The Irish Presidency has published the first 40 Articles of what it considers to be an acceptable Regulation; as I said with my DAPIX blog (see references) based on a leak of this document, my conclusion is:
Irish text = old Directive 95/46/EC + tweaks
In previous blogs on this subject, I have referred to the fact that there has been no agreement by Member States on the text. The DAPIX leak document (see references) is one of the few documents which explains why these disagreements arise.
The Irish text does not make any attempt to explain why the text has changed from the published draft, and this lack of explanation is a major hurdle in any analysis as it is easy to jump to a wrong conclusion.
For example, consider any deletion (marked by “(…)”) in the text. Is this because there is no agreement on the text, or is it because there is total agreement that the text should be removed? The answer to this question informs the analysis. With the former, the removal papers over the cracks of disagreement; with the latter, all Member States disagree with the provision.
So when looking at the detail of the Irish text (which I expect many of you will do so), please have the DAPIX leak at your side – the "why?" the text has changed is as important as the actual change to the text.
To overcome all disagreements and arrive at its "hatchet job", the Irish Presidency has resorted to three devices:
(1) Remove the offending passage in the original text that gives rise to the disagreement (just look at the number of “(….)’s” in the Irish text – easy to find, they are on every page!).
(2) Reduce the impact of a provision (e.g. insert words such as “where appropriate”, “where necessary” or “taking into account the impact on the data subject”. For example, the data loss, PIA and PbD provisions do this). Such changes also introduce a "risk assessment" element to these provisions (e.g. data controllers report high risk data losses).
(3) Leave it to Member States to decide (e.g. the Data Protection Officer provisions). So where you see words like “where a Member State considers it useful….” replace them with “Except in the UK”. (The UK Government has a track record of “where there is an option, take it”).
Other changes that have caught my eye
I am not repeating the text of my blog on the DAPIX leak; those comments are still valid. Comments about the direction of travel are also valid as are comments on rights and security. So here goes with other commentary.
The Accountability Principle of the draft Regulation (personal data shall be “processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”) is replaced by a general security principle (more or less our Seventh).
So does this mean that accountability is reduced, or do Member States think that the obligations are covered elsewhere? I suspect that the accountability principle is covered elsewhere – but without official explanation, I can’t be sure!
There is a definition of 'pseudonymous data' which is not used in the Irish text! This suggests that the definition is used in the other 40 or so Articles that are not in the Irish text (e.g. Articles 81 or 83 that relate to the processing of personal data for medical purposes or research).
The definition of consent is weakened. The requirement that “Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller” is removed. There is no requirement that “The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes”. No explanation is given for a change that will surely alarm most data subject advocates.
Article 11 (which requires data controllers to have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights) is removed. For public bodies, FOI requirements will cover this obligation. Most large data controllers should do this already, so it is possible that its removal is an attempt to be less prescriptive for smaller SMEs.
Article 13 (Rights in relation to recipients) is removed. This Article concerns the requirement on the data controller to communicate any rectification or erasure carried out in accordance with the exercise of data subject rights to any recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort. I have no idea why this removal was deemed to be necessary; it could be that the obligation becomes wrapped up in the data protection principles.
Article 29 (Co-operation with the supervisory authority) is removed. This covers the requirement on the controller and the processor to co-operate, on request, with the supervisory authority in the performance of its duties or powers. This removal looks alarming – however, the powers of the supervisory authorities (Article 53) have not been agreed by Member States, and I suspect that the content of this Article is contingent on the content of the powers granted to supervisory authorities (which explains the removal).
The time period for meeting a subject access request can be doubled in complex cases to around 90 days; the normal time period for simple requests is 1 month (30 days), but it can be extended to 3 months max in difficult cases (90 days).
In conclusion, I think most of the privacy lobby will see the revised Irish text as a “sell out” to big business. This is especially the case as the Irish have made no effort to publish any explanation of its changes.
I need to look at some areas more carefully before I come to any conclusion. What I will be looking for is not the removal of the obligations on the data controller (which can be included in a broad based Principle approach) but the ability of the data subject to get corrective action when an error occurs. After all, when something goes wrong, the first thing we want is to get the problem fixed quickly and easily.
In this regard, the powers of the supervisory authorities are key. If these are given the Irish hatchet as well, then I think the result could easily be a lower standard of data protection. In which case, I would advise the European Parliament to reject the Regulation and stick to the Directive.
References
Download the Irish text here: Download Blog_revised Irish text published 31 May 2013
Blog on DAPIX leak here http://amberhawk.typepad.com/amberhawk/2013/05/latest-leak-the-new-data-protection-regulation-is-looking-more-like-the-old-directive.html (The DAPIX document is a link at the end of this blog)