March has seen a swathe of developments on the EU's draft Data Protection Regulation as the political heavyweights start to gear up for the habitual horse-trading necessary to get EU legislation home. The EU is unquestionably listening to the feedback it has received, but remains wedded to many of its core principles. We look at the key points.
1. The scale of potential changes being considered is significant. According to Francoise Le Bail (European Commission Director General for Justice), speaking at the ICO's Data Protection Officer conference back on the 5th March, over 2000 separate amendments have been tabled. The number is indicative of the scrutiny to which the legislation has been subjected. It also makes it difficult to be precise about where we will end up. The political rhetoric (some of which is digested below) is the only guide we have to go on.
2. The timeline looks like it will slip. Although Viviane Reding has made positive noises about the Irish Presidency moving things forward at pace, Christopher Graham, UK Information Commissioner, speaking at the ICO's Data Protection Officer conference, was of the view that the Regulation would not pass into law much before 2014, not June this year as originally anticipated. With the proposed two-year implementation period, this means organisations would have until 2016 to become fully compliant.
3. The concept of personal data is going to remain broad. Some interest groups have been pushing a narrower interpretation. One particularly key issue is the status of identifiers. These are codes used in IT systems, including the ever-burgeoning ad retargeting and online marketing industry, to identify one user and track their behaviours.
The marketing industry would love for these codes not to be "personal data", and therefore to fall outside the scope of the Regulation. One example is the UK Direct Marketing Association, which is running a particularly strongly-worded campaign.
The EU is having none of it. Its advisory body, the Article 29 Working Party, has long held that such codes are personal data. Indeed, this position is written into the language of the current EU Data Protection Directive (it was not explicitly carried over into the UK's Data Protection Act 1998, which has led to some uncertainty in UK practice). In Viviane Reding's words, "a narrow definition of [personal] data...is out of the question".
4. The EU does want to encourage use of identifiers. Quite sensibly, it sees such identifiers as giving users a degree of anonymity and therefore greater protection.
The EU is very careful, though, to distinguish identifiers from truly anonymous data, which is unregulated.
To be anonymous in the EU's eyes, personal data must be irrecoverably hashed, and not actually be used as an "identifier" (the very name betrays the fact that this constitutes regulated personal data).
In the EU's words, identifiers constitute "pseudonymous data", and it intends to incentivise their use through the draft Regulation. That said, it only seems to have in mind relaxing the requirements around up-front risk assessment and planning (so-called "privacy by design") and the regime for notifying data breaches; a start, but hardly the most eye-catching of incentives!
The underlying message also has a hint of foreboding. To quote Viviane Reding's concluding remarks on this subject in one speech she delivered a fortnight ago: "I would sound a note of caution: pseudonymous data is [still] personal data...pseudonymous data must not become a Trojan horse at the heart of the Regulation allowing the non-application of its provisions." (Emphasis added). Digital marketeers beware.
5. The EU looks likely to tweak things for SMEs. This development is obviously to be welcomed. Amongst other things, it may slacken the requirement for Data Protection Officers (which are mandatory for large organisations). The noises coming out of the Commission indicate this would only happen where an organisation is an SME and its core business does not involve processing personal data. The unanswered question is: what determines an organisation's core business?
6. No "risk-based" approach? The ICO has gone on the record, not least at its Data Protection Officer conference, to say it would support a generally risk-based approach to not just the DPO issue, but most if not all of the Regulation's black-and-white compliance requirements, such as risk assessments and the need to document an organisation's processing. This message has subsequently been backed up by the EU Presidency. The Commission does not agree. It sees risk-based language in the Regulation as heaven for lawyers, but not much use for small organisations, and prefers the relative clarity of the Regulation's current approach.
7. A flexible DPO role? The Commission has made some noises to the effect that Data Protection Officers (mandatory for large organisations) could be full or part time, employees or external advisors. This clarification is to be welcomed. It remains to be seen, though, whether this flexibility will apply only to SMEs whose core business is based on personal data, or to all organisations.
8. The hullabaloo over explicit consent. The Commission appears to view the discussions over the move in the draft Regulation to explicit consent as scaremongering.
Viviane Reding has gone to some pains to point out that other grounds for the fair and lawful processing of data remain under the draft Regulation. Only where "consent" is being relied on will that consent now have to be not only clear, unambiguous and informed (as it is under the current Directive), but also explicit (i.e. more of a tick-box approach).
Organisations can still choose to rely on the "legitimate interests" ground for processing data, as the marketing industry has done to date. The only catch is that this ground requires the privacy interests of data subjects to be balanced against an organisation's legitimate interests. This decision is far from black and white, and arguably easy to get wrong. The recent WhatsApp investigation by the Dutch regulator is a case in point.
Ms Reding's position also ignores the fact that consent is being put at the heart of a lot of the new consumer rights in the new Regulation. For example, user consent is one of only a few grounds on which behavioural profiling can be undertaken under the Regulation. This is why the marketing industry in particular is so animated about this subject (see our comments above).
9. Privacy by design and privacy impact assessments look here to stay. The Commission has gone on the attack over the importance of these issues.
Viviane Reding used the example of Sony's PlayStation hacking breach to illustrate the consequences of making mistakes in this area. According to her, Sony lost $1-2 billion as a result.
She contrasts that with the relative success of the Hamburg software game industry, which she cites as a "data sensitive industry developing in an area where data protection standards are high, maybe the highest in the world", yet which comprises 155 SME businesses employing 3500 staff.
Cynics could criticise this comparison. Nevertheless, Ms Reding's implicit message is clear: working extensive privacy rights into products from the ground up is definitely the correct way forward and does not stop business from thriving. The only way this can be done effectively is through careful up-front design and risk assessments.
10. Germany as a model? The political speeches and press releases coming out of the European Commission certainly point this way.
Germany has a federal system, and data protection regulation is delegated to the individual German states, so one should be careful before making sweeping generalisations. That said, the following statement, taken from a joint Commission-German press release on 7th March, will not come as easy reading to a UK audience used to quite a lenient approach to data protection enforcement:
"In many respects, the high level of data protection in Germany has served as a model for European data protection rules and for the new General Data Protection Regulation. High data protection standards, as they are the law in Germany, must under no circumstances be lowered, but be preserved by the new EU Data Protection Regulation."
It's important not to take this language too much out of context though.
The Regulation is there to level the legal playing field across Europe. In that sense, all countries will no doubt experience a shift in practice which may appear startling at first when approached in soundbites, but may not materialise in full. There are some big changes, but the core of the Regulation is very much the same as the previous Directive, so there is also a lot of continuity. Furthermore, many of the headline changes, although significant, are evolutions of existing rights which have never been significantly used by individuals.
So why does the German example create worry?
Putting aside nationalist interests, the real cause for concern is (perhaps controversially) the imperfect regard that many UK organisations currently have for the detail of the law as it currently stands.
In our experience only a few areas of compliance are generally done well. Security is taken seriously, and most organisations "get" the transparency point behind their privacy policies and cookie policies. Beyond these points compliance often becomes a bit sketchy. Many organisations are not good at applying the true meat of the Data Protection Act 1998 to sophisticated technologies and service providers, struggle to apply data retention and deletion policies in practice, and disregard the rules against changing the purposes for which data is used because they are a real headache to marketeers in particular. This trend makes the concepts of mandatory breach reporting, and far larger fines, doubly concerning.
If you then feed into this picture the growing cliché that "data is the oil of the 21st century", and the simple fact that no one is sure whether the new rules will capture the imagination of the increasingly privacy-aware public, let alone confident about how they will be applied in practice by European regulators, you can understand why some of the rhetoric we have seen in recent weeks is viewed with concern in the UK.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.