A Critical Time for the EU Data Protection Regulation

Editorial By Christopher Wolf

Policymakers around the world are re-examining the legal framework that regulates the collection, use, sharing, and storing of personal information – proposing more robust protections afforded to such information, and increasing the legal obligations of business. The new approaches are in response to the dramatically different ways in which technology interacts with personal data and the potential for that data to be exposed and misused.

Within the past year, new privacy frameworks were proposed by the European Commission and also by the Obama Administration, each seeking more protection for individuals. Despite common foundations – the Fair Information Practice Principles – the privacy regimes from opposite sides of the Atlantic exhibit fundamental differences in approach and substance.

The US proposal eschews the EU fundamental rights approach and instead focuses on a privacy “Bill of Rights” and a related set of enforceable, multi-stakeholder codes of conduct. At the same time, solutions are being sought to accomplish a “Do Not Track” option for consumers; the rules for children’s privacy are being tightened; mobile and app privacy are in focus; and data brokers are under scrutiny. Major issues associated with new technologies are being addressed in the US, although without the across-the-board approach to privacy protection that characterizes the EU approach.

At the start of the second Obama Administration, the timetable for changes in American privacy law is indefinite. Progress is being made, but the completion date for any one of the initiatives cannot be predicted. (The one exception relates to health privacy, for which new regulations from the Department of Health and Human Services are expected forthwith.)

In contrast, in the EU it is widely expected that an opinion on the proposed EU Data Protection Regulation will be coming soon from the European Parliament Committee on Civil Liberties, Justice and Home Affairs – the so-called LIBE Committee. And while some adjustments to various provisions are likely to be proposed (such as the time period for reporting data security breaches, set at a presumptive 24 hours in the current draft), endorsement of the Regulation to the Parliament and Council is expected. At that point, rapid consideration of the proposed Regulation is likely in the Parliament and Council.

It is the proverbial “home stretch” of the formal consideration of the Regulation introduced January 2012 by Vice-President Viviane Reding. And for that reason, it is time for sharp focus on the EU Regulation, because what happens in the EU has an impact on multinational organizations operating across borders, and on the evolution of privacy frameworks around the world.

Over the past year, there has been little disagreement over the goals of the Regulation to provide region-wide uniformity in privacy law, to reduce bureaucracy, to institutionalize “Privacy by Design,” and to establish a new framework that reflects the evolution of technology and social media and their impact on the protection of personal data.

More controversial are the proposed penalties of up to 2% of an entity’s global turnover for violations of the Regulation; the extension of jurisdiction and applicability of the Regulation outside the EU borders to companies “offering of goods or services to [...] data subjects in the Union or [engaged in] the monitoring of their behavior;” the establishment of data portability that could create a ban on “tying” information to services that otherwise would be permissible under competition law; and the “right to be forgotten.”

There are lingering questions over the operation of the “one-stop shop”, in which one Data Protection Authority (DPA) will have primary jurisdiction over a company based on the location of its “main establishment”; and concerns have been expressed over the impact of the Regulation on small and medium-sized enterprises (SMEs).

In November, the UK Government published its Impact Assessment of the draft European data protection regulation. When the draft regulation was first published, the European Commission estimated that harmonizing the European data protection regime would bring a net administrative benefit of €2.3 billion to the EU. However, the UK Ministry of Justice has carried out its own analysis of the proposals and concluded that for the UK alone there would be an annual net cost of between £100 million and £360 million.

The UK Government takes the position that the Commission failed to take into account all of the costs that would arise from the draft regulation, and it identifies the following aspects of the regulation that will impose additional costs on businesses:

  • The requirement to employ a data protection officer;
  • The requirement to carry out data protection impact assessments;
  • The requirement to provide notification of all personal data breaches to the supervisory authority; and
  • The administrative costs of demonstrating compliance.

It also points out that supervisory authorities will require substantially more resources to carry out their widened responsibilities, and that the powers the Commission has proposed to give itself to make delegated acts could also affect the costs and benefits of the new proposal. The UK Government stated that it will use the evidence set out in its Impact Assessment to “continue to push for a lasting data protection framework that is proportionate, and that minimizes the burdens on businesses and other organizations, while giving individuals real protection in how their personal data is processed.”

At the same time, also in November 2012, the European Network and Information Security Agency (ENISA) released a report on the technical aspects of the “right to be forgotten”. ENISA pointed out that any technical solution for the “right to be forgotten” would require an unambiguous definition of the personal data that is covered by the “right to be forgotten”, a clear notion of who can enforce the right, and a mechanism for balancing the “right to be forgotten” against other rights such as freedom of expression. According to the Report, the text of the current European proposal leaves each of these subjects open to debate, making it difficult to implement technical mechanisms to deal with the “right to be forgotten”.

ENISA also noted that the “right to be forgotten” is virtually impossible to enforce in an open network such as the Internet. Nothing prevents users from freely copying and redistributing digital content, including photos. Subsequently trying to find and erase the distributed copies would be impossible. ENISA states that the only way to prevent such redistribution would be to use digital rights management (DRM) technology similar to that used by certain publishers of digital content such as motion pictures and music. However, most of the DRM technologies can be easily circumvented. ENISA points out that partial enforcement of the “right to be forgotten” could be achieved by requiring search engines subject to European jurisdiction to filter search results so that the information that is supposed to be forgotten does not show up:

“A natural way to “mostly forget” data is thus to prevent its appearance in the results of search engines, and to filter it from sharing services like Twitter. EU member states could require search engine operators and sharing services to filter references to forgotten data. As a result, forgotten data would be very difficult to find, even though copies may survive, for instance, outside the EU jurisdiction”.

The French data protection authority, the CNIL, recently made three critical points about the Regulation in its Annual Report. First, the CNIL expressed concern that making a single data protection authority responsible for the Europe-wide activities of an enterprise could result in a significant decrease in the level of protection of individuals. Citing the example of a social network whose main establishment is located in another European member state, the CNIL said it was inappropriate to reduce the role of the French data protection authority to a simple mailbox to forward complaints to the principal DPA responsible for the social network’s activities. According to the CNIL, a French user who is harmed by the activities of an enterprise doing business in France should be able to look to the French regulator for redress.

The second point on which the CNIL diverges from the Commission is the issue of international data transfers. The CNIL believes that transfers to countries that have not been recognized as providing adequate protection should be based on contractual clauses or binding corporate rules (BCRs) that have been approved in advance by the CNIL. Under the proposed regulation, an international transfer based on standard contractual clauses will not require the prior approval of the DPA.

Finally, the CNIL made the point that the new accountability measures included in the draft regulation should not be viewed as a form of self-regulation, or as a trade-off for less regulatory supervision. Instead, the accountability measures should be viewed as a supplement to existing regulatory principles and enforcement practices.

The issues that have been raised about the proposed Regulation are real and substantial. How the reviewers in the European Parliament analyze and report on the proposal will be critical. As important as momentum may be to obtain approval of the Regulation in a timely fashion, equally important is ensuring the passage of a workable and balanced set of new rules.
