What does future legislation in the field of privacy and data protection look like? An idea can be garnered by looking at the common ground between privacy advocates such as Privacy International (PI), academic groupings such as Cyberspace Law & Policy Centre at the Faculty of Law of the University of New South Wales (CLPC), and Regulators such as the Information Commissioner (ICO) and the European Data Protection Supervisor (EDPS).
All these groupings want a definition of personal data that reflects modern Internet reality, a more powerful privacy regulator, a reappraisal of the processing of personal data in the domestic circumstances, and a clear definition of when personal data are lawful processed.
In summary, there is an emerging consensus which can be seen by comparing the responses made to the European Commission in connection with its intention to reform of the Data Protection Directive. Any significant area of overlap in these submissions indicates agreement on its likely content. (All the mentioned submissions can be downloaded in full – see references at bottom of this blog).
All respondents want any revised Directive to include definitions that capture behavioural advertising and the monitoring of Internet use. For example , the ICO states that “It is clear that information such as IP logs held by search engines are being used to identify individuals and to take action affecting them, in contexts ranging from behavioural advertising to digital rights management or national security. It is clear that data protection safeguards ought to apply to this sort of information”.
The EDPS achieves the same objectives by requiring all definitions to be “uniformly interpreted in all Member States, with no margin of implementation” coupled with the inclusion of further binding definitions of “anonymous data, pseudonymous data, judicial data, data transfer and data protection officer”. This tweaking of the definitions is subtle (e.g. an explicit definition of “anonymous data” implies that any data that is not “anonymous” could be treated as “personal data”). In this way those Internet activities that have cause controversy are unambiguously brought into the data protection framework.
The CLPC with the support of PI want personal data to be defined to include “information which allows individuals to be ‘targeted’ for customised action, whether involving direct contact or not, and even where the individuals cannot be actually identified”. CLPC has in mind “the increasingly common use of ‘analytics’ which can select individuals for attention; e.g. for customised direct marketing, presentation of webpage content etc, even though the data controller may not know, or even be able to find out, the actual identity of the target”. It argues that the “effect of this sort of intrusion on individuals’ privacy, based on analysis of their behaviour, is just as much a matter of privacy concern as if the controller actually knows their identity”.
In summary, it is not a question of whether a revised Data Protection Directive will apply to the use of IP addresses and URLs etc, the question is how will it apply?
Both Privacy International and the Information Commissioner regret the lack of consideration by the Commission of whether or not the processing of personal data in the domestic circumstance needs revision.
PI state that “There is little mention of the challenge of dealing with the issue of individuals as data controllers” for instance in relation to “user generated content, bloggers, video makers that release a constant wave of personal data which is often public by default”. This is a phenomenon that “did not exist at the time of the formulation of the current Directive, and needs to be addressed in any future review, since an individual using a platform service cannot be treated in law in the same way as large service provider weather public or private”.
This finds support in the ICO submission which remarks that he “is disappointed” that “there was no discussion on clarifying the rules surrounding the use of data for domestic purposes, of particular importance in an online world” or the need “to balance a high standard of data protection against a strong upholding of the right to freedom of expression. In an age of online blogging, where should the line be drawn in any future law?”.
PI with the support of CLPC also seek an obligation so that default settings on the platforms that provide processing services to individuals (blogging sites, social networks, etc) are those that maximise individual privacy. This is supported by the EDPS who wants a "privacy by default" setting for the processing of such personal data.
Commentary on processing personal data in the domestic context
I share the concern over this lack of consideration as this issue is very important for two reasons.
First, many households are installing security CCTV systems which are sometimes used to monitor neighbours. In the UK these cameras are not regulated by Data Protection legislation because a wide exemption applies for the processing of personal data in a purely personal and domestic setting (within which these CCTV cameras are supposed to operate).
Yet complaints about the invasion of privacy by such cameras is growing in circumstances where there is little or no justification (e.g. there is no antisocial behaviour on the part of neighbours that could justify the need for cameras to record evidence of such behaviour). The question then arises is whether a data protection regime should apply to these domestic CCTV installations, and if it does apply, how would it then apply to those who take camcorders to record their young child’s performance in a school play or orchestra?
Secondly, there is the issue with respect to the use of the Internet to convey personal details. For instance, should a blogger who publishes personal data about others (e.g. friends) in a blog be subject to data protection rules? Does the same problem arise if an upload to YouTube shows images of others? And what about telling Facebook friends details of someone else if “Facebook friends” are not really friends at all (e.g. merely acquaintances)?
These questions are very important given that the European Court has already ruled (7 years ago) that the display of personal data on a web-site about fellow church-going members was a processing operation that was fully subject to a data protection regime (see Lindqvist - references).
In this case, the Court concluded that the act of publishing on a web-site meant that the processing was no longer limited to “personal affairs”; such processing therefore could not qualify for the “personal affairs” exemption. The consequence is that a data protection regime can fully apply to ordinary blogging etc. This ruling applies to all Member States who have implemented the current Data Protection Directive, although I am fairly confident that most domestic users of the Internet are unaware of these legal niceties and most Member States have refrained from stressing the ruling.
Is Lindqvist (or should it be) the correct view? If the Directive is not revised in this area, this judgement will remain. My own view is that the absence of the “domestic question” discussion in the European Commission’s consultation implies that the Commission thinks that Lindqvist is valid.
Lawful processing of personal data
PI state that “The protection of individual’s rights requires more than just considering definitions” and argues that “each Privacy Commissioner should explicitly be extended to the processing of personal data in circumstances where the processing at issue is alleged to cause a breach of Article 8 of the ECHR”.
CLPC add sentiments on the same line: “For example, it should have be possible for Commissioners to assess whether or not some processing is lawful (i.e. proportionate) in terms of Article 8 in cases such as international data sharing or with the retention of personal data” whereas the EDPS states that “The new legal instrument should be as precise as possible with regard to the core elements determining the lawfulness of data processing”.
So why the fuss about a simple question: “what is lawful processing”?
Commentary on lawful processing
It is important to understand why establishing the “core elements” of lawful processing of personal data is such an important issue. For example, suppose legislation states that “50 items of personal data are to be used for purpose X”. Such legislative rules make it difficult for any Commissioner to enforce a proposition that states that these 50 items of personal data are not relevant to purpose X, because the 50 items are deemed to be relevant because the law states they are needed in connection with purpose X.
The only way to avoid this legal equivalent of a short-circuit loop, is to ask whether the law itself is properly formed. For instance is the law “necessary” for the functioning of a democratic state and is the processing “proportionate” in the context of the processing objectives. Note that the focus of this inquiry has shifted from “the relevance of the personal data to purpose X” to “the nature of the law that requires those personal data to be processed”. This shift in focus is best achieved by using the legislative framework that regularly assesses questions such as “proportionality” and “necessity”: Article 8 of the Human Rights Convention.
The EDPS has often criticised data sharing agreements with the USA on the grounds of the sharing was not proportionate. Any linkage with Article 8 would give Privacy Commissioners the power to test this proposition in the Courts.
I think most Governments will resist this linkage as they would see it as an independent, unelected official interfering in the way in which Ministers decide policies and then get Parliaments to enact laws. Most neutrals see it is a way of ensuring that Ministers do not usurp their powers to make bad law and see this link as protecting the individual from the overbearing state. And we all know that in New Labour’s Surveillance Britain, there has been a lot of overbearing.
The resolution of the lawfulness issue is a litmus test on whether a new Directive enhances privacy protection for the individual. If there is no change, then the answer is a resounding “NO”.
PI have asked the Commission to state that the right of access, correction and deletion of personal data should be delivered free of charge where possible. The argument is simple: if “Privacy by Design” is being promoted, these data subject rights should be designed into the system – and if they are designed into the data controller’s processing environment, they can be designed at minimal cost to the data subject.
PI, CLPC and EDPS all agree that there should be a general introduction of a provision to notify the data subject when personal data are lost. There appears to be almost a complete consensus around this issue – and expect it to feature in a revised Directive.
PI also want the “EU-US Safe Harbor Framework be included in this review, as several studies have documented massive compliance failures and lackluster enforcement”.
Final comment on process
I should mention that the EDPS states that the changes in privacy law should not be introduced by a new Directive. Instead he argues that a Regulation would be “a single instrument which is directly applicable in the Member States” as this “is the most effective means to protect the fundamental right to data protection and to create a real internal market where personal data can move freely and where the level of protection is equal independently of the country or the sector where the data are processed”.
Although the idea of a Regulation is well intentioned and seductively achieves all the above objectives, politically I think it is a non-runner. The idea that most of Europe’s democracies should enact processing rules in sensitive policing-type areas, at the behest of Brussels and a cohort of Ministers, with a minimal involvement of the European Parliament, hardly any from any national Parliament, or the involvement of a nation’s data controller or data subject communities is simply misplaced.
In my view, any such Regulation which applies to every citizen and business in Europe would not possess any democratic legitimacy in any Member State. It’s a recipe for disaster.
Lindqvist ECJ, Case C-101/01, 6 November 2003: http://curia.europa.eu/jurisp/cgi-bin/gettext.pl?lang=en&num=79968893C19010101&doc=T&ouvert=T&seance=ARRET
Follow the link to load the EDPS submission to the Commission (Download EDPS response); to load the PI submission to the Commission (Download PI response); to load the CLPC submission to the Commission (Download CLPC response); to load Amberhawk’s own submission to the Commission (Download Amberhawk response), and to load the ICO submission to the Commission (Download ICO response)
Adverts re Data Protection courses
Our Spring UPDATE session is on 11th April in London: details of speakers and content on our web-site (and at £195+VAT for the day it is a real snip). We are also running a Privacy Impact Assessment Course, a RIPA course and a Data Protection Audit on consecutive dates (London, 21st to 23rd March).
We are starting a 5-day intensive data protection course in Edinburgh (beginning 24th February) and in Leeds (beginning 3rd March). These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Details from the Amberhawk website (www.amberhawk.com)