Happy New Year. Nice to be back at work, I think not.
In a 215 page report, the European Parliament has suggested 350 Amendments to the text of the Data Protection Regulation published last year. This blog gives you an impression of those proposed changes that caught my eye on a “speed read” of the Report (produced by Jan Albrecht, the rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs).
I think the most important proposal is the fettering of the European Commission’s powers. In many instances, powers found in the Regulation are amended to involve the European Data Protection Board of Data Protection Commissioners (the Regulation’s formal structure for what we now call the Working Party 29 Group of Commissioners).
Sometimes the powers are transferred entirely (e.g. when the Board is “entrusted with the task of further specifying the criteria and requirements for the methods to obtain verifiable consent”, or when specifying the criteria, conditions and appropriate safeguards for the processing of what we know as sensitive personal data; in the UK Act, these are the preserve of the Secretary of State).
Sometimes the Commission needs to involve the Board before exercising powers; for instance the Commission may “lay down standard forms for specific methods to obtain verifiable consent” but only “after requesting an opinion from the European Data Protection Board”.
The change is to be welcomed because it helps reduce the conflict of interest that is endemic in every data protection regime that has ever existed. For instance, the European Commission is responsible for processing personal data for its own objectives and also responsible for establishing the data protection rules in the Regulation. This means that there is always a risk that the Commission could subvert data protection law to suit its policy objectives.
Such subversion happens in spades. So, for instance, if it is politically convenient to ignore data protection considerations when transferring personal data abroad (e.g. PNR data to the USA) or enter into agreements that are data protection deficient (e.g. the European Data Protection Supervisor has publicised several examples of such agreements), then the Commission does so quite freely. All Data Protection Commissioners can do is shout in public, and then go to the pub and cry into their beer.
In this way, the European Commission (and any Government) can be seen as a special data controller that has powers to amend the data protection law so as to ensure that its processing is lawful. This contrasts with what most data controllers have to do; they have to amend their processing of personal data to ensure that it conforms with data protection law.
Another small amendment that caught my eye was that the domestic purpose exemption is modified so that individuals can use eBay. This was one of the UK Government’s objections to the text. Someone contact the Daily Mail immediately: tell them that a lefty Green MEP has caved in to Dave and Nick.
The Report has introduced the concept of “not quite personal data”: a ‘pseudonym’. I am not sure of the consequences. A ‘pseudonym’ is a “unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject”.
The Report then states that “For the use of pseudonymous data, there could be alleviations with regard to obligations for the data controller undertaking the processing (e.g. where personal data are processed only in the form of pseudonyms, consent may be given by automated means)”.
I am not convinced the concept works either, and I think it needs a definition of “pseudonymous data” which also considers what other information the data controller has. For instance, suppose I know that [email protected] is really Fred Bloggs. The mickey.mouse email address is pseudonymous data as it “does not permit the direct identification of a natural person”; but I know who it is.
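To make the point about “what other information the data controller has” concrete, here is an added illustration (my own example code, not anything from the Report or from Amberhawk). It pseudonymises email addresses with a keyed hash so that each pseudonym is specific to one context and stable within it; the records, the context keys, the example.invalid addresses and the “Fred Bloggs” mapping are all constructed for the example. Within the pseudonymous dataset a subject can be “singled out” (their records grouped) without anyone knowing who they are, but whoever holds the lookup table plus the controller’s own knowledge gets straight back to the named person.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: (identifier the controller already holds, event it logged).
# example.invalid is a reserved domain, so these addresses belong to nobody.
SAMPLE_RECORDS = [
    ("mickey.mouse@example.invalid", "viewed pricing page"),
    ("mickey.mouse@example.invalid", "downloaded brochure"),
    ("d.duck@example.invalid", "viewed pricing page"),
]

# The "other information" the controller holds: who is really behind an address (constructed).
KNOWN_IDENTITIES = {"mickey.mouse@example.invalid": "Fred Bloggs"}


def pseudonymise(identifier: str, context_key: bytes) -> str:
    """Derive a pseudonym that is specific to one context (one secret key) and stable within it.

    A keyed hash (HMAC-SHA256) rather than a plain hash is used so that the pseudonym cannot be
    recomputed from the address by anyone who does not hold the context key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(context_key, normalised, hashlib.sha256).hexdigest()[:16]


def build_pseudonymous_dataset(records, context_key):
    """Replace identifiers by pseudonyms and return the lookup table separately.

    The lookup table is exactly the additional information that turns pseudonymous data
    back into identified data; it should live apart from the dataset it unlocks.
    """
    lookup = {}
    dataset = []
    for identifier, event in records:
        pseudonym = pseudonymise(identifier, context_key)
        lookup[pseudonym] = identifier
        dataset.append((pseudonym, event))
    return dataset, lookup


def events_per_pseudonym(dataset):
    """Singling out: one subject's records can be grouped without knowing who the subject is."""
    return dict(Counter(pseudonym for pseudonym, _ in dataset))


def reidentify(pseudonym, lookup, known_identities):
    """Holding the lookup table plus the controller's other knowledge gets back to the person.

    Returns the real name when the controller knows it, the raw identifier when it only
    holds the lookup table, and None when the pseudonym cannot be resolved at all.
    """
    identifier = lookup.get(pseudonym)
    if identifier is None:
        return None
    return known_identities.get(identifier, identifier)


def linkable_across_contexts(identifier, key_a, key_b):
    """With a distinct key per context, the same person gets unrelated pseudonyms in each."""
    return pseudonymise(identifier, key_a) == pseudonymise(identifier, key_b)


if __name__ == "__main__":
    marketing_key = b"constructed-key-for-marketing-context"
    dataset, lookup = build_pseudonymous_dataset(SAMPLE_RECORDS, marketing_key)
    for pseudonym, count in events_per_pseudonym(dataset).items():
        # The dataset alone singles out each subject; the lookup table names them.
        print(pseudonym, count, "->", reidentify(pseudonym, lookup, KNOWN_IDENTITIES))
```

The design point is that “pseudonymous” describes a relationship between a dataset and the extra information somebody holds, not a property of the dataset on its own: the same records are pseudonymous to a recipient who only sees the dataset and plainly personal data to the controller that keeps the lookup table (or the key) and the mapping to Fred Bloggs.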
The Report has tried to separate that processing with the consent of the data subject from that processing that is necessary for a contract. For instance, we have all seen Fair Processing Notices of the form “by signing this contract, you consent to …… etc etc”.
In these cases, the Report recommends that “The execution of a contract or the provision of a service may not be made conditional on the consent to the processing or use of data that is not necessary for the execution of the contract or the provision of the service”.
The definition of data subject is stronger. “A data subject means a natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person….” (the main changes are the words “singled out” and “alone or in combination with associated data”, which the Report shows in italics). What this means is that if an individual is not identified but is “singled out”, then the data controller is processing personal data.
Clearly if you are on the Internet and someone is monitoring your IP address, you are being “singled out” and you become a data subject. One can also see that the IP address is “pseudonymous data” (see above), and what the Report is trying to do, but there is an overriding uneasy feeling that the drafting is not quite right.
The Report’s proposals would still scupper requests for personal data under the UK's FOI Act. This is because the proposal still excludes reference to the “Third Party’s legitimate interests” in the disclosure (i.e. para 6 of Schedule 2 of the DPA). I should add that my colleague Sue Cullen has written a wonderful chapter on the trials and tribulations of the DP/FOI interface in Rosemary Jay’s next edition of her data protection bible (see references).
In general, for data controllers relying on para 2 of Schedule 6, the Report has defined circumstances when the legitimate interests of the data controller are always overridden by concerns regarding the fundamental rights of data subjects. For instance, the rights and freedoms of the data subject always prevail if Sensitive Personal Data or location data, or biometric data are processed or if the personal data are to be used for profiling.
In the context of profiling, the Report suggests amendments that ensure that any data controller will find any profiling activity far more difficult to do.
I have to admit that some of the amendments are poorly drafted. For instance, consider the data minimisation principle (i.e. our Third Principle relating to adequate, relevant, not excessive). The Report amends the requirement and states that personal data are “limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing anonymous information that does not involve personal data” (my emphasis).
Sadly the phrase “anonymous information that does not involve personal data” implies that some “anonymous information does involve personal data” – which of course is a contradiction in terms.
Some proposals are just “off the wall”. The Report has a proposal to modify the small business exception in several places by replacing the current criterion of 250 employees with a criterion based on an enterprise processing personal data relating to fewer than 500 data subjects per year. I think most small businesses would have 500 email addresses in Outlook!
Anyway, Happy New Year again. Another 220 pages to read and digest. I just told my psychiatrist that it was a real pity the Report did not come in time for Xmas, as it fills your stockings nicely.
However, remember that the real power is with the Council of Ministers. It is what they say that goes; this report, when the chips are down, will be more or less ignored (and the drafting errors will make this so easy to do).
References
Jan Albrecht Draft report on the COM proposal for the General Data Protection Regulation http://t.co/3NtwVsYS
Details of Rosemary Jay’s book (the Fourth Edition of Data Protection Law and Practice) can be downloaded here: RJ BOOK DPLP FINAL
Details of our half day workshop on the Data Protection regulation can be accessed here http://www.amberhawk.com/uploads/Brochures/Amber_Regulation%20half%20day%20workshope.pdf
The powers are equally distributed between the ministers in council and the European Parliament. It is ordinary legislative procedure, so both sides (and the Commission in case of major changes) have to agree on any final text of the law.
Posted by: Ralf Bendrath | 11/01/2013 at 12:38 PM