New Draft of Data Protection Regulation Released

Shortly before Christmas a new draft version of the Data Protection Regulation was released by the Council of Ministers. The text is still being debated, but it clearly shows the direction the ministers are heading in, so it is worth some analysis.

Once it is approved, this will become the third version of the text, following on from the original proposal produced by the Commission in 2012 and the version approved by the Parliament in 2014.

Once the Council version is finished, there will then be a final trilateral negotiation to reach the final piece of legislation. Comparing this latest Council draft with the version produced by the Parliament in particular gives some indication of how difficult that negotiation might be, and therefore how long it will take.

Key Issues:

Definition of Consent. The Council text weakens consent by removing the requirement that it must be ‘explicit’, preferring the term ‘unambiguous’, a significant departure from both the Commission and Parliament. Although all three texts support the interpretation in Recital 25 that consent should be indicated by ‘affirmative action’, the Parliament further strengthened this by adding that ‘mere use of a service’ should not constitute consent.

This issue is particularly relevant to web services, which often seek to rely on continued browsing of a site as an indicator of consent to privacy practices. The traditional alternative is to put a mechanism in place that requires users to signify consent, such as tick boxes. However, this can put some people off using a service by creating a barrier to entry, or lead to ‘consent fatigue’, where users blindly agree to terms and conditions they haven’t read.

We have seen this battle played out before, most recently with the consent requirements in the cookie law. I think it is safe to say that this is going to continue to be a key battleground right down to the wire.

Information Requirements. Allied to consent is the need to provide information so that data subjects can understand what it is they are consenting to. Here the Council text is far less prescriptive than the Parliament one, which sought to create a highly standardised format for information notices, with clear and consistent language and iconography. The aim was to find a model that would make privacy notices easier to understand, which many have argued is a highly laudable goal. However, the format of the notice, and especially the design of the icons, was not well received, in the design community in particular.

Data Protection Impact Assessments and Data Protection Officers. The Council has embraced the ‘risk based approach’ to data protection, and this is nowhere more clear than in the modifications to the requirements for carrying out Data Protection Impact Assessments (DPIAs) and employing DPOs. The Parliament version of the text is prescriptive in its requirements, with DPIAs and DPOs being required in most circumstances, with exceptions for small businesses and small-scale data usage. By contrast, the Council makes DPOs voluntary for most organisations and requires DPIAs only for ‘high risk’ data processing activities.

Whilst this may lift administrative burdens in many circumstances, it also leaves much greater room for interpretation, especially around what constitutes ‘high risk’. That potentially results in greater uncertainty and widely differing practices, which in turn could lead to weaker consumer protections.

Harmonisation. One of the original stated goals of the Regulation was to harmonise both rules and practices across the EU, creating a level competitive playing field and contributing to the Digital Single Market initiative. This idea is particularly attractive to multi-national operators, but it is one of the hardest to deliver, because it reduces the authority of individual countries exercised through their national regulators.

That makes it a highly politicised issue. True harmonisation might weaken rules in one country whilst strengthening them in others, and this has resulted in objections to the same wording but for very different reasons, Germany and the UK being prominent examples. The Council text has a number of provisions in it which appear designed to increase the autonomy of individual national regulators in comparison with the Parliament and Commission texts, leading to a weakening of the ‘one stop shop’ principle.

Also of significant interest in this draft is the sheer number of notes indicating the continued concerns of individual member states. This tells us that agreement on this document may still be a long way from being reached.

January 2015 saw the start of the six-month Latvian presidency of the Council of the EU, and whilst the Latvians have made getting a final position from the Council their top priority, the continuing differences have already led prominent MEP Jan Albrecht, who led the Parliament’s work on the legislation, to predict that we won’t see finalisation of the Regulation much before the end of this year.

DPR Negotiations to Finish in 6 Months?

The new European Commission started to take shape this week with the release of information on key appointment nominations, including their roles and priorities.

As promised during President Jean-Claude Juncker’s campaign, completion of the Data Protection Regulation comes across as a high priority, with a clear target to get all negotiations on the legislation finished within the first six months of office.

What is perhaps surprising to many is that the organisation of the Commission has been quite radically changed, with the result that several Commissioners will have responsibilities related to data protection issues.

Much of the detail is revealed in Mission Letters in which Mr Juncker sets out the priorities, responsibilities and expectations he has of each member of his team. And team is the operative word here: there is much emphasis on breaking down silos and joined-up working. One consequence of this was that, as the letters were released, there was much discussion on Twitter about who exactly was responsible for what.

The Key Players in Data Protection

Having read through the relevant Mission Letters, this is what seems to be emerging:

Frans Timmermans (Netherlands) is to become First Vice-President, in charge of, among other things, ‘Better Regulation’. Timmermans effectively becomes Juncker’s deputy. His role is to make sure legislation supports jobs and growth, and to support the Parliament and Council in ‘removing unnecessary red tape’, which the DPR has been widely accused of introducing. However, Timmermans is also responsible for making sure the Commission’s work complies with the Charter of Fundamental Rights, which includes the right to the protection of personal data.

Andrus Ansip (Estonia) is Vice-President in charge of the Digital Single Market. As a Vice-President, Ansip is effectively the project team leader for the DPR. His overall role is to bring ‘together the different regulatory powers of the Commission to complete the Digital Single Market’, which encompasses telecoms, copyright and e-commerce. His Mission Letter also states: ‘You should oversee, during the first six months of the mandate, the conclusion of negotiations on the reform of Europe’s data protection rules as well as the review of the Safe Harbour arrangement with the US’.

Vera Jourova (Czech Republic) is appointed Commissioner for Justice, Consumers and Gender Equality. Justice is of course where the DPR started life under Viviane Reding (now an MEP for Luxembourg). Jourova will be ‘part of the project team’ led by Ansip, with a role of ‘contributing…to the realisation of a connected digital single market by ensuring the swift adoption of the EU data protection reform’.

Additionally, Jourova’s role will include ‘Concluding negotiations on a comprehensive EU-U.S. data protection agreement which provides justiciable rights for all EU citizens, regardless of where they reside, as well as reviewing the Safe Harbour arrangement’.

Gunther Oettinger (Germany) is Commissioner for Digital Economy and Society, and part of the Digital Single Market project team. His role is focussed on improving and supporting the competitiveness of the EU in digital matters. His Mission Letter highlights a ‘supporting’ role in the DPR negotiations. However, following the conclusion of those negotiations he is tasked with a ‘reform of the e-Privacy Directive’.

This last point is quite telling. The e-Privacy Directive is of course better known as the Cookie Directive. Many people have commented on the uncertain relationship between the DPR and the cookie rules, and this seems to be the first acknowledgement that this is something that will need to be resolved in the future.

At the moment these positions are nominations for posts. The Council of Ministers and the Parliament have to agree before they are confirmed, although this is expected to be a formality.

Update 13 October

Following interviews conducted by MEPs last week, the Commissioners have now all been confirmed in their posts.

EU Data Protection Reform

The EU Data Protection Regulation is a proposed reform to Directive 95/46/EC. Originally passed in 1995, Directive 95/46/EC, or the EU Data Protection Directive, is a European Union law focused “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”

In a nutshell, the Directive restricts how the personal data of anyone in the European Union may be collected and shared, with the consent of the person the data is about being the most commonly relied-upon justification. It should be mentioned, though, that this legislation was passed before the Internet came into widespread commercial use, so it is a poor fit for regulating the sharing of personal data online. Being a directive rather than a regulation, it was also transposed differently in each member state, so companies must follow a different set of national data protection rules in each state where they do business, which is currently both a tedious and an expensive process. For this and many other reasons, on 25 January 2012 the European Commission announced its proposal to reform Directive 95/46/EC.

The original legislation, Directive 95/46/EC, was adopted on 24 October 1995. It is itself a continuation of the Council of Europe’s Convention 108, which focused on protecting individuals in relation to the “automatic processing of personal data” and was opened for signature on 28 January 1981. The proposal to reform the Data Protection Directive was submitted on 25 January 2012. At the time of writing, the data protection reform was expected to be adopted by 2014 and to come into effect sometime in 2016.

The EU Data Protection Regulation’s main purpose is to update Directive 95/46/EC to cover the massive changes in technology and the increase in globalisation that have happened since 1995. Because of these changes, some EU countries have added their own personal data sharing rules to national law. The new EU data protection reform will make the rules consistent across the Union, and will also apply to companies outside the Union that do business with people within it. Those who breach the rules may incur hefty fines: the Commission proposal allows fines of up to 1 000 000 EUR or, for an enterprise, up to 2% of its annual worldwide turnover.

The reform package also includes a proposed directive to replace the complementary Framework Decision 2008/977/JHA, which regulates the protection and sharing of personal data between authorities in police and criminal justice matters. In other words, the Regulation would not interfere with the state’s ability to process personal data where this is reasonably justified and in the interest of the public as a whole, such as to stop a terrorist attack.

However, the major concern of the EU is the security and safety of individuals when using online commerce. The policy aims to make data sharing simpler, more transparent, optional and safer, so that more consumers feel safe in the digital market. This is why the proposal for the Data Protection Reform states: “Building trust in the online environment is key to economic development. Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe, and more generally in the Europe 2020 Strategy.”

Some people, though, including certain US-based companies, feel that these regulations go too far. Two major issues are the requirement that data breaches be reported to the supervisory authority within 24 hours, and “the right to be forgotten”. The former is an issue because many companies do not like to divulge that their security has failed, seeing it as damaging to their brand. The latter, together with the related right to data portability, is problematic for many companies because it means that consumers will have access to their “profile”, will be able to have it deleted or moved to a competitor at any time, and will be able to opt out of that sort of data collection altogether, which those companies see as a potential threat to direct marketing on the Internet.