On 25 January 2012 the European Commission released the EU’s keenly anticipated new Data Protection Regulation and Directive. A large array of resources, including the full text of the proposed new rules, is available on the Commission’s website. The UK’s own Information Commissioner has published an initial response to the proposals, broadly welcoming them.
The publication of the proposed legislation was previewed by an announcement of some of its content by Viviane Reding, the Commission Vice President who has been one of the driving forces behind it, at the annual Digital Life Design Conference in Munich on January 22. The Regulation and Directive are intended to supersede the piecemeal provisions for data protection and privacy which exist across the 27 Member States with a single, Union-wide legal framework; in the UK, this will mean overriding the Data Protection Act 1998.
The new rules, said Reding, aim to
“ensure a smoother exchange of information between member states, police and judicial authorities in the fight against terrorism and serious crime while at the same time protecting people’s fundamental rights to data protection.”
They are a response to concerns arising from the increasingly widespread use of social media and e-commerce, with all the sacrifice of personal information that the phenomenon entails. The Commission quotes a survey which found that 70% of European citizens are worried about misuse of their personal data, and the effect of the new rules seems broadly to be a re-balancing in favour of the interests and rights of the data subject over those of data controllers and processors.
Concerns about the long-term implications of giving up personal information online are particularly relevant to so-called digital natives, who have grown up sharing details of their entire lives via social networks, and a spokesman for the Commission confirmed that the rules are
“particularly aimed at young people as they are not always as aware as they could be about the consequence of putting photos and other information on social network websites, or about the various privacy settings available.”
The Regulation (and the separate Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities) will be the subject of detailed commentary and analysis in the weeks and months ahead, but these are some of the main innovations, and one respect in which the law’s approach to the media remains the same:
The right to be forgotten
Article 17 is a right to be forgotten, that is for the data subject to
“obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child”
This is perhaps the most headline-grabbing and contentious aspect of the reforms, although it is worth noting that it is, of course, a circumscribed right rather than an absolute one. Potentially alarming for data controllers is that, where they have made data public in the first place, their obligations in effacing it extend to third parties involved in processing or publishing that data.
In his detailed post for Inforrm, Paul Bernal draws attention to the often emotional reactions to this aspect of the proposals, which has been painted by some as a potential restriction on free speech, or as making provision for attempts to erase the past, and Reding herself sought to address this kind of alarmism, saying that
“[i]t is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.”
Bernal argues that the right is really intended to address “the deletion of data that is no longer needed” and points to the existence of similar principles of data minimisation in the current law. It seems, however, that this aspect of the new rules, along with the right to object to the profiling and processing of personal data under Articles 19 and 20, will change the approach of online businesses which store data on customers, profile them and target advertising at them.
No presumption of consent
There is a focus throughout the legislation on the data subject’s consent to the processing of her data, which will have to be “freely given specific, informed and explicit” under Article 3. Silence or inactivity will not suffice, and consent must be given “by a statement or by a clear affirmative action”. Article 6, which addresses the lawfulness of processing, details scenarios in which processing data without consent is acceptable, including when it is “for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
The requirement to obtain consent is a major plank of the proposed reforms and should have a significant impact on the widespread practice of obtaining, and even trading in, consumers’ personal information without their being aware of it. It could, however, have a detrimental effect on the web browsing experience, resulting in all internet users spending more time dealing with data-related aspects of web use.
Notification of data breaches
Articles 31 and 32 introduce an obligation to notify the relevant parties of personal data breaches, and they develop the personal data breach notification provisions in Article 4(3) of the e-privacy Directive 2002/58/EC. The most onerous aspect of the two articles is the obligation to notify the national supervisory authority of any personal data breach within 24 hours of it taking place, but the breach must also be communicated to the individual data subject “without undue delay”, a timescale which, according to Reding, also means 24 hours.
The Outlaw blog has commentary on this aspect of the provision, pointing out that the timing provisions will make it difficult to issue meaningful communications to customers, and that the prospect of fines for non-compliance will probably result in the sending of large numbers of reports. Data-related spam is not an appetising prospect. However, Reding’s assertion that the new regulations will result in an increase of consumer trust in those they give their data to is perhaps best borne out by this aspect of the proposals.
Data Protection Officers
Article 35 obliges data processors and controllers to designate a data protection officer where processing is carried out by a public authority or body, or where it is carried out by an enterprise employing 250 persons or more, or where the activities carried out “require regular and systematic monitoring of data subjects”. This individual will have to have expert knowledge and be appointed for at least two years.
This undoubtedly will be an additional cost to businesses, and is one focus of anxiety from the commercial world. But it does not seem particularly disproportionate when compared with the requirements surrounding Health and Safety, particularly as the nature and amount of data held by businesses increases.
Fines and enforcement
Many news organisations, including the BBC, have led on the fact that companies face fines of up to 2% of turnover for breaches of the legislation. Article 79 outlines a sliding scale of administrative sanctions, starting with a written warning and increasing to 2% of turnover or 1,000,000 Euros for the most serious breaches.
The majority of the technology businesses likely to be most affected by the regulations and the possible sanctions are based in the United States and would prefer the minimal controls that exist at the moment. Although Reding has said that sanctions are to be seen as a last resort, and it’s notable that their extent has been significantly reduced from a 5% maximum since an earlier draft of the proposals was leaked, they may be necessary to give teeth to the new framework.
Freedom of expression and the media
Commissioner Reding emphasised freedom of expression and freedom of the media in her announcement, and the Regulation does, like the Data Protection Act, contain explicit provisions relating to the media. Article 80 provides for exemptions or derogations from the Regulation’s provisions
“for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression”.
This provision is based on Article 9 of Directive 95/46/EC, which is in force in the UK as s32 of the 1998 Act. A margin of appreciation is left to the Member State in the implementation of Article 80, so it seems likely that the existing test applied by the courts in this jurisdiction, that the publication of personal data should be in the public interest, will persist in some form.
The ECJ held in Satakunnan Markkinapörssi and Satamedia (C-73/07, ECR 2008 p. I-9831) that the notion of journalism in Article 9 should be interpreted broadly, including all activities whose object is “the disclosure to the public of information, opinions or ideas”, irrespective of who is carrying them out (although this must not encroach unnecessarily on the fundamental right to privacy). Explicit reference to this decision in the preamble to the Regulations points to the continued existence of a broad exemption, encompassing both old and new media.
Gervase de Wilde is a student barrister and former journalist at the Daily Telegraph