About three months ago, I blogged about the considerable Member State “disharmony” about the content of the Data Protection Regulation published in January. Well, the disagreements have multiplied, and the Council has “released” a revised position on the first 10 Articles of the new Data Protection Regulation that will replace the 1995 Directive. The changes favour data controllers.
The text contains details of 147 Member State reservations on Articles 1-10 and 80(a) and 83 (about one ninth of the 90 or so Articles in the Regulation). So, if this rate of disagreement continues, one can expect over 1,000 reservations about this Regulation. In some places, the Commission is in a minority regarding its proposals for change.
This number of objections suggests that the Regulation is in difficulty, a view reinforced when one reads on Page 1: "Almost all delegations are of the opinion that the proposed regulation contains too many cases of delegated acts. Several delegations have a reservation on the chosen legal form of the proposed instrument and would prefer a Directive".
Anyway, this is my view of the changes so far. I have focused on issues which resonate in the UK. Full references as usual.
Issue 1: FOI carve-out inserted; problem with FOIA averted
There was a potential problem with the DP/FOI interface and the S.40(2) exemption under FOIA. This arises because the Regulation suggests that public authorities cannot legitimise the FOI disclosure of personal data by using the “balance of interest justification” (paragraph 6 of Schedule 2). The problem was that this paragraph is at the centre of most UK Tribunal Decisions re disclosure of personal data to the public at large under FOIA (e.g. MPs' expenses).
This problem has been “fixed” by an insertion into Recital 18. Recital (18) now states that:
“This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation. Personal data in documents held by a public authority or a public body may be publicly disclosed by this authority or body if the disclosure is provided for by Union law or Member State law to which the public authority or public body is subject, and the data subject's legitimate interests or fundamental rights and freedoms in the particular case are not prejudiced”.
Issue 2: The UK’s attempt to dilute the impact of the Lindqvist decision has failed
The UK suggested adding words to Recital 15 so that “The number of individuals to whom the data are disclosed shall not of itself determine whether the processing of personal data is conducted by a natural person in the course of a personal or household activity”. This change, if accepted, would largely negate Lindqvist (where the European Court of Justice concluded that the personal affairs exemption could not apply to personal data posted on a website).
The UK's attempt was rejected and Recital 15 still maintains Lindqvist; it states that:
“(15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic and without any gainful interest and thus without any connection with a professional or commercial activity. The Regulation should not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities”.
Issue 3: UK tried to get Internet tracking provision removed
The UK unsuccessfully tried to get Recital 21 removed and I can't see why. The offending Recital remains and states:
"In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes".
Issue 4: No protection for the dead; UK wants to narrow scope of personal data
Recital (23) now states that:
“The principles of protection should apply to any information concerning an identified or identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify the individual, unless this would involve a disproportionate effort in terms of time or technical or financial resources. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. The principles of data protection should not apply to deceased persons” (my emphasis).
Instead of the above, which refers to “reasonably likely”, the document notes that “the UK suggests to clarify that the principle of data protection applies only where the person is easily identifiable”. So if the individual is not easily identifiable, then there should be no data protection. This is a pretty shocking approach if you ask me; it undermines "personal data" so much that one wonders what the MoJ were playing at when they made this suggestion.
Issue 5: Wider carve-out for law enforcement and national security; could exclude CCTV in certain circumstances
In the old Article 2, there was an exemption defined by “This Regulation does not apply to the processing of personal data ... in the course of an activity which falls outside the scope of Union law, in particular concerning national security”. This is now widened to include “and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters)".
The reason why this change could exclude CCTV is that many CCTV systems are installed for “public security” reasons where “public security” is undefined. The lack of definitions of “state security”, “economic well-being of the State” and “public security” is unsettling; history reminds us that Robespierre had a “Committee of Public Safety” which had little to do with “public safety”.
Issue 6: Definitional changes
Thank heavens we are back to a definition of “personal data”. The long clumsy definition of “data subject” has been replaced by a definition of “personal data” as follows:
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. If identification requires a disproportionate amount of time, effort or material resources the natural living person shall not be considered identifiable;
Genetic data and biometric data definitions have been narrowed. Now the former is defined only in terms of the “result from an analysis of a biological sample”; similarly “biometric data” have to be the result “from a specific technical processing”.
Issue 7: The protection afforded to health information is reduced; important in the UK context
The definition of “data concerning health” no longer “means any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual”; it is now “information related to the physical or mental health of an individual, which reveal significant information about health problems, treatments and sensitive conditions of an individual”. This change has to be considered in the light of other changes – see below.
Issue 8: The definition of Third Party returns (for data sharing)
In UK law, a “third party” disclosure of personal data is often to a law enforcement agency. The return of this definition therefore signals the maintenance of the exemptions from the fairness provisions of the First Principle (e.g. from giving a fair processing notice) that arise when there are disclosures to law enforcement, government bodies and for national security purposes.
Issue 9: UK gets changes to facilitate use of personal data (e.g. medical records) in research
At the request of the UK Government, the Commission has added a research exemption to the purpose limitation principle; so any personal data has the potential to be available for research purposes. The Principle now reads:
Personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible subject to the conditions and safeguards referred to in Article 83”.
Issue 10: Lawfulness of processing has been enlarged
There are three changed conditions (the equivalent of Schedule 2 conditions); these are:
(f) “processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. Note that this change maintains the status quo under the current Act and provides a general justification for disclosure of personal data to third parties (see “The definition of Third Party returns” above). It also helps the FOI position (see Issue 1: FOI carve-out inserted; problem with FOIA averted).
(g) the processing is for “purposes and under the conditions provided for in Article 9(2) (b) - (j)”. Looking at Article 9, the provision pairs the processing of sensitive personal data (i.e. Article 9 is the equivalent of Schedule 3 of the DPA) with an identical Article 7 (Schedule 2) condition; the most notable addition is for the (medical) research purposes. This change is likely to facilitate disclosures of sensitive personal data (e.g. medical records) for research purposes, so long as the data controller informs the data subject about the research purpose; there is no right to object to this (as yet). Researchers hated the current consent requirements in the DPA that restricted the use of medical personal data for research purposes; their pleadings have been heard.
(h) the “processing is necessary for the purposes and under the conditions referred to in Articles 80 to 85”. Again this widens the processing without data subject consent in areas of “the processing of personal data concerning health”, “the processing in the employment context”, “the processing for historical, statistical and scientific research purposes”, where there are “obligations of secrecy” and for “existing data protection rules of churches and religious associations”.
What’s my view on the above?
Well, most of the changes favour data controllers at the expense of data subjects. This reflects the changing mood in Europe where the main focus is on economic stimulus and growth to avoid a catastrophic Euro collapse. In such a tight economic environment, data controllers want to exploit their personal data assets and not be limited by what is still a very prescriptive Regulation. Put simply, at the current time, I think Member States have concluded that protecting data subjects just gets in the way of the economic priorities.
That is why there are 1,000 objections in the offing, many of which have been overridden by the Commission. I think it won’t be long before some Member States might say: “Do you think we should remit this Regulation to a Committee where it can get a private funeral?”.
I have said it before: with this level of Member State squabbling, I don’t see this Regulation surviving; if it does survive it will be a completely different animal. And I expect the lead-in time will not be 2 years but far longer.
References:
Download detail of the 150 disagreements here (happy reading): Blog_June2012_eu-council-revised-dp-position
A blog on the Commission’s inflexible approach: “I have been taken to the Promised Land and seen our data protection future”: http://amberhawk.typepad.com/amberhawk/2012/03/i-have-been-taken-to-the-promised-land-and-seen-our-data-protection-future-explained.html
EU’s Data Protection Regulation: divisions exposed as Member States show disharmony: http://amberhawk.typepad.com/amberhawk/2012/03/eus-data-protection-regulation-divisions-exposed-as-member-states-show-disharmony.html
The Regulation: what are the big changes to the Data Protection Act regime?: http://amberhawk.typepad.com/amberhawk/2012/01/the-regulation-what-are-the-big-changes-to-the-data-protection-act-regime.html
The Lindqvist case is a decision of the European Court of Justice in Case C-101/01, made in 2003; see for example “Baby battle woman can’t claim data protection exemption for YouTube video, warns expert” at http://www.out-law.com/page-8401. The “expert” is me!