Friday 20 January 2012

Another day, another draft of the Regulation

The word from Brussels is that DG Justice is really, really keen to publish something soon to show for all the hard work that has been put in, behind the scenes, for the Data Protection Day (or the Davos) celebrations. If I were a cynic, I might argue that a fuss about proposals for an obscure Data Protection Regulation might be welcomed by the Commission right now, especially if it diverted media attention from the fuss about the European economic situation. Or the fuss about the recent legal and constitutional changes in Hungary.

Or, is this a time to bury bad news, which is a phrase sometimes used in the UK?

Anyway, I’ve got my hands on something that looks suspiciously like (yet) another draft proposal from the Commission. Or, perhaps I have been sent a spoof document from someone I usually trust, cunningly designed to divert my attention from the real discussions that could still be continuing somewhere. I honestly don’t know. But I’m happy to believe it is genuine.

When you read it, it becomes evident that it has been prepared after representatives from all Directorate Generals had been summoned to a basement room in Brussels and told to stand on one leg on the naughty step until they had all agreed on a version that could be published for us ungrateful rabble to pick holes in. And, to add to the pressure on the representatives that had turned up, perhaps no one was allowed a bathroom break until all the stakeholders had indicated their agreement to the same draft. Whatever the pressure was, it seems to have done the trick.

What are the areas that the Directorate Generals had previously issued unfavourable opinions about but where a deal has now been reached? And what is the deal? That was the question I tried to keep in mind as I read it.

The version I’ve seen (which could have been prepared around 16 January, so is probably already out of date) contains 140 Whereas clauses, 92 Articles and is 102 pages long. Version 56, which is the one commonly available on the internet, has just 118 Whereas clauses, 91 Articles and is only 96 pages long.

A new Article (Article 3) relates to the territorial scope of the Regulation, and tries to define when non-EU controllers will be obliged to respect the Regulation. I’m not clever enough to appreciate the subtlety of what is being proposed, and what changes it heralds, so we’ll wait for the international lawyers to opine on this point.

The definition of “personal data” is still pretty vague and we need to work out whether “online identifiers” are the same as IP addresses. The definition of “personal data breach” means that all of the problems faced by those trying to live within the data breach requirements of the ePrivacy Directive might now be shared with everyone else. Yuk.

We ought to brace ourselves for “children” to be defined as any person below the age of 18 years – which could have implications on the legitimacy of data processing for anyone under 18. And, a special article could well introduce special rules for the processing of children under 13. Perhaps they will only need to get their parent’s consent for some types of processing if they are under 13. On the other hand, the Regulation may also provide that it won’t affect the general contract law of Member States such as rules on the validity, formation, or effect in relation to a child. So, the “one Regulation to rule them all” approach will fall flat on its face when it comes to the problem of addressing the different requirements that Member States already have in how they treat people under the age of 18. But will children be permitted to give their consent for profiling activities? Let’s see. I can’t quite work it out as you have to cross-refer to various Articles in the text, and I frankly don’t have the motivation to work out which will take priority. Especially if I’m working on a text that has already been updated, and will be updated again before it is formally published.

As far as the principles of data processing are concerned, we can expect a slight tweak (but probably nothing to worry about), and the processing for legitimate interests condition survives – at least for private companies. It looks as though public authorities can’t use the “legitimate interests clause” to justify the processing of personal data, but they will be able to process data when it’s in the public interest or the exercise of official authority vested in the data controller. Don’t ask me what the difference is, but there probably is one – and if so there might be howls of protest around Brussels and town halls when the implications sink in.

We can expect a glimmer of hope as far as the rules on marketing “similar products and services” are concerned.

On the rights of data subjects, we can brace ourselves for no Subject Access Request Fees, unless such requests are manifestly excessive (whatever that means). This could turn out, in essence, to be a brilliant EU job creation scheme, if armies of staff are to be required to be recruited to deal with these additional Subject Access Requests.

And yes, of course we’ll have some stuff about the “right to be forgotten and to erasure”. And to data portability. Whether it will have any practical effect, only time will tell.

There’s lots more to comment on, if I felt that any reader had the energy to carry on reading this posting. Let me just whet their appetite by suggesting that the breach notification requirements still appear overly onerous (in the sense that there are draconian requirements to report matters fast, but no corresponding obligations on the part of the regulator to do anything with them in an equally speedy manner). Help may be at hand, though, if they provide standard forms and templates to work out what needs to be reported to whom. Well, templates that work, anyway. I’ll shortly be blogging on an initiative by ENISA, offering guidance and a standard form. And a mightily clever (and fiendishly complicated) way of calculating the severity of harm.

Turning to the infamous sanction powers, we may all have a pleasant surprise. The ludicrous proposal to fine companies between 100,000 and 1 million Euros or up to 5% of their annual worldwide turnover for a failure to report a breach within 24 hours could well be lowered to a fine of merely between 1,000 and 1 million Euros or up to 4% of their annual worldwide turnover. Is anyone celebrating?

But that’s enough from me. It’s enough to put me off my pudding tonight. I won’t read and analyse any more of this draft, or any more drafts. I will just thank the folk at the European Commission for their commitment to transparency. Yet again, they appear to have created and circulated a document that has no protective security markings, so it is only fair to assume that it is not a confidential document.

Confidential or not, I won’t be sharing this draft with anyone. Sorry, friends, but it won’t be too long to wait before another text emerges from the official channels, and you will be free to feast on that.