Sunday, 16 May 2010

Will a revised Data Protection Directive get any new clothes?


Lots of work is going on behind the scenes to look at the deficiencies in current European data protection legislation to see what can be done. Two camps are assembling.

One camp promotes the view that the main problem is the patchy implementation of the specific (and sectoral) Directives by Member States. Accordingly, the miscreants need to apologise profusely to the (current) She Goddess of Data Protection (aka Commissioner Vivien Reading) and promise to do better in future.

The other camp promotes the view that the main problem is that the specific (and particularly sectoral) Directives were inadequate, in that they concentrate on processes and procedures, rather than focussing on areas that are capable of causing the greatest amount of harm to individuals. Accordingly, they need drastic surgery, to carve out the awful bits and allow benign practices to flourish.

Naturally, some followers have feet in both camps.

I’ve just read a (50 page) report by the European Agency for Fundamental Rights, which analyses the extent to which data protection, which has now acquired the status of a fundamental right in the EU, distinct from the right to respect for private and family life, is protected and promoted by the national authorities within each Member State.

The report highlights six challenges – but my money is on Member States having the stomach to address just a couple of these as they revise the Directive. Here’s some of what the report has to say, together with a few personal observations:

Deficiencies of Data Protection Authorities:
At a structural level, the lack of independence of several Data Protection Authorities (DPAs) poses a major problem. In a number of Member States concerns are reported about the effectiveness and capability of the officers of Data Protection Authorities to perform their task with complete autonomy. At the functional level, understaffing and a lack of adequate financial resources among several Data Protection Authorities constitutes a major problem. At the operative level, a major problem is represented by the limited powers of several Data Protection Authorities. In certain Member States, they are not endowed with full powers to investigate, intervene in processing operations, offer legal advice and engage in legal proceedings.

Given current economic conditions, will Member States will be brave enough to increase resources in this area when they are forced to reduce funding elsewhere? It would be awfully brave of them to do so.

Lack of enforcement of the data protection system:
In some Member States, prosecutions and sanctions for violations of data protection law are limited or non-existing. With regard to compensation, the legal system of various Member States effectively rules out the possibility of seeking compensation for a violation of data protection rights, due to the combination of several factors such as burden of proof, Difficulties relating to quantification of the damage and a lack of support from the supervisory bodies, which are engaged principally in “soft” promotional activities like registration and awareness raising. There is a general tendency in the Member States to focus on ‘soft’ methods of securing compliance with data protection legislation, instead of applying and enforcing ‘hard’ instruments by which violators of data protection rights may be detected, punished and asked to compensate victims. Good practices in this respect regarding cooperation of Data Protection Authorities and other authorities to strengthen investigations were found in some Member States.

Many people can’t see much point in encouraging authorities to spend more resources in policing rules that are pretty outdated, burdensome and bureaucratic. The concept of compensating victims is fraught with difficulty, as it really is hard to assess the financial loss that someone has incurred because information has been misused which has caused them a certain amount of embarrassment. I’m looking forward to seeing what the Information Commissioner does with his new fining powers in the first few years of their introduction. Not much, I recon.

Rights awareness:
During the research for this report, the FRA was able to identify national surveys addressing data protection in 12 out of 27 EU Member States. These surveys have in some instances been commissioned by the national Data Protection Authorities. The questions posed, the number of participants, the methodology and the final results are diverse and do not always allow forcomparison. Nevertheless, of itself the existence of these national surveys constitutes a good practice. In February 2008, two Eurobarometer surveys on data protection were published.The most important findings from these surveys were that a majority of EU citizens showed concern about data protection issues and that national Data Protection Authorities were relatively unknown to most EU citizens.

Believe me, I think we Brits know all about our data protection rights and that the Commissioner’s staff can be called upon when there’s a problem. I do what I can to encourage anyone I’m dealing with, and whom I think has an unrealistic expectation of their entitlement to compensation following an administrative slip, to complain to the folks in Wilmslow. My company is paying them over £500 a year so they can share my pain! (Why more than £500? – because it has more than one DPA registration entry)

Lack of data protection in the former third pillar of the EU:
The main limitation currently faced by the EU to provide for effective and comprehensive data protection arises from the constitutional architecture of the former EU pillars. While data protection is highly developed in the former first pillar of the EU, the data protection regime in the former third pillar cannot be regarded as satisfactory. Yet the former third pillar of the EU comprises areas such as police cooperation, the fight against terrorism, and matters of criminal law where the need for data protection is especially important. The Lisbon Treaty facilitates the closing of this gap. Declaration No 21 to the Lisbon Treaty notes that specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation may prove necessary because of the “specific nature” of these fields.

This is a really important but a very hard issue to deal with. The Lisbon Treaty is supposed to reach into the shadows to extend regulations to areas no-one talks about in polite company. So how will we ever know whether anyone has listened? And if it meets resistance, again how will we ever know? And if I ever got to find out I expect I would be shot!

Exemptions from data protection for security and defence:
Article 13(1) of the Data Protection Directive provides for broad exemptions and restrictions concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters), and the activities of the State in areas of criminal law. There is a lack of clarity regarding the extent of these exemptions and restrictions. In various Member States, these areas are altogether excluded from the protection of data protection law. This leaves a considerably large area unprotected with potentially serious consequences for fundamental rights protection. Declaration No. 20 to the Lisbon Treaty says that whenever rules on protection of personal data are to be adopted which could have direct implications for national security, “due account” will have to be taken of the specific characteristics of the matter.

The lack of clarity regarding the text of various exemptions from data protection laws for national security purposes is easy to explain. Legislators make laws. They are voted into office by us, the public. You don’t have to be able to keep a secret to become a legislator. But that is precisely what we demand of those who safeguard our national security. So let’s all just shut up, and place our trust in people we never meet but hope have powers that are sufficiently special to keep us safe.

The challenge of technology:
Recent and ongoing technological developments pose challenges that urgently need to be addressed. Video surveillance in public space and in the employment environment is widespread, but the legislative framework is lagging behind. As an example, the report reveals that, in practice, CCTV cameras are often not registered and/or monitored in some Member States.

Technology moves at a terrific pace. I find it an incredibly exciting challenge to retain a working understanding of the technologies my company uses. Given that legislation almost always follows behind technology by several years, the legislators are never going to catch up. Let’s just hope they aren’t sufficiently foolish to think they can dictate the pace of technological change. They can’t, and if they try they’ll simply get ignored. And no-one wants to see legislators, like the fabled Emperor, without any clothes.



Point your browser at http://fra.europa.eu/fraWebsite/attachments/Data-protection_en.pdf and download your copy now!