Back to basics today. As I try to work out what burdens might have been removed, and what costs might have been imposed by that “draft Regulation”, I’m still coming to grips with just what it is that this Regulation us supposed to regulate. Because if this Regulation is all that regulators are going to be able to regulate, what implications does that have for stuff that regulators currently regulate but don’t feature in the draft anymore?
I started by taking a squint at what the draft Regulation had to say about manual records. After all, if the European Commission is to impose rules that apply everywhere equally, then presumably some types of manual records will fall within the ambit of the Regulation while others will not. Then, in a flash of inspiration it occurred to me that, actually, it’s not quite as clear as that – in fact it could be chaos as normal (as if anyone really mattered about it, that is).
My argument, in a nutshell, is as follows:
By making no change to the critical definition of a “filing system”, most data controllers will assume that there has been no change to the extent to which manual records fall within the ambit of the draft Regulation. But, currently, Member States define what is meant by a “filing system” in slightly different ways, so it’s not quite true that all types of information in these filing systems are covered in the same way - yet. However, very considerable compliance costs might be imposed on data controllers if it were determined that, despite their local practices, changes were now required to, say, give applicants across Europe equal access to information held in “filing systems” that previously fell outside local rules.
The trouble is, until I know what changes might be required for the data controllers in 'Blighty, it’s quite hard to offer the Ministry of Justice an indication of what the increased compliance costs might be.
Here’s a more technical explanation:
Whereas Clause 13 of the draft Regulation points to the desirability of data controllers in all Member States following the same rules: "The protection of individuals should be technologically neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to the processing of personal data by automated means as well as to manual processing, if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of the Regulation.”
This is a slightly different concept than that which is used in Whereas Clause 15 of the current Directive: “Whereas the processing of such data is covered by this Directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question.”
If I were a Eurodatalegalpolicywonk, I might argue that the difference in the new Whereas clause is to make it clear that, in future, the file should still be structured according to specific criteria, but it’s not just data which affords easy access which is covered. Someone could well argue that the draft Regulation now applies to the stuff that’s harder to access, as well as the stuff that's easy to access.
Fear not, for all hope is not lost – at least yet. Because while a change was made to the Whereas clause, no-one bothered to make any changes to the actual Article in the main body of the Regulation.
Article (2)( 2)(c) of the current Directive provides the current rule: 'personal data filing system' ('filing system') shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
The new draft Regulation is identical - Article (24( 4) provides that “filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
So, do British data controllers need to make any changes to the current processes to make sure that they can get at the stuff that’s harder to access, which is what the Whereas clause implies?
I think not.
This is because, despite what the Article 29 Working Party might say, it is still lawful to rely on statements that have been made by our very own Court of Appeal on the meaning of a relevant filing system, and these remarks trump those of the Commission . And this must remain the case until someone either challenges the state of the law, as it is held by the Court of Appeal, or until someone changes the definition, at which time it might be prudent to assume that it would be impolite to continue to rely on the Court of Appeal Judgment.
The judgement – of course, our very own Durant vs FSA judgement. For those that don’t have it on their favourites tab, I’ve referenced it below. But take a good look at Lord Justice Auld’s remarks at paragraphs 32- 51. This is the law that currently applies in the UK, whatever the European Commission would like to think.
At paragraph 50 he announces that: "a relevant filing system" for the purpose of the Act, is limited to a system:
1) in which the files forming part of it are structured or referenced in such a way as clearly to indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it ... is held within the system and, if so, in which file or files it is held; and
2) which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.
This is in line with his previous very pragmatic views, set out in paragraph 45, on the practical reality of searching for specific and readily accessible information about individuals: “The responsibility for such searches, depending on the nature and size of the data controller's organisation, will often fall on administrative officers who may have no particular knowledge of or familiarity with a set of files or of the data subject to whose request for information they are attempting to respond. ... If the statutory scheme is to have any sensible and practical effect, it can only be in the context of filing systems that enable identification of relevant information with a minimum of time and costs, through clear referencing mechanisms within any filing system potentially containing personal data the subject of a request for information. Anything less, which, for example, requires the searcher to leaf through files to see what and whether information qualifying as personal data of the person who has made the request is to be found there, would bear no resemblance to a computerised search. And ... it could, in its length and other costs, have a disproportionate effect on the property rights of data controllers under Article 1 of the First Protocol to the European Convention on Human Rights, who are only allowed a limited time ... 40 days ... to respond to requests, and are entitled to only a nominal fee in respect of doing so."
So, how will the Commission fudge this issue? Will it allow Member States to continue to have their own local rules on what manual files are covered, or will it be bold and try a new rule to apply to everything, regardless of the additional costs that may be imposed on data controllers in certain Member States?
Sources:
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (Current Directive)
http://www.bailii.org/ew/cases/EWCA/Civ/2003/1746.html (Durant vs FSA)
.