The final version of the European Data Protection Regulation (Council of Ministers text) is now published (on June 15). The official version however does not contain the 649 paragraphs of scrutiny reservations which shows the degree of disagreement between Member States; I have made both available (see references).
In summary, the Council of Ministers' version of the Regulation contains many carve outs for Member States; it would allow them to implement the data protection legislation with a considerable degree of “flexibility”. Such Member State flexibility can be applied to Articles: 1(2a), 3(3), 4(5), 6(3b), 8(1), 9(2a), 9(2b), 9(2g), 9(2h), 9(2hb), 9(2i), 9(4), 9(5), 9a, 14a(4c), 14a(4e), 17(3b), 20(1a), 21(1), 21(1c), 24(1), 24(3), 26(2), 26(2)(a), 26(2)(g), 26(2a), 30(2b), 33(5), 34(7a), 35(1), 35(7), 44(1)(g), 44(5), 44(5a), 55, 56, 74, 76, 79(3)(b), 79b, 80, 80a, 80aa, 80b, 82, 82(3), 83, and 84.
In addition, the exemption specified in Article 21 impacts on several Articles. It allows “… Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 20 and Article 32, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 20, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard”. This means that Article 21 itself allows each Member State to modify the obligations in: A5, A12, A13, A14, A15, A16, A17, A18, A19, A20 and A32.
To be clear, in this blog, I am not making any argument that exemptions might not be needed; all I am saying is the range of exemptions is in the gift of each Member State and the exemptions in one State can be very different to that in another (although one can expect some common themes in the field of law enforcement).
The following gives a comprehensive list of 35 Articles and a brief description of the ways in which each Member State can implement the requirements; the paragraphs that specify “Member state’s law, via A.21” define the legislative flexibility associated with an exemption. As there are about 90 Articles, it is fair to say that one-third of the Council of Ministers’ text is more like a Directive than a Regulation.
The Articles are:
A.1(2a) Member States law can “introduce more specific provisions to adapt the application of the rules of this Regulation” to any public authority function; this I read to be an ability to “tweak” obligations (such as say data retention) to suit the needs of the public body. I will return to this Article in a different blog in future.
A.4(5) The definition of “controller” appears to allow Member States to designate who the controller is. This designation appears in the UK’s DPA at S.1(4) in a limited form, but the Regulation’s flexibility with this definition is very expansive. I don’t see how you can get harmonisation when Member States can amend the definition of “controller” in the way proposed by the Ministers’ text. See also A.24 below.
A.5 Member State law, via A.21, can exempt the application of the Principles relating to personal data processing, but only in the context of the application of the rights in A.12 to A.20.
A.9 & A.9a There is a general provision to process Sensitive Personal Data for “necessary … reasons of public interest, on the basis Member State law” and a wide ability for Member State law to apply to medical records. Compared with Article 8 of Directive 95/46/EC, there are additional non-explicit consent conditions for the processing of Sensitive Personal Data.
A.12 Member State’s law, via A.21, can exempt the provision of transparent information, communication and modalities for exercising the rights of the data subject.
A.13 Data subject rights in relation to those recipients who need to be informed if the data subject rights of erasure or correction have been successfully applied by a data subject. This right has been removed by the Council of Ministers; but see its new A.17b before jumping to conclusions.
A.14 & A.14a Member State’s law, via A.21, can exempt the provision of a fair processing notice when personal data are collected from any sources.
A.14a Member State’s law can also exempt the provision of a fair processing notice when personal data are collected or disclosed by law by a public authority from sources other than the data subject AND, most importantly, in circumstances NOT covered by an A.21 exemption above.
A.15 Member State’s law, via A.21, can exempt the right of access to personal data and information about the processing.
A.16 Member State’s law, via A.21, can exempt the right to rectification of personal data.
A.17 Member State’s law, via A.21, can exempt the application of the right to be forgotten.
A.18 Member State’s law, via A.21, can exempt the right to data portability.
A.19 Member State’s law, via A.21, can exempt the right to object to the processing.
A.20 Member State’s law, via A.21, can exempt the application of the right not to be subject to automated decision taking.
A.20(1a) Application of the right not to be subject to automated decision taking can also be exempted in circumstances, identified in Member State law, where an A.21 exemption does not apply.
A.21 Member State law can specify the exemptions to the rights specified in A.12 to A.20 (and A.5 and A.32); the exemption conditions are far more expansive than the exemptions specified in A.13 of Directive 95/46/EC. (When I first read this Article an expression that involves the words “coach” and “horses” came to mind!). I will return to this Article in a different blog in future.
A.24 The responsibilities of joint controllers can be determined by Member State law (see also A.4(5) above).
A.26 Data Processors can be bound to the controller by the law of a Member State; usually it is by contract between controller and processor.
A.30 Security of processing; Member State law can require a processor to disclose personal data to the authorities without the controller’s authority.
A.32 Member State law can specify an exemption from the need to communicate a personal data breach to the data subject.
A.33 There is no need to do a Data Protection Impact Assessment if the processing is legitimised by point (c) or (e) of Article 6(1) (i.e. legal obligation, public authority function) unless Member State deems it necessary to carry out such assessment prior to the processing activities (My comment: a Nixonian “expletive deleted”).
A.34 A Member State’s law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to the processing of personal data by a controller for the performance of a task carried out by the controller in the public interest.
A.35 Member State law can mandate controllers to designate a data protection officer; no law – no compulsory data protection officer.
A.44 Member State law identifies when transfers outside the EEA are in the public interest (i.e. when there is no need to assess adequacy); in general, transfers can occur between public bodies merely because there is “a legally binding and enforceable instrument between public authorities” (see A.42(2)(oa)). In practice this is a huge exemption that negates the transfer arrangements outside the EEA for public bodies.
A.55 Mutual assistance between supervisory authorities can be stopped by Member State law to which the supervisory authority receiving the request is subject. I can’t see the need for this.
A.56 Member State law can permit joint operations between the data protection supervisory authority and other law enforcement agencies.
A.74 Member State law can specify the time period within which any judicial remedy against a supervisory authority can be taken.
A.76 Representation of data subjects. Member State law has to give an organisation statutory obligations towards the protection of data subjects before such an organisation can intervene on behalf of a data subject. I do not know whether this would exclude organisations such as Privacy International, Liberty etc. (who are not statutory bodies) from representing data subjects, but this seems to me to be the implication of this Article. (Truly disreputable if this is the intent).
A.79 Member State’s law can determine whether public sector controllers are fined.
A.80 Member State law can determine the balance between the processing of personal data and freedom of expression and information.
A.80a Member State law can determine how the processing of personal data interacts with public access to official documents.
A.80aa Member State law can determine how the processing of personal data interacts with the reuse of public sector information.
A.80b Member State law can determine the lawfulness of the processing of any national identification number.
A.82 Member State’s law can determine specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context. Member state law can “determine the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee” (I read that to mean define how “consent” applies).
A.84 Member State law can determine the extent to which an obligation of secrecy is imposed on a supervisory authority.
As far as I can see, Member State flexibility has been used to overcome objections from Member States about the provisions of the Regulation. Many of these amendments have been made via a legislative process that is remarkable for its lack of transparency; sometimes one can only guess what was driving an amendment or even why a change was needed.
However, the basic problem of Member States going their own way can be simply stated:
(a) The legislative flexibility undermines the consistency mechanism: if Member States can legislate flexibly when implementing any new data protection law, how can a consistency mechanism change that law?
(b) The legislative flexibility makes a reference to the European Court of Justice unlikely if the issue involves a provision where each Member State can decide how to implement it.
In the next few months I will be doing blogs on the specific parts of the Regulation when I understand their effect fully. I suspect that some of the provisions are so “flexible” that they will result in a lower level of protection for individuals than under Directive 95/46/EC, for the reasons identified above. I hope the above will give readers a start with their own analysis.
However, let’s end on a simple observation. Over the next few days I am expecting gushing statements about “how hard it was” and the “path to a 21st Century privacy law” etc. Ignore such comments by looking at the second file of 649 disagreements that are being resolved by allowing Member States to determine how the new data protection law works in practice.
In summary, there are 35 flexible provisions to be implemented by 26 Member States in their own way; this can result in 26 separate data protection laws which could have significant differences in 35 Articles. The Commission’s objective of obtaining a consistent data protection approach has comprehensively failed.
From the UK perspective, it is well known that the UK Government has not implemented Directive 95/46/EC properly (according to the European Commission), and is intent on messing with Article 8 of the Human Rights Act.
In short, there is much to be worried about in the Council of Ministers' text; one hopes the Regulation does not emerge in this form after the trilogue discussions.
The Council of Ministers’ final text to be agreed on June 15th: Download Council of Ministers text minus objections from Member States
The Council of Ministers’ final text to be agreed on June 15th, including the 649 paragraphs of disagreements: Download Council of Ministers text plus objections from Member States
UK not having implemented Directive 95/46/EC properly. See for example: http://amberhawk.typepad.com/amberhawk/2014/10/european-commission-raises-infraction-threat-to-uk-on-failing-to-implement-directive-9546ec-properly.html