s likely version of the future Regulation would only differ from the current Regulation as regards: new principles of transparency and security; a new definition of consent; a largely cosmetic clause on children’s consent (since it refers back to national law); and a small extension of the list of sensitive data, coupled with a bigger list of exceptions to the prohibition on processing that data.
For its part, the EP would: add a new principle of effective exercise of rights; adjust the balance of interests between the data subject and data controller; limit incompatible further processing; curtail questionable contract terms; strengthen children’s rights; and widen the scope of the concept of sensitive data.
Despite all the fuss made over the proposed new legislation, the Council’s changes would amount to a very marginal change in the rules. (To be fair, though, there would be bigger changes in some other areas of data protection law, such as the new ‘one-stop-shop’ rules). In particular, there are manifold protections for research-related activities in the Council version of the text: the end is clearly not as nigh for research as many advocates of it have been predicting. The key differences between the EP and the Council concern the balance between corporate interests and individual privacy rights, where it seems that companies have successfully lobbied the Council to make no significant changes, while privacy NGOs have convinced the EP to argue for modest improvements in individual rights. The forthcoming negotiations between the EP and the Council on the final version of the Regulation will determine whether the new rules will genuinely be different, or will merely amount to old cookies in new jars.