Saturday 8 October 2011

The Commission’s dilemma about a new data protection directive

I’ve just finished reading a sensational document. It’s not probably designed for general publication, so I won’t post it anywhere on the internet. It does not carry any private or confidential markings, though, so I don’t think that I’m breaching any national or international secrets by blogging about it. And I’m only going to quote 140 words from it in this blog. I understand it to be a candid document written for members of the Commission staff reviewing the comments that have been received following the consultation exercise on amending the data protection directive. The direction of travel for the Commission is set out in a range of policy options. But the most interesting comments appear in a frank assessment of the political dimension of these options.

I can now understand why its going to take until next February to publish their proposals – as first the Commission needs to consider very carefully which block of opinion formers it wants to side with, and which block it can afford, politically, to overrule.

The 72 page document first very cleverly sets out four problems that currently exist and have arguably become more serious over the years. After all, thanks to the wonders of the internet, greater numbers of people are blogging, posting images on the internet, and generally acting in ways which indicate that they are oblivious to the concept of fundamental rights and freedoms of others. This increasingly results in:

• Difficulties for individuals to exercise their data protection rights effectively;
• Legal uncertainty, unnecessary costs and administrative burden for data controllers operating in the EC;
• Loopholes in the protection of personal data in the field of police and judicial co-operation in criminal matters and inconsistency of the rules;
• Weak and inconsistent enforcement of data protection rules.

This analysis, set out over 14 pages, is really good, solid stuff, as each of the four problems are analysed in some detail. The text identifies the drivers of each problem, who is affected and also to what extent.

The analysis then tries some crystal ball gazing, and makes a series of predictions as to what might happen if nothing were done to address these problems. Some of these predictions might be challenged by people who get to see the document. I think they probably need to be challenged and earnestly debated, as the Commission’s proposals on how to amend the directive depend, to a significant extent, on whether the assessment of what would happen if nothing were to be done is actually credible. It is also really important to test these predictions if the Commission wants to make a case for ignoring the general concept of subsidiarity (ie allowing rules to be implemented at the level of the Nation State rather than the Community Level). If there is a case to be made for implementing change by means of a Regulation, rather than a Directive, surely this can only happen if Member States can’t be trusted to make the right changes themselves, and if the predicted outcomes really are dire.

The document authors then get a bit bolder, and set out their policy objectives, the purpose of amending the current data protection directive, in terms of four general objectives, nine specific objectives, and 18 operational objectives.

The document authors then create three quite detailed options to meet some, most, or all of these objectives. And then the real fun begins, as the paper analyses the impacts of these options. The analysis includes an appreciation of how well each option addresses the problems that were originally identified, their political feasibility / acceptability by stakeholders, financial & economic impacts, social impacts, impact on fundamental rights and their impact on simplification.

Using a rough and ready (and unweighted) marking system, one of the three options as presented appears to be significantly less attractive than the other two.

And of these remaining two, it is clear that there are real political hurdles to overcome if either is to be adopted. One option is assessed at medium risk of political feasibility / acceptability: Member States are likely not to welcome increased harmonisation and the reduction of their room of manoeuvre. The European Parliament is, on the contrary, likely to welcome an ambitious proposal, both enhancing individuals’ rights and the internal market dimension of data protection. Private stakeholders/businesses will also welcome more harmonisation/reduction of administrative burden.

The other option is considered at low risk of political feasibility / acceptability: this option would be too unbalanced as it would highly strengthen data subject rights but at great costs for data controllers. Most stakeholders would find it too radical.

It’s a very cleverly written paper. Full of common sense, but it is not clear who ought, in a democratic society, be given the honour of deciding whether any of these options, or indeed a different option, should be presented to the European Parliament. Don’t say “and this is why we have Commissioners”, as I can’t remember the names of many of them and have forgotten just how (and why) they were appointed to their respective roles.

Initial decisions on the future direction of the Directive, which include the concept making people more accountable when they process other people's personal information, appear to have to be taken by people who aren’t that accountable themselves.

So, there is an awful lot more work that needs to be done. And the decisions are, to some extent, overshadowed by decisions that are being taken on the European economic front. As some EC Member States work ever more closely together to support the Euro, so their financial systems will converge. But Member States whose currency is not the Euro will want to take steps to run their own financial systems in ways that best support the interest of their own currencies.

Using a similar analogy, will Member States that wish to remain outside the Euro zone necessarily accept such a convergence of data protection laws? Or will they take steps to ensure that their data protection laws best support the interests of their own data controllers?

Time will tell.

Image credit:
This not a joke. This is part of the cover page of the document I’ve been reading. Wait for your copy to be posted somewhere on the internet, so that you can download it yourself. I guess those folk at Privacy International will be trying hard to locate a copy and get it up there before anyone else does.