Latest DAPIX leak of the Data Protection Regulation eases transfers and makes fining difficult

This blog reports the latest leak from "the DAPIX sieve" in the areas of transfers of personal data outside the EEA and fines from Data Protection Authorities (references below has the link to the leaked document).

As is well known the Irish have published the first 40 Articles of the Commission’s Regulation (see previous blogs); this leak (at the end of the Irish Presidency) gives a good idea of the direction of travel in relation to the remaining 50 Articles.

In summary, I think that data controllers should welcome the easing of the transfer position from that in the original Regulation; I would expect that adherence to a code of practice covering all the key requirements that a data controller needs to consider when transferring personal data outside the EEA should work as easily as an assessment of adequacy as required by the Eighth Principle.

Alternatively, there can be contract terms approved by the ICO – which is more flexible than using those published by the Commission (which have to be adopted in their entirity).

In relation to fines, the first thing to say is that the DAPIX leak does not provide any figure; the multi-million euro fine hasn’t gone (yet) – these important numbers [the dots in square brackets] have been left for later arguments between Member States.

However, what is new is a set of prescriptive conditions which, if adopted, appears to make a Monetary Penalty Notice (MPN) almost impracticable to serve. This is because the Commissioner would have consider a dozen factors (many of which will give no doubt rise to appeal). In addition, Member States can decide whether public sector data controllers can be fined; this might be attractive to the UK Government.

In addition, the fines in the Regulation require consideration of the actual damage caused; this compares unfavourably with the current MPN where large fines have been contingent on grave security errors on the part of the data controller (i.e. the MPN of the UK DPA does not need damage to data subjects – only the likelihood of substantial distress or damage which should have been preventable/forseeable).

Transfers outside the EEA

Transfers outside the EEA become more manageable. As well as the equivalent of the circumstances where a data controller does not need to assess adequacy (i.e. the Schedule 4 conditions of the DPA more or less continue), there are a number of options available for transfers. These options arise when adequacy requirements are covered in:

(a) binding corporate rules;
(b) standard data protection clauses adopted by the Commission;
(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism;
(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority;
(e) an approved code of conduct (i.e. code of practice), or
(f) a certification mechanism.

Data controllers can no longer assess adequacy for itself (unlike the 1998 Act) for all transfers. However, if a particular transfer "is not large scale or frequent and is necessary for the purposes of legitimate interests pursued by the controller or the processor", and "where the controller or processor has assessed all the circumstances surrounding the data transfer" and has  "adduced suitable safeguards with respect to the protection of personal data" .... then the transfer can occur.

Fines

The leaked document omits the level of fines, presumabably because there is not agreement on the fine level. However, it is clear that any fine will be subject to a large number of conditions, several of which appear to be immaterial (see next). The Monetary Penalty Notice familiar to UK readers will have to substantially change; it will have less of a bite (if it ever did have a bite).

Before fining an organisation, a Regulator has to take into account the following:

(a) the nature, gravity and duration of the infringment having regard to the nature scope or purpose of the processing concerned;
(b) the intentional or negligent character of the infringement,
(c) the number of data subjects affected by the infringement and the level of damage suffered by them;
(d) action taken by the controller or processor to mitigate the damage suffered by data subjects;
(e) the degree of responsibility of the controller or processor having regard to technical and organisational measures implemented by them pursuant to Articles 23 and 30;
(f) any previous infringements by the controller or processor;

(g) the financial situation of the controller or processor, including any financial benefits gained, or losses avoided, directly or indirectly from the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) the level of co-operation with the supervisory authority during the investigation of the infringement.
(j) adherence to approved codes of conduct pursuant to Article 38 or approved certification mechanisms pursuant to Article 39;
(k) whether a data protection officer has been designated;
(l) whether the controller or processor is a public authority or body;
(m) any other aggravating or mitigating factor applicable to the circumstances of the case.

In addition each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. Note this means that MPNs for public authorities could be history if the Government decides.

This step can be justified as the public sector gets its money from the Treasury. The concept of a public sector regulator fining another public body and then returning the fine to the Treasury (only for the money to be passed back to the public authority the next financial year) is an odd one. Mind you, the other alternative of allowing the Regulator to keep the fine, introduces a motive for a Regulator (if short of cash) to go fishing for fines. 

Finally, it appears to me, that the European Data Protection Board is reduced to a talking shop; it can issue opinions, recommendations and guidelines (in exotic locations one hopes). Looking at the Working Party experience, such opinions are largely ignored in the law enforcement area. I expect this to continue.

As for the rest, I leave the reader to have a go at the remaining 220 pages! Why is it that in data protection, every publication has to be a 100+pages!

References

To download the latest leak (220+ pages – be warned): http://www.statewatch.org/news/2013/jun/eu-council-dp-regulation-revised-11013-13.pdf  (Hats off to Statewatch)

This blog covers the first 40 Articles: Member States divide over the protection offered by the Irish version of the data protection regulation: http://amberhawk.typepad.com/amberhawk/2013/06/member-states-divide-over-the-protection-offered-by-the-irish-version-of-the-data-protection-regulat.html

Irish do a "hatchet job" on the Data Protection Regulation: http://amberhawk.typepad.com/amberhawk/2013/06/member-states-divide-over-the-protection-offered-by-the-irish-version-of-the-data-protection-regulat.html

How the UK’s risk-based data protection policy can result in lower standards of data protection. http://amberhawk.typepad.com/amberhawk/2013/06/how-the-uks-risk-based-data-protection-policy-can-result-in-lower-standards-of-data-protection.html

Mr Hague can explain GCHQ interception of “external communications”

No doubt you have seen this weekend’s brouhaha about GCHQ and the Guardian’s allegation that it has intercepted communications on a gargantuan scale. Well I think Mr Hague can clear everything up with a public statement as to why he thinks such interception is proportionate without any nonsense such as: "I can't say anything because that could jeopardise national security”.

Why? Because it is very likely that he has signed (or authorised) a warrant phrased in very general terms that allows such interception; indeed as he has been in office for three years since 2010, he has signed (or authorised) this  particular warrant every six months. One assumes therefore, he knows what it contains.

I should add the interception, if tested in Court, is likely to be lawful under the Regulation of Investigatory Powers Act 2000 (RIPA). This raises the issue as to whether Ministers and Parliament are content for it to remain so (as it depends on the meaning of "external communication"). Another reason for a public statement perhaps.

Under Section 5 of RIPA, the relevant SoS (e.g. Home Secretary, Foreign Secretary) can issue a warrant if an interception of communications is “necessary in the interests of national security” or “necessary for the purpose of preventing or detecting serious crime”. Under S.5(2) the SoS has to attest on the warrant, the fact that the conduct being authorised is "proportionate".

RIPA also allows that such an interception warrant can make lawful “conduct for obtaining related communications data”. This means that Mr Hague’s warrant, assuming it authorised the current GCHQ interception, could also have authorised the collection of communications data on an equally gargantuan scale.

Section 8 of RIPA says that, in general, “An interception warrant must name or describe either (a) one person as the interception subject; or (b) a single set of premises as the premises in relation to which the interception to which the warrant relates is to take place”. This warrant has also “to comprise one or more schedules setting out the addresses, numbers, apparatus or other factors, or combination of factors that are to be used for identifying the communications that may be or are to be intercepted”. Note that such a warrant is very detailed.

However Section 8(4) then says that a warrant does not need to specify any of the above details if the warrant relates to “the interception of external communications in the course of their transmission by means of a telecommunication system”.

In this case the warrant merely has to provide “the descriptions of intercepted material the examination of which he considers necessary”. In other words, Mr Hague’s warrant in this case is very general, and by implication, NOT targeted at any specific individual or premises. Indeed, I suspect it could be so general that it takes the form or National Security Certificates under S.28 of the DPA – many of which are published (see references).

However, under RIPA, an “external communication” means “a communication sent or received outside the British Islands”. So, for example, does this include an Facebook message leaving one UK resident to another resident in the UK via Facebook’s systems in Eire or an email between two “Gmail” accounts via the server in the USA?

If this is the case, then many “external communications” between UK citizens are “external” merely because the server that deals with the communication is not in the UK. Mr Hague should clarify this confusion very quickly; any explanation has nothing to do with national security.

In addition Section 16(3A) of RIPA states that a warrant covering the Section 8(4) “external communications” activities above is valid for 6 months in the case of national security and 3 months otherwise.

In other words, Mr. Hague has repeated his signature on this particular warrant on a twice yearly basis attesting the interception is proportionate; he is therefore in a good position to explain why.

References

Mr Hague (as have all other previous incumbents) claim he takes his warrant signing duties very carefully. I did a blog “Home Secretary spends 90 minutes per day with interception warrants?” which should interest readers. http://amberhawk.typepad.com/amberhawk/2009/09/home-secretary-spends-90-minutes-per-day-with-interception-warrants.html

Example of S.28 National Security Certificate in the public domain: https://www.gov.uk/government/publications/section-28-data-protection-act-dpa-certificate-regarding-the-intelligence-and-security-committee-isc

The TfL National Security Certificate is on http://www.statewatch.org/news/2007/aug/uk-london-tfl-exemption-certificate.pdf

Member States divide over the protection offered by the Irish version of the data protection regulation

Do you know what? After watching a very turgid video covering the meeting of Ministers (June 6th) which discussed the Irish text of the Data Protection Regulation, I have concluded that there is a no agreement in sight. Indeed, I think the Regulation will not see the light of day unless there is a great “love-in” between Member States.

As I explained in the last blog, some Member States want more “risk assessment”; a move which in combination with a reduced consent requirement will, in my view, definitely reduce the protection afforded to individuals below that of Directive 95/46/EC (see last blog). This view has been reinforced by public comments in the French Parliament (see references) following the meeting last Friday week.

In summary, at the Meeting, each Minister expressed broad support for the risk assessment elements of the Irish text (i.e. that certain security elements such as reporting data losses depend on a risk assessment or Privacy Impact Assessment) and the consequential reduction in the administrative burden.

There was also universal agreement that the Regulation should apply to the European Union itself (and this will happen).

Apart from that, there was very little else to agree on and that is why all Member States agreed that “nothing is agreed until the text as a whole is agreed”. A better version of this quotation is perhaps “we agree to disagree for the moment”, (which I suspect is more accurate).

I have broken down the blog into four areas that report the areas of Member State division: these are;

• Do we want a high level of data protection?
• Unambiguous consent versus explicit consent
• Public sector inclusion
• Data minimisation

 Do we want a high level of protection?

The European Commissioner responsible for the original text of the Regulation (Viviane Reding) and Ministers from Germany, Austria and France all referred to the need for a “high level of protection”. This statement really should raise alarm bells with data subject groups; why would this question be raised unless the Member States concerned think that the Irish text did not offer a high level of protection?

Indeed, Ms. Reding stressed that a red-line for her was a text that did not offer the level of protection afforded by the Directive 95/46/EC. Greece, for instance, explicitly referred to “regression with respect Directive 95/46/EC” (which happens to coincide with my view of the Irish text; see references).

In other words, some important Member States have expressed the worry that the Irish “flexible” text degrades the existing level of protection afforded to individuals; if this view persists, the Regulation is finished (much to the satisfaction, I suspect, of a few Member States including the UK).

As for Ms Reding, all I will do is use the quote she gave in  press release before the Minister’s meeting. It says it all:

"I will fight for a reform of the EU's data protection rules that will strengthen the rights of EU citizens and stimulate growth in the evolving digital single market. With this reform, Europe should become a standard setter for modern data protection rules across the globe. I count on the European Parliament and on the incoming Lithuanian Presidency to resist, alongside the Commission, all attempts by those who are still trying to weaken data protection standards in Europe. (my emphasis).

Unambiguous consent versus explicit consent

For Mrs Reding, the Irish reversal to “unambiguous consent” means that the Regulation will fail to offer a higher level of protection. Her view is that the Directive 95/46/EC formulation of “unambiguous consent” has meant that silence (e.g. some forms of opt-out, one presumes) has been equated with consent, thus guaranteeing some lower level of protection.

For her, “explicit consent” is needed because the “unambiguous consent” of Directive 95/46/EC has failed to deliver; a view that has the support of Germany, Greece, France, Italy, Poland, Rumania and Spain. On the other hand, many countries prefer “unambiguous consent”; for instance, the UK, with many others in support.

My own conclusion is that Member States are split on this subject and the final form of consent is unclear. However, on balance, I think consent needs to be explicit because many Member States want the old “unambiguous consent”  to be combined with a risk based approach to data protection.

As I explained in the last blog, this combination could significantly degrade the protection afforded to data subjects so much so that any call for “risk approach” in the absence of “explicit consent” as per the original Regulation text, is in my view, is a euphemism for the “reduced protection” so feared by Ms. Reding.

Public sector flexibility

A number of Member States (e.g. Germany, Denmark, Spain, Belgium, Lithuania) want “flexibility for the public sector”. For flexibility, read “more exemptions”.

Sadly, however, these Member States did not specify what "flexibility" was being sought so one assumes that it is broadly based. Since the Irish text relates to rights and Principles, one presumes also that these exemptions being sought by certain States are from rights of data subjects and/or Principles (merely because the data controller is in the public sector). However, public sector exemptions from the regulatory regime (yet to be agreed at Ministerial level) could be a further possibility.

It is important to explain why such exemptions degrade the level of data protection. For example, suppose a data controller is required by law to collect data item X from all data subjects for purpose Y. For example, in Scotland, Mrs Thatcher’s Poll tax legislation demanded the collection of dates of births of all adults in Scotland.

In practice dates of birth were only needed for those coming up to the age of 18 so the date upon which the Community Charge commenced for them could be identified. After the 18th birthday, the date of birth was not needed by Community Charge officials.

In other words, the vast majority of dates of birth were collected by law and not needed. However, because there was legislation requiring the collection and use of such dates of birth, the processing was lawful and the personal data were relevant (i.e. the legislation itself legitimised the excessive processing of personal data is in fact an exemption from that requirement).

Note that the data protection requirements of “relevance” did not get a look in!

This problem is writ large across the public sector and explains why public sector surveillance, authorised by law, is in effect a broad data protection exemption. So if Ministers want more carve outs from data protection obligations for their own Departments of State; don’t be surprised if you see many of them in the Regulation.

Minimal data minimisation

Quite a few countries (Germany, France) expressed concern that the Principles had lost the requirement for data minimisation (i.e. the obligation that personal data are “limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”).

These Member States agreed with Ms Reding who said that the data minimisation Principle was important to protect privacy with respect to developments in Cloud Computing and Big Data, and would promote the use of 'pseudonymous data' (rather than identifiable personal data). I suspect Ms. Reding sees data minimisation as another red-line.

Note that this has to be read with the fact that Privacy by Design (PbD) requirements are now subject to a risk assessment which reduces the impact of the original provision. The data minimisation requirement of the original text have been eliminated; instead PbD is a requirement (if appropriate to the risks); the Irish requirements (in A.23) applies only to “the amount of data collected, the period of their storage and their accessibility”.

Note that these PbD provisions do NOT apply to the “use” and “disclosure” of personal data and I think this, and the removal of the strict data minimisation requirement, substantially degrades PbD as a protection.

Conclusion

So, in short, data subjects can see reduced consent requirements, their personal data not subject to some minimisation rules, more exemptions for the public sector in circumstances not related to crime and taxation, as well as a risk based/unambiguous consent combination I discussed in the last blog.

I short, I think Member States that fear a reduced the level of privacy protection afforded to data subjects are right.

References

Council of the European Union Justice and Home Affairs - Legislative Deliberations re the Data Protection Regulation, Thursday, June 6, 2013;  (starts 9 minutes 48 secs in):
http://video.consilium.europa.eu/webcast.aspx?ticket=775-979-13017

Note: to get to a specific Member State contribution, scroll down after the five items marked (Item A), the last obe being “A Item 5 – removal of fins from sharks”. Under the “personal data tag, is a list of country flags (Mrs Reding is the Euro flag). Before each country flag is the Irish flag (which is the Irish chair’s introduction to the contribution to each Member State. Remember to choose your national language as well.

My blog on Google and Facebook getting the upper hand with the Irish text:
http://amberhawk.typepad.com/amberhawk/2013/06/irish-data-protection-regulation-text-gives-google-and-facebook-the-upper-hand.html

My blog on the Irish gutting the Commission’s original Regulation text: http://amberhawk.typepad.com/amberhawk/2013/06/irish-do-hatchet-job-on-the-data-protection-regulation.html

French view of the Regulation (another blog) http://www.hldataprotection.com/2013/06/articles/consumer-privacy/draft-eu-data-protection-regulation-rejected-by-french-government/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ChronicleOfDataProtection+%28HL+Chronicle+of+Data+Protection%29

If you are interested in why data protection and human rights legislation has difficulty in protecting privacy (set in the context of general surveillance): http://www.amberhawk.com/uploads/surv1_website(2).doc

 

How the UK’s risk-based data protection policy can result in lower standards of data protection

Today’s blog deals with the UK position on the Irish text of the Regulation and is based on the statements of Chris Grayling MP, the Cabinet Minister responsible for data protection at a June’s Council of Ministers meeting (see references).

Following these statements I have concluded that the current UK Government policy on data protection supports a level of protection below that established by Directive 95/46/EC. This arises because the Government want many more data protection obligations in the replacement Regulation to be assessed on a risk based approach whereas in the current Act, the notion of risk is only applied in a small part of the Interpretation of the Seventh Principle.

In this blog, I explain why such a comprehensive approach based on risk or harm is flawed and why it reinforces my concerns over Article 80a (see last blog). I also show that the Information Commissioner’s (ICO’s) stance on the Regulation has been selectively used to bolster the Government’s position.

The UK position on the Regulation

The UK position was expressed by Secretary of State, Chris Grayling in a 5 minute speech. After welcoming the changes in the Irish text, all further statements related to imperfections in the Irish text. Only once did the Secretary of State mention, in passing, the importance the enhanced protection for individuals but only in the context of a balanced approach for data controllers.

In summary, the UK position on the Regulation is as follows; remember these comments relate to the Irish text published in June 2013, and not the draft produced by the European Commission a year and a half ago. These are

• The territorial nature of the Regulation needs more consideration to assess whether it is practicable; Chris Grayling used the word “unrealistic” to describe these provisions in the Irish text. These provisions relate to a provision where a data controller based outside the EEA, offers goods or services to data subjects or monitors their behaviour within the European Union. In other words, the UK is questioning the application of the Regulation to data controllers based in the USA (and there are no prizes for guessing which USA based organisations fall into this category).
• The provisions concerning “consent” have not been discussed by the working groups (by implication, the Irish move to “unambiguous consent”, which is exactly as those in Directive 95/46/EC, might not be a sufficient change for the UK). Remember the Irish text has removed the provision that the data controller has the burden of proof to show he obtained consent, and the provision relating to the imbalance of power between data controller and data subject (i.e. the Irish text allows for the continuation of Hobson’s choice consent – or as I call it, Home Office consent).
• The impact on business should be judged from the context of the SME’s which are going to drive economic recovery and not from the standpoint of Google or Microsoft (this is at variance from the French position which is seeking application for the complete Regulation to Microsoft and Google but with appropriate exemptions for SMEs).
• There should be a business impact assessment (as the UK has its own figures, as do the Dutch and Belgium Governments which show a cost to business of the original Regulation). This I suspect is a device to waste time as the Regulation needs to be enacted by June 2014.
• The risk based approach needs to be taken further and the security principle is welcome (mainly because it looks like the existing UK provision). This implies that other Principles and rights should be subject to risk based approach (see below).
• Finally, the UK still want a Directive (with the support of Belgium and Hungary); I consider this likely for the next European Parliament (see next blog; later this week).

The ICO position

The ICO has published a letter that summarises his well known concerns with respect to the Regulation text as published by the Commission in January 2012. These are not new: for example, reporting every data loss; authorising transfers; funding for his office if notification is scrapped; lack of flexibility re the role and responsibilities of the ICO.

Unsurprisingly, as this supported the UK position, the letter was promoted by Secretary of State, Chris Grayling as justifying the UK stance. What the Secretary of State did not say was that ICO’s letter (see references) also welcomed elements in the Commission’s text which the Irish text has subsequently weakened.

For instance, the ICO’s letter welcomed:

• the stronger explicit “consent” provisions of the Commission’s text; by contrast these have been reduced by the Irish text to “unambiguous consent” (i.e. the standard of Directive 95/46/EC).

• the clearer provisions about data processor responsibilities; however the Irish text provides a mechanism so that Member States can order a data processor to disclose personal data to the law enforcement authorities without informing the data controller. Note that this means that NSA-PRISM-type activities can be legitimised by any Member State in relation to any data processor – and nobody is the wiser unless a whistle-blower is forthcoming.

• the “introduction of accountability” for data controllers; by contrast, the Irish text removes the Accountability Principle in favour of a Security Principle based on the current UK Seventh Principle.

• recognition of the importance of Privacy by Design or Privacy Impact Assessments; by contrast, the Irish text removes the data minimisation provisions (i.e. removal of the requirement to limit the processing to the “minimum necessary in relation to the purposes for which they are processed” and that personal data “shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”).

One really wonders whether the ICO is content with the Irish text changes so far? What I will say is that after being so critical of the Commission’s Regulation, he cannot remain silent if, in his view, changes to the Regulation reduces the protection afforded to data subjects.

The risks of the risk based approach

However, Chris Grayling also stated that the risk based approach should be extended to more of the Regulation. This moves UK data protection policy objectives in the direction of the approach adopted by the APEC Privacy Framework or the Obama Administration’s policy towards online privacy – both of which are based on a risk assessment or the notion of “harm”.

There are three problems with such a harm or risk-based approach:

• First, a risk based approach will be based on a data controller assessment of harm to data subjects in general, whereas harm can only be accurately assessed from the standpoint of each data subject.
• Second, any personal data processed with “data subject consent” is unlikely to need a risk assessment.
• Third, any personal data that is published does not need a risk assessment.

Some thirty five years ago, well before the UK had any data protection law, the notion underpinning a data protection regime based on "harm" was firmly rejected by the Lindop Committee in its Report on data protection in 1978 (Cmnd 7341 paras 18.24-18.27).

Lindop concluded that there was no objective standard whereby a data controller could be able assess harm prior to the processing of personal data because there was no way an organisation could judge whether its personal data or its processing would be sensitive or non-sensitive.

Of course the data controller could identify that there might be harm in some cases (e.g. because of the confidential nature of some personal data or the potential for impact on the data subject). However, as a data controller could not make an assessment that the processing was “harmless”, it followed that many data protection obligations could not be based on harm.

This is because the potential for harm is a subjective assessment that can only be accurately judged by each data subject concerned and of course, such assessments can change over time and in context.

For example, suppose a data subject gives a new address to a data controller: is this “harmless”? For most data subjects the change of address might follow some routine house-move. However, if a data subject is changing address because of a violent relationship, then who has access to the name and new address becomes a matter of deep concern for that data subject. The data subject knows this context; the data controller doesn’t.

That is why putting more of the Regulation on a risk-based approach is a flawed idea; the only person who can assess risk properly is the data subject and such risks fluctuate depending on the context.That is why the French Minister, at the meeting of Ministers, was wholly correct to assert in her speech that any risk assessment approach needs the involvement of the data subject.

Consent, public domain personal data and a risk-based approach

If a data subject consents to the processing of personal data, then he is making an informed judgement about any harm to himself caused by any intended processing by a data controller. Any data controller assessment of harm is redundant as it will be trumped by the data subject’s own assessment of harm.

For instance, what would you say to a data subject who took a risk in relation to his own privacy and then argued for compensation based on the fact that the data controller’s assessment of risk was wrong. I think you would say something like “get lost”.

And that is why data subject consent makes it difficult to argue there has been a breach of Article 8 of the Human Rights Act; most Article 8 cases involve interference with private and family life in the absence of consent.

And that is why, when considering the Regulation, the definition of “data subject consent” is so important. If it is weakened, then a single unticked-opt-out box could easily reduce the protection afforded to data subjects. Note also, the implication that any change to a risk based approach towards data protection needs a stronger and more detailed consent base (not a weakened one!). For example, for consent to be fully informed, details about retention periods (5th Principle) might need to be given.

If more of the Regulation becomes “risk-based”, the more protection is stripped off the data subject for that unticked-opt-out box. For instance, if all the data protection principles were “risk based” and if the data subject were to consent, then the application of the principles would also be removed.

Similarly, if personal data were published by a data subject and someone else took advantage of that, one would say “well, you should not have published”.  In the APEC Privacy Framework for example, the Privacy rules do not apply to personal data that has been published (e.g. by Facebook, Youtube etc).

So, for instance, in a complete risk-based data protection world, a data controller can use public domain information (e.g. put into the public domain by unambiguous default Facebook settings) to assess a data subject for employment. There is no obligation to ensure that these personal data are relevant for the employment purpose, nor to be fair to the data subject, nor indeed to keep the personal data secure.

After all these personal data are in the public domain. By contrast, the Data Protection Act does require observation of these Principles.

More importantly, Article 80a of the Irish text allows Member States liberty to introduce exemptions with respect of freedom of expression; this could be applied to personal data placed in the public domain by the data subject with “consent” (whatever that means).

Conclusion

You can see now why the UK Government public policy for reduced standard of consent AND more risk based approach results in a reduction of the standards of data protection.

References
ICO letter of 24th May 2013:  http://www.ico.org.uk/news/~/media/documents/library/Corporate/Notices/rt-hon-chris-grayling-ministry-of-justice-20130603.ashx

Blog on UK Government’s preference for a Directive:
http://amberhawk.typepad.com/amberhawk/2012/11/uk-government-opposed-to-the-commissions-data-protection-regulation.html

Blog on Article 80a of the Regulation;
http://amberhawk.typepad.com/amberhawk/2013/06/irish-data-protection-regulation-text-gives-google-and-facebook-the-upper-hand.html

Council of the European Union Justice and Home Affairs - Legislative Deliberations re the Data Protection Regulation, Thursday, June 6, 2013;  (starts 9 minutes 48 secs in):
http://video.consilium.europa.eu/webcast.aspx?ticket=775-979-13017

Note: to get to the UK contribution, scroll down after the five items marked (Item A), the last one being “A Item 5 – removal of fins from sharks”. Under the “personal data tag, click on the Irish flag just before the Union Jack.

Obama’s Consumer Privacy Bill of Rights: now on https://templatearchive.com/consumer-privacy-bill-of-rights/ (used to be http://www.whitehouse.gov/sites/default/files/privacy-final.pdf)

The APEC Privacy Framework and data protection – 2008 which explains why the APEC Framework is deficient in European Data Protection terms (e.g. Directive 95/46/EC); available on http://www.amberhawk.com/uploads/APEC.doc

Irish data protection regulation text gives Google and Facebook the upper hand

Would you be surprised if the Irish text of the Regulation could allow a Member State, most likely Eire, to implement specific exemptions for companies like Google and Facebook from those data subject rights that involve accuracy, correction, erasure of personal data and the so-called “right to be forgotten”?

In addition, would you be surprised if the definition of “main establishment” introduced by the Irish could mean that any enforcement action against such companies would be prolonged and could easily exhaust a regulator’s capacity (most likely the Irish Commissioner) to enforce the Regulation?

Finally, the change from “explicit consent” to “unambiguous consent” means that the fair information practices that these companies employ with respect to Directive 95/46/EC (which are now subject to legal action by the CNIL on behalf of all Europe’s Data Protection Commissioners) can continue into the new Regulation, unabated. This change makes the outcome of the CNIL’s action more important to the privacy of Europe’s citizens.

These are three reasons why, in my view, the Irish redraft risks taking the level of protection for individuals to a level lower than that achieved by Directive 95/46/EC. More detail of these concerns are given below.

The freedom of expression issue

The objective of the Irish drafting changes to the Regulation is to allow for “flexibility”. However, Article 80 is so “flexible” that it is possible for any Member State to enhance their “attractive” corporation tax policies with some “reduced” data protection standards as well.  And when enacting these reduced standards, any politician would be able to justify them in terms of defending “freedom of expression”?

In the UK’s Data Protection Act, the Special Purposes (journalism, literature, art) and a special enforcement mechanism is defined in order to protect freedom of expression. In Section 22A of the Irish Data Protection Act, there are exemptions for that processing which is undertaken “solely with a view to the publication of any journalistic, literary or artistic material” (my emphasis on solely throughout).

Wide exemptions like this are justified in terms of Article 9 of Directive 95/46/EC which states:

“Member States shall provide for exemptions or derogations from (…the main chapters of the Directive such as rights and principles ..) for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression”.

Notice that in the Directive, the processing has to be carried out “solely for journalistic purposes or the purpose of artistic or literary expression” and any exemption introduced by Member States has to be in the context of these three purposes.

Now look at the replacement for this Article in the Irish text:

Article 80:  “Member State law shall reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression, including the processing of personal data for journalistic purposes and the purposes of artistic or literary expression”.

Notice the provision includes journalistic purposes or the purpose of artistic or literary expression. In other words, the provision of exemptions on freedom of expression grounds can go beyond art, journalism and literature as these three are examples of “freedom of expression”.

Of course, one might argue that the extension is needed to protect personal data in blogs or tweets. For instance, the Hawktalk blog is not journalism (far too accurate to qualify for journalism?), nor does its prose have much in the way of artistic or literary merit (not flowery enough, perhaps?). Hence, for example, if I criticised a politician for degrading the level of data protection, I am pleased that there is a freedom of expression exemption that could give me some protection.

However, the extension is not limited to blogs and tweets; it can “flexibly” be extended by a Member State. For instance, during the furore over the Commission’s initial suggestion for a “right to forget”,  Google’s Global Privacy Counsel, Peter Fleischer began referring this right in terms of “censorship” (i.e. a restriction on “freedom of expression”). So could one imagine a “freedom of expression” exemption be fashioned by a Member State in order to satisfy a requirement from Google re the right to forget? I think it can.

Suppose you share something on Facebook about a friend without permission: is that an invasion of your friend’s privacy or an indication of your freedom of expression? Facebook representatives have often argued that any restriction on such sharing is a prohibition on the freedom of expression. So, there again, could a “freedom of expression” exemption be fashioned by a Member State that facilitates such data sharing on social networks?

Also, please remember that corporate USA’s dollars funded an extensive lobbying campaign against the Regulation. If corporate America organised this effort in the European Parliament, it is easy to imagine them applying the same pressure on a Member State to demonstrate “flexibility” in the context of rights that relate to “freedom of expression”. This is especially the case in these economic hard times.

Of course one might say that the European Commission would step in and take immediate action if this were to happen. All I would respond is that the words “immediate” and “action by the European Commission” in my judgment is a contradiction in terms. For instance, the Commission started threatening infraction proceedings against the UK in 2004 on the grounds that the Data Protection Act 1998 was an inadequate implementation of Directive 95/46/EC. Nearly a decade later nothing has happened.

The “main establishment” issue

I am also concerned that the regulatory framework in the European Commission’s original text could be so weakened to such an extent that a regulator cannot take effective legal action against such large multi-national companies. This is best shown in the context of the Ireland, because as is well known, for corporation tax “flexibility” purposes, Google and Facebook have both established their European HQs in Eire.

The definition of main establishment in the Irish text of the Regulation states that for a data controller “the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken”. This would be Ireland and it also means that the Irish Commissioner is the key data protection supervisory authority for all of Europe’s citizens with respect to Google and Facebook etc.

So suppose, perish the thought, that one of the European Union’s half billion data subjects has a data protection problem with Facebook. That data subject would turn to the Irish Commissioner.

Now Facebook is a large organisation, and UK taxpayers might want to know that a low corporation tax payment in the UK has allowed it to invest in real-estate in Dublin. Click here to view Facebook Dublin HQ (pleasant isn’t it):  View this photo

Of course, if there are legal problems, Facebook in Dublin will call on the assistance of Facebook HQ in the USA.  Click here to view Facebook HQ occupying a site of over a square kilometre in size:  View this photo

Against Facebook would be the Irish Data Protection Commissioner and it is useful to click here to compare Facebook HQs with that of the Irish DP Commissioner. The Commissioner’s HQ is next to the Centra supermarket:   View this photo

Get the message?

According to the 2012 Annual Report, the Irish Commissioner’s budget is £1.3 million  per year (€1.5 million or $2 million). He will be taking on Facebook (2012 revenue of $1.68 billion) and Google (2012 Revenue $50 billion) and all the other corporation tax refugees settled in Ireland.

Thus, irrespective of the merits of the Irish Commissioner and the ability of his staff, any serious enforcement action means that he will be tied up in legal red tape; these companies are simply too big for one small Commissioner to take on.

Conclusion

The reasons above explain why I think the Irish text of the Regulation sets up, in the case of corporate America, a structure that could very easily seriously undermine the data protection obligations that protect the privacy of all of Europe’s citizens.

Update on FOI/DP Interface

In my blog of the DAPIX leak (date 29/05/2013) I said that the proposed changes to the Regulation could interfere with the DP/FOI interface. This risk of interference has been lessened by Article 80a of the Irish text which states that:

 “Personal data in official documents held by a public authority or a public body may be disclosed by the authority or body in accordance with Union law or Member State law to which the public authority or body is subject in order to reconcile public access to such official documents with the right to the protection of personal data pursuant to this Regulation”.

This Article was missing from the DAPIX leak. So what I think will happen is that the powers in Schedule 2, para 6(2) can be used to restore the Data Protection/FOI interface that we love and know.

References

Data protection as “censorship”: Peter Fleischer; http://peterfleischer.blogspot.co.uk/2011/03/foggy-thinking-about-right-to-oblivion.html

Facebook: Proposed EU ‘right to be forgotten’ raises “major concerns” over freedom of expression online: http://thenextweb.com/facebook/2012/11/20/facebook-proposed-eu-right-to-be-forgotten-raises-major-concerns-over-freedom-of-expression-online/

Irish do a "hatchet job" on the Data Protection Regulation

The Irish Presidency has published the first 40 Articles of what it considers to be an acceptable Regulation; as I said with my DAPIX blog (see references) based on a leak of this document, my conclusion is:

Irish text = old Directive 95/46/EC + tweaks

In previous blogs on this subject, I have referred to the fact that there has been no agreement by Member States on the text. The DAPIX leak document (see references) is one of the few documents which explains why these disagreements arise.

The Irish text does not make any attempt to explain why the text has changed from the published draft, and this lack of explanation is a major hurdle in any analysis as it is easy to jump to a wrong conclusion.

For example, consider any deletion (this is marked by “(…)”) in the text. Is this because that there is no agreement on the text or is it because there is total agreement that the text should be removed? The answer to this question informs the analysis. With the former, the removal is to paper over the cracks of disagreement; with the latter, all Member States disagree.

So when looking at the detail of the Irish text (which I expect many of you will do so), please have the DAPIX leak at your side – the "why?" the text has changed is as important as the actual change to the text.

To overcome all disagreements and arrive at its "hatchet job", the Irish Presidency has resorted to three devices:

(1) Remove the offending passage in the original’s text that give rise to the disagreement (Just look at the number of “(….)’s” in the Irish text – easy to find, they are on every page!).

(2) Reduce the impact of a provision (e.g. insert words such as “where appropriate”, “where necessary” or “taking into account the impact on the data subject”. For example, the data loss, PIA and PbD provisions do this). Such changes also introduce a "risk assessment" element to these provisions (e.g. data controllers report high risk data losses). 

(3) Leave it to Member States to decide (e.g. the Data Protection Officer provisions). So where you see words like “where a Member State considers it useful….” replace them with “Except in the UK”. (The UK Government has a track record of “where there is an option, take it”).

Other changes that have caught my eye

I am not repeating the text of my blog on the DAPIX leak; those comments are still valid. Comments about the direction of travel are also valid as are comments on rights and security. So here goes with other commentary.

The Accountability Principle of the draft Regulation (personal data shall be “processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”) is replaced by a general security principle (more or less our Seventh).

So does this mean that accountability is reduced or do Member States think that the obligations are covered elsewhere? I suspect that accountability principle is covered elsewhere – but without official explanation, I can’t be sure!

There is a definition of 'pseudonymous data' which is not used in the Irish text!  This suggests that the definition is used in the other 40 or so Articles that are not in the Irish text (e.g. Articles 81 or 83 that relate to the processing of personal data for medical purposes or research).

The definition of consent is weakened. The requirement that “Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller” is removed.  There is no requirement that “The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes”. No explanation is given for a change that will surely alarm most data subject advocates.

Article 11 (which requires data controllers to have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights) is removed. For public bodies, FOI requirements will cover this obligation. Most large data controllers should do this already, so it is possible that its removal is an attempt to be less prescriptive for smaller SMEs.

Article 13 (Rights in relation to recipients) is removed. This Article concerns the requirement on data controller to communicate any rectification or erasure carried out in accordance with the exercise of data subject rights to any recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort. I have no idea why this removal was deemed to be necessary; it could be that the obligation becomes wrapped up in the data protection principles.

Article 29 (Co-operation with the supervisory authority is removed). This covers the requirement on the controller and the processor to co-operate, on request, with the supervisory authority in the performance of its duties or powers). This removal looks alarming – however, the powers of the supervisory  authorities (Article 53) have not been agreed by Member States and I suspect that the content of this Article is contingent on the content of the powers granted to supervisory authorities (and that explains the removal).

The time period for meeting a subject access request can be doubled in complex cases to around 90 days; the normal time period for simple requests is 1 month (30 days), but it can be extended to 3 months max in difficult cases (90 days).

In conclusion, I think most of the privacy lobby will see the revised Irish text as a “sell out” to big business. This is especially the case as the Irish have made no effort to publish any explanation of its changes.

I need to look at some areas more carefully before I come to any conclusion. What I will be looking for is not the removal of the obligations on the data controller (which can be included in a broad based Principle approach) but the ability of the data subject to get corrective action when an error occurs. After all, when something goes wrong, the first thing we want is to get the problem fixed quickly and easily.

In this regards, the powers of the supervisory authorities are key. If these are given the Irish hatchet as well, then I think the result could easily be a lower standard of data protection. In which case, I would advise the European Parliament to reject the Regulation and stick to the Directive.

References

Down load the Irish text here: Download Blog_revised Irish text published 31 May 2013

Blog on DAPIX leak here http://amberhawk.typepad.com/amberhawk/2013/05/latest-leak-the-new-data-protection-regulation-is-looking-more-like-the-old-directive.html  (The DAPIX document is a link at the end of this blog)

 

ICO needs a different strategy to deal with data protection offences

I have drawn the conclusion that the Government will not commence the custodial nature of Section 55 offence in the Data Protection Act this side of the General Election (and within the next few years). The reason is familiar: fear of upsetting the press.

I also think that the ICO needs to adopt another strategy to deal with the problem of not having the custodial element available; for instance, by passing over suitable cases to the public prosecutors and/or using the Monetary Penalty Notice (MPN).

As is well known, some of the tabloids and broadsheets are to the right of UK politics. Most of these newspapers take an anti-European stance and some support the idea of an “in-out” referendum; most of these newspapers also support the alternative Leveson Royal Charter drafted by their proprietors. In addition, some proprietors of these newspapers support those Conservative Euro-sceptic back-benchers who want Mr. Cameron either tied to a “UKIP-like” political-agenda (e.g. on human rights, immigration etc) or not leading the Party at all.

Suppose you are advising Mr Cameron in this febrile political atmosphere? With the next General Election about a year or so away, how about suggesting an offence that could result in Daily Mail journalists being locked up? Even after the Election, I don’t think an incoming Government say: “Hey, let’s implement S.55?”.

That is why, in a nutshell, I think the S.55 offence will not see the light of day for the next four or five years, when I suspect any Data Protection Regulation (if it survives – another story) will force the issue. The Regulation would also give Government the perfect alibi when implementing the custodial element of this offence: “Don’t blame me. Look what those nasty Europeans are imposing on us”. (No doubt, another reason for leaving the EU).

The issue has come to a head with the ICO’s Press Release (23 May 2013) concerning a former manager of a health service based at a council-run leisure centre in Southampton. This manager used sensitive personal data (medical) relating to over 2,000 people, and a fortnight ago was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court. He was fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs.

The ICO said:

“This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a 'recordable offence' which it isn't now. For the most serious cases the current 'fine only' regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated.

How many times, over the last decade, have you heard the ICO say something like the quote above? Well, if I were ICO, I would not “go there” again.

So what is my suggestion?

Well, I would pass serious cases like this to the Director of Public Prosecutors asking him to assess whether there was a prospect of a custodial offence:

• under the Computer Misuse Act (as personal data are often on a computer) and unauthorised access to a computer should equate with using computerised personal data without the consent of the data controller;

• of Malfeasance in Public Office (this is a common law offence – see references below) which applies to all public servants (as in this case); or

• under sector specific legislation that applies to certain information held by public authorities (e.g.  Census, Official Secrets and Social Security legislation has these offences).

Secondly, I would take a close look at the Monetary Penalty Notice (MPN). According to the Press Release, the convicted manager  “took the information hoping to use the data for a new fitness company he was setting up”.  Ergo, his company was a data controller and could have actually processed sensitive personal data unlawfully (and the data controller should have known that this is the case).

So, it is possible that the manager’s company could be subject to a MPN that then puts it out of business; well if a business depends on the unlawful processing of sensitive personal data it probably deserves it. Even if the company went into bankruptcy before the penalty could be recovered (as with the case of ACS Law), the message that a MPN would send would be unmistakeable.

Even if the manager moved jobs to by some other employer, that employing data controller could have benefitted by the processing of sensitive personal data unlawfully. Here the substantial breach could be associated with the First Data Protection Principle on the grounds of “unlawful processing”. There again, the MPN could be in the frame.

Then I would look at the manager’s previous employer. What did this data controller do with respect to leavers procedures? Are leaving employees told that they cannot use or disclose personal data they have been privy to? Is there a breach of the Seventh Principle?

Finally, I would challenge tosh like this published by the NHS on its home to reassure the public. Read on to find one obvious mistake:

“There are strict laws and regulations to ensure that your health records are kept confidential and can only be accessed by health professionals directly involved in your care….  Under the terms of the Data Protection Act (1998)  …. “It is a criminal offence to breach the Data Protection Act (1998) and doing so can result in imprisonment”.  (Quote present  on the site’s home page on 5 June 2013; I wonder how long it remains!)

If I were ICO, I would insist that this sentence would be replaced by: “It is a criminal offence to breach the Data Protection Act (1998); the penalty associated with this offence might be insignificant, for example when compared with what individuals might gain from committing the offence”.

References:

ICO press release re the DPA offence: http://www.ico.org.uk/news/latest_news/2013/leisure-centre-employee-prosecuted-for-unlawfully-obtaining-health-information-23052013

More on malfeasance in public office: http://amberhawk.typepad.com/amberhawk/2011/01/absence-of-custodial-data-protection-offence-increases-likely-use-of-malfeasance-in-public-office.html

NHS website with tosh about the DPA: http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/overview.aspx