I have just realised that the Irish revisions to the text of the European Commission’s Data Protection Regulation anticipate Member States enacting legislation that requires data processors to disclose personal data, possibly under any exemption specified in the Regulation, without the knowledge or consent of the data controller and, if needed, contrary to any instructions given by the data controller.
The possibility of such disclosures extends well beyond the “NSA and PRISM” circumstances exposed by whistle-blower, Mr. Snowden. Indeed, I would argue that the exemption provisions in the Regulation undermine the purpose of having a Data Protection Regulation (i.e. of having the same or similar data protection regime across the European Union).
Currently, many data controllers are considering whether to use cloud services provided by USA suppliers. The publicity surrounding the notorious PRISM disclosures has ensured that such controllers don’t know, if they contract with a USA cloud service provider, whether or not their personal data will be disclosed to the USA’s National Security Agency.
Not many data controllers realise that this doubt could now extend to any data processor within the European Union. The provisions I describe below have the potential to completely undermine the data controller-data processor relationship, so much so, that confidentiality guarantees from data processors could prove to be worthless.
I know it would be extreme to do so, but the revised provisions in the Irish draft are so broadly drafted that they could allow Member States to permit their law enforcement authorities to approach any data processor and require the disclosure of any volume of a controller’s personal data in secret; just like PRISM – but writ large.
Don’t believe me? Then read on; Article 21 of the Irish text (below) has to be read in conjunction with the data processor provisions in Article 26.
First to Article 21 of the Irish text, which deals with exemptions from the provisions of the Regulation (see references). The Irish version of Article 21 now reads (my emphasis on the added “or processor”):
“Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5, and Articles 12 to 20 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:
(aa) national security;
(ab) defence;
(a) public security;
(b) the prevention, investigation, detection and prosecution of criminal offences;
(c) other important objectives of general public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;
(d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (a), (b), (c) and (d);
(f) the protection of the data subject or the rights and freedoms of others.”
By way of explaining the above, “points (a) to (e) of Article 5” provide for exemptions roughly equivalent to exemptions from the First to Fifth Data Protection Principles of the DPA, “Articles 12 to 20” provide for exemptions from data subject rights (e.g. of access, objection, fair processing notices), whilst “Article 32” concerns exemptions from data loss notification by the data controller to affected data subjects.
Note that Article 21 is a "pick-and-mix" Article; Member States can legislate for any combination of exemption in the context of paragraphs (a) to (f), subject to a "necessity" and "proportionality" test, which in the UK has not stopped the Government enacting legislation that has fallen well short of this test.
The reference to Article 32 is quite interesting. Member States are seeking the flexibility to enact legislation that allows law enforcement agencies, for instance, to be exempt from most of the consequences of a loss of personal data, even a serious loss that could seriously damage data subjects. It is, for instance, difficult for data subjects to seek compensation for damage caused by a data loss if they are not informed that there has been a data loss in the first place.
There are undoubtedly some data loss dilemmas. For example, in the context of the national security agencies, it is easy to see that if these agencies were to notify a data loss to data subjects, then such notifications inform these data subjects that they were under surveillance.
However, resolving this limited kind of dilemma is not what the Irish text is about; their "pick and mix" exemption Article permits Member States to draft legislation across the whole range of exemptions. In my view, a “flexibility” which equates “national security” and “ethics” in the same Article dealing with exemptions is “flexibility” gone mad.
Note also that if each Member State can legislate for their own "pick and mix" range of exemptions, each Member State is likely to have differently drafted exemptions. Given that the Regulation is supposed to harmonise data protection across Europe, the Irish text provides for dis-harmonisation as the exemptions can vary widely from country to country. In other words, Article 21 as drafted undermines the whole harmonisation project.
Now consider Article 21 in the context of the data processor relationship specified in Article 26. This says that as well as the usual contractual matters (see the requirements of the current Seventh Principle of the UK Data Protection Act), the data processor:
“shall process the personal data only on instructions from the controller unless required to do so by Union or Member State law to which the processor is subject and in such a case, the processor shall notify the controller unless the law prohibits such notification” (my emphasis).
In other words, Member States can enact legislation in relation to any exemption (Article 21) which allows a data processor to disclose any amount of personal data to a host of organisations without the knowledge of the data controller and even against the controller’s instructions (Article 26). As I said previously: this combination is what you had with PRISM.
That is why, if the Irish text of the Regulation ever sees the light of day, those data controllers that worry about cloud services in the USA should equally worry about using any data processor in Europe.
I think the harmonisation project is now dead; the Irish Article 21 confirms that if Member States can draft their own exemptions, then there can’t possibly be harmonisation.
In addition, the combination of Articles 21 and 26 undermines every data controller-data processor relationship and is wholly unworthy of a proposal that purports to protect Europe’s data subjects.
References
At the end of this blog, you will find the first 40 Articles of the Irish text which includes the Articles relevant to the above: http://amberhawk.typepad.com/amberhawk/2013/06/member-states-divide-over-the-protection-offered-by-the-irish-version-of-the-data-protection-regulat.html
Blog item: “Is the Data Protection Regulation dead? If not, should it be?”: http://amberhawk.typepad.com/amberhawk/2013/07/is-the-data-protection-regulation-dead-if-not-should-it-be.html
Advert
Still places on our Edinburgh Data Protection Course starting 15th September. Details on http://www.amberhawk.com/dp.asp
But doesn't the current data protection regime already contemplate this situation? Isn't article 7(c) of the Data Protection Directive broad enough to cover a situation where a processor releases information without the knowledge or consent of either the controller or data subject?
RESPONSE
Article 7 of Directive 95/46/EC (see schedule 2 of the DPA and the text of the 1st Principle) sets out the requirement that the data controller’s processing operation has to fall within one of the grounds specified in A.7; if there is no ground, the data controller can’t process. If he does process without a ground then it’s a breach.
So a data controller might be under a legal obligation to disclose (A.7(c)). He can instruct his data processor to disclose. The data processor cannot disclose unless instructed to do so; if this occurs, the data processor is deemed to be a data controller (see WP29 on SWIFT where this was debated at length).
What the Regulation does is allow the data processor to disclose without telling the data controller. Even if a data controller says “tell me data processor if the law enforcement authorities approach you for disclosure”, then the instruction could be ignored.
The problem is A.21 puts all the exemptions together; effectively it says to Member States: you can define your own exemption. Take any combination of (a) one to five Principles in A.5 and (b) any combination of rights in A.12-A.20 and if needed (c) A.32, and apply that exemption if any of the conditions (aa) to (f) in A.21 applies.
Different countries are allowed to have different combinations; if this happens you don’t get harmonisation!
Posted by: Luke, Out-Law Lawyer | 15/08/2013 at 02:42 PM