Do you know what? After watching a very turgid video covering the meeting of Ministers (June 6th) which discussed the Irish text of the Data Protection Regulation, I have concluded that there is no agreement in sight. Indeed, I think the Regulation will not see the light of day unless there is a great “love-in” between Member States.
As I explained in the last blog, some Member States want more “risk assessment”; a move which in combination with a reduced consent requirement will, in my view, definitely reduce the protection afforded to individuals below that of Directive 95/46/EC (see last blog). This view has been reinforced by public comments in the French Parliament (see references) following the meeting last Friday week.
In summary, at the Meeting, each Minister expressed broad support for the risk assessment elements of the Irish text (i.e. that certain security elements such as reporting data losses depend on a risk assessment or Privacy Impact Assessment) and the consequential reduction in the administrative burden.
There was also universal agreement that the Regulation should apply to the European Union itself (and this will happen).
Apart from that, there was very little else to agree on, and that is why all Member States agreed that “nothing is agreed until the text as a whole is agreed”. A better version of this quotation is perhaps “we agree to disagree for the moment” (which I suspect is more accurate).
I have broken down the blog into four areas that report the areas of Member State division; these are:
• Do we want a high level of data protection?
• Unambiguous consent versus explicit consent
• Public sector inclusion
• Data minimisation
Do we want a high level of protection?
The European Commissioner responsible for the original text of the Regulation (Viviane Reding) and Ministers from Germany, Austria and France all referred to the need for a “high level of protection”. This statement really should raise alarm bells with data subject groups; why would this question be raised unless the Member States concerned think that the Irish text did not offer a high level of protection?
Indeed, Ms. Reding stressed that a red line for her was a text that did not offer the level of protection afforded by Directive 95/46/EC. Greece, for instance, explicitly referred to “regression with respect to Directive 95/46/EC” (which happens to coincide with my view of the Irish text; see references).
In other words, some important Member States have expressed the worry that the Irish “flexible” text degrades the existing level of protection afforded to individuals; if this view persists, the Regulation is finished (much to the satisfaction, I suspect, of a few Member States including the UK).
As for Ms Reding, all I will do is use the quote she gave in a press release before the Ministers’ meeting. It says it all:
"I will fight for a reform of the EU's data protection rules that will strengthen the rights of EU citizens and stimulate growth in the evolving digital single market. With this reform, Europe should become a standard setter for modern data protection rules across the globe. I count on the European Parliament and on the incoming Lithuanian Presidency to resist, alongside the Commission, all attempts by those who are still trying to weaken data protection standards in Europe." (my emphasis).
Unambiguous consent versus explicit consent
For Ms Reding, the Irish reversal to “unambiguous consent” means that the Regulation will fail to offer a higher level of protection. Her view is that the Directive 95/46/EC formulation of “unambiguous consent” has meant that silence (e.g. some forms of opt-out, one presumes) has been equated with consent, thus guaranteeing a lower level of protection.
For her, “explicit consent” is needed because the “unambiguous consent” of Directive 95/46/EC has failed to deliver; a view that has the support of Germany, Greece, France, Italy, Poland, Romania and Spain. On the other hand, many countries prefer “unambiguous consent”; for instance, the UK, with many others in support.
My own conclusion is that Member States are split on this subject and the final form of consent is unclear. However, on balance, I think consent needs to be explicit because many Member States want the old “unambiguous consent” to be combined with a risk based approach to data protection.
As I explained in the last blog, this combination could significantly degrade the protection afforded to data subjects, so much so that any call for a “risk approach” in the absence of “explicit consent” as per the original Regulation text is, in my view, a euphemism for the “reduced protection” so feared by Ms. Reding.
Public sector flexibility
A number of Member States (e.g. Germany, Denmark, Spain, Belgium, Lithuania) want “flexibility for the public sector”. For flexibility, read “more exemptions”.
Sadly, however, these Member States did not specify what "flexibility" was being sought so one assumes that it is broadly based. Since the Irish text relates to rights and Principles, one presumes also that these exemptions being sought by certain States are from rights of data subjects and/or Principles (merely because the data controller is in the public sector). However, public sector exemptions from the regulatory regime (yet to be agreed at Ministerial level) could be a further possibility.
It is important to explain why such exemptions degrade the level of data protection. Suppose a data controller is required by law to collect data item X from all data subjects for purpose Y. For example, in Scotland, Mrs Thatcher’s Poll Tax legislation demanded the collection of the dates of birth of all adults in Scotland.
In practice dates of birth were only needed for those coming up to the age of 18 so the date upon which the Community Charge commenced for them could be identified. After the 18th birthday, the date of birth was not needed by Community Charge officials.
In other words, the vast majority of dates of birth were collected by law and not needed. However, because there was legislation requiring the collection and use of such dates of birth, the processing was lawful and the personal data were relevant (i.e. the legislation itself legitimised the excessive processing of personal data and was in fact an exemption from the relevance requirement).
Note that the data protection requirements of “relevance” did not get a look in!
This problem is writ large across the public sector and explains why public sector surveillance, authorised by law, is in effect a broad data protection exemption. So if Ministers want more carve-outs from data protection obligations for their own Departments of State, don’t be surprised if you see many of them in the Regulation.
Minimal data minimisation
Quite a few countries (Germany, France) expressed concern that the Principles had lost the requirement for data minimisation (i.e. the obligation that personal data are “limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”).
These Member States agreed with Ms Reding who said that the data minimisation Principle was important to protect privacy with respect to developments in Cloud Computing and Big Data, and would promote the use of 'pseudonymous data' (rather than identifiable personal data). I suspect Ms. Reding sees data minimisation as another red-line.
Note that this has to be read with the fact that Privacy by Design (PbD) requirements are now subject to a risk assessment, which reduces the impact of the original provision. The data minimisation requirement of the original text has been eliminated; instead PbD is a requirement (if appropriate to the risks), and the Irish requirement (in A.23) applies only to “the amount of data collected, the period of their storage and their accessibility”.
Note that these PbD provisions do NOT apply to the “use” and “disclosure” of personal data and I think this, and the removal of the strict data minimisation requirement, substantially degrades PbD as a protection.
So, in short, data subjects can see reduced consent requirements, their personal data not subject to some minimisation rules, more exemptions for the public sector in circumstances not related to crime and taxation, as well as a risk based/unambiguous consent combination I discussed in the last blog.
In short, I think Member States that fear a reduced level of privacy protection afforded to data subjects are right.
Council of the European Union Justice and Home Affairs - Legislative Deliberations re the Data Protection Regulation, Thursday, June 6, 2013; (starts 9 minutes 48 secs in):
Note: to get to a specific Member State contribution, scroll down after the five items marked (Item A), the last one being “A Item 5 – removal of fins from sharks”. Under the “personal data” tag is a list of country flags (Ms Reding is the Euro flag). Before each country flag is the Irish flag (which is the Irish chair’s introduction to the contribution of each Member State). Remember to choose your national language as well.
My blog on Google and Facebook getting the upper hand with the Irish text:
My blog on the Irish gutting the Commission’s original Regulation text: http://amberhawk.typepad.com/amberhawk/2013/06/irish-do-hatchet-job-on-the-data-protection-regulation.html
French view of the Regulation (another blog) http://www.hldataprotection.com/2013/06/articles/consumer-privacy/draft-eu-data-protection-regulation-rejected-by-french-government/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ChronicleOfDataProtection+%28HL+Chronicle+of+Data+Protection%29
If you are interested in why data protection and human rights legislation has difficulty in protecting privacy (set in the context of general surveillance): http://www.amberhawk.com/uploads/surv1_website(2).doc