Today’s blog deals with the UK position on the Irish text of the Regulation and is based on the statements of Chris Grayling MP, the Cabinet Minister responsible for data protection, at June’s Council of Ministers meeting (see references).
Following these statements I have concluded that the current UK Government policy on data protection supports a level of protection below that established by Directive 95/46/EC. This arises because the Government want many more data protection obligations in the replacement Regulation to be assessed on a risk based approach whereas in the current Act, the notion of risk is only applied in a small part of the Interpretation of the Seventh Principle.
In this blog, I explain why such a comprehensive approach based on risk or harm is flawed and why it reinforces my concerns over Article 80a (see last blog). I also show that the Information Commissioner’s (ICO’s) stance on the Regulation has been selectively used to bolster the Government’s position.
The UK position on the Regulation
The UK position was expressed by Secretary of State, Chris Grayling in a 5 minute speech. After welcoming the changes in the Irish text, all further statements related to imperfections in the Irish text. Only once did the Secretary of State mention, in passing, the importance of the enhanced protection for individuals, and then only in the context of a balanced approach for data controllers.
In summary, the UK position on the Regulation is as follows (remember that these comments relate to the Irish text published in June 2013, and not to the draft produced by the European Commission a year and a half ago):
- The territorial nature of the Regulation needs more consideration to assess whether it is practicable; Chris Grayling used the word “unrealistic” to describe these provisions in the Irish text. These provisions apply where a data controller based outside the EEA offers goods or services to data subjects, or monitors their behaviour, within the European Union. In other words, the UK is questioning the application of the Regulation to data controllers based in the USA (and there are no prizes for guessing which USA based organisations fall into this category).
- The provisions concerning “consent” have not been discussed by the working groups (by implication, the Irish move to “unambiguous consent”, which is exactly the standard in Directive 95/46/EC, might not be a sufficient change for the UK). Remember the Irish text has removed the provision that the data controller has the burden of proof to show he obtained consent, and the provision relating to the imbalance of power between data controller and data subject (i.e. the Irish text allows for the continuation of Hobson’s choice consent – or as I call it, Home Office consent).
- The impact on business should be judged from the context of the SMEs which are going to drive economic recovery and not from the standpoint of Google or Microsoft (this is at variance with the French position, which seeks application of the complete Regulation to Microsoft and Google but with appropriate exemptions for SMEs).
- There should be a business impact assessment (as the UK has its own figures, as do the Dutch and Belgian Governments, which show a cost to business of the original Regulation). This I suspect is a device to waste time, as the Regulation needs to be enacted by June 2014.
- The risk based approach needs to be taken further and the security principle is welcome (mainly because it looks like the existing UK provision). This implies that other Principles and rights should be subject to a risk based approach (see below).
- Finally, the UK still want a Directive (with the support of Belgium and Hungary); I consider this likely for the next European Parliament (see next blog; later this week).
The ICO position
The ICO has published a letter that summarises his well-known concerns with respect to the Regulation text as published by the Commission in January 2012. These are not new: for example, reporting every data loss; authorising transfers; funding for his office if notification is scrapped; lack of flexibility re the role and responsibilities of the ICO.
Unsurprisingly, as this supported the UK position, the letter was promoted by Secretary of State, Chris Grayling as justifying the UK stance. What the Secretary of State did not say was that ICO’s letter (see references) also welcomed elements in the Commission’s text which the Irish text has subsequently weakened.
For instance, the ICO’s letter welcomed:
• the stronger explicit “consent” provisions of the Commission’s text; by contrast these have been reduced by the Irish text to “unambiguous consent” (i.e. the standard of Directive 95/46/EC).
• the clearer provisions about data processor responsibilities; however the Irish text provides a mechanism so that Member States can order a data processor to disclose personal data to the law enforcement authorities without informing the data controller. Note that this means that NSA-PRISM-type activities can be legitimised by any Member State in relation to any data processor – and nobody is the wiser unless a whistle-blower is forthcoming.
• the “introduction of accountability” for data controllers; by contrast, the Irish text removes the Accountability Principle in favour of a Security Principle based on the current UK Seventh Principle.
• recognition of the importance of Privacy by Design or Privacy Impact Assessments; by contrast, the Irish text removes the data minimisation provisions (i.e. removal of the requirement to limit the processing to the “minimum necessary in relation to the purposes for which they are processed” and that personal data “shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”).
One really wonders whether the ICO is content with the Irish text changes so far. What I will say is that after being so critical of the Commission’s Regulation, he cannot remain silent if, in his view, changes to the Regulation reduce the protection afforded to data subjects.
The risks of the risk based approach
However, Chris Grayling also stated that the risk based approach should be extended to more of the Regulation. This moves UK data protection policy objectives in the direction of the approach adopted by the APEC Privacy Framework or the Obama Administration’s policy towards online privacy – both of which are based on a risk assessment or the notion of “harm”.
There are three problems with such a harm or risk-based approach:
• First, a risk based approach will be based on a data controller assessment of harm to data subjects in general, whereas harm can only be accurately assessed from the standpoint of each data subject.
• Second, any personal data processed with “data subject consent” is unlikely to need a risk assessment.
• Third, any personal data that is published does not need a risk assessment.
Some thirty-five years ago, well before the UK had any data protection law, the notion underpinning a data protection regime based on “harm” was firmly rejected by the Lindop Committee in its Report on data protection in 1978 (Cmnd 7341, paras 18.24-18.27).
Lindop concluded that there was no objective standard whereby a data controller could assess harm prior to the processing of personal data, because there was no way an organisation could judge whether its personal data or its processing would be sensitive or non-sensitive.
Of course the data controller could identify that there might be harm in some cases (e.g. because of the confidential nature of some personal data or the potential for impact on the data subject). However, as a data controller could not make an assessment that the processing was “harmless”, it followed that many data protection obligations could not be based on harm.
This is because the potential for harm is a subjective assessment that can only be accurately judged by each data subject concerned and of course, such assessments can change over time and in context.
For example, suppose a data subject gives a new address to a data controller: is this “harmless”? For most data subjects the change of address might follow some routine house-move. However, if a data subject is changing address because of a violent relationship, then who has access to the name and new address becomes a matter of deep concern for that data subject. The data subject knows this context; the data controller doesn’t.
That is why putting more of the Regulation on a risk-based approach is a flawed idea; the only person who can assess risk properly is the data subject, and such risks fluctuate depending on the context. That is why the French Minister, at the meeting of Ministers, was wholly correct to assert in her speech that any risk assessment approach needs the involvement of the data subject.
Consent, public domain personal data and a risk-based approach
If a data subject consents to the processing of personal data, then he is making an informed judgement about any harm to himself caused by any intended processing by a data controller. Any data controller assessment of harm is redundant as it will be trumped by the data subject’s own assessment of harm.
For instance, what would you say to a data subject who took a risk in relation to his own privacy and then argued for compensation based on the fact that the data controller’s assessment of risk was wrong? I think you would say something like “get lost”.
And that is why data subject consent makes it difficult to argue there has been a breach of Article 8 of the Human Rights Act; most Article 8 cases involve interference with private and family life in the absence of consent.
And that is why, when considering the Regulation, the definition of “data subject consent” is so important. If it is weakened, then a single unticked-opt-out box could easily reduce the protection afforded to data subjects. Note also, the implication that any change to a risk based approach towards data protection needs a stronger and more detailed consent base (not a weakened one!). For example, for consent to be fully informed, details about retention periods (5th Principle) might need to be given.
The more of the Regulation that becomes “risk-based”, the more protection is stripped from the data subject for that unticked-opt-out box. For instance, if all the data protection principles were “risk based” and if the data subject were to consent, then the application of the principles would also be removed.
Similarly, if personal data were published by a data subject and someone else took advantage of that, one would say “well, you should not have published”. In the APEC Privacy Framework, for example, the Privacy rules do not apply to personal data that has been published (e.g. on Facebook, YouTube etc).
So, for instance, in a complete risk-based data protection world, a data controller can use public domain information (e.g. put into the public domain by unambiguous default Facebook settings) to assess a data subject for employment. There is no obligation to ensure that these personal data are relevant for the employment purpose, nor to be fair to the data subject, nor indeed to keep the personal data secure.
After all these personal data are in the public domain. By contrast, the Data Protection Act does require observation of these Principles.
More importantly, Article 80a of the Irish text allows Member States liberty to introduce exemptions with respect to freedom of expression; this could be applied to personal data placed in the public domain by the data subject with “consent” (whatever that means).
You can see now why the UK Government’s public policy of a reduced standard of consent AND a more risk based approach results in a reduction of the standards of data protection.
ICO letter of 24th May 2013: https://www.ico.org.uk/news/~/media/documents/library/Corporate/Notices/rt-hon-chris-grayling-ministry-of-justice-20130603.ashx
Blog on UK Government’s preference for a Directive:
Blog on Article 80a of the Regulation;
Council of the European Union Justice and Home Affairs - Legislative Deliberations re the Data Protection Regulation, Thursday, June 6, 2013; (starts 9 minutes 48 secs in):
Note: to get to the UK contribution, scroll down past the five items marked (Item A), the last one being “A Item 5 – removal of fins from sharks”. Under the “personal data” tag, click on the Irish flag just before the Union Jack.
Obama’s Consumer Privacy Bill of Rights: https://www.whitehouse.gov/sites/default/files/privacy-final.pdf
The APEC Privacy Framework and data protection – 2008 which explains why the APEC Framework is deficient in European Data Protection terms (e.g. Directive 95/46/EC); available on https://www.amberhawk.com/uploads/APEC.doc