On Thursday, the Justice Committee will publish its conclusions about the European Commission’s Data Protection Regulation; yesterday, at our Update session, we had a speaker from the MoJ talking about the Regulation. This blog explains why I think a revised text of the Regulation will have to emerge and why I expect the Committee to support the ICO’s and the Government’s concerns about the text of the Regulation (as explained below).
Our Update speaker told us that the DAPIX committee of Member States discussing the Regulation have arrived at Article 38 – only 53 Articles to go – and this on first reading too; remember the first 10 Articles produced about 1,000 reservations, issues or comments. Just use your 11 plus mathematics: if it takes 10 months to discuss 38 Articles, how long will it take to discuss 91 Articles? (11+ answer is nearly 24 months by the way).
In other words, there is significant disagreement over the text (see references) and our speaker confirmed that concerns expressed by the UK were shared by other countries. So unlike Directive 95/46/EC it is not a case of UK v the Rest of Europe as it was in the Thatcher/Major era.
After first reading, the Commission has to respond to the concerns raised by Member States and produce a new text. In other words, if the June 2014 deadline is to be met there has to be more rapid progress; so if Commissioner Reding wants her Regulation she has to compromise on its content. As the June 2014 election appears on the horizon, Commissioners move on, MEPs are re-elected, and proposals are dropped (i.e. the Regulation effectively goes back to square one).
Ms Reding’s dilemma is made clear by the Minister, Lord McNally, who gave oral evidence before the Justice Committee. He said:
• “We want is a lighter-touch and more flexible system”. Translation: we think parts of the Regulation are heavy handed and inflexible.
• “We are not in the business of signing blank cheques for the Commission”. Translation: we don’t like the Commissioner wielding powers that impact on UK data subjects and UK data controllers without the UK Parliament or Ministers having much of a say.
• “The Commission have a very ambitious time scale”. Translation: the Commission could miss their June 2014 deadline.
• “We are negotiating to get results, not to fit into a timetable”. Translation: our contributions to debate should not be classified as “obstructing progress”.
• “If the Commission want an early result, then it may well be that they have to make substantial concessions to get the kind of outcome that we want”. Translation: Commissioner Reding can chose between “give in” or “give way”.
• We want the “benefits of harmonisation without the downside of over-bureaucratising and over-burdening business”. Translation: The UK believes that parts of the Regulation are over-bureaucratising and will over-burden business
Looking at the above comments it is easy to come to the general conclusion that the UK Government “doesn’t like it” (although the Government will say that they are supportive of the idea of better harmonisation and improved data subject protection; it is just the expression of the idea that causes the problem). And to some extent I agree with the UK Government (see references); I think this Regulation is, and always has been, a lengthy data protection suicide note.
It might surprise that much of the above is shared by the Information Commissioner. In his written evidence to the Committee, he noted:
• The Commission should have developed one comprehensive data protection instrument whether a Regulation or a Directive. Translation: the diverse set of data protection rules will lead to an overtly complex arrangement especially where one set of data protection principles will apply to some personal data (in the Regulation), and another set of data protection principles will apply to another set of personal data (in the Directive for law enforcement).
• Implementation and compliance with the revised framework to be achieved more quickly once it enters into force. Translation: data protection concepts are 20 years old; as they are not new, then they can be implemented quickly.
• The Regulation compared to the current Directive is far too prescriptive. Translation as per Lord McNally above.
• Implementation of rules may be perceived as onerous or disproportionate. Translation as per Lord McNally above.
• The ICO is pleased that there is only one form of consent in the Regulation; the distinction between ‘ordinary’ consent and ‘explicit consent’ in the current law has caused a great deal of confusion. Translation: there are too many data controllers in the UK who fixate on “implied consent” and I want to kill this idea off for all time.
• Durant: the ICO wants a focus on the accessibility of information relating to a particular individual rather than solely on the structure of system. Translation: The ICO has come round to the view that we proposed in the Durant hearing, but the Court of Appeal (bless them), came to a contrary view.
• There are significant doubts as to how meaningful any attempt by supervisory authorities to closely monitor, control or authorise transfers can be. Translation: The current Directive is existentialist in nature as data controllers are responsible for their actions, especially in the UK when transferring personal data overseas; doesn’t the French CNIL understand their Sartre?
Notice the consequences above: both the UK Regulator and UK Government are of the view that the Regulation is over prescriptive, overtly burdensome, involve two different data protection regimes (Regulation and Directive) and involve a power grab by the Commission. So don’t be surprised if the Committee produces warm words on “we support the idea of enhanced protection”, express significant concerns over “implementation” and agree with the above reservations.
So what is the consequence of all this for blog readers? Don’t worry too much about the text of this Regulation and don’t do too much in the way or preparation; if the Commission does not revise the text significantly, then this Regulation might be in serious difficulty. However, keep a watching brief for “compromises” as these have to emerge over the coming months.
Finally, the Lib/Dem Lord McNally is no longer responsible for data protection; now Conservative Helen Grant (MP for Maidstone) is in charge. Conservatives are more euro-phobic and Ms Grant will have the additional support of an all-Party Committee for her arguments that the Regulation has to change.
JUSTICE evening event at Hunton and Williams: “Defamation, privacy and freedom of expression online”, 30 St Mary Axe, London EC3A 8EP (the London “Gherkin”) 20 November 2012 –http://www.justice.org.uk/events.php/46/life-and-law-online-defamation-freedom-of-expression-and-the-web (£50)
Our next Update session is on April 15th 2013 (same place – London), same agenda (focusing what has happened in the last six months plus guest speaker and Rosemary Jay) and same inflation busting price (£195).
The Regulation what are the big changes to the Data Protection Act regime; http://amberhawk.typepad.com/amberhawk/2012/01/the-regulation-what-are-the-big-changes-to-the-data-protection-act-regime.html
The Commission’s Data Protection Regulation weaknesses from the Data Subject perspective; http://amberhawk.typepad.com/amberhawk/2012/03/the-commissions-data-protection-regulation-weaknesses-from-the-data-subject-perspective.html
EU’s Data Protection Regulation divisions exposed as Member States show disharmony; http://amberhawk.typepad.com/amberhawk/2012/03/eus-data-protection-regulation-divisions-exposed-as-member-states-show-disharmony.html
MOJ ask for arguments to oppose the European Commission’s data protection regulation; http://amberhawk.typepad.com/amberhawk/2012/02/moj-ask-for-arguments-to-oppose-the-european-commissions-data-protection-regulation.html
EU Data Protection Regulation breaks explicit link with privacy and human rights; http://amberhawk.typepad.com/amberhawk/2012/02/eu-data-protection-regulation-breaks-explicit-link-with-privacy-and-human-rights.html