This blog explains why I think the Italian text of the Regulation published just before Xmas is likely to provide data subjects with a lower level of protection than Directive 95/46/EC or even the current Data Protection Act 1998 (DPA).
In the blog, I raise four areas to make the case:
- A carve out for the public sector (this allows Member States to legitimise processing that otherwise could be in breach of a data protection requirement).
- The “risk based” approach and consent (this transfers some of the risks arising from the processing to the data subject).
- The right to object to the processing (this right, which currently exists under the Data Protection Act, is removed for public sector data controllers).
- There is no requirement in the Regulation to maintain the Directive level of protection.
Carve-out for the public sector
Article 1 of the Italian text allows Member States to:
“…maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to the processing of personal data for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller … by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing ….”.
The new provision was inserted to meet the concerns of applying the Regulation to the public sector in Germany. However, the consequence of this provision is that it allows any European Government to ensure the lawfulness of any processing of personal data which is required by any political policy objective of any governing party.
In the UK context, it allows the practice of using secondary legislation (which is hardly ever scrutinised by Parliament) to modify the application of the data protection principles to continue. For example, should Ministers have wide-ranging powers to specify how personal data about education are collected, retained, used or disclosed, or even to determine when such personal data are accurate? And what about a power for Ministers to prescribe the use of patient health records for medical research because a Minister considers such use “expedient”?
The use of such powers to make the processing of personal data lawful is commonplace in the UK. For instance, look at Section 12(6) of the Children Act 2004 or Section 251 of the National Health Service Act 2006 (see references). Such powers get more controversial when they relate to Home Office functions such as law enforcement as they often provide untrammelled powers to facilitate data sharing or data retention.
I have often raised this issue in Hawktalk. As soon as legislation is used to make the processing of personal data lawful (e.g. the retention of communications data for say a year), then the protection afforded to data subjects falls away (e.g. if one-year data retention is lawful it is difficult to establish a breach of the Fifth Principle until one year has elapsed; see references for more detail on this).
In summary, however, Article 1 permits “legislative excess” to grow. Quite simply, it is so broad that it enables any Government to legislate one set of data protection rules for itself and another set of data protection rules for the rest.
The “risk based” approach
Article 22 of the Italian text states that the controller, when implementing any data protection obligation, can take into account:
“… the nature, scope, context and purposes of the processing as well as the likelihood and severity of risk for the rights and freedoms of individuals, the controller shall (…) implement appropriate measures and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.”
In summary, this provision establishes the “risk-based” approach to data protection much favoured by several Member States including the UK. The objective is to allow the data controller to implement data protection controls proportionate to the risks associated with the processing. This approach appears in several Articles of the Italian text (e.g. relating to security, PIAs etc) and appears to be eminently sensible.
In the DPA there is a risk test which looks at the harm arising to data subjects under the Seventh Principle; this is to make sure the security measures adopted by a controller are based on an assessment of risk to data subjects. By contrast, the harm test in Article 22 is much broader and applies to any Regulation requirement (e.g. any Principle).
So can the controller assess the risks to data subjects arising from the processing? If I asked you the question “who is aware of the actual risks associated with the processing of personal data?”, I would expect the answer “the data subject” (i.e. not the controller). The controller can have a good go at estimating the risks, but he does not know the actual risk.
In other words, the “risk based approach” is based on a fundamental intellectual flaw; it assumes that the data controller’s risk assessment can apply to each and every data subject. Such a risk based assumption can work if the content of the personal data is obviously sensitive for all data subjects (e.g. a database of health records or personal data subject to an obligation of confidence). However, it is a dubious assumption to rely on when other circumstances arise.
For example, a database of names and addresses is likely to be viewed as low risk from the perspective of a data controller; this is because the content of the personal data (names and addresses of data subjects) is often in the public domain (e.g. lists of contacts, electoral rolls, telephone books etc).
However from the perspective of a particular individual data subject who has a personal security issue unknown to the controller (e.g. a woman trying to avoid an abusive relationship), then any use or disclosure of a name and address could present a high risk.
In addition, we know that many data subjects do not read T&Cs or privacy policies (see last week’s blog). So suppose a prominent fair processing notice says “Tick the box if you do not want third parties to contact you”, and suppose further that a subsequent “third party contact” with the data subject was of an unsavoury nature.
The controller could argue that the risk of the unsavoury contact was identified in the fair processing notice; it was then accepted by the data subject when he ticked (or did not tick) the relevant box which clearly specified contact by any third party. In other words, because the data subject has accepted the risk of contact, the data controller is absolved from any responsibility.
This is especially the case as Article 7 of the Regulation has made the data subject consent requirements more specific; the Regulation makes it easier to argue that the data subject is fully aware of specified processing activities and related risks.
In combination, the Italian text permits a data controller to argue as follows:
“I have done a thorough risk assessment which applies to the vast majority of data subjects. I have determined the major risks and taken remedial action. I have fully informed the data subjects concerned about the processing and each data subject is thus aware of any residual risks and has had the opportunity to minimise them. Therefore it follows that I have met the requirement to implement the appropriate measures and the data subject, sadly, is to blame for not acting on the residual risk that I have identified”.
The risk based approach is absent in the Data Protection Act and in Directive 95/46/EC; in my view, its inclusion in the Italian text represents a transfer of residual risk from the data controller to the data subject. In a sense, the risk based approach makes it easier for the data controller to argue that data protection compliance is limited to the major risks the controller can identify.
Another way of seeing this transference: if it is easier for data controllers to prove compliance, it becomes harder for data subjects to seek redress. The Regulation, by the way, is meant to protect data subjects.
The right to object to the processing
The DPA’s Section 10 right to object applies to any processing of personal data which is necessary for the functions of a public body controller and where the processing causes, or is likely to cause, unwarranted substantial damage or unwarranted substantial distress in the context of a specific data subject.
This right is in Directive 95/46/EC; it’s in the Commission’s original Regulation text; it’s even in the UK’s current DPA; but it has been expunged from Article 19 of the Italian text. It is a clear example of where the current level of protection afforded to data subjects is being reduced.
The right to object is valuable as it affords limited protection for an individual when the processing of personal data by a public body is manifestly unreasonable. So, for instance, suppose a Local Authority installs a facial recognition CCTV system, and suppose further that the data subject’s face has similar biometrics to those of an offender wanted by the police. Suppose further that, every time the data subject goes shopping in the High Street, he is picked up by the police as a result of the Local Authority tip-off about the wanted person.
Under the current DPA, that data subject can exercise the S.10 right to object on the grounds that the processing is causing unwarranted substantial distress because the algorithm used by the facial recognition system is always presenting a false identification for the data subject. Under the Italian Regulation text, there is no such right to object.
Note that in a risk based approach, a Section 10 right is an essential counter-balance for an individual; it allows a particular data subject to argue that even though the processing is perfectly proper for most other data subjects, in his particular case the processing is so distressing or damaging that it should cease.
Those Member States that favour a risk based approach have failed to recognise that if there is a general approach based on data controller assessment of risk, there is a need to offer some kind of redress when an exceptional set of circumstances arise for a data subject on a case-by-case basis. Thus, instead of removing the right to object, a risk based approach should require the right to object to be widened. The Italian text, regrettably, goes in the other direction.
In general, there is no safeguard in the Regulation that prevents a significant diminution in the level of protection afforded to data subjects from the level established by Directive 95/46/EC. For instance, the Italian text has widened the categories of exemptions (e.g. from subject access) from a list of 7 categories in Article 12 of Directive 95/46/EC to a list of 11 categories of exemption in Article 21.
In addition, there are some 20 Articles where Member States have flexibility on how they implement a provision. So what protects the data subject from a reduction in protection? Answer: nothing.
By contrast, implementation of Directive 95/46/EC contained Recital 10. This required that the harmonisation of national data protection laws did not disadvantage data subjects by causing a reduction in the standard of data protection afforded to them by the respective national law. The second part of Recital 10 states:
“….whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community.”
There is no similar provision in the Italian version of the Regulation text. Indeed, I suspect that such a provision could not now be inserted into the Regulation because of the widening of exemptions in Article 12, the introduction of a risk based approach towards data protection, and the diminution of the right to object. All of these have the effect of lowering the level of protection afforded to data subjects as compared with the protection offered by Directive 95/46/EC.
Let us be clear. If the Italian text stays as it is, I would want the European Parliament to vote down the Regulation and stick with Directive 95/46/EC.
This is especially the case if the next relevant ECJ judgment on the Directive concluded that an IP address can be personal data in many instances. This would mean that URLs, location data used by apps etc would also be personal data subject to national data protection law.
Recent judgments from the ECJ have served to protect the interests of data subjects. This is unlike the Italian text of the Regulation I hasten to add.
References
Italian DAPIX text permits Member States to set their own data protection rules: “Italian Data Protection Regulation text exposes Member States disharmony; risk of weaker protection for data subjects increases” on: http://amberhawk.typepad.com/amberhawk/2014/12/italian-data-protection-regulation-text-exposes-member-states-disharmony-risk-of-weaker-protection-for-data-subjects-increas.html (you can download the Italian text at the end of the above reference).
“How the UK’s risk-based data protection policy can result in lower standards of data protection” (in particular the section in the middle of the blog entitled “The risks of the risk based approach”) on: http://amberhawk.typepad.com/amberhawk/2013/06/how-the-uks-risk-based-data-protection-policy-can-result-in-lower-standards-of-data-protection.html
Why the one-stop shop does not work: http://amberhawk.typepad.com/amberhawk/2014/06/google-lost-its-two-recent-court-cases-for-the-same-reason-the-one-stop-shop-does-not-work.html
Examples of what I call “legislative excess”: Section 12(6) of the Children Act 2004 http://www.legislation.gov.uk/ukpga/2004/31/section/12 and Section 251 of the NHS Act 2006 http://www.legislation.gov.uk/ukpga/2006/41/section/251
How direct powers denude the protection afforded by the Data Protection Act: see from page 8 of http://www.amberhawk.com/uploads/surv1_website(2).doc.
Why there should be a link between Article 8 and the Regulation: http://amberhawk.typepad.com/amberhawk/2012/11/information-commissioners-enforcement-proceedings-links-article-8-to-unlawful-processing.html
To see videos that show data subjects’ responses when they realise what they have actually given consent for: http://amberhawk.typepad.com/amberhawk/2015/02/materials-to-help-you-laugh-learn-and-chill.html