Wednesday 9 January 2013

The best that can be said about the latest report on the Regulation is ...



Well well well. Viviane Reding may well have a few things to say about data protection after all,  when she addresses people from all walks of life after they have stormed into Dublin Castle to see her on Thursday.

As if by coincidence, the Committee on Civil Liberties, Justice and Home Affairs has just published its proposals to amend the draft General Data Protection Regulation. I’ve already read a number of commentaries on the proposals, and am astonished at the speed with which so many legal experts can read all 215 pages of the document, and take full account of each of the 350 amendments that are proposed.

I can assure you that I have not read them all yet – but can recommend, for those who have busy lives to lead, that eager professionals should first turn to the explanatory statement, which can be found on pages 209 – 215. That is all most of us need to bother with this week.

First, the good news. There’s lots of reassuring words to sooth the nerves of the professionals who are worried about legal certainty:

“The Regulation needs to be comprehensive also in terms of providing legal certainty. The extensive use of delegated and implementing acts runs counter to this goal. Therefore the rapporteur proposes the deletion of a number of provisions conferring on the Commission the power to adopt delegated acts. However, in order to provide legal certainty where possible, the rapporteur has replaced several acts with more detailed wording in the Regulation... In other instances, the rapporteur proposes to entrust the European Data Protection Board with the task of further specifying the criteria and requirements of a particular provision instead granting the Commission the power to adopt a delegated act. The reason is that in those cases the matter relates to cooperation between national supervisors and they are better placed to determine the principles and practices to be applied.”

And on data breach notification:

“The rapporteur proposes to extend the period within which to notify a personal data breach to the supervisory authority from 24 to 72 hours. Furthermore, to prevent notification fatigue to data subjects, only cases where a data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation, the data subject should be notified. The notification should also comprise a description of the nature of the personal data breach, and information regarding the rights, including possibilities regarding redress.”

And on consent:

“Technical standards that express a subject’s clear wishes may be seen as a valid form of providing explicit consent.” Presumably, this allows for people to signify their consent by continuing to browse a web site.

And on privacy iconography:

“Information to data subjects should be presented in easily comprehensible form, such as by standardised logos or icons.”
 
Even a few jokes are slipped in:

“Consent should remain a cornerstone of the EU approach to data protection, since this is the best way for individuals to control data processing activities."

Excuse me. Whenever was consent a preferred technique of establishing that processing was legitimate, when a data controller could otherwise have relied on the legitimate interests provision?

But there are better jokes:

“In order to function, a crucial element is that DPAs, who must be completely independent, need to be sufficiently resourced for the effective performance of their tasks. Cooperation between DPAs will also be strengthened in the context of a European Data Protection Board (which will replace the current Article 29 Working Party). The rapporteur views the foreseen cooperation and consistency mechanism among national DPAs as a huge step towards a coherent application of data protection legislation across the EU.”

I say. What will it really take to ensure that DPAs are sufficiently resourced? And how many Governments can really afford that, in the current economic climate?

The second funniest joke is:

“The rapporteur supports the aim of strengthening the right to the protection of personal data, while ensuring a unified legal framework and reducing administrative burdens for data controllers.”

Will these measures really reduce administrative burdens for data controllers? Or does the report simply platinum plate a proposal that has already been severely criticised as being unaffordable? I can’t answer this as I have not seen a compliance cost assessment. I doubt that one has even been prepared.

The best joke of all is:

“The rapporteur expects his proposals to form a good basis for swift agreement in the European Parliament and negotiations with the Council during the Irish presidency.”

If the rapporteur’s expectation is that such a hugely complicated proposal will be rushed through the next stage of the scrutiny process, and that it forms a good basis for negotiations with the Council during the Irish presidency, then I’m a banana.

I do agree, though, that the proposal is guaranteed to deliver to MEPs who support it the gratitude of their constituents in next year’s European elections. That is, until the electorate realise that the burdens of paying for this uncosted proposal will quickly fall on all European consumers. Yes, even the Greek, Spanish, Portuguese, Italian and the French consumers. 


According to the mighty Eduardo Ursturan, writing in the FFW blog: “What was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.”

But it is Chris Pounder, the great HawkTalk blogger, wins the prize for the most challenging summary of the day: “However, remember that the real power is with the Council of Ministers. It what they say that goes; this report, when the chips are down will be more or less ignored (and the drafting errors will make this so easy to do).”


Sources:

http://europa.eu/rapid/press-release_MEMO-13-4_en.htm?locale=en
http://amberhawk.typepad.com/amberhawk/2013/01/european-parliament-mauls-the-data-protection-regulation-enhanced-protection-for-data-subjects-and-fettering-of-commission.html
http://privacylawblog.ffw.com/
.