Here is a swift “low-down” on the latest DAPIX leak (thanks to a friend of a friend who knows someone who received an email).
I think the headline says it all; the Regulation is being softened and weakened from the data subject perspective. The DAPIX document (see references for a copy) only refers to some Articles so the general effect on the Regulation is not clear from the document. However the direction of travel is clear.
That direction is; less prescription and more flexibility for Member States, all data subject rights to object (e.g. to forget, profiling) much reduced, the data protection officer role is not going to happen in the UK (I think), and data loss reporting becomes more sensible. The proposed modification to Schedule 2, paragraph 6 condition could impact on the UK's DP/FOI interface (Note posted 12/6/2013: the Irish draft text of the Regulation contains Article 80(a) which removes this risk - see last para of blog of 12/6/2013)
My own view: I still think the Regulation will not make it. Just look at the number of reservations from Member States. And there are another 40 Articles to go.
Definitions are closer to the Directive
The definition of personal data looks like the one in the Directive:
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly (…), in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. (Identification by persons other than the data controller has "gone")
There is a definition of 'pseudonymous data': this means “personal data processed in such a way that the data cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”. However, it is unclear where it is used in the Regulation, so hold off criticism. Remember Google et al have spent a lot of money on this amendment!
Despite intensive lobbying from those who avoid corporation tax, the definition of 'pseudonymous data' has not been well received by Member States (so I suspect its use will be limited). The DAPIX document notes that “BE, DE, DK, IT, SI, PL and PT have lodged scrutiny reservation. FR and UK reservation. FR and PL queried the need for a definition of pseudonymous data. UK thought the definition was too strict, making pseudonymous data tantamount to anonymous data”. (I am assuming that readers can identify Member States by their two letters).
The Schedule 2 condition if the 1998 Act re that processing which is necessary in order to protect the vital interests of the data subject” has “or another person” added. This makes the condition look like the Schedule 3 vital interests condition.
The balance of interest conditions (para 6 of Schedule 2 of the 1998 Act) has replaced “third parties” by "data controller". For instance, the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a controller to which the data are disclosed except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
Note that for this condition to apply, the person to whom the personal data are disclosed has to be a data controller (and thus most likely subject to a data protection regime). So for instance, disclosure to Third Parties who are not processing personal data will no longer be legitimised by this version of the para 6 condition.
It can be seen that the condition used to justify disclosures of personal data to "third party" FOI requestors (i.e. the public in general) does not work if the requestors are NOT data controllers (i.e. some requestors will not be data controllers). An example of the law of unintended consequences perhaps.”.
Second Principle expanded in the direction of WP29 view
There are conditions prescribed for when a further processing purpose is incompatible with the purpose of collection. The WP29 view of the purpose limitation principle finds some reflection in the DAPIX document. It suggests:
“In order to ascertain whether a purpose of further processing is compatible with the one for which the data are initially collected, the controller shall take into account:
(a) any link between the purposes for which the data have been collected and the purposes of the intended further processing;
(b) the context in which the data have been collected;
(c) the nature of the personal data;
(d) the possible consequences of the intended further processing for data subjects;
(e) appropriate safeguards (CP comment: "for whom?" - one hopes "data subjects")
Right to data portability in trouble
The document shows that Member States don’t like this right and it might not survive. There is a “UK reservation: while it supports the concept of data portability in principle, the UK considers it not within scope of data protection, but in consumer or competition law. Several other delegations (DK, DE, FR, IE, NL, PL and SE) also wondered whether this was not rather a rule of competition law and/or intellectual property law or how it related to these fields of law. Therefore the UK thinks this article should be deleted".
The countries of “DE, DK and UK pointed to the risks for the competitive positions of companies if they were to be obliged to apply this rule unqualifiedly and referred to raises serious issues about intellectual property and commercial confidentiality for all controllers. DE, SE and UK pointed to the considerable administrative burdens this article would imply.”
Right to forget in trouble
I have counted 18 countries (66% of Member States) having some gripe or other about this right; I think it’s a “gonner”. Just look at the following:
“DE, EE, PT, SE, SI, FI and UK scrutiny reservation . BE, EE, FR, NL, RO and SE reservation on the applicability to the public sector. Whereas some Member States have welcomed the proposal to introduce a right to be forgotten (AT, EE, FR, IE); other delegations were more skeptical as to the feasibility of introducing a right which would go beyond the right to obtain from the controller the erasure of one's own personal data (DE, DK, ES). The difficulties flowing from the household exception (UK), to apply such right to personal data posted on social media were highlighted (BE, DE, FR), but also the impossibility to apply such right to 'paper/offline' data was stressed (EE, LU, SI).”
Right to object to profiling neutered; carry on profiling
The right to object to profiling is made completely ineffective (e.g. as the right to object to automated decision taking in the current Act). There is an exemption that covers most of the time when profiling occurs. Profiling is OK if:
"it is carried out in the course of the entering into, or performance of, a contract between the data subject and a data controller (…) and suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the rights of the data subject to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision"
Transfers outside the EEA
There is a new Right to know about transfers : "Where personal data are transferred to a third country, the data subject shall have the right to obtain a copy of the appropriate safeguards relating to the transfer".
Data loss reporting conditions much reduced
All data loss provisions are qualified by the condition: "In the case of a personal data breach which is likely to severely affect the rights and freedoms of data subjects" or “When the personal data breach is likely to severely affect the rights and freedoms of the data subject, the controller shall communicate the personal data breach to the data subject without undue delay".
Data protection officer role left to Member States
In the UK, we might not have the data protection officer role. This can be seen immediately when one reads “The controller or the processor may, or where required by Union or Member State law shall, designate a data protection officer”. Will we get one? Doubt it.
Happy summer time reading (if we have a summer that is).
The DAPIX document Download Blog DAPIX leak June 2013
We are holding our half day on the Data Protection Regulation on June 10th (half a day with me must be worth something; for details click on the top left)