Xmas has come and to get you in the festive mood, I present a link to 232 pages of gripping holiday reading. Forget all those TV repeats over the holiday period; in the forthcoming break why not snuggle down with the latest DAPIX version of the Data Protection Regulation which identifies the current thinking of Member States.
I have made two preliminary conclusions:
• I think that the Data Protection Regulation will not be agreed until the end of 2015 (if that); this is because Member States cannot agree on the contents of the text. I counted over 500 “reservations” in the footnotes from diverse Member States which are clearly identified in the text (a “reservation” means that the Member State really does not like the provision).
• More worryingly, I am beginning to think that the protection afforded to individuals by the Regulation could easily be less than under Directive 95/46/EC. Quite simply, in its attempt to resolve or accommodate Member States’ concerns, Data Subjects are being put at risk. This blog explains why.
When looking at the DAPIX text (see references), please note the warning given on page 1:
“All changes made to the original Commission proposal are underlined text; where text has been deleted, this is indicated by (…). Where existing text has been moved, this text is indicated in italics. Changes that were not yet fully discussed in DAPIX are marked in bold underlining.”
You only need to scan a few pages to see that the changes from the Commission’s original proposals are considerable. In addition, even when Member States do not enter a reservation, they are clearly “unhappy bunnies” as the footnotes record the many disagreements with the Italians’ text.
I cannot see these disagreements being resolved unless a political fix is agreed (e.g. if you vote for our version of “consent”, we will support your position with respect to “the right to object”). This method of agreement depends on “understandings” made in “smoke-filled back rooms”. It is not the way to identify privacy rules that hope to gain respect from data controllers and data subjects; indeed, it risks the emergence of a mish-mash text that will probably irritate both communities.
So why is the protection for individuals reduced? Well, just look at the exemptions. For instance, there are a number of Articles (e.g. Article 21 dealing with exemptions) which begin with, or contain, the words “Member State law…” (i.e. the Member State can determine how the Article or provision applies in that State). There then follows a longer list of exemptions than in Article 13 of Directive 95/46/EC. In other words, Member States can determine more exemptions to suit their needs.
"Member State law" flexibility can be applied to other provisions: namely in Articles 4, 9, 14, 17, 24, 26, 30, 35, 44, 48, 49, 53, 55, 56, 74, 79, 80a, 80aa, 83, and 84. This means that the provisions in these Articles could diverge across all Member States. The Regulation, remember, is supposed to harmonise data protection; these Articles with their reference to “Union or Member State law” comprise a recipe for disharmony.
For instance, Member States have flexibility with respect to the definition of “data controller” (Article 4(5)) and Article 9 (Sensitive personal data). How will this flexibility be used? Well, your guess is as good as mine.
For example, using the terminology of the 1998 Act, what do you think of this new very “accommodating” Schedule 3 criterion:
The processing of sensitive personal data “is necessary for the performance of a task carried out for (…) reasons of public interest, on the basis of ... Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests”
In addition, there are about 30 COM “reservations” entered by the European Commission, which is clearly miffed about the changes to its original text (e.g. the deletion of the “data minimisation principle”; the “deletion of 'explicit' in the definition of ‘consent’” or even the deletion of the “reference to the UN Convention on the Rights of the Child”). Often there is no detail for the deletion except for “COM reservation on deletion” (of the text identified by those ubiquitous “(…)”).
There are new provisions that reinforce harmony, but these are through the European Data Protection Board. These provisions are not agreed by Member States (witnessed by all the bold underline). It appears to me that the new proposal amounts to the European Data Protection Board making recommendations on harmonisation. The making of recommendations is not a credible mechanism that ensures harmonisation.
From January 1st, the DAPIX text is handed to the Latvians to sort out the mess; it does not need Nostradamus to predict the Latvians’ New Year hangover will probably last the following six months.
Merry Xmas - Hawktalk is back in the New Year
Download the December 2014 DAPIX text here: DAPIX TEXT eu-council-dp-reg-December 2014
Those looking for a seasonal Xmas Card are referred to "Leaked GCHQ Xmas Card resonates to Tolkien as Advocate General slams Data Retention Directive as breaching ECHR": http://amberhawk.typepad.com/amberhawk/2013/12/leaked-gchq-xmas-card-resonates-to-tolkien-as-advocate-general-slams-data-retention-directive-as-bre.html