At a meeting of the Council of Ministers at the end of last month, the UK Government joined the Governments of Denmark, Slovenia, Belgium, Hungary and Sweden in opposing the Commission’s Data Protection Regulation; instead these countries want a new Data Protection Directive. Only Bulgaria, Germany, Spain, Netherlands, Luxembourg, France, Italy, Greece and Ireland expressed support for the concept of a Data Protection Regulation.
Sensing that the Regulation might be in trouble, the European Commissioner proposing the Regulation (Ms. Reding) stated that she will “help to progress” an agreement by offering to remove 40% of the Commission’s delegated powers; furthermore, she said that she would introduce some new “flexibility” with respect to the administrative burden on SMEs and how the Regulation would impact on the public sector.
At that meeting, Ministers from Finland, Romania, Estonia, and the Czech Republic stated they had not yet formulated a view about whether they preferred a Regulation or a Directive. The silence of Ministers representing Austria, Cyprus, Latvia, Lithuania, Malta, Poland, Portugal, and Slovakia means that they too are undecided. So in summary it is: 9 for a Regulation, 5 for a Directive and 13 floating voters.
The five countries wanting a Directive did not say that they wanted the data protection proposal in the field of law enforcement to be merged with any new Directive that replaces the Regulation. Although it would be reasonable to assume that this merger makes sense, this rational prospect is not at all certain (especially as the Data Protection Principles of the Regulation are different to those of the Directive). Additionally, the fact that none of the five Member States suggested it (when it is so obvious) means that it is possible to end up with two Data Protection Directives – not one!
For the UK, Secretary of State Chris Grayling MP stated that the Regulation hindered progress to an agreement and that the Directive route offered the prospect of more rapid progress. The UK position is that a Regulation will not provide legal certainty and that a Regulation could have the effect of lowering national standards (e.g. in Germany, Hungary, Slovenia).
Sources close to the discussions say that the UK has serious concerns with respect to:
• Administrative burdens and the blanket requirements on documentation and data protection officers as the Commission has underestimated the costs of this obligation;
• Exemptions for SMEs (under 250 employees): the UK is against criteria based on the number of employees, which it sees as arbitrary. Instead it wants the nature of the activities or the type of personal data processed to form part of the criteria for the exemption to apply;
• Impact on consumers of the definition of “consent”: the UK position is that it is too cumbersome and will disturb the online experience of users; and
• Free access to personal data: the UK argues that if subject access is free, the volume of requests will increase and there could be abuses; even personal injury lawyers could try to obtain financial gains out of the provision.
At our Update session in October, our guest speaker from the MoJ stated that the UK also has concerns with:
• The “Right to be Forgotten”; although inspired by social media, the UK is concerned that it is unrealistic;
• The obligatory need for a Data Protection Officer without consideration of the personal data being processed;
• Data loss breaches and the costs and the effect of data subject notification fatigue;
• Adequacy processes in relation to transfers outside the EEA; authorisation processes for transfers, contracts and BCRs;
• Interoperability with other regimes (Convention 108 and wider world); transfers to third countries and how enforcement is to work in practice?
It is noteworthy that three delegations (Germany, Bulgaria, Denmark) expressed concern that the public sector would have to abide by all the data protection rules. This raises the prospect that any “flexibility” shown by the Commission might involve the private and public sectors having to apply different data protection rules, whereas law enforcement (via a separate Data Protection Directive) might have a different set of data protection rules again.
This is hardly what one calls “harmonisation” and the late Oliver Hardy's catchphrase immediately springs to mind: "Well, here's another nice mess you've gotten me into!".
The reason why the UK wants a Directive is easy to explain. A "regulation" is a binding legislative act across the EU and must be applied in its entirety across the EU. For example, when the EU wanted to protect the names of agricultural products coming from certain areas such as Parma Ham, the Council adopted a regulation.
By contrast, a "directive" is a legislative act that sets out a goal that all EU countries must achieve; however, it is up to the individual countries to decide how. This was the case with the working time directive, which stipulates that too much overtime work is illegal and sets out minimum rest periods and a maximum number of working hours; it was for each country to devise its own laws on how to implement it.
So if the UK gets its way and a new Data Protection Directive is fashioned, the UK can implement its provisions in its own way. However, if each Country can go its own way (as with Directive 95/46/EC) then you risk the harmonisation objective of the Regulation. So if there is any divergence in views as to whether the UK has implemented the Data Protection Directive properly, then infringement proceedings can commence (in secret).
Does this have a depressingly familiar ring? Do you recognise this as a case of déjà vu? Since Durant, the EU has said that the UK’s Data Protection Act is a deficient implementation of Directive 95/46/EC. Full details of the alleged discrepancies (which relate to nearly half the Articles in the Directive) have yet to be revealed (see references). If you want to follow this particular seven-year FOI saga, which is due for an oral Tribunal hearing on Jan 17th, tickets are available at the Amberhawk box-office.
What is also clear from the recording of October’s Ministerial get-together is that December’s meeting is going to be crucial. The undecided Member States have to get off the fence and it won’t take many additional votes to make the Regulation untenable. (The decision is taken by QMV which currently requires 255 out of 345 votes; the five Member States in opposition have 68 votes already; the Regulation supporters have 160).
In the last blog on this Regulation (30th October), I summarised the position of the Commission as a choice between “give way” or “give in”. It appears that this choice is going to be made to Ms Reding a lot earlier than she or I expected.
References
You can see the various Member State positions at http://video.consilium.europa.eu/webcast.aspx?ticket=775-979-12048. The data protection agenda item (Friday, October 26th, 2012) starts at 3 hours and 2 minutes in; Chris Grayling (for the UK) speaks at 03:19:46.
To see the level of disharmony over the Regulation: see http://amberhawk.typepad.com/amberhawk/2012/06/expect-1000-objections-by-member-states-to-the-eus-data-protection-regulation.html
Also see “Psssst! Want to know what the UK or any other Member State thinks about the Data Protection Regulation?” at http://amberhawk.typepad.com/amberhawk/2012/08/psssst-want-to-know-what-the-uk-or-any-other-member-state-thinks-about-the-data-protection-regulatio.html
Why the European Commission believes that eighteen of the thirty four Articles in the Data Protection Directive 95/46/EC have not been properly implemented by the UK Government: see http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html (and attachments at the end of that blog)
Hello,
Thank you for this very interesting article. However, I'm a bit confused regarding the end of your description. Would you happen to have some more information about the meeting which you said is going to be "crucial" in December (date, and agenda...)? In order for me to have a bigger picture, do you know where or if I can find more details about the procedure pending before the Council of Ministers? I can't find any specifics on the Council's website. I'm a bit lost... Thank you so much for your help, François
Posted by: François | 21/11/2012 at 09:53 AM