This blog explains, in detail, how the Council of Ministers’ text of the Regulation, in particular the exceptions specified in Article 21 (A.21) and the flexibility granted to Member States to enact variations to the obligations under the Regulation, are very likely to result in a level of data protection below the standard established by Directive 95/46/EC.
Given that the relevant parts of the Regulation (e.g. the exceptions in A.21) are being considered in current Trilog discussions, the blog provides a link to a full analysis as well as this summary. You can download the full analysis here which expands the summary considerably. Download Detailed analysis of A.21 (Council text)
For convenience, I am using “The Regulation” to mean “the Council of Ministers’ version of the text of the Regulation currently under discussion at the Trilog” whilst the “Directive” is shorthand for “Directive 95/46/EC” (see references for links to both if need be).
Summary of key points of the analysis
1. The Regulation in A.21 increases the number of exceptions that Member State law can introduce to more than twenty; of particular note is the exception with respect to “important objectives of general public interests of the Union or of a Member State”. As any government can argue that the reason for enacting any legislation is to meet “important objectives of general public interests”, then the A.21 exception is potentially very broad in its application and could apply to any Member State legislation.
2. By definition, the “important objectives of general public interests” exception is only one exception in the 20+ that are listed in A.21; this exception is unconnected with the other exceptions in that long list (i.e. the “general public interests” exception is unconnected with protecting national security, defence, public security, crime etc etc.). I have failed to identify any “important objective of general public interest” which does not fall within the other 20+ exceptions.
3. The Directive exception in Article 13 (A.13) does not contain the “important objectives of general public interests” exception. It follows that any use of this exception is very likely to allow the use of an exception that is below the level of protection specified in Directive 95/46/EC.
4. All Directive exceptions in A.13 are explicitly linked to Article 8(2) of the European Convention on Human Rights (ECHR) and, as a result, there is the general safeguard that requires the use of any exception to be “necessary” and “proportionate”. There are many exceptions in the Regulation (see from paragraph 6 and “Exceptions introduced by Member State law” below) where the link to the ECHR safeguards is absent.
5. There is no explicit requirement for Member States to consult the data protection authority when legislation that varies the impact of the Regulation has been enacted or is being drafted (e.g. to assess the quality of any proposed data subject safeguard).
6. The exceptions to the rights in Article 14(a)(c) (not to be transparent), Article 14(a)(e) (maintaining secrecy) and Article 17(3)(b) (right to be forgotten) are delinked from A.21; this means that the exceptions in relation to these Articles do not require an “important objectives of general public interests” threshold to be identified. For example, the use of an unqualified “public interest” which triggers the exception in A.17(3)(b) is well below the threshold of “important objectives of general public interest” as required by the A.21 exception.
7. The three exceptions from data subject rights in A.14(a)(c), A.14(a)(e) and A.17(3)(b) are also delinked from A.21 safeguards that any “restriction constitutes a necessary and proportionate measure in a democratic society”.
8. As the use of the “important objectives of general public interests” exception lowers the protection afforded to data subjects below that of the Directive (see paragraph 3 above), then it follows that any application of the exceptions from the rights based on a mere unqualified “public interest” in A.14(a)(c), A.14(a)(e) and A.17(3)(b) will do likewise.
9. The Regulation has narrowed the application of the A.21 exception with respect to the Data Protection Principles in order to facilitate wider exceptions with respect to these Principles. There is an exception from the Finality Principle if the “further processing” purpose is for an “archiving purpose in the public interest” or any “scientific, statistical or historical purposes”; similarly there is no breach of the Retention Principle if the purpose of retention relates to these purposes. Use of these two exceptions is delinked from A.21; therefore the application of the exception does not need an “important objectives of general public interests” or safeguards that the exception “constitutes a necessary and proportionate measure in a democratic society”.
10. The Regulation introduces a general “archiving purpose in the public interest”. In my view, archiving is not a purpose in itself because organisations create “archives” for a specific purpose (e.g. in order to prove that payments have been made, because legislation requires retention of records for a purpose such as money-laundering). The notion of “archiving purpose in the public interest” needs additional clarification as to the purpose of archiving. As stated in paragraph 8 the “public interest” associated with the archiving purpose is much lower than the test of “important objectives of general public interests” specified in A.21 and is likely to result in a level of protection lower than the Directive.
11. The “right to erasure or to be forgotten” (A.17(3)(d)) does not apply “for archiving purposes in the public interest or for scientific, statistical and historical purposes”; the objections identified in paragraphs 9 and 10 thus apply and a level of protection lower than the Directive will result. Of particular concern is the removal of the word “research” in the Council of Ministers text (see next paragraph).
12. Perhaps the Council of Ministers have “archiving for a scientific, statistical or historical research purposes” in mind with respect to the exception described in paragraphs 9-11 above. However, the use of the word “research” has been removed; the Regulation refers to “scientific, statistical and historical purposes” whereas the Commission and European Parliament versions refer to “scientific, statistical, or historical research purposes”. Thus in the attempt to facilitate research, the Regulation has constructed an exception that is far too broad which can take the level of protection below that of Directive 95/46/EC. Far from making it easier for researchers, this exception could undermine trust in researchers who need data subjects to embrace their research programme.
Exceptions introduced by “Member State law”
I have already mentioned in a previous blog that Member State law can change the impact of the Regulation in the following Articles: A1(2a), A3(3), A4(5), A5, A6(3b), A8(1), A9(2a), A9(2b), A9(2g), A9(2h), A9(2hb), A9(2i), A9(4), A9(5), A9a, A14a(4c), A14a(4e), A17(3b), A20(1a), A21(1), A21(1c), A24(1), A24(3), A26(2), A26(2)(a), A26(2)(g), A26(2a), A30(2b), A32, A33(5), A34(7a), A35(1), A35(7), A44(1)(g), A44(5), A44(5a), A55, A56, A74, A76, A79(3)(b), A79b, A80, A80a, A80aa, A80b, A82, A82(3), A83, and A84.
In other words, Member State law can legislate to change the impact of the Regulation; diverse (disharmonious) versions in the implementation of the Regulation across Europe will inevitably result. In the context of this blog, however, any change legislated by a Member State in relation to any of the above Articles should be seen as allowing that State to implement an exception from the effect of a particular provision in the Regulation.
The flexibility introduced in relation to Member State law is, in effect, a euphemism for “Member States legislating for additional exceptions” from the Regulation.
Most of these Articles that allow Member States to legislate in their own way are not linked to the requirements in A.21. This means that any exception that the Member State law introduces by virtue of these unlinked Articles is not explicitly required to be “a necessary and proportionate measure in a democratic society”. Indeed there is no need for any Member State exception to possess any “important objectives of general public interests of the … Member State”.
For clarity, I am not saying that Member States will actually implement inadequate safeguards; however the risk is there. History shows that Member States have often legislated to suit their own processing objectives and modify the impact of data protection law to suit their own needs (e.g. the row in the UK about communication data retention by telecommunications companies or use of medical records in research).
More detail on what needs to be done?
To identify some important key omissions in the Regulation just answer a simple question:
“Who do you trust to get the correct balance between data subjects’ rights and data controllers’ responsibilities in data protection when Member States enact legislation to vary the effect of the Regulation?”.
There are five real choices: (a) data controllers (b) Member States (c) European Commission (d) data subjects or (e) data protection authorities (and the courts). So which one is it?
Member States would answer (b); I suspect you answered (e).
You can now identify what the Regulation is missing. So if there are going to be a large number of exceptions from the provisions of the Regulation available for Member States to enact, then….
(1) There needs to be an Article in the Regulation that explicitly states that the use of any exception or modification to the Regulation introduced by Member State law does not take the level of data subject protection below that of Directive 95/46/EC.
(2) Data protection authorities must have a role in advising Member States whenever any exception introduced by virtue of Member State legislation is being considered.
(3) All exceptions in the Regulation including those introduced by Member State law have to be brought within the compass of A.8 of the ECHR (i.e. subject to a test of “necessity” and “proportionality”).
(4) The data protection authorities have to have a role in enforcing A.8 of the ECHR where any enforcement can be appealed through the judicial system.
(5) Groups representing data subject interests or data controller interests can raise issues of data protection importance with a data protection authority (and/or the Courts).
(6) Data subjects are not charged a fee to instigate review or appeal proceedings with respect to a breach of the Regulation (given recent moves in the UK re charging and FOI requests this is essential).
If the above happened, I would be more relaxed with the Regulation as there would be a counter-balance to the problem of Member States “doing their own thing at the expense of data subjects”. However, in the absence of the above safeguards, my conclusion is that if the Council of Ministers text prevails, the level of privacy protection established under Directive 95/46/EC cannot be guaranteed.
Indeed, I go so far as to say that the Regulation is likely to result in Member State laws that significantly lower the protection afforded to data subjects (well below that of Directive 95/46/EC).
You can download the full analysis here. Download Detailed analysis of A.21 (Council text)
A recent blog explained how the Council’s text removes the data subject protections established by recent ECJ Judgements: https://amberhawk.typepad.com/amberhawk/2015/07/council-of-ministers-regulation-text-negates-ecj-rulings-in-lindqvist-and-ryne%C5%A1.html
The Trilog Regulation set of documents (520 pages); I have provided the EDPS version as it is useful to see his compromise solution in his “Comparative table of GDPR texts with EDPS recommendations”. https://secure.edps.europa.eu/EDPSWEB/edps/Consultation/Reform_package
Data Protection Directive 95/46/EC: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
More detail on the list of Articles where Member States can go their own way: https://amberhawk.typepad.com/amberhawk/2015/06/harmony-what-harmony-disharmony-extends-to-one-third-of-the-data-protection-regulation.html
History: the infamous Clive Ponting prosecution in 1985 was under the Official Secrets Act. It concerned a Civil Servant who disclosed classified documents to Tam Dalyell MP which allowed him to ask precise Parliamentary Questions about the location and direction of travel of the “General Belgrano”, the World War II cruiser, when it was torpedoed at the start of the Falklands War. The judge’s summing up in the Ponting case: https://www.documentcloud.org/documents/1386622-ponting-summing-up-as-sent-by-lslo-to-pm.html
More on data protection authorities acting as Human Rights Commissioner for Article 8:
We are discussing the Data Protection Regulation at our half day workshop on Sept 28 https://www.amberhawk.com/bookevents3.asp or Update session on Oct 19 https://www.amberhawk.com/bookevents.asp (both London)