Wednesday 25 January 2012

“Ladies and Gentlemen, we have done it”

With these words, Commissioner Reding unveiled the latest set of proposals for a comprehensive reform of Europe’s data protection today. The Commission has, apparently, just adopted what is called “a comprehensive reform on the use of the data protection rule”. I won't ask too many questions about how this agreement was reached. Like making sausages, you really don't want to know just how they managed to do it.

If you want to view the 34 minute recording of today's announcement yourself, click the “banbuser” link below.

There are some grand claims: “Our reform will eliminate the unnecessary administrative burden as well as the many costs linked to the different reporting requirements currently existing throughout the EU.” Apparently, there will be a single set of rules across the EU, which will save some 2.3 billion Euros each year. But, there will be special care for SME’s, who will be sheltered from some of the more onerous requirements, at least until they have grown into larger enterprises. Commissioner Reding wants to help these young companies to become big – and to help them to do their job without being drowned by administrative burdens. So, there will be no need for them to appoint Data Protection Officers, carry out impact assessments for low and medium risk processing operations, or put together documentation about other data processing activities.

As far as citizens are concerned: "there are to be immediate benefits, and these will ensure that they are well informed about what will happen to their personal data.”

If you listen closely to the recording of the announcement, you will occasionally hear the audience’s reaction. Once or twice there is nervous laughter. On at least one occasion someone out of vision is heard to ask their colleague “is this legal?” It will be interesting to learn the reaction of more of our learned friends once we've all had time to fully consider the implications of the published proposal.

Anyway, how did this one differ from the version that I saw a few days ago and blogged about on 20 January? What can be gleaned about the shifting nature of the text as it underwent those final revisions in the period of frantic activity up to today? The text has lost one Whereas clause (there are now just 139 of them), it has gained an additional Article (there are now 93) and, somewhere along the way, three pages of text. This tells me that the negotiations carried on for some time, and a lot of changes were made, compared to the infamous leaked “Version 56” (which had a mere 118 Whereas clauses, 91 Articles and 78 pages).

As predicted, there is new language around the territorial scope of the Regulation, and we can wait for our legal chums to opine on whether it clarifies matters or causes more confusion.

As predicted, the definition of personal data is still pretty vague and we need to work out whether “online identifiers” are the same as IP addresses. And, the definition of a personal data breach means that all of the problems faced by those trying to live within the data breach requirements of the ePrivacy Directive might now be shared with everyone else. Yuk.

A radical rethink on what to do about protecting the interests of children has resulted in special rules for the processing of children under 13, and some interesting questions to resolve if a data controller is dealing with people between the ages of 13 and 18. As the Regulation won’t affect the general contract law of Member States such as rules on the validity, formation, or effect in relation to a child, we’ll have to work out just what all this stuff means quite carefully. But the Commission wants to give itself the power to adopt other legislation to further specify the condition sunder which children’s data should be processed, so I don’t have a clue what the final effect will be.

As far as the principles of data processing are concerned, private data controllers can breathe a sigh of relief and the processing for legitimate interests condition survives. As predicted, the rules for public data controllers have been tweaked – but I have not had the time to consider whether there might be howls of protest around Brussels and town halls when the implications sink in.

As anticipated, the rules on consent have been tweaked, and to such an extent that I do expect that data controllers will react in an unexpected way to the lessons learnt when individuals exercise greater control of their information by exercising their right to withdraw their consent to the processing of that information. The natural result of this power to withdraw consent will, in many cases, simply lead to a flight from consent – as prudent data controllers will increasingly use the legitimate interests condition as a basis for legitimising their data processing, rather than rely on creaky notions of consent that could easily be withdrawn.

On the rights of data subjects, and as anticipated, we can brace ourselves for no Subject Access Request Fees, unless such requests are manifestly excessive (whatever that means). As I’ve suggested before. this could turn out, in essence, to be a brilliant EU job creation scheme, if armies of staff are to be required to be recruited to deal with these additional Subject Access Requests.

Just a few more headlines for today. The breach notification requirements still appear overly onerous (in the sense that there are draconian requirements to report matters fast, but no corresponding obligations on the part of the regulator to do anything with them in an equally speedy manner). We really need to make better sense of this provision. I'll be developing this theme when I presenting my ideas with the amazing Jeanette Fitzgerald, SVP and General Counsel of Epsilon, at a DataGuidance breach notification event at the London offices of Bird & Bird tomorrow. Jeanette and I do not see entirely eye to eye on such matters, so it will be a great opportunity to appreciate how the same issues can be handled differently by an American or an English data controller. Expect arguments – and laughter – as we share our passion with anyone who’s sufficiently interested.

Turning to the infamous sanction powers, the Commission continues to back down in the face of protests at their disproportionate nature. The ludicrous proposal to fine companies between 100,000 and 1 million Euros or up to 5% of their annual worldwide turnover for a failure to report a breach within 24 hours, which was lowered to a fine of merely between 1,000 and 1 million Euros or up to 4% of their annual worldwide turnover last week, has been further reduced to just up to 1 million Euros or just 2% of their annual worldwide turnover. But, is anyone celebrating?

There’s so much more to be said about this document and about the inevitable subsequent versions. And there are lots of people with good will, who want to see high data protection standards enforced by proactive data controllers and adequately equipped regulators. But that is a huge ask, especially in today’s economic climate.

Let’s hope that, as we work through the compliance cost assessments, the end result is an appropriate increase in standards that can be afforded by data controllers. My main worry is that, given the extensive powers the Comission wants to give itself to make further changes to the data protection rules, by means of delegated legislation, so they don't need to go through such an extensive consultation process, the result could be the creation of a monster that can turn on anyone at will.

If we get it wrong, we could get it wrong for an entire generation of EU citizens. And I don’t want my name associated with that.