The Data Protection Regulation intended to replace Directive 95/46/EC has broken the very explicit link to Article 8 of the European Convention of Human Rights. It has also replaced the “right to privacy” with “the right to the protection of personal data” (which I will shorten to the "right to data protection").
Article 1 of Directive 95/46/EC, which is to be replaced, defines its purpose in these words: “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data” (my emphasis).
Recital 10 then amplifies what is meant by the “right to privacy”. It states that “... the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms”. Recital 11 then adds that “the right to privacy” in the Directive is intended to “give substance to and amplify those (provisions) contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data”.
Compare this position with the Regulation, which does not use the word “privacy” (except in the context of “privacy by design” or “data loss”). In the Regulation, there is no mention of the “right to privacy”, no mention of Article 8 of the Human Rights Convention, nor the Council of Europe Convention No 108 (which drove most European States to have data protection legislation in the first place).
Is this decoupling deliberate? The answer has to be “yes”. Why is there decoupling? So far, no reason has been given.
The “right to data protection” is found in Article 8 of the Charter of Fundamental Rights of the European Union (and Article 16(1) of “The Treaty on the Functioning of the European Union”). The three parts to Article 8 state:
1. “Everyone has the right to the protection of personal data concerning him or her”.
2. “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified”.
3. “Compliance with these rules shall be subject to control by an independent authority”.
This reference replaces, I assume, the Human Rights Article 8 emphasis of the Directive which relates to a “Right to respect for private and family life”. This Article states that:
“1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
So what is worrying about “a right to data protection”?
Well, I think the term doesn’t mean anything and if one “Googles” the term, it is clear nobody on the planet has published a view. Whereas there is a detailed literature, legal precedent and 100-year history of debate surrounding the term “privacy”, there has been none surrounding “a right to data protection”. Yes, I know there are several different expressions of what “privacy” means in practice, and these have been compared, criticised and compared and still people argue. However, such involvement and debate is a far cry from a Regulation that relies on a right which has not even been defined or subject to any debate.
Without such debate, there is a great risk that the “right to data protection” will mean different things to different people. For example, individuals might see it as equivalent to “data privacy” (which clearly it is not, in my opinion) whereas data controllers might see it as just an expression that they have to comply with the law (which I suspect it is). If it is the latter, the "right to data protection" is a right that possesses the same characteristics as “a right not to be mugged or murdered”.
In fact, I would say that if the “right to data protection” means as little as “data controller compliance” then it is not a right at all. A general statement that “data controllers have to comply with the data protection regulation” would have the same effect (e.g. as in Section 4(4) of the Data Protection Act 1998). To promote "a data controller compliance concept" as “an individual right” is clearly misconceived.
In short, the “right to data protection” upon which this Regulation is to be based is currently a confused, ill-defined concept. This is not an auspicious beginning.