It appears that DAPIX civil servants are burning the midnight oil in an attempt to agree a draft text of the Data Protection Regulation which can be put before the Council of Ministers at its June meeting. Such a Ministerial agreement would then trigger tri-partite negotiations with the European Parliament and the Commission with the objective of producing a final text of the Regulation (my guess is still January-March 2016; implementation early 2018).
To get to a June agreement, the DAPIX group of experts from Member States have been asked to agree or disagree with certain propositions relating to data subject rights; these propositions are set out in the Latvian Presidency document which is the subject of this blog (for a copy, see references).
The Presidency text confirms (and in some places admits) that many of these propositions reduce the protection afforded to data subjects from the level established by Directive 95/46/EC.
This reduction in data subject protection is in addition to the twenty or so Articles mentioned in my previous blog about the Regulation (see references), where Member States are given flexibility as to how a provision in the Regulation is implemented. For instance:
Article 21 has widened the categories of exemptions (e.g. from subject access) from a list of 7 categories in Article 13 of Directive 95/46/EC to a list of 11 categories of exemption in Article 21 (with additional “flexibility” for each Member State to add more exemptions to suit the processing needs of the moment).
Article 1(2a) has been amended to allow each Member State to define the extent to which the Regulation applies to the public sector (i.e. some provisions might not apply).
To the above can be added the recent concerns raised by the Working Party of Data Protection Commissioners over the DAPIX-inspired change to the “purpose limitation principle” (in the UK’s DPA, the Second Principle states that any further processing of personal data cannot be for a purpose that is incompatible with the purpose of obtaining).
The DAPIX changes to this principle include conditions when a further processing purpose is deemed to be compatible with the purpose of obtaining. As this change is very important, I will leave it to the Working Party to describe its impact; in its press release the WP29 states (see references):
“The Working Party considers that this situation would render one of the fundamental principles of the data protection framework, the purpose limitation principle, meaningless and void”.
“Such an approach, which conflates the notions of legal basis and further processing for compatible purpose, contradicts the EU data protection acquis and would be illegal under the current legal framework. It could furthermore have no other consequence but to undermine the whole new data protection framework and to dilute the level of protection for EU citizens in comparison to Directive 95/46/EC in force”.
CHANGES IN THE LATVIAN PRESIDENCY TEXT
I now highlight where the protection for data subjects, in my view, is weakened further by the Presidency text below the level of protection established by Directive 95/46/EC.
Personal data collected from the data subject
This Article concerns the Fair Processing Notice given to data subjects when they provide their own details directly to a data controller. Evidently there is to be a decision on adding “where appropriate” or “where practicable” because “listing the information the controller is obliged to provide at the time the data is obtained because it might not be possible to do so at that moment”.
Such a change means that a data controller, when collecting personal data from a data subject, can give the Fair Processing Notice after data collection; the Presidency’s document comments that this change “would go below the level of protection under the 1995 Directive”.
Personal data not collected from the data subject
Some delegations have asked “to delete the last two points (d) and (e) from the list of information provided” in the Fair Processing Notice (when personal data about a data subject are obtained from other sources). This is a reference to the removal of the following paragraphs from Article 14A:
"(d) where the data originate from publicly available sources";
or "(e) where the data must remain confidential in accordance with a legal provision in Union or Member State law or because of the overriding legitimate interests of another person" (from DAPIX leak of 16th March 2015; see references).
If the deletion goes ahead, it means that data subjects might not know that their personal data can be obtained from somewhere on the internet or from any public register. How, for instance, are data subjects going to exercise the right to be de-listed (Google Spain decision), if data subjects are kept ignorant about where public domain information is collected to make a decision about them?
If, for example, someone gets turned down for a job, why shouldn’t the applicant know what public sources have been used to check what that person says in his or her CV?
General reduction in “fairness” criteria
It is noteworthy that the DAPIX leaked text of 16th March shows that, with respect to Article 14, the Commission (COM) has entered a “reservation” on deletion of the words “such as” (COM also has a reservation on Article 14A). The removal of the words “such as” is another reduction in the level of protection from the equivalent provision in Directive 95/46/EC.
This can be seen by reference to the current fair processing notice (FPN) provisions under the UK’s DPA, which require a FPN to contain the identity of the data controller, the representative (if any), the intended processing purposes and anything else necessary to ensure fair processing. Note that this is an open-ended list depending on the context of the processing purpose.
However, in the DAPIX version of the Regulation, the list is now fixed. So if a fairness criterion is not in the list defined in Article 14 or Article 14A, it does not need to be declared even though it could be important. In this way, the removal of “such as” can reduce transparency to each and every data subject.
The right to object (Article 19)
The DAPIX text limits the data subject’s right to object to the processing of personal data to those circumstances when the processing is based on the legitimate interest of the controller (Article 6(1)(f) – or Schedule 2, paragraph 6 for the UK DPA equivalent).
This can be compared to Article 14(a) of Directive 95/46/EC which allows the right to object to apply to that processing necessary for the functions of the public body. In UK DPA terms, the section 10 right to object can apply when the processing is justified in terms of Schedule 2, paragraph 5; it is this right that is being removed.
Although the Regulation makes the right to object easier with respect to that processing of personal data by the private sector (Article 6(1)(f) cannot be used by the public sector), the right is wholly removed for the public sector irrespective of the circumstances of the processing for every public body.
I cannot see why this blanket exclusion in the protection to data subjects should be afforded in every case, as Article 1(2a) of the DAPIX text allows for case by case derogations for the public sector as appropriate.
This Article can be seen as also reducing the protection afforded to data subjects from the standards of Directive 95/46/EC when the processing is undertaken by the public sector.
Profiling (Article 20)/right to object to automated decisions
I will let the Presidency document speak for itself: “Profiling is a fundamental question in the Regulation… It has been discussed under many Presidencies… Delegations are cautioned not to go below the level of protection in Article 15 in the 1995 Directive”.
Representation of data subjects (Article 76)
The DAPIX group is considering removing the ability of consumer/privacy groups such as Which?, Liberty, Privacy International, BigBrother Watch etc. to represent the issues faced by data subjects in general.
The Presidency states “Delegations were quite concerned about paragraph 1a that allows for bodies, organisations or associations to lodge a complaint independently of a data subject's complaint and stated that such rights don't exist under national law”. Consequently “Delegations are asked to indicate if they would like to allow such possibilities” (and remove the ability of NGOs to protect the public independent of data subjects).
I can think of one word that describes the above: "shocking".
Penalties and fines
Amended Recital 119 in the Presidency document states “Member States may lay down the rules on criminal sanctions for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation”. It is well known that the UK Government is opposed to implementing the custodial element of the Section 55 offence in the DPA; the Regulation might not change that.
Amended Recital 120 states that “It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines”. This implies that the UK Government could decide that the mass data losses that are already subject to Monetary Penalty Notices in the public sector in the UK are no longer subject to fines. Such a step could encourage non-compliance with data protection obligations by the public sector as a whole.
Concluding comment
The fact that I think that the Regulation could reduce the protection afforded to data subjects is not new; however, the Latvian text confirms this threat is real and immediate. In the scramble to agree a text the Regulation is being transformed, from an instrument that aims to protect the interests of data subjects in a brave new technological world, into one that could easily do the opposite.
If the Council of Ministers agree a text similar to that which has been leaked, I will be lobbying my Member for the European Parliament to vote down the Regulation and stick with Directive 95/46/EC; the risks are too great.
Indeed, if I were in an NGO with an interest in consumer or privacy protection, I would be actively making contingency plans for this eventuality.
References
We will be updating delegates on the Regulation at our Update session on May 11 in London: http://www.amberhawk.com/bookevents.asp
Reduction in protection for data subjects: as identified in the Latvian Presidency DAPIX discussion document dated 27th March 2015; Download March 27 2015 DAPIX Options
DAPIX leak of 16th March 2015 covering Article 14/14A; Download March 16 2015 DAPIX Options
Reduction in protection for data subjects: mainly because of the flexibility introduced into the Regulation so that Member States can legislate for a reduction in protection from the level established by Directive 95/46/EC: http://amberhawk.typepad.com/amberhawk/2014/12/italian-data-protection-regulation-text-exposes-member-states-disharmony-risk-of-weaker-protection-for-data-subjects-increas.html
The Italian DAPIX text (232 pages) can be accessed by a link at the end of the above link.
EDRI (European Digital Rights), an NGO, has already published its concerns about the direction of the Regulation: https://edri.org/files/DP_BrokenBadly.pdf
Reduction in protection for data subjects: Working Party 29 concerns over the reduction in protection caused by qualifying the “finality principle” (Second Principle of the DPA): http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20150317__wp29_press_release_on_on_chapter_ii_of_the_draft_regulation_for_the_march_jha_council.pdf