“Hats off” to Statewatch. I don’t know how they do it, but they have just managed to liberate a 170 page document from the Commission that explains what each Member State thinks of the Data Protection Regulation. The UK, of course, has the largest number of pages outlining its objections (24 pages in all).
So here is a summary of some of the key issues for the UK with the Regulation. All sentences that are not italicised are quotes from the document; the italics underneath contain either some serious commentary or a flippant translation concerning the relevant chunk of “MoJspeak”. References and useful links at the bottom as usual.
So here goes......
1. “We are of the view that the proposed general Regulation should be a Directive in order to provide greater member state flexibility to implement the measures – a Regulation would allow the EU to prescribe rules without necessarily giving due regard to national tradition and practice”.
Translation: a Directive will give more chance for the UK to negotiate specific carve-outs as and if we don’t get our way, we can delay proceedings as we did with Directive 95/46/EC.
2. “There is an excessive number of delegated and implementing acts, which often does not constitute a correct exercise of the power conferred in the parent legislation - for example there are many instances in the instruments where the Commission has powers to impose further criteria or requirements which cut across essential aspects, such as pursuant to Article 6(1)(f) of the proposed Regulation in determining whether personal data may be processed on the basis of legitimate interests in various situations”.
Translation: the Secretary of State currently has these powers (see Schedule 2, para 6(2) or Schedule 3, para 10) and we don’t like them being taken away. We only need to mention that these powers are going to Brussels and many of our Conservative back-benchers will become so apoplectic they will demand a referendum – so be warned.
3. “The Regulation contains many prescriptive requirements in the main body of the instrument which places unrealistic obligations on data controllers, particularly on Small and Medium Size Enterprises and not-for-profit organisations.”
Translation: we would like more exemptions for SMEs and not-for-profit; preferably we would like the UK Government to define these.
4. “Other prescriptive requirements includes requirements to notify a data breach within 24 hours, to maintain documentation of all data processing operations and mandatory data protection officers which could be costly and impractical for many business and organisations.”
Translation: if there is any prescribing to be done, please leave it to Member States to do.
Commentary: In practice there is common ground that the data breach notification provisions will become more flexible.
5. “It would be helpful to clarify that personal, commercial activity, such as selling ones’ personal possessions on an auction site can also fall within the (domestic purpose) exemption”.
Translation: the domestic purpose exemption is too narrowly drawn; surely people can sell their own stuff on Ebay?
6. “Where data controllers are not established in the EU and fail to appoint a representative, there is a real question as to whether this is enforceable and what steps Member States are expected to take in order to enforce where there is no existing mechanism”.
Commentary: this problem already exists in the UK Act which also gives no clue as to what a representative has to do and what happens if one is not appointed. In the current UK Act, if a data controller is outside the EEA and uses equipment to process personal data in the UK a representative has to be appointed, identified in notification, and in a fair processing notice. What else the representative does is not specified in the UK Act.
7. “The scope of what could constitute “personal data” is unjustifiably broadened to include “any information relating to” a data subject. The term “related to” lacks the precision required for a Regulation”.
Translation: If we play our cards carefully we might be able to sneak in the Durant definition of “relate to”, especially if we can successfully argue for a Directive (see above)!
8. “We question the removal of: “authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients”, as set out in 2(g) of the 1995 Directive. It is unclear what the consequences of this would be for authorities”.
Commentary: The UK want to maintain the current structure of the UK’s DPA which excludes from the definition of “recipient”, any person who has the power to perform an investigation and needs the disclosure of personal data in connection with a specific investigation authorised by law.
So for example police, when they obtain of personal data from a data controller in connection with a criminal investigation, are not a recipient. As recipients are identified in fair processing notices and in the right of access, the fact they are “not recipients” means that the disclosure does not need to be identified.
So the consequences are not as unclear as the Government indicate; it means more data sharing is transparent to data subjects.
9. “We would like to revisit this discussion in working groups, particularly whether it imposes the higher consent threshold for sensitive personal data under the existing Directive onto non-sensitive personal data”.
Translation: we don’t like the high threshold for consent and prefer to keep the current Directive 95/46/EC definition of data subject’s consent.
Commentary: I have some sympathy for this position, for if the controller has the burden of proof of establishing that the data subject gave their consent, and consent has to contain an indication of the data subject’s wishes, there is less need for a more prescriptive formulation of consent. But see the next item before you agree.
10. We prefer that “the existence of imbalanced situations should be taken into account in determining whether consent is freely given, and informed”.
Commentary: The use of “should” rings alarm bells as I see it as an attempt to maintain the flexibility to identify circumstances when this imbalance can be ignored with respect to consent. In other words, this is a recipe for the retention of what I call “Home Office” consent, where there is no real choice (e.g. when you go through airport security for your holiday flight, you can consent to go through the airport scanner or not travel).
11. Having two definitions of a child (Article 4 (18) – under 18 threshold; Article 8(1) – under 13) complicates understanding the definition of a child.
Commentary: The UK prefers the common law position established by Gillick/Fraser competence.
I am worried that a general euro-standard definition of child might have unintended consequences; for instance, if there is a “sexual health helpline for teenagers advice line” and any processing of personal data might require parental consent.
The Government in my view is identifying the difficulty of having a general definition of a child, when in practice, this is a case-by-case assessment (as is done via Gillick/Fraser). For instance, 19 year-olds on the autistic spectrum might not be competent to make decisions; on the other hand, some 12 year olds might easily be competent. On balance, I think the Government may be right here.
12. “The current Directive 95/46/EC states in recital 28 and Article 6(1(c) that personal data must be adequate, relevant and not excessive - now Article 5(c) says that personal data must be "adequate, relevant and limited to the minimum necessary for each specific purpose of the processing". This shifts the focus away from proportionality to one where data can only be collected where explicitly justified. This will mean organisations will have to cleanse excess data and change the focus of their data collection activities. It is not always possible to know at point of collection what ‘minimum necessary’ constitutes”.
Translation: we don’t like or understand the concept of data minimisation
13. “The requirement for personal data to be accurate and kept up to date, without any caveat is too prescriptive and, in certain instances will be unnecessary”.
Translation: we prefer the UK’s relaxed position where data controller’s only updates personal data when it is necessary to do so. For instance, should you keep your archived personal data up-to-date? Obviously not.
14. “The burden on the controller to “ensure and demonstrate” compliance with the provisions of the Regulation is too onerous. We believe that controller should not be expected to document everything as a matter of course”.
Commentary: The “Accountability Principle” is worded so that “each processing operation” is in compliance with the Regulation.
What the UK Government wants, I suspect, is an Accountability Principle obligation that looks at all processing operations as part of an overall assessment. In other words, the Principle works on a rounded-view of assessment towards data protection compliance rather than an assessment based on each specific processing operation.
15. “It is illogical that public authority data controllers cannot rely on their legitimate interests in order to lawfully process personal data”.
Commentary: the Government want public sector bodies to be able to process personal data which is not for their statutory functions or where there is no legal obligation to process and rely on the balance of interests ground (i.e. use paragraph 6 of Schedule 2). I think the Government need to justify this position as I can’t see why it is illogical.
What two words come to mind if a public body came to you and said: “I have no statutory function with respect to processing your personal data and I have no legal obligation to process your personal data and I don’t have your consent to process your personal data .. so what should I do?”
16. The requirement that processing under points (c) and (e) must be provided for in Union law or the law of a Member State must accommodate processing that is lawful.
Commentary: the UK claims there is an issue where processing of personal data is required by a common law obligation. The Regulation assumes that as public bodies are creatures of statute, there must be statutory legal provisions that make any processing of personal lawful.
I think the UK Government needs to identify what these common law circumstances are before I am convinced.
17. “The UK questions the need for special categories of personal data” i.e. “sensitive personal data”.
Translation: let’s get rid of Schedule 3.
Commentary: The Government argue that personal data about a “cold” should not be treated as sensitive personal data, and I have been at meetings where the Information Commissioner has supported this idea. I am not so sure, as in the UK the regulatory framework rarely considers the First Principle other than “fairness”. The Information Commissioner, for instance, does not enforce lawfulness (e.g. that processing that would breach a confidence) nor have I seen him delve much into Schedules 2 or 3.
If the equivalent of Schedule 3 is removed, it leaves the processing of sensitive personal data subject to the mercies of paragraph 6 of Schedule 2 (legitimate interests of a data controller unless there is an overriding interest of the data subject). This is, in my view, could be a step too far.
I need much more convincing that there is adequate protection before I could support this idea. For example, if the test in Schedule 2, paragraph 6 were reversed for sensitive personal data (i.e. there had to be an overriding legitimate interest for the data controller and the starting presumption was that sensitive personal data were not processed) and the Commissioner enforced “lawful processing”, I would be much more relaxed.
If you want the 170 page discussion issued by the Council including detailed individual comments from Member States: http://www.statewatch.org/news/2012/jul/eu-council-dp-reg-ms-positions-9897-rev2-12.pdf
EU’s Data Protection Regulation: divisions exposed as Member States show disharmony: http://amberhawk.typepad.com/amberhawk/2012/03/eus-data-protection-regulation-divisions-exposed-as-member-states-show-disharmony.html
Expect 1,000 objections by Member States to the EU’s Data Protection Regulation: http://amberhawk.typepad.com/amberhawk/2012/06/expect-1000-objections-by-member-states-to-the-eus-data-protection-regulation.html
The Regulation: what are the big changes to the Data Protection Act regime?: http://amberhawk.typepad.com/amberhawk/2012/01/the-regulation-what-are-the-big-changes-to-the-data-protection-act-regime.html