One thing that is clear in the context of the ongoing EU data protection reform is that speculation is rife. Everyone seems to have a view on what will happen. Most people seem to think that the
One thing that is clear in the context of the ongoing EU data protection reform is that speculation is rife. Everyone seems to have a view on what will happen. Most people seem to think that the chances of agreeing a new framework before the end of the current Parliament in April 2014 are pretty much nil. A few others are more hopeful and believe that the political will of those involved and the relentless enthusiasm of the European Commission may just be powerful enough to achieve a little miracle. At a more granular level, speculation about the future of Safe Harbor or BCR for processors, and about the outcome of the interlinked debates on the concept of personal data, consent, legitimate interests, profiling, one-stop-shop and a hundred other micro-issues is only creating more questions than answers.
So whilst we wait for the Council of the EU to make its move and give us a clearer idea of how big the gap may be between its own position and those of the Commission and the Parliament, it is perhaps time to take stock of where we are at the moment. The legislative process has progressed at a steady pace since the European Commission revealed its blueprint for a new framework in November 2010 – it seems like a decade ago in 'Internet time'! But the reality is that the drafts we have on the table today still follow relatively closely the Commission's vision of three years ago: an ambitious, harmonised regime with strong rights and tight data protection standards. Whether we like it or not, and in the absence of some really catchy radical thinking, the resulting legal framework – whenever it happens, in 5 months or 15 months – will most likely follow this pattern.
Since a radical new approach is unlikely to steal the show at this stage, here are some suggestions for some modest tweaks to the current drafts that might contribute to make the forthcoming regime a bit more realistic and workable:
• Personal data – It is quite outrageous that we are still trying to figure out whether someone's name is personal data, as the UK courts are currently doing. If we cannot nail that one down, how are we ever going to decide whether the knowledge derived from the fact that one can turn on a toaster with an iPhone is personal data? Let's therefore define personal data by reference to the impact that information about someone may have on that individual.
• Consent – There is no point in playing around with the definition. Irrespective of whether we leave the word 'explicit' in it or not, everybody is going to interpret it in whichever way they want. Let's focus instead on accepting that the role of consent as the essence of privacy is massively overrated. We as individuals simply cannot control every possible use of our information. Therefore, consent should have a limited role as a ground for processing, and be reserved for uses of data where the level of intrusion is potentially high and we may actually have a meaningful degree of control. Very few cases indeed.
• International data transfers – Until now, UK controllers have been priviledged enough to operate under a regime which effectively allows them to carry out a risk-based assessment of the appropriate measures to protect data internationally. Whilst this may have been possible under the Directive, no matter how hard the UK Government may try to preserve this approach, this is unlikely to continue to be an option under the Regulation – particularly in the current post-Snowden climate. A more palatable alternative across Member States would be to allow data flows on the basis of agreements between parties within and outside the EU but without the need for specific authorisation by national regulators. Hardly an earth shattering move, but one that would help minimise useless paperwork.
• One-stop-shop – This is one of the most promising features of the forthcoming law and possibly the flagship of the Commission's proposals for a harmonised regime. Unfortunately and due to unhelpful political rivalries, we seem to have got ourselves into a mess of shared competences between national regulators – both individually and collectively. Isn't it time to be brave and accept the leadership of an exclusively competent regulator who will at the same time endeavour to cooperate with their European counterparts? If so, let's make it happen and also apply this concept to cases where the data controllership is outside Europe.
Some will see these suggestions as idealistic and some will see them as biased. In fact, they are simply meant to be effective.
This article was first published in Data Protection Law & Policy in November 2013.
So whilst we wait for the Council of the EU to make its move and give us a clearer idea of how big the gap may be between its own position and those of the Commission and the Parliament, it is perhaps time to take stock of where we are at the moment. The legislative process has progressed at a steady pace since the European Commission revealed its blueprint for a new framework in November 2010 – it seems like a decade ago in 'Internet time'! But the reality is that the drafts we have on the table today still follow relatively closely the Commission's vision of three years ago: an ambitious, harmonised regime with strong rights and tight data protection standards. Whether we like it or not, and in the absence of some really catchy radical thinking, the resulting legal framework – whenever it happens, in 5 months or 15 months – will most likely follow this pattern.
Since a radical new approach is unlikely to steal the show at this stage, here are some suggestions for some modest tweaks to the current drafts that might contribute to make the forthcoming regime a bit more realistic and workable:
• Personal data – It is quite outrageous that we are still trying to figure out whether someone's name is personal data, as the UK courts are currently doing. If we cannot nail that one down, how are we ever going to decide whether the knowledge derived from the fact that one can turn on a toaster with an iPhone is personal data? Let's therefore define personal data by reference to the impact that information about someone may have on that individual.
• Consent – There is no point in playing around with the definition. Irrespective of whether we leave the word 'explicit' in it or not, everybody is going to interpret it in whichever way they want. Let's focus instead on accepting that the role of consent as the essence of privacy is massively overrated. We as individuals simply cannot control every possible use of our information. Therefore, consent should have a limited role as a ground for processing, and be reserved for uses of data where the level of intrusion is potentially high and we may actually have a meaningful degree of control. Very few cases indeed.
• International data transfers – Until now, UK controllers have been priviledged enough to operate under a regime which effectively allows them to carry out a risk-based assessment of the appropriate measures to protect data internationally. Whilst this may have been possible under the Directive, no matter how hard the UK Government may try to preserve this approach, this is unlikely to continue to be an option under the Regulation – particularly in the current post-Snowden climate. A more palatable alternative across Member States would be to allow data flows on the basis of agreements between parties within and outside the EU but without the need for specific authorisation by national regulators. Hardly an earth shattering move, but one that would help minimise useless paperwork.
• One-stop-shop – This is one of the most promising features of the forthcoming law and possibly the flagship of the Commission's proposals for a harmonised regime. Unfortunately and due to unhelpful political rivalries, we seem to have got ourselves into a mess of shared competences between national regulators – both individually and collectively. Isn't it time to be brave and accept the leadership of an exclusively competent regulator who will at the same time endeavour to cooperate with their European counterparts? If so, let's make it happen and also apply this concept to cases where the data controllership is outside Europe.
Some will see these suggestions as idealistic and some will see them as biased. In fact, they are simply meant to be effective.
This article was first published in Data Protection Law & Policy in November 2013.