ICO analysis of new EU data protection proposals
Caroline Redhead, an information law specialist, explains the Information Commissioner's analysis of proposals to change data protection legislation.
In April 2010, the European Commission announced plans to prepare a new comprehensive legal framework for data protection by modernising the Directive which currently sets out the EU’s data protection regime. This was part of a more general drive to protect citizens' rights in the “information society” in which we live. The objective of the review was to respond to new technological challenges and to put in place a harmonised framework across the EU for the protection of personal data.
In November 2010, the European Commission issued a Communication to the European Parliament and the Council in which it set out its approach to the task. Subsequently, there was significant lobbying against the leaked form of the proposals, including representations from the US Department of Commerce in relation to interoperability, cross-border transfers of data and enforcement.
A copy of the Commission's proposal for legislation to replace the Directive was leaked to various online blogs in December 2011. The European Commission published its proposals for reform of EU data protection law on 25 January 2012 and, on 27 February 2012, the Information Commissioner's Office (ICO) produced an initial analysis of these proposals.
The ICO’s view, put very simply, is that the proposals represent a positive contribution towards updating EU data protection law, an update which the ICO considers definitely necessary. At this stage, the ICO has underlined that it is not offering a comprehensive analysis of the proposals but an overview of the most significant points, intended, amongst other things, to identify and draw attention to those aspects which the ICO believes need further consideration.
The ICO’s analysis starts with an introductory section where its general comments are summarized. Key points are that:
(i) the ICO accepts that either a new Regulation or a new Directive is needed; simply updating the various national laws already in place could add to the lack of harmonisation that the European Commission wishes to address. Although, in the ICO's opinion, there are adverse implications for harmonisation in having two instruments, one a Regulation and one a Directive (the ICO would have preferred one comprehensive instrument), a reasonably comprehensive and consistent framework is achievable provided there is a common approach in both instruments as regards the "core" aspects, such as principles, rights, obligations and supervision;
(ii) the ICO is sceptical of the need for a two-year implementation period as it considers that many of the proposed provisions are already either in place or recognized as good practice. While it accepts there may need to be a transitional period to implement some of the provisions, it would prefer implementation of and compliance with the revised framework to be achieved more quickly once it enters into force; and
(iii) the ICO notes that the Regulation is more detailed and prescriptive than the existing regime, particularly in respect of the measures it would require organisations to adopt to achieve and demonstrate compliance. The ICO believes that a more prescriptive approach will not necessarily bring about better data protection and that there is a risk that the implementation of rules that may be perceived as onerous or disproportionate could actually lead to more variable standards of compliance by reluctant data controllers. It would prefer a more flexible instrument, with rather less emphasis on ensuring all data controllers follow common processes, and rather more on ensuring they actually deliver equivalent standards of privacy protection across the EU.
Chapter 1: General Provisions
Personal or household activity (Article 2)
The ICO welcomes the fact that the Regulation recognises the need to retain an exemption for exclusively personal processing. However, there is a requirement that such processing should be “without gainful interest”, and the ICO believes that it would be helpful to clarify that personal commercial activity, such as selling one's personal possessions on an auction site, can also fall within the exemption.
The ICO also welcomes the clarification that data controllers providing the means for domestic processing do not themselves benefit from the exemption, although it would like further consideration of the extent to which organisations hosting personal data processed for domestic or personal purposes are responsible for that content. This is a particular problem where controllers do not exercise editorial control over content, and it should be made clear to what extent the responsibility of the online platform provider for publication of personal data is limited when the provider has little or no control over that data.
Territorial scope (Article 3)
The ICO sees the advantage to EU data subjects of non-EU data controllers being required to comply with the Regulation, but it doubts how far this is achievable in practice. The Regulation should not lead EU consumers to believe that the law offers them a degree of protection that, in reality, it cannot deliver.
It is also unclear how a supervisory authority could determine whether a company is offering goods or services to consumers in Europe: for example, would a company in the US that merely makes its goods or services available on a website which happens to be accessed by consumers in a member state be considered to be offering its goods or services to them? The ICO believes clarification is needed (although in the context of consumer regulation, it is arguable that this is already accepted to be the case).
Definitions (Article 4)
The ICO welcomes the expanded definition of "data subject", particularly that this definition makes it clear that an individual can be identified by an "online identifier" as well as by traditional identifiers such as names and addresses or reference numbers, as there is considerable uncertainty over the status of IP addresses, cookie identifiers and similar information generated online.
It suggests that a better approach would be to make it clear in the Regulation that where IP addresses are processed with the intention of targeting particular content at an individual, the identifier will be personal data and, as far as possible, the rules of data protection will apply.
The ICO believes that the expanded definition of "data subject" and, by implication, "personal data" make it clear that identification can take a number of forms and is not only based on traditional identifiers. However, the ICO cautions that, given the wide scope of "personal data", it may be unrealistic to expect all the requirements of the Regulation to apply fully to all forms of personal data that fall within its scope.
The ICO welcomes the proposal in the Regulation that all consent must be explicit; the ability for consent to be implied has long caused difficulty. It also welcomes the recognition that the data subject can indicate consent by a clear affirmative action, such as clicking on a tick-box online, as an alternative to making a statement of consent. However, the ICO has reservations about the provision that consent is invalid where there is a significant imbalance between the data subject and the data controller. Where consent cannot be valid, for example because in a particular situation it cannot be freely given (or withheld), the ICO would prefer that alternative means of legitimising the processing can be found where the processing is otherwise necessary, legitimate and/or in the data subject's interests. The welcome strengthening of consent should not leave data controllers without a lawful basis for processing.
Chapter 2: Data protection principles
Principles relating to personal data processing (Article 5)
The ICO notes that there is significant variation between the versions of the principles that appear in the Regulation and in the Directive. It recommends that the two sets of principles are harmonised, to avoid confusion, particularly on the part of those data controllers who are required to comply with both the Regulation and the Directive in respect of their various data processing activities.
Whilst it believes that the principle of “necessity” already implies a data minimisation requirement, the ICO welcomes the specific references to data minimisation.
Lawfulness of processing (Article 6)
The ICO has always had doubts as to the approach taken in the Regulation – and in the current Directive – whereby there is a general prohibition on processing personal data unless a particular condition or "gateway" exists. It would like to see an explicit recognition in the Regulation that processing may take place where it is clearly in the data subject's interests and does not override his or her fundamental rights and freedoms. This would help allow reasonable evolution in the delivery of public services that might otherwise be unhelpfully constrained.
Processing of special categories of personal data (Article 9)
The ICO reiterates that it has continuing doubts about the binary distinction between sensitive and non-sensitive data, on the basis that such a distinction does not recognise the significance of context and personality, and expresses the view that there is a lack of correlation between the Regulation's list of special data categories and the sensitivities of citizens. For example, trade-union membership is not particularly sensitive to most people, but most citizens would consider that information about their financial status is.
The ICO considers it important that the presence of gaps in the exceptions from the prohibition on processing special categories of data does not lead to a prohibition of otherwise unobjectionable processing. It proposes that a practical solution could be to introduce an additional condition for processing special categories of personal data where the processing manifestly does not impact adversely on the privacy of data subjects.
Chapter 3: Rights of the data subject
The ICO particularly welcomes this part of the Regulation, as it updates and strengthens rights in a way that will be of particular benefit to individuals.
Transparent information and communication (Article 11)
The ICO welcomes the requirement for clarity, accessibility and plain language in policies relating to the processing of personal data; this accords with the ICO’s own approach and reinforces its view that privacy policies, couched in difficult legal language, are likely to become or represent exercises in corporate indemnification, rather than being genuinely informative to the public.
Procedures and mechanisms for exercising the rights of the data subject (Article 12)
The ICO considers one month to be a reasonable period for dealing with a subject-access request or an objection to data processing. It suggests a shorter compliance time for requests made electronically for electronically held information, recognising the greater expense and difficulty that can be involved in giving access to manually held data.
The ICO also recommends that the law should encourage data controllers to give direct, online access to personal data free of charge where this is feasible and no significant administrative costs are incurred by the data controller.
Information and access to data (Article 14)
The ICO generally welcomes the expanded "fair processing" information that data controllers will be required to provide to the individuals about whom they collect information. However, it raises some practical questions and recognises the difficulty which might be involved in, for example, providing lengthy and complex fair processing information in all cases and in informing individuals as to the level of protection afforded to third countries to which data may be transferred.
Right to be forgotten and to erasure (Article 17)
The ICO regards this as one of the more interesting parts of the Regulation, while acknowledging that its implications need thinking through carefully, as does the challenge of making this right work in practice. On the one hand, the ICO can see the desirability of an individual being able to require the deletion or removal of information where there is no compelling reason for its retention; on the other, it can appreciate that data controllers may be able to justify holding personal data about someone.
The ICO believes there is a risk that individuals will be disillusioned if they are led to believe they have a right to be forgotten but find that the right is strictly limited in practice. It might be preferable if this right were presented in less ambitious terms. However, in the context of social networking, the ICO thinks that individuals who choose to post information about themselves should generally be able to secure its removal easily (although it accepts that, once information is cached and published elsewhere, it may be impossible to remove it from the internet entirely).
Right to data portability (Article 18)
While the ICO supports the idea of individuals having a right that will help them to transfer their personal data from one service provider to another, it is concerned that data controllers will seek to circumvent this provision by holding information in non-standard formats.
It also believes that there should be provisions allowing data controllers to protect their trade secrets and intellectual property rights when complying with the data portability right.
The right to object and profiling (Articles 19 and 20)
The ICO notes that the "right to object" to processing represents a significant shift from the current situation, where the individual only has a right to prevent processing where he or she can demonstrate that unwarranted damage or distress is being caused. The ICO welcomes this proposal because it gives individuals a greater degree of control over information about themselves by changing the burden of proof, meaning that data controllers have to be able to justify their processing of personal data. However, it is important that a data controller will be able to refuse an objection where there are compelling legitimate grounds for continuing to process the personal data.
The ICO welcomes the additional level of control and protection against automated profiling of individuals (although it considers that the application of this Article to behavioural advertising should be put beyond doubt), but suggests that a more risk-based approach, perhaps linked to a data controller carrying out a data protection impact assessment, could provide more effective safeguards.
Chapter 4: Obligations on controllers and processors
Responsibility of the controller (Article 22)
While the ICO views as “the essence of accountability” that data controllers who process personal data should be able to demonstrate their ability to comply with the law by having the necessary policies, administrative measures and personnel in place, it believes that, rather than mandating the measures a data controller should take, a better approach might be to promote these measures as good practice.
The ICO would welcome a clearer indication of the Commission's intentions in relation to measures for micro, small and medium-sized businesses. This is important as many smaller businesses carry out routine, low-risk processing about their staff and clients and should not necessarily be required to have the same comprehensive data protection compliance mechanisms in place that are likely to be needed for larger businesses.
Data protection by design and by default (Article 23)
The ICO welcomes the principle that data protection measures should be built in "by design" and "by default"; "privacy by design" is a concept that has long been promoted by the ICO. In the ICO's view, it is important that this principle be applied in a way that is proportionate to the risks posed by the processing of personal data by, and the resources available to, individual businesses, and in particular to small and medium-sized businesses.
Documentation (Article 28)
The ICO doubts whether it is either necessary or helpful to prescribe in detail the extensive range of documentation data controllers and processors are required to maintain. The ICO would prefer the Regulation to focus more on the desired outcome, noting that it is not necessary for all controllers and processors to maintain precisely the same documentation in order to achieve high data protection standards.
Notification of personal data breaches (Article 31)
While the ICO is strongly in favour of a legal requirement for data controllers to notify data breaches in certain circumstances, it stresses the importance of setting appropriate triggers for breach notification, to avoid supervisory authorities being swamped with notifications of trivial or inconsequential breaches.
The ICO raises a number of points on notification of a breach, including:
* its preference for a simple requirement for notification without undue delay rather than the 24-hour target specified in the Regulation;
* its view that the duty to notify individuals should not be linked solely to the effect of the breach on the protection of personal data or privacy. Financial loss, embarrassment or other negative effects should also form part of the trigger mechanism for notifying individuals; and
* its view that there is no reason why the supervisory authority should be notified before the individual.
Codes of Conduct and certification (Articles 38 and 39)
The ICO is strongly supportive of the duty on supervisory authorities to draw up codes of conduct and to develop data protection certification.
Chapter 5: Transfer of personal data to third countries or international organisations
The ICO has in the past called for a radical rethink of the way transfers of personal data overseas are treated under data protection law. Its favoured approach would be to ensure that data exporters are aware of their responsibilities and have the tools necessary to assess risk and to ensure compliance. Failure to do so would leave the data controller open to enforcement action by supervisory authorities and claims from individuals.
The ICO would therefore prefer the Regulation to take an approach to international transfers that is based on data exporters assessing risk and putting their own arrangements in place for making sure that, when they transfer personal data overseas, it continues to be protected to an adequate standard. The provisions in the current Directive that set out the factors to be taken into account in assessing adequacy could be reintroduced.
Chapter 6: Independent supervisory authorities
The ICO welcomes the explicit requirement that data protection supervisory authorities be completely independent and properly resourced, but raises a number of practical concerns. These include that:
* the number of duties placed on supervisory authorities by the Regulation will have considerable resource implications which need to be thought through by member states. Unless there is a genuine commitment to significantly increased funding, the duties on supervisory authorities will need to be scaled back to those which give the greatest value for money in terms of the protection of personal information;
* although it supports the “one stop shop” or lead supervisory authority approach for businesses operating in “a multiplicity” of member states, the ICO notes that the definition of "main establishment" means that it will not always be easy to ascertain which is the competent supervisory authority for organisations operating in more than one member state; and
* it is not clear how the “main establishment” provision will apply to businesses which have a high degree of centralised control but operate as separate legal entities, and so are separate data controllers in each member state where they have a presence.
The ICO suggests concentrating less on identifying the main establishment and more on having several criteria to narrow down which should be the lead supervisory authority.
Chapter 8: Remedies, liability and sanctions
While generally supportive of the proposals, the ICO has several concerns, again largely focused on practical application of the Regulation:
* the idea of a "one-stop shop" could mean that any data subject anywhere could complain to any supervisory authority about any data controller (and, possibly, “cherry pick” the regulator considered likely to offer the most advantageous outcome);
* one supervisory authority should not be able to initiate proceedings against another authority;
* fines should not be imposed for procedural or record keeping failures alone; what is needed is a link between administrative failure and practical consequence; and
* the link between the level of fine and company turnover is problematic, because it will hit high turnover but small profit organisations harder than ones with a relatively low turnover but a high profit margin.
The ICO is concerned at the administrative burden the proposed Regulation will impose on businesses, largely because it believes that compliance will only increase (and therefore lead to enhanced protection for individuals) if “red tape” does not make it too difficult or expensive. With this in mind, it suggests a number of amendments which would ease the burden on business and, in some cases, offer a “best practice” target rather than a three-line whip, while leaving the increased protection for individuals intact. The ICO describes this initial analysis as an “overview”; it will be interesting to see whether the Commission is prepared to take on board the ICO's broad, practical suggestions at this stage. It will also be interesting to see the comprehensive and detailed analysis which the ICO promises as the legislative process progresses.