Would you be surprised if the Irish text of the Regulation could allow a Member State, most likely Eire, to implement specific exemptions for companies like Google and Facebook from those data subject rights that involve accuracy, correction, erasure of personal data and the so-called “right to be forgotten”?
In addition, would you be surprised if the definition of “main establishment” introduced by the Irish could mean that any enforcement action against such companies would be prolonged and could easily exhaust a regulator’s capacity (most likely the Irish Commissioner) to enforce the Regulation?
Finally, the change from “explicit consent” to “unambiguous consent” means that the fair information practices that these companies employ with respect to Directive 95/46/EC (which are now subject to legal action by the CNIL on behalf of all Europe’s Data Protection Commissioners) can continue into the new Regulation, unabated. This change makes the outcome of the CNIL’s action more important to the privacy of Europe’s citizens.
These are three reasons why, in my view, the Irish redraft risks taking the level of protection for individuals to a level lower than that achieved by Directive 95/46/EC. More detail of these concerns are given below.
The freedom of expression issue
The objective of the Irish drafting changes to the Regulation is to allow for “flexibility”. However, Article 80 is so “flexible” that it is possible for any Member State to enhance their “attractive” corporation tax policies with some “reduced” data protection standards as well. And when enacting these reduced standards, any politician would be able to justify them in terms of defending “freedom of expression”?
In the UK’s Data Protection Act, the Special Purposes (journalism, literature, art) and a special enforcement mechanism is defined in order to protect freedom of expression. In Section 22A of the Irish Data Protection Act, there are exemptions for that processing which is undertaken “solely with a view to the publication of any journalistic, literary or artistic material” (my emphasis on solely throughout).
Wide exemptions like this are justified in terms of Article 9 of Directive 95/46/EC which states:
“Member States shall provide for exemptions or derogations from (…the main chapters of the Directive such as rights and principles ..) for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression”.
Notice that in the Directive, the processing has to be carried out “solely for journalistic purposes or the purpose of artistic or literary expression” and any exemption introduced by Member States has to be in the context of these three purposes.
Now look at the replacement for this Article in the Irish text:
Article 80: “Member State law shall reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression, including the processing of personal data for journalistic purposes and the purposes of artistic or literary expression”.
Notice the provision includes journalistic purposes or the purpose of artistic or literary expression. In other words, the provision of exemptions on freedom of expression grounds can go beyond art, journalism and literature as these three are examples of “freedom of expression”.
Of course, one might argue that the extension is needed to protect personal data in blogs or tweets. For instance, the Hawktalk blog is not journalism (far too accurate to qualify for journalism?), nor does its prose have much in the way of artistic or literary merit (not flowery enough, perhaps?). Hence, for example, if I criticised a politician for degrading the level of data protection, I am pleased that there is a freedom of expression exemption that could give me some protection.
However, the extension is not limited to blogs and tweets; it can “flexibly” be extended by a Member State. For instance, during the furore over the Commission’s initial suggestion for a “right to forget”, Google’s Global Privacy Counsel, Peter Fleischer began referring this right in terms of “censorship” (i.e. a restriction on “freedom of expression”). So could one imagine a “freedom of expression” exemption be fashioned by a Member State in order to satisfy a requirement from Google re the right to forget? I think it can.
Suppose you share something on Facebook about a friend without permission: is that an invasion of your friend’s privacy or an indication of your freedom of expression? Facebook representatives have often argued that any restriction on such sharing is a prohibition on the freedom of expression. So, there again, could a “freedom of expression” exemption be fashioned by a Member State that facilitates such data sharing on social networks?
Also, please remember that corporate USA’s dollars funded an extensive lobbying campaign against the Regulation. If corporate America organised this effort in the European Parliament, it is easy to imagine them applying the same pressure on a Member State to demonstrate “flexibility” in the context of rights that relate to “freedom of expression”. This is especially the case in these economic hard times.
Of course one might say that the European Commission would step in and take immediate action if this were to happen. All I would respond is that the words “immediate” and “action by the European Commission” in my judgment is a contradiction in terms. For instance, the Commission started threatening infraction proceedings against the UK in 2004 on the grounds that the Data Protection Act 1998 was an inadequate implementation of Directive 95/46/EC. Nearly a decade later nothing has happened.
The “main establishment” issue
I am also concerned that the regulatory framework in the European Commission’s original text could be so weakened to such an extent that a regulator cannot take effective legal action against such large multi-national companies. This is best shown in the context of the Ireland, because as is well known, for corporation tax “flexibility” purposes, Google and Facebook have both established their European HQs in Eire.
The definition of main establishment in the Irish text of the Regulation states that for a data controller “the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken”. This would be Ireland and it also means that the Irish Commissioner is the key data protection supervisory authority for all of Europe’s citizens with respect to Google and Facebook etc.
So suppose, perish the thought, that one of the European Union’s half billion data subjects has a data protection problem with Facebook. That data subject would turn to the Irish Commissioner.
Now Facebook is a large organisation, and UK taxpayers might want to know that a low corporation tax payment in the UK has allowed it to invest in real-estate in Dublin. Click here to view Facebook Dublin HQ (pleasant isn’t it): View this photo
Of course, if there are legal problems, Facebook in Dublin will call on the assistance of Facebook HQ in the USA. Click here to view Facebook HQ occupying a site of over a square kilometre in size: View this photo
Against Facebook would be the Irish Data Protection Commissioner and it is useful to click here to compare Facebook HQs with that of the Irish DP Commissioner. The Commissioner’s HQ is next to the Centra supermarket: View this photo
Get the message?
According to the 2012 Annual Report, the Irish Commissioner’s budget is £1.3 million per year (€1.5 million or $2 million). He will be taking on Facebook (2012 revenue of $1.68 billion) and Google (2012 Revenue $50 billion) and all the other corporation tax refugees settled in Ireland.
Thus, irrespective of the merits of the Irish Commissioner and the ability of his staff, any serious enforcement action means that he will be tied up in legal red tape; these companies are simply too big for one small Commissioner to take on.
The reasons above explain why I think the Irish text of the Regulation sets up, in the case of corporate America, a structure that could very easily seriously undermine the data protection obligations that protect the privacy of all of Europe’s citizens.
Update on FOI/DP Interface
In my blog of the DAPIX leak (date 29/05/2013) I said that the proposed changes to the Regulation could interfere with the DP/FOI interface. This risk of interference has been lessened by Article 80a of the Irish text which states that:
“Personal data in official documents held by a public authority or a public body may be disclosed by the authority or body in accordance with Union law or Member State law to which the public authority or body is subject in order to reconcile public access to such official documents with the right to the protection of personal data pursuant to this Regulation”.
This Article was missing from the DAPIX leak. So what I think will happen is that the powers in Schedule 2, para 6(2) can be used to restore the Data Protection/FOI interface that we love and know.
Data protection as “censorship”: Peter Fleischer; http://peterfleischer.blogspot.co.uk/2011/03/foggy-thinking-about-right-to-oblivion.html
Facebook: Proposed EU ‘right to be forgotten’ raises “major concerns” over freedom of expression online: http://thenextweb.com/facebook/2012/11/20/facebook-proposed-eu-right-to-be-forgotten-raises-major-concerns-over-freedom-of-expression-online/