I have just attended an interesting (and partly depressing) data protection event which considered the implementation of the Data Protection Regulation. The European Commission’s spokesperson (Paul Nemitz) signalled an inflexible approach towards the implementation of the Data Protection Regulation; he stated that he would consider amendments that make the Regulation work better but not those amendments that were based on alternative (and better) ideas.
At the meeting Mr Nemitz pointedly said that in Germany there is a high level of data subject trust and a thriving German economy; high standards of data protection and economic success go hand in hand. He said that the Commission had the balance of interests “more or less correct”, and changes to the text most needed would be those that tinker at the edges.
This means that the list of “no real change” areas for the Commission that appear to be non-negotiable are as follows:
• routine transfers of personal data outside the EEA by larger data controllers have to be approved by a data protection authority or Commission in some way or another;
• adherence to breach notification arrangements that do not consider the harm to data subjects. My fellow blogger Martin Hoskins – who deals with breach notifications as part of his day job - estimates that the ICO will have to employ 150 staff to deal with this element of the Regulation alone (see references)!
• a data protection authority that has no flexibility and little freedom of decision making and are almost reduced to automatons;
• a concentration of power in the hands of the Commission. All data protection power is in the hands of the Commission, there is little role for national parliaments.
I really don’t like the fact that we are expected to trust the Commission with these unfettered powers. This is a Commission that has a track record of ignoring the European Data Protection Supervisor, Working Party 29 Agreements and making political agreements such as the EU-USA PNR deal which have undermined data protection standards (see references). It even has powers to modify the Regulation that will apply to its own processing.
At the end of the presentation, a colleague who is on the candidates’ list of a major political party, reached across and asked “whether I agreed that Mr Nemitz was recruiting for UKIP?”. And that about sums it up.
Working Party view
The Data Protection Working Party has just published their view of the Regulation and has supported some of my concerns. For instance the Working Party says:
Data loss: “The Working Party nevertheless has doubts as to whether the way in which the notification duty is set up will lead to satisfactory results. Notably the scope of the duty to notify to the supervisory authority should be more focused and restricted. The situation that supervisory authorities are distracted by and overburdened with the processing of notifications of minor data breaches which are unlikely to adversely affect the rights of data subjects should be avoided”.
Lack of flexibility in the Regulatory structure: “DPAs (data protection authorities) should be enabled to be selective in order to be effective; they should be able to define their own priorities and to start actions, such as investigations, on their own initiative, notwithstanding the obligations regarding cooperation, mutual assistance and consistency according to Chapter VII.
DPAs should be able to allocate resources according to the strategic character and the complexity of issues at stake, for example by taking into account the actual or potential detriment to data protection, the number of persons concerned and the technology used. Allowing DPAs to set their own priorities also helps to deal with financial and budgetary constraints.
In relation to Commission’s powers: “with regard to both proposed instruments, the Working Party notes with concern the extent to which the Commission is empowered to adopt delegated and implementing acts. While recognising the need to ensure that certain issues can be dealt with at a more detailed level at a later stage, the Working Party considers this is not the case, for example, for rules regarding data breach notifications”.
ICO is out on a limb re data transfers outside EEA
However, with respect to data transfers outside the EEA, even the Working Party want the data protection authority to sign them off in some way or another. Because of this, it is important to understand the difference between most DPAs and our ICO.
• The UK Act takes the view that all data controllers are responsible for all their own personal data and if they transfer personal data then they are accountable for that transfer. The ICO takes the view that this is the best solution – ensure that the data controller remains accountable for transfers is maintained in the Regulation.
• Most European regulators have provisions that require transfers that have to be authorised by some way or another; the Regulation states that such authorisation has to be via standardised contracts authorised by the regulator or by binding corporate rules. If these regulators followed the ICO’s approach they will reduce what they do already; something that does not go down well.
• The European Data Protection Supervision is in the middle. For instance, he has stated in a speech that in the context of the Cloud, that “the mechanisms envisaged (in the Regulation) have proven to be, in many cases, burdensome or ineffective or have lacked of the necessary flexibility”; he expects Binding Corporate Rules to provide a solution (see references).
My own view is that the ICO’s position is correct. Under the Regulation, if a data controller gets this wrong, a hefty fine is on the cards. Because of this, I think that most data controllers will not take unnecessary risks and will seek real assurances (e.g. from Cloud service providers).
The alternative view is to say that most data controllers will not be in a position to argue with say Google or Microsoft re Cloud Services; hence there is a need to set out legal requirements to protect data subjects in advance of any problem.
The down side of this latter approach occurs when things go wrong. So suppose that these legal requirements are accepted and then the Cloud services go “pear shaped”. What you will find is that there is little redress for data subjects as the data controller has had adopted contract terms imposed on him. All such Controllers says is “sorry. I was following what was approved by the Regulator” or more or less “I was following orders”.
My own view: data subjects need the redress when things go wrong and the Commission’s approach thus removes the protection afforded to data subjects. Although the current UK position looks weaker, the approach adopted supported by large fines to buttress the test of adequacy will offer better protection for data subjects when they need it most (i.e. when things go wrong).
As we had the German economic model thrust upon us, I will summarise the meeting in data protection terms by making an analogy to with the economy of the German Democratic Republic.
Pretend the Commission have manufactured a motor car; the seats are very comfortable, the windscreen wipers work, the door handles are the best stainless steel and the headlights are first rate. But sadly the rest of the car is based on the GDR’s Trabant design.
What the Commission want to do is make the other parts of their Trabant car work efficiently and effectively; it is not interested as to whether or not their chosen vehicle is any good.
Down load a copy of Working Party view of the Regulation/Directive here Download Wp view of regulation and directive_en
Martin Hoskyns blog (29th March 2012) re data breach reporting http://dataprotector.blogspot.co.uk/
Speech of the EDPS re Clud Computing: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2012/12-03-21_Cloud_computing_EN.pdf
“Analysis of proposed EU-USA PNR Directive exposes absent or minimal data protection and privacy safeguards”: http://amberhawk.typepad.com/amberhawk/2011/06/my-entry.html
Just one example of the way the Commission ignores the EDPS: “Should the European Data Protection Supervisor resign?” http://amberhawk.typepad.com/amberhawk/2010/04/should-the-european-data-protection-supervisor-resign.html