I have been taken to the Promised Land and seen our data protection future

I have just attended an interesting (and partly depressing) data protection event which considered the implementation of the Data Protection Regulation. The European Commission’s spokesperson (Paul Nemitz) signalled an inflexible approach towards the implementation of the Data Protection Regulation; he stated that he would consider amendments that make the Regulation work better but not those amendments that were based on alternative (and better) ideas.

At the meeting Mr Nemitz pointedly said that in Germany there is a high level of data subject trust and a thriving German economy; high standards of data protection  and economic success go hand in hand. He said that the Commission had the balance of interests “more or less correct”, and changes to the text most needed would be those that tinker at the edges.

This means that the list of “no real change” areas for the Commission that appear to be non-negotiable are as follows:

• routine transfers of personal data outside the EEA by larger data controllers have to be approved by a data protection authority or Commission in some way or another;

• adherence to breach notification arrangements that do not consider the harm to data subjects. My fellow blogger Martin Hoskins – who deals with breach notifications as part of his day job - estimates that the ICO will have to employ 150 staff to deal with this element of the Regulation alone (see references)!

• a data protection authority that has no flexibility and little freedom of decision making and are almost reduced to automatons;

• a concentration of power in the hands of the Commission. All data protection power is in the hands of the Commission, there is little role for national parliaments.

I really don’t like the fact that we are expected to trust the Commission with these unfettered powers. This is a Commission that has a track record of ignoring the European Data Protection Supervisor, Working Party 29 Agreements and making political agreements such as the EU-USA PNR deal which have undermined data protection standards (see references). It even has powers to modify the Regulation that will apply to its own processing.

At the end of the presentation, a colleague who is on the candidates’ list of a major political party, reached across and asked “whether I agreed that Mr Nemitz was recruiting for UKIP?”. And that about sums it up.

Working Party view

The Data Protection Working Party has just published their view of the Regulation and has supported some of my concerns. For instance the Working Party says:

Data loss: “The Working Party nevertheless has doubts as to whether the way in which the notification duty is set up will lead to satisfactory results. Notably the scope of the duty to notify to the supervisory authority should be more focused and restricted. The situation that supervisory authorities are distracted by and overburdened with the processing of notifications of minor data breaches which are unlikely to adversely affect the rights of data subjects should be avoided”.

Lack of flexibility in the Regulatory structure: “DPAs  (data protection authorities) should be enabled to be selective in order to be effective; they should be able to define their own priorities and to start actions, such as investigations, on their own initiative, notwithstanding the obligations regarding cooperation, mutual assistance and consistency according to Chapter VII.

DPAs should be able to allocate resources according to the strategic character and the complexity of issues at stake, for example by taking into account the actual or potential detriment to data protection, the number of persons concerned and the technology used. Allowing DPAs to set their own priorities also helps to deal with financial and budgetary constraints.

In relation to Commission’s powers: “with regard to both proposed instruments, the Working Party notes with concern the extent to which the Commission is empowered to adopt delegated and implementing acts. While recognising the need to ensure that certain issues can be dealt with at a more detailed level at a later stage, the Working Party considers this is not the case, for example, for rules regarding data breach notifications”.

ICO is out on a limb re data transfers outside EEA

However, with respect to data transfers outside the EEA, even the Working Party want the data protection authority to sign them off in some way or another. Because of this, it is important to understand the difference between most DPAs and our ICO.

• The UK Act takes the view that all data controllers are responsible for all their own personal data and if they transfer personal data then they are accountable for that transfer.  The ICO takes the view that this is the best solution – ensure that the data controller remains accountable for transfers is maintained in the Regulation.

• Most European regulators have provisions that require transfers that have to be authorised by some way or another; the Regulation states that such authorisation has to be via standardised contracts authorised by the regulator or by binding corporate rules. If these regulators followed the ICO’s approach they will reduce what they do already; something that does not go down well.

• The European Data Protection Supervision is in the middle. For instance, he has stated in a speech that in the context of the Cloud, that “the mechanisms envisaged (in the Regulation) have proven to be, in many cases, burdensome or ineffective or have lacked of the necessary flexibility”; he expects Binding Corporate Rules to provide a solution (see references).

My own view is that the ICO’s position is correct. Under the Regulation, if a data controller gets this wrong, a hefty fine is on the cards. Because of this, I think that most data controllers will not take unnecessary risks and will seek real assurances (e.g. from Cloud service providers).

The alternative view is to say that most data controllers will not be in a position to argue with say Google or Microsoft re Cloud Services; hence there is a need to set out legal requirements to protect data subjects in advance of any problem.

The down side of this latter approach occurs when things go wrong. So suppose that these legal requirements are accepted and then the Cloud services go “pear shaped”. What you will find is that there is little redress for data subjects as the data controller has had adopted contract terms imposed on him. All such Controllers says is “sorry. I was following what was approved by the Regulator” or more or less “I was following orders”.

My own view: data subjects need the redress when things go wrong and the Commission’s approach thus removes the protection afforded to data subjects. Although the current UK position looks weaker, the approach adopted supported by large fines to buttress the test of adequacy will offer better protection for data subjects when they need it most (i.e. when things go wrong).

Concluding comment

As we had the German economic model thrust upon us, I will summarise the meeting in data protection terms by making an analogy to with the economy of the German Democratic Republic.

Pretend the Commission have manufactured a motor car; the seats are very comfortable, the windscreen wipers work, the door handles are the best stainless steel and the headlights are first rate. But sadly the rest of the car is based on the GDR’s Trabant design.

What the Commission want to do is make the other parts of their Trabant car work efficiently and effectively; it is not interested as to whether or not their chosen vehicle is any good.

References

Down load a copy of Working Party view of the Regulation/Directive here Download Wp view of regulation and directive_en

Martin Hoskyns blog (29th March 2012) re data breach reporting http://dataprotector.blogspot.co.uk/

Speech of the EDPS re Clud Computing: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2012/12-03-21_Cloud_computing_EN.pdf

“Analysis of proposed EU-USA PNR Directive exposes absent or minimal data protection and privacy safeguards”: http://amberhawk.typepad.com/amberhawk/2011/06/my-entry.html

Just one example of the way the Commission ignores the EDPS: “Should the European Data Protection Supervisor resign?” http://amberhawk.typepad.com/amberhawk/2010/04/should-the-european-data-protection-supervisor-resign.html

 

Facebook passwords and employment: why data protection works and Facebook’s promise to take legal action to protect privacy doesn’t

The Huffington Post has recently published a story that begins thus:  “When Justin Bassett interviewed for a new job, he expected the usual questions about experience and references. So he was astonished when the interviewer asked for something else: his Facebook username and password”.

So what would you do in such circumstances? And what would the data protection implications be if this happened in the UK?  The conclusions I have reached is that the UK Data Protection Act would apply (even if an employer took a fleeting glance at a Facebook page), and that Facebook’s public comments promising legal action to protect privacy are window dressing.

Why does the Data Protection Act apply?

Suppose an employer at a job interview asks you to “consent” to provide your Facebook password and suppose further, the employer just loads one of your pages and says “No job for you”.

The data protection questions that need to be asked are (a) “has the employer processed personal data as a data controller?”; (b) “is consent valid?” and (c) “are there other data protection issues?”. I think the answer to (a) is “yes; (b) is that the employer’s consent procedure is very likely to be valid in the UK; and (c) there are potential breaches of the Data Protection Principles, at least relating to fairness and relevance.

So to the first question: why does the Act apply? Obviously, if the employer cuts and pastes anything from the Facebook pages onto a data file then obviously the Act applies as there are recorded personal data under the control of an employer as data controller.

But what if the data were not recorded by the employer? This is an important question because under the old Data Protection Act 1984, personal data needed to be permanently recorded. This meant that personal information held temporarily in electronic memory were not personal data and not caught by that Act.

So, suppose the employer just looked at a screen of personal information and that information had only a transient existence when it was displayed on the screen? Does this information still fall within one of the specified categories of “data”? Does the “data” still constitute the “personal data”? And are these personal data “processed”?

My answer is “yes” to all three. The information displayed on the screen is “data” by virtue of the definition of limb(a) of “data” which only requires that information “is being processed by means of equipment operating automatically in response to instructions given for that purpose”. Clearly the information is personal data as it identifies and relates to a prospective employee. The only remaining issue is whether the information is “processed” and there again, the definition of “processing” includes “obtaining”.

So the definitions do not include a requirement that personal data have to be “recorded in a form that can be processed” (as in the 1984 Act).  This means that the employer in the UK would be processing personal data and the Act would be engaged, even if the employer restricted himself to a fleeting glance of a single Facebook page on a VDU screen.

Has the data subject consented to the processing?

I think the answer under the current DPA is “yes” – and it is important to explain why.

Our hypothetical UK employer is using what I call “Home Office consent” (or “Hobson’s choice consent”, if one is talking to Home Office officials). This form of consent is often used in the UK – it describes circumstances when the consent is freely given and fully informed, but the choices on offer are not really a choice.

For instance, most readers will have consented to their personal details being used by any host of people to trace their debts via a credit reference agency; you have to consent to this or you don’t get a loan or mortgage.

When you go through airport security, you may be given the following consent choice: “go through the scanner or do not fly”. The New Labour ID Card system was also keen on this form on consent: “consent to showing us your ID card, or choose not to get the service”. Enforced Subject Access also depends on this: “consent to use your access rights to your personal data held by the police or forget about a job”. (Note: I use the term “Home Office consent” because the issues mentioned in this paragraph are to some significant degree, unaddressed policy matters that are the responsibility of the Home Office in the UK)
.
The changes proposed in the Regulation infer that “Home Office consent” constitutes a valid “data subject consent” with respect to the definition in Directive 95/46/EC. For instance, the Regulation states in Article 7 that “Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller” (and obviously there is such an imbalance if the choice is “give consent or give up hope of a job”).

So why does this support the notion of “Home Office consent” is valid? Well, the Regulation would not propose the inclusion of a concept of “imbalance” if the meaning of “data subject consent” as found in the Directive excluded “Home Office consent”.

Other data protection principles?

Although the data controller can argue he has “data subject consent” has to consider at least two Data Protection Principles (even in the ‘fleeting glance’ scenario). These Principles are:

(a) the Third Data Protection Principle in that the data controller has to demonstrate that the personal data are relevant to the purpose (e.g. employment purpose).

(b) the First Data Protection Principle in that the data controller has to be fair. I think in this context, fairness requires telling the data subject what personal data have been used to making the employment decision and an explanation why the personal data are relevant to that decision.

Breach of these Principles would also, I assume, be likely to trigger other breaches of employment law.

Facebook’s response to the use of Facebook for employment purposes

In response to this problem in the USA, Facebook’s Chief Privacy Officer (CPO) has stated on the company’s web-site that “In recent months, we’ve seen a distressing increase in reports of employers or others seeking to gain inappropriate access to people’s Facebook profiles or private information” and adds that “If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends. We have worked really hard at Facebook to give you the tools to control who sees your information”.

The CPO continues “Facebook takes your privacy seriously. We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges” adding that “While we will continue to do our part, it is important that everyone on Facebook understands they have a right to keep their password to themselves, and we will do our best to protect that right” (my emphasis).

Why these statements on privacy are window dressing

So is the threat of initiating legal action to protect privacy valid? Well, I think the threat is much diminished by Facebook’s own Privacy Policy. This states that “When you publish content or information using the Public setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture)”.

The policy also states that “As a general rule, you should assume that if you do not see a sharing icon, the information will be publicly available”. Additionally, “when others share information about you, they can also choose to make it public” or “when you write on a Page's wall or comment on a news article that uses our comments plugin; this is because some types of posts are always public posts”. The Privacy Policy then states that “your name, profile picture, Facebook profile, User ID, etc has to be public so it can show up when someone does a search on Facebook or on a public search engine” (my emphasis).

Facebook has therefore stated that the fact you have a Facebook account (and therefore control Facebook pages) is public knowledge, available to all prospective employers, and this fact is out of your control. Of course you could deactivate a profile, but this deactivation does not guarantee to deactivate those details that have already been published (thus inferring the existence of a Facebook account that has been deactivated, an act that could easily reinforce the suspicions of any employer who asks for Facebook passwords).

In other words, Facebook makes a lot of information public and its business model makes it easy for users to make information public. And if information is in the public domain, it can’t have any claim that it is “private”. Hence, I don’t think there can be successful legal action in the USA to protect privacy with respect to this kind of public information.

But what about non-public information? Research has shown that the average Facebook user has 245 friends. So I think that most Facebook posts to large networks of “friends” are, in fact, publishing events in themselves. One cannot tell 200 individuals, many of whom are acquaintances rather that real friends, and expect to make a subsequent successful claim that these personal details distributed to 200 people (who could publish these details) are confidential or private.

So, I would argue that an employer would also have the defence that most personal information that is password controlled is effectively published. By asking for a Facebook password, all the employer is doing is accessing the public information in the full knowledge of the Facebook user.

In other words, I suspect the same “it’s in the public domain” defence as above could well apply, except in those rare circumstances when a circle of “Facebook friends” is very few in number.

That is why Facebook’s promise of supporting legal action to protect privacy is not credible. It’s a promise that has been defeated by Facebook’s own desire to make the maximum amount of information public, so it can be subsequently exploited by advertisers.

In summary, Facebook has been hoisted by its own petard – the use of Facebook by employers exposes the fact that users think their information is “private” when in fact it isn’t.

Privacy versus data protection; there are important differences

Finally, the above shows the fundamental difference in approach between the USA’s view of “privacy” and Europe’s view of “data protection”.  The USA Privacy Officers will state, quite correctly, that anything in the public domain cannot be private. Hence there cannot be any “privacy protection” so the information can be used for anything. But, as we have seen, a data protection analysis asks additionally whether the use of public domain information is fair and relevant; the fact that such personal data may be in the public domain is largely irrelevant.

So whenever you talk to American Privacy Officers do not use the term “privacy legislation” as a shorthand to explain the workings of Europe’s data protection legislation. This is a mistake; there are far too many differences between the two concepts.

References

Huffington post story: http://www.huffingtonpost.com/2012/03/20/facebook-passwords-job-seekers_n_1366577.html?1332247088&ref=business

Protecting Your Passwords and Your Privacy, statement from its Chief Privacy Officer, Policy  https://www.facebook.com/notes/facebook-and-privacy/protecting-your-passwords-and-your-privacy/326598317390057

 

 

The Commission’s Data Protection Regulation: weaknesses from the data subject perspective

Next week, the ICO is holding a meeting to discuss, in detail, the Regulation as published by the European Commission. So, I have decided to publish our comments on the Regulation (see references) and use this blog to provide a summary of the key points.

The comments I make focus on how the Regulation can be improved from the data subject perspective. This is because the initial “Call for Evidence” by the MoJ was more like a “Call for Ammunition”, where the only respondents were supposed to be data controllers. In such circumstances, I think data controllers can look after themselves; it is the data subjects who need a hand.

The comments that I think could interest blog readers relate to the following topics:

• The wider definition of “personal data” should not cause problems for data controllers
• The Regulation excludes confidential personal data already subject to the DPA
• There is need for a prohibition on enforced subject access
• Switch from the right to be forgotten to the right to object to the processing
• The centralization of power by the Commission is unbalanced and unacceptable

The wider definition of “personal data” should not cause problems for data controllers.

The fact that identifying details held by another person is not an alien concept for data controllers in the UK, as it already exists in section 8(7) of the current DP Act in the context of subject access. (It occurs when there is a subject access request made by the data subject and the issue is whether the data controller can release personal data that identifies another individual).

In this case section 8(7) states that if the “other individual” can be identified by the data subject from the personal data that are released or from the personal data plus “any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request”, then the data controller might redact any information that could identify the other individual.

So I conclude therefore, that such a change to the definition of personal data as proposed by the Regulation is unlikely to hold many difficulties for data controllers as they do it already, albeit in a more limited context. If there were practical problems or difficulties concerning the identification being held by another person, these would have been aired in the context of subject access.

I am sure that many data controllers will oppose the change in the scope of the data protection regime because it would mean more compliance work; by contrast, data subjects are likely to be in favour this change because it means more protection.

As there is no evidence of difficulty with the inclusion of identification by another person, this in turn means there is only one question for Government to resolve: “which side it is on?”.

The Regulation excludes confidential personal data already subject to the DPA

The Regulation applies to personal data held in a structured “filing system” (Article 4(4)) and the rights of access (Article 15) are to personal data (e.g. in a structured filing system). Recital 13 of the Regulation confirms that manual personal data that are not in a structured file are not subject to the Regulation.

An Accessible Record under the DPA contains personal data that does not need to possess any structure (section 1, definition of “data”). Thus Accessible Records could well be excluded from the Regulation if they are not held in a structured filing system. This exclusion could be from all Principles and all rights whereas currently such personal data is subject to all principles and all rights in the Act.

Similarly “Unstructured personal data”, as used in section 9A of the DPA (introduced as a result of FOIA) is subject to the right of access and correction. By implication the Regulation is stating that “Unstructured personal data” can’t be personal data (not in a structured filing system) so it follows that there is no right of access nor correction. The concept of “Unstructured personal data” does not exist in the Regulation.

The Regulation should be changed to maintain the protection of those personal data that are already subject to the UK’s data protection regime.

There is need for a prohibition on enforced subject access

There needs to be a provision that stops enforced subject access in the Regulation. Such provision exists in the Data Protection Act 1998 but has not been commenced; employers, in the UK for instance, can thus gain access to criminal records for employment purposes without the need to bother with the rules or Code of Practice promulgated by the Criminal Records Bureau.

The technique is being used by Legal and General (and possibly others in insurance industry in relation to health). This undermines the Access to Health Records Act. As the right of access to personal data is to be free under the Regulation, then other data controllers could be tempted to misuse a right targeted at protecting the individual.

The UK experience shows that the right can be perverted to protect a data controller’s interest.

Switch from the right to be forgotten to the right to object to the processing

My general view is that the many aspects of the “right to be forgotten” in Article 17 is best dealt with by “right to object” in Article 19, possibly by an amendment linked to Article 82 if the context is employment.

The switch to the “right to object” has the same effect as the “right to be forgotten” but it avoids any “attack on freedom of expression” criticism, and is more effective as it targets the use of personal data by a data controller within the EU (and not the hosting of the personal data anywhere in the world). This effectiveness is especially important in the context of employment.

For instance, suppose an embarrassing fact about a data subject is posted on a USA web-site, but is used in the UK by an organisation (which by definition has to be by a data controller) to make an employment decision. If the controller is situated in the UK, then even the current Data Protection Act would apply – let alone the Regulation.

Such a data controller under the existing UK Act has to apply three Data Protection Principles (1st, 3rd and 4th). He has to demonstrate that the personal data are relevant to the purpose (e.g. employment purpose), that they are accurate and up to date (e.g. the personal data relate to the actual individual under examination and not someone who happens to have the same name) and ensure that the data subject knows of their use for a specific purpose. The data subject also has the right of access to personal data used to make that decision. The same will go for the Regulation.

Instead of the “right to be forgotten”, I would extend the existing “right to object” to the processing (as is proposed in Article 19 of the Regulation) to apply the “right to object” to those circumstances where the processing is “necessary for an employment contract with the data subject” or with “a view to entering into an employment contract with the data subject” (e.g. an employment contract with a prospective employee). That is why I suggested this change might better stand as a part of Article 82.

In this way, data controllers can argue that they should be able to scour the internet for background details about an individual but that data subject will be able to argue the exact opposite. This provides a structure where the facts of each case can be independently examined to identify whether the data controller’s or the data subject’s position should prevail. Following such examinations, advice on best practice will emerge.

The centralization of power by the Commission is unbalanced and unacceptable

There are about 50 places where you have a provision like this: “The Commission shall be empowered to adopt delegated acts in accordance with Article yy for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data .breach is likely to adversely affect the personal data referred to in paragraph zz”.

Essentially this type of provision makes the Commission the ultimate arbiter of the data protection rules as these powers can overturn the actions of any supervisory authority.

My suggestion is that the untrammeled powers the Commission seeks should be modified so that the Board of Data Protection Regulators could be involved. I suggest:

the Board could exercise the powers the Commission identify in the Regulation. The Commission could raise an issue with the Board who then determines a suggested data protection solution. The Commission can then be given the power to overrule the Board in cases where this is deemed necessary – this would require the Board to “try again”. In this way, the Commission still possesses all the trump cards (as in the Regulation

an alternative is to leave the Commission’s powers where they are, but state that the exercise of the power is subject to Board approval on data protection grounds. This again provides a check on the misuse of Commission’s powers but gives the Board an ultimate veto.

There have been several circumstances when the European Commission has determined that there is an adequate level of data protection, when most data protection authorities have formed the opposite view. The PNR agreement with the USA is a good example of this divergence of view, and any reading of the output from the European Data Protection Supervisor will provide a host of other examples.

Put simply, the European Commission appears to have a track record of putting political considerations above those of data protection; there is a significant risk that this approach will continue. Secondly, the issue is quite serious in the context of the Commission as the Regulation will eventually apply to the Commission itself. This means the Commission is to be given powers to modify how the Regulation would apply to its own processing of personal data.

In my view, both these prospects are equally unacceptable.

References:

If interested in our submission, you can download it here. I go into some other definitional commentary and make comments on notification not mentioned above: Download Amberhawk_ MoJ Call for Evidence March 2012

Blogs that give background to our submission are:

“The Regulation: what are the big changes to the Data Protection Act regime?” (http://amberhawk.typepad.com/amberhawk/2012/01/the-regulation-what-are-the-big-changes-to-the-data-protection-act-regime.html)

“EU Data Protection Regulation breaks explicit link with “privacy” and Human Rights” (http://amberhawk.typepad.com/amberhawk/2012/02/eu-data-protection-regulation-breaks-explicit-link-with-privacy-and-human-rights.html)

Judgement reinforces the link between “lawful processing”, the First Data Protection Principle and human rights/other laws: http://amberhawk.typepad.com/amberhawk/2012/01/judgement-reinforces-the-link-between-lawful-processing-the-first-data-protection-principle-and-human-rightsother-law.html

“Enforced Subject Access to medical data raises its ugly head in the insurance industry” on http://amberhawk.typepad.com/amberhawk/2012/02/enforced-subject-access-raises-its-ugly-head-in-the-context-of-medical-insurance.html)

“Data Protection: forget about a “right to forget”; http://amberhawk.typepad.com/amberhawk/2011/03/data-protection-forget-about-a-right-to-forget.html

MoJ asks for arguments to oppose the European Commission’s Data Protection Regulation; http://amberhawk.typepad.com/amberhawk/2012/02/moj-ask-for-arguments-to-oppose-the-european-commissions-data-protection-regulation.html

Analysis of proposed PNR Directive exposes absent or minimal data protection and privacy safeguards: http://amberhawk.typepad.com/amberhawk/2011/06/my-entry.html

Note: Our Update session on March 26th   (London, £195+VAT, next week; has a half-day devoted to the Regulation from the data controller perspective. Places still available - details on the Amberhawk web-site (top right button).

EU’s Data Protection Regulation: divisions exposed as Member States show disharmony.



DAPIX is the Working Party on Information Exchange and Data Protection where delegations of civil servants from Member States discuss the European Commission’s Data Protection Regulation. The minutes of the meeting held on 23-24 February shows that there are deep divisions as to the content of the Regulation; in fact, the minutes record that only “a few delegations supported the Commission in its choice of a Regulation”.

I can also reveal the Commission’s “hoped-for” timescale for the discussions about the Regulation to reach a conclusion. The Commission is aiming to have agreement between Member States on the content of the Regulation by June 2014 (before the Elections to the European Parliament). If one assumes a two-year lead in, then the new Regulation should be in force by June 2016. That is why readers should keep a watching brief on the content of the Regulation, but there is no immediate need to implement any measure to meet its content.

At the meeting, the Commission said that there was a “quadrant of objectives underlying the Commission's proposals”. These were:

stimulating growth by building confidence as the result of using uniform data protection rules applicable throughout the European Union;

the protection of fundamental rights;

the adoption of legal instruments that are flexible enough to adapt to future technological developments; and

legal certainty (Note: I think the last one is moderately amusing given the 120 page length of the Regulation as published!).

The minutes record that there was “a real need for reform of the EU data protection regime” but divergence on what was really needed. For instance:

“Some delegations felt that the Commission should have been more radical in its proposal for overhauling the data protection regime and dared to abandon some of the existing main rules and concepts on data protection”.

“Many delegations had serious concerns that this newly proposed data protection regime, rather than simplifying the data protection rules as it intended, would result in an increased administrative burden on both the private and public sectors”.

“A number of delegations thought that the proposed Regulation did not distinguish sufficiently between the position of, and rules applicable to individuals, small and medium-sized enterprises (SMEs), large international enterprises and the public sector”.

“As regards the private sector, several delegations argued that the number of employees a company employed should not be the decisive criterion for differentiating as to the applicability of a number of data protection rules, but that this should instead hinge on the data protection risk inherent in specific types of data processing operations”.

“Some delegations strongly advocated a more risk-based approach for the future EU data protection regime”.

The minutes record that “A significant number of delegations stated they would have preferred a Directive” and that “a few delegations that a Regulation was too prescriptive”. One delegation “thought that a Regulation might be appropriate for the private sector, but not for the public sector”. By contrast, “another delegation thought it would have been preferable to have brought the judicial and police sector under the scope of the Regulation”.

Many delegations “criticised the many instances in which the proposal delegated powers to the Commission to flesh out the rules of the General Data Protection Regulation through delegated acts” and that the Commission “was undermining one of the main aims of the proposed Regulation, namely, to simplify data protection rules”. The prospect that “delegated acts could eventually lead to an (implicit) modification of national procedural legislation was considered unacceptable by one delegation” (I wonder whether this is the UK?).

Finally the minutes noted that:

“Whilst welcoming the concepts of privacy by design and the attention to privacy-enhancing technologies, some delegations queried whether the proposed Data Protection Regulation was sufficiently technology-neutral”.

“Some delegations expressed concerns as to the technical feasibility of concepts such as the right to be forgotten and the right to data portability”.

“A few delegations considered the rules on the data protection officers (DPOs) to be too prescriptive. It was also stressed that the DPOs could find themselves with conflicting roles if they were meant to perform controlling tasks whilst maintaining an independent stance”.

“The increased role of the data protection authorities (DPAs) in the draft regulation was welcomed, however the increased tasks of the DPAs would inevitably have to be matched by a substantial increase of their staff and budget, which was not easy at a time of economic crisis and austerity of public budgets”.

“Several delegations said the sanctions provided by the draft regulation were too heavy, especially for SMEs”.

Get the drift of these discussions yet? Do you get the impression that the minutes show that Member States are as harmonious as a busyness of ferrets in a sack?

Well if this level of “agreement” continues, then the Regulation will not see the light of day in its current form. There is likely to be a number of compromises with the text, many on the lines of “if you support our view about consent we will support your line on data protection officers”.  Underpinning any lack of agreement will be Article 16 of the Consolidated Version of the Treaty on European Union; this states that "a blocking minority must include at least four Council members, failing which the qualified majority shall be deemed attained".

I suspect “blocking” will be the name of the tactical game played by all Member States when they discuss the content Regulation. In other words, be prepared for agreements about the text of the Regulation, not to be made for the best of data protection reasons, but on grounds reached as result of horse-trading in smoke-filled rooms somewhere in the bars of Brussels.

Also, if you can get odds on the Regulation not being implemented by 2018, please let me know!

References

Download the EU minutes on the proposed Regulation (there are comments on the Directive as well) here ... Download Minutes for blog_March2012

“The Regulation: what are the big changes to the Data Protection Act regime?” (http://amberhawk.typepad.com/amberhawk/2012/01/the-regulation-what-are-the-big-changes-to-the-data-protection-act-regime.html)

“EU Data Protection Regulation breaks explicit link with “privacy” and Human Rights” (http://amberhawk.typepad.com/amberhawk/2012/02/eu-data-protection-regulation-breaks-explicit-link-with-privacy-and-human-rights.html)

Note: Our Update session on March 26th   (London, £195+VAT; follow link on the left panel  "(Update/Events)" for has a half-day devoted to the Regulation

Google’s Privacy Policy: incoherent and does not meet the standards of the USA’s own Safe Harbor Principles

Google’s new combined Privacy Policy (March 2012) has been widely criticised by privacy professionals and Data Protection Authorities (in particular the CNIL – the French Data Protection Authority). However the reasons for this criticism have been made in general terms; the analysis I have published (see references) provides a detailed explanation.

The analysis shows that Google’s Privacy Policy is incoherent because it uses overlapping terms. This makes the Policy difficult to follow or to understand what type of information the Policy is claiming to protect. It cannot be fair to users if they cannot easily understand what the Policy means for them. The Policy is also unfair in conventional terms as it does not, in many instances, fully describe the purposes of the processing. I identify these areas in the analysis.

Secondly, my analysis also supports the claim of the CNIL that the Privacy Policy is in breach of the Data Protection Directive. However, I also show that the Policy is in breach of the USA’s Safe Harbor Principles. As the Privacy Policy states that “Google complies with the US-EU Safe Harbour Framework”,  I show that this claim cannot be substantiated if Google’s new Privacy Policy is implemented.

Why contradictory and confusing?

The Privacy Policy uses a wide range of similar terms in different circumstances which I think are contradictory. For example, it uses the following terms: “information”, “personal information”, “personal data”, “data”, “non-personally identifiable information", “personally identifiable information”, “sensitive personal information", and "other information that identifies you". Are these terms talking about the same thing?  Put simply, the reader doesn’t know for certain.

So when one part of the Policy offers protection for “personal information”, another offers protection for “personal data”, another for “personally identifiable information” and yet another for "other information that identifies you" is the Policy referring to the same type of information or not? Answers on a post-card to Google.

This is not the only problem as sometimes the Policy uses a qualifier (e.g. “log information” or “location information”). "Log information" by the way are the "details of how you used our service, such as your search queries" whilst "location information" which is "information about your actual location". (My emphasis on you and your).

Can we have a quick quiz? Can you tell me whether “information” about your use or your location is “non-personally identifiable information” or “personal information”? My own view is that, because the Policy uses the word “information” to describe logs and locations, that Google thinks it to be the former, but I suspect you think it could well be the latter.

Confused? You can now safely join the ranks of those who do not know what Google’s Privacy Policy means in practice.

Why in breach of the Directive and Safe Harbor?

The CNIL has claimed that, at first reading, Google’s Privacy Policy is in breach of the Directive, a claim so far not accepted by Google. As the Directive is the legislation mentioned expressly in the Safe Harbor Framework, I have checked whether Google’s Privacy Policy is consistent with the terms of that Framework.

There are demonstrable areas where Google’s Privacy Policy is inconsistent with the Safe Harbor Principles (see Appendix 1); it follows that it is inconsistent with the Directive. These areas include the following:

1. Safe Harbor requires acceptance of the EU Directive definition of “personal data” – Google’s Privacy Policy uses a definition which is close to that used by the old UK’s Data Protection Act 1984 (and ignores the Directive definition of personal data completely).

2. Safe Harbor requires acceptance of the EU Directive definition of sensitive personal data – Google’s Privacy Policy does not include all items of sensitive personal data identified in the Directive.

3. Safe Harbor requires acceptance of the right of access to personal data – Google’s Privacy Policy includes some administrative exemptions from the right of access to personal data that are not authorised by Safe Harbor.

4. The confusion in the Privacy Policy does not meet the Safe Harbor requirement for clarity; there are several places where the purposes of the processing are not fully described by the Policy.

5. Google’s co-operation with data protection authorities specified in the Privacy Policy relates only to the transfer of personal data; Safe Harbor requires co-operation across the whole Framework.

Concluding comment

Everybody uses Google because its services are free and very useful. However, because they are “free”, it does not mean that Google can take the privacy of its users for granted in order to maximise profit. The Privacy Policy, I am afraid to say, is incoherent, unclear, and likely lead to breaches of data protection legislation. In my view, the Policy needs a major overhaul.

Secondly, I don’t think Google (and other USA corporations, I have to say) have quite “got it” in the context of the messages coming out of the Leveson Inquiry. Google has not understood that a large multinational communications company, headed by the Murdochs, is in trouble not because it invaded the privacy of celebrities, but because it invaded the privacy of ordinary individuals. Google’s meat and drink is the processing of personal data and data relating to millions of ordinary citizens.

The Murdochs thought they were so large and powerful  that they were invincible; so does Google. The Murdochs thought they were above the law; so does Google. By ignoring basic data protection laws and rules in the way described in its Policy, even those agreements established in the USA, Google is taking some unnecessary risks.

References

Follow the link to down load the analysis in Word (which includes Google’s Policy, the related FAQs and the Safe Harbor Framework). Download Google_privacy_policy blog