On 31 May 2013, the Irish Presidency of the Council of the European Union released a draft compromise text on the European Commission’s proposed General Data Protection Regulation. The Presidency released the compromise text ahead of a meeting of the European Justice Ministers on 6 June 2013 as a basis for those debates. The compromise text narrows the scope of the Regulation and seeks to move away from a detailed, prescriptive approach towards a risk-based framework. Following the debate on 6 June, Irish Justice Minister Alan Shatter indicated that consensus had been reached on the concept of a risk-based approach and on the proposal not to require explicit consent in all cases. Other key areas of the text continue to be debated, not least the fundamental nature of the instrument itself. This article highlights some of the key changes proposed by the Irish Presidency.
Background
Since its publication in January 2012, the Regulation has been the subject of intense negotiation, commentary and media speculation. The adopted opinions of the parliamentary committees of the European Parliament and the draft report of the lead committee (the Civil Liberties, Justice and Home Affairs Committee, ‘LIBE’) have proposed divergent versions of the Regulation. As expected, the Irish Presidency’s draft compromise text seeks to eliminate some of the more prescriptive and bureaucratic proposals, and promotes a risk-based framework. The stark differences in approach between the various EU legislative actors will make compromise challenging, and cast some doubt on when, or even if, the Regulation will become law.
At the time of writing, the Irish Presidency has only released proposed amendments to Chapters I – IV of the Regulation. Its views on issues appearing in later chapters, including international data transfers, the powers of the supervisory authorities, and sanctions, are not yet known.
Choice of Legislative Instrument
The Irish Presidency’s text notes that eight Member States[1] still do not support the Commission’s choice of legislative instrument as a regulation taking direct effect, and would prefer that Directive 95/46/EC be repealed and replaced by another directive requiring implementation in each Member State. Interestingly, the Irish Presidency’s compromise text uses language that is typical of a directive, rather than a regulation, and does not rule out the possibility of a change of instrument.
Key Definitions
An additional category of ‘pseudonymised’ data is proposed at Article 4(2a), being ‘personal data processed in such a way that the data cannot be attributed to a specific data subject without the use of additional information, as long as such information is kept separately and subject to technical and organisational measures to ensure non-attribution’. This definition characterises pseudonymised data as a sub-category of personal data, rather than a sub-category of anonymous data or as a third type of data. This could assist in arguments that encrypted data constitute pseudonymised data, a view which has been repeatedly rejected by regulators on the basis that encryption is a mere security measure, and because encrypted data can be re-identified by the key holder.
This new definition of ‘pseudonymised’ data would also likely assist UK data controllers in particular. Under the Data Protection Act 1998, the concept of ‘personal data’ extends not only to data which could identify the data subject, but also to the combination of those data and other data in the possession of, or likely to come into the possession of, the data controller. The inclusion of ‘as long as such information is kept separately’ permits data controllers to hold other identifying information, including within organisations, provided that it is adequately segregated or held in silos. This would significantly ease controllers’ obligations in relation to the processing of pseudonymised data.
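As an added illustration (this code is not part of the article and does not reflect any controller’s actual system), the following Python example shows what the ‘kept separately’ condition in the proposed Article 4(2a) definition means in practice. The records, e-mail addresses and key are constructed for the example. The direct identifier is replaced by a keyed pseudonym (HMAC-SHA256), and the key is the ‘additional information’ that must be held apart from the data set, for instance by a separate custodian. The example also contrasts this with an unkeyed hash, which a motivated intruder holding a candidate list can reverse without any additional information, and which therefore would not satisfy the definition.

```python
"""
Pseudonymisation under a separately held key (added example, not from the article).

Assumptions (hypothetical): records are keyed by e-mail address; the key that
permits re-attribution is held by a separate custodian, not alongside the data.
"""
import hashlib
import hmac
import secrets

# Constructed sample data, not real individuals.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "purchases": 3},
    {"email": "bob@example.org", "purchases": 1},
    {"email": "carol@example.org", "purchases": 7},
]


def generate_key() -> bytes:
    """The 'additional information': a random 256-bit key held by the custodian."""
    return secrets.token_bytes(32)


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under the custodian's key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256, which needs no secret and so is reversible from a candidate list."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Return copies of the records with the e-mail replaced by a keyed pseudonym.

    The resulting data set contains no direct identifier; re-attribution requires
    the key, which the custodian keeps separately from this output.
    """
    out = []
    for record in records:
        stripped = {k: v for k, v in record.items() if k != "email"}
        stripped["pid"] = keyed_pseudonym(record["email"], key)
        out.append(stripped)
    return out


def attribute(target: str, candidates: list, key: bytes = None):
    """Try to link `target` back to one of `candidates`.

    key=None models a motivated intruder who has a candidate list of
    identifiers but no additional information; a key models the custodian.
    Returns the matching identifier or None.
    """
    for candidate in candidates:
        digest = keyed_pseudonym(candidate, key) if key else unkeyed_hash(candidate)
        if hmac.compare_digest(digest, target):
            return candidate
    return None


def demo() -> dict:
    """Run the comparison and return the observations as a dict."""
    key = generate_key()
    pseudonymised = pseudonymise(SAMPLE_RECORDS, key)
    emails = [r["email"] for r in SAMPLE_RECORDS]
    return {
        # The pseudonymised set keeps only the pseudonym and the payload.
        "fields": sorted(pseudonymised[0].keys()),
        # Unkeyed hash: the intruder recovers the identity from the list alone.
        "intruder_vs_unkeyed": attribute(unkeyed_hash(emails[1]), emails),
        # Keyed pseudonym: the same intruder, without the key, learns nothing.
        "intruder_vs_keyed": attribute(pseudonymised[0]["pid"], emails),
        # The custodian, holding the key, can still re-attribute when required.
        "custodian_vs_keyed": attribute(pseudonymised[0]["pid"], emails, key),
        # Pseudonyms remain distinct per data subject, so analytics still work.
        "distinct_pids": len({r["pid"] for r in pseudonymised}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the segregation of the key, not the hashing alone, is what makes the output ‘pseudonymised’ rather than a thin disguise of personal data: if the same organisation stores the key next to the data set, or uses an unkeyed hash, a candidate list is enough to re-attribute the records.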
The definition of ‘sensitive personal data’ is amended to exclude data concerning criminal convictions or related security measures (Article 9(1)). This preserves the current position under the Directive, but differs from the DPA 1998.
Scope of the Regulation
Recital 23 excludes from the application of the data protection principles the processing of anonymous data and of personal data relating to the deceased. For data to be ‘anonymous’, they must not relate to an identified or identifiable natural person. Whether data could identify an individual depends in part on the costs and the amount of time that would be required to identify the individual. This clarification somewhat resembles the ‘motivated intruder test’ under the Information Commissioner’s guidance on anonymisation,[2] and may assist controllers, given the practical and technical difficulties of achieving complete and permanent anonymisation.
Importantly, the Irish Presidency’s text offers clarification on the extent of the Regulation’s extraterritorial application to data controllers located outside the EU. Recital 20 explains that mere accessibility of a controller’s web site from within the EU does not constitute ‘the offering of goods or services’ under Article 3(2)(a), and that whether the controller appears to ‘envisage’ doing business with EU data subjects is a determining factor. Whether a controller envisages doing business with EU data subjects can be ascertained from the functionality of its web site, including local language and currency. The amendments also delete Recital 64 of the Commission’s proposal, which brought within the scope of the Regulation data controllers who ‘occasionally’ offer goods or services to EU data subjects.
The Irish Presidency’s text clarifies the extraterritorial application of the Regulation in relation to non-EU controllers that monitor the behaviour of EU data subjects. Under Article 3(2)(b), the monitored behaviour must take place within the EU. Accordingly, the Regulation would not apply to the monitoring of habitually resident EU data subjects when they are temporarily based outside the EU. The amendments also clarify that, under the household exemption, the Regulation does not apply to social networking and online activities by individuals provided that they are undertaken as a household activity (e.g., not sponsored or paid bloggers).
Risk-Based Approach
Overall, the compromise text proposed by the Irish Presidency can be seen as more business-focused and pragmatic. Specifically, it proposes an additional recital clarifying the right to data protection as a qualified right, highlighting the principle of proportionality and the importance of other competing fundamental rights, including the freedom to conduct a business.
The principle of proportionality is a consistent theme throughout, in particular, in the context of further processing of personal data. The compatibility of further processing purposes is dependent on a number of factors, including the context of collection and (i) any link between the original purposes and intended further purposes, (ii) the reasonable expectations of further use anticipated by the data subject, (iii) the nature of the personal data, (iv) the consequences of the further intended processing for data subjects and (v) appropriate safeguards. Under the Commission’s draft, all incompatible further processing purposes would require separate lawful bases for processing, and no guidance is provided on what constitutes an ‘incompatible’ further processing purpose.
The compromise text incentivises data controllers to process pseudonymised data or anonymous data instead of personal data. Recital 39 clarifies that data controllers can rely on the legitimate interests basis when processing personal data in order to anonymise or pseudonymise them. This would provide clarity and comfort to data controllers who, under current legislation, can struggle to satisfy the requirements of a legal basis for processing in order to render data anonymous or pseudonymous. With the clarification that Recital 39 provides, data controllers could readily anonymise and pseudonymise personal data before processing them for statistical and analytic purposes, for example. In the current age of ‘big data’, this practical concession proposed by the Presidency would likely prove of great value to controllers, particularly those in data-heavy sectors such as information technology and consumer retail. In addition, under the new Article 10(2), where a data controller is ‘not in a position to identify the data subject’, critical substantive requirements of the Regulation do not apply, including the rights of access, rectification, data portability, erasure and the right to be forgotten.
Consent and Lawful Processing
The criterion for valid consent would shift from ‘explicit’, under the Commission’s proposal, to ‘unambiguous’ in the Irish Presidency’s text – except in the case of processing sensitive personal data (Recital 25 and Article 9(2)). This reverts to the current position under the Directive, and is a concession to the practical difficulty of obtaining explicit consent in all cases.
Consent can be obtained in writing, orally or in an electronic manner and, where technically feasible and effective, can be given using browser settings and other technical solutions. The requirement for ‘informed’ consent is also relaxed: rather than providing all of the information set out in Article 14, the controller need only ensure that the data subject is ‘at least’ made aware of (i) the identity of the data controller and (ii) the purpose(s) of the processing of their personal data (Recitals 33 and 48).
Whereas the Regulation requires separate and distinguishable written consents for processing for different purposes (Article 7(2)), under the compromise text, requests for consent for separate processing purposes must be distinguishable, but the consents themselves do not have to be. Data controllers could therefore obtain a single written consent to multiple processing activities, provided clear and distinguishable notice of each different processing activity was given. The compromise text also changes the default assumption, that valid consent cannot be obtained where a significant imbalance exists between the data subject and the data controller, to an assessment in each specific case (Recital 34).
The legitimate interests basis for lawful processing (Article 7(f) of the Directive) is explicitly extended to include (i) fraud prevention, (ii) anonymising or pseudonymising personal data and (iii) direct marketing purposes. The first extension will likely be particularly welcomed by data controllers operating in the financial and retail sectors. The second extension, as discussed above, incentivises controllers to process anonymous and pseudonymous data in place of personal data. The third extension will likely cause the most surprise and may not be unanimously welcomed, in particular in continental European jurisdictions, although it could be said to reflect current practice in the UK.
Individual Rights
Under the compromise text, data controllers are not required to provide fair processing notices where the data are collected from publicly available sources (Article 14a(4)(c)). This would greatly reduce the burden, as compared to the Commission’s proposals, for controllers who process large amounts of publicly available data, including advertisers and recruiters who ‘scrape’ personal data from social media profiles.
The prohibition on profiling applies to decisions based on profiling, rather than to profiling measures, and more closely reflects the current restrictions on automated decisions under Article 15 of the Directive. It would only apply where the decision would produce legal effects that ‘severely’ impact the data subject. This significantly narrows the scope of the profiling restrictions introduced under the Commission’s draft, and would no doubt be welcomed by data controllers. Processing for profiling purposes is also expressly permitted for fraud monitoring and prevention and to ensure the security and reliability of services provided by controllers. This concession could be particularly pertinent in the context of cyber-security obligations.
Amendments to the right to be forgotten would also greatly assist data controllers. Under Article 17a, data controllers would be required to notify third-party recipients of a data subject’s erasure request only where that request is successful and the controller is required to erase the data. Where the controller is not required to erase the data (i.e., because an exemption applies), it is also not required to notify third parties of the erasure request. The requirement to notify third parties is further limited from ‘all reasonable steps’ to ‘reasonable steps’ in the circumstances, taking into account available technology and the cost of implementation (Article 17(2a)). This would likely greatly reduce the burden of processing erasure requests for intermediaries such as search engines and social networks.
The right to object is limited to personal data processed on the grounds of legitimate interests and does not extend to cover personal data processed on the grounds of necessity in the vital interests of data subjects (Article 6(1)(d)) or necessity for the performance of tasks carried out by public bodies (Article 6(1)(e)). Further, the right to object does not apply where the controller can show ‘legitimate grounds’ (rather than ‘compelling legitimate grounds’) for continuing to process the data. Where an objection is upheld, the controller may still process the personal data to establish, exercise or defend legal claims (Article 19(1a)). The right to object to processing for direct marketing purposes is amended such that it no longer has to be free of charge (Article 19(2)).
Privacy by Design
The principle of data minimisation is excluded as an explicit obligation in the compromise text. This will likely be welcomed by data controllers, particularly those in sectors that are heavily dependent on big data analysis, such as insurance, finance, advertising, retail and information technology.
The application of the principles of data protection by design and default are limited, depending on the available technology and the risks posed to data subjects (Article 23(1)). Processing pseudonymised data is explicitly identified as a data protection by design and default measure.
The provisions concerning data retention are also significantly relaxed in the compromise text. In particular, controllers are not obliged to provide notice of specific retention periods (Articles 14, 15 and 28).
Security and Breach Notification
A new principle of data security is introduced (Article 5(1)(ee)), which has limited application, depending on the available technology and the risks posed to data subjects (Article 30(1)). Processing pseudonymised data is explicitly indicated as a data security measure.
As expected, the timeframe for reporting personal data breaches is extended from 24 hours to 72 (Recital 67 and Article 31). Further, only significant breaches which may result in ‘severe material or moral harm’ must be notified to the competent supervisory authority (Recital 67 and Article 31). This amendment greatly ameliorates the Commission’s proposals, which required notification of all data breaches and did not specify any threshold requirements. Similarly, the Irish Presidency proposes that only severe breaches must be notified to affected data subjects and that notification to both the supervisory authority and to data subjects is not required where technological measures applied to the personal data mean they are unintelligible to third parties, or where the breach affects pseudonymised data which would also be unintelligible to third parties (Recital 68a and Articles 31(1a) and 32(3)(a)). Further, notification to data subjects is not required where the controller takes subsequent steps to protect affected data subjects (Article 32(3)(b)). In addition, where it would involve disproportionate effort to notify data subjects individually, the controller may instead make a public communication (Article 32(2)(c)).
Internal Controls and Codes of Conduct
Data protection impact assessments (‘DPIAs’) would be the sole responsibility of data controllers, and not processors (Article 33(1)), and the list of processing operations at Article 33(2) requiring DPIAs would be exhaustive, and not indicative. In conducting a DPIA, data controllers would no longer be required to seek the views of data subjects or their representatives (Article 33). Under Article 34, supervisory authorities would no longer have the power to prohibit processing activities submitted for prior consultation following the conduct of a DPIA.
The appointment of a Data Protection Officer is re-cast as optional, unless stipulated by national law (e.g., as is currently the case for many organisations in Germany). Codes of conduct and certification play a more prominent role in the compromise text, in particular in relation to demonstrating privacy by design and default, as a kite mark for processors sufficiently guaranteeing processing in accordance with the requirements of the Regulation, and in relation to data security measures.
Hope for Controllers?
Overall, the Irish Presidency’s compromise text offers a more measured and flexible approach to data protection regulation than the Commission’s proposals. A risk-based approach is consistent with the regulatory approach in other contexts. The Irish Presidency’s compromise text offers hope to data controllers that many of the obligations which would be the most challenging to meet in practice, such as explicit consent, lengthy fair processing notices, strict data minimisation and profiling restrictions, could yet be re-cast in more pragmatic and realistic terms. If accepted, the Presidency’s proposed amendments in relation to the processing of pseudonymised data and additional bases for lawful processing, would also greatly ameliorate the position of controllers.
Nothing is yet written in stone. Ireland’s Presidency ends on 30 June 2013, and Lithuania will hold the Presidency from 1 July. The Irish Presidency has made the Regulation a particular focus during its term and held a record number of meetings to debate the text. Lithuania, on the other hand, is something of an unknown quantity, and has reportedly stated that its aims in relation to the Regulation are ‘unambitious’. This puts the timeframe of the Regulation under real pressure and, given the divergences which persist, it is unlikely that we will see much movement before the summer recess. Nonetheless, recognising the overall political objectives, the time and attention spent to date, and the extensive media coverage, there remains hope that a final draft will be agreed before the May 2014 European Parliament elections. Whether the end product is one that data controllers will welcome, or at least learn to live with, remains to be seen.
Bridget Treacy is the managing partner of Hunton & Williams’ London office and leads the UK data protection and cyber security practice. Naomi McBride is an associate in the London office specialising in data protection and privacy matters.
[1] Belgium, the Czech Republic, Denmark, Estonia, Hungary, Sweden, Slovenia, and the UK
[2] ICO Guidance, Anonymisation: managing data protection risk code of conduct, available at: http://www.ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/anonymisation_code.ashx.