
What will happen to Safe Harbor?

Posted on April 27th, 2013 by Eduardo Ustaran

As data protection-related political dramas go, the debate about the suitability and future viability of Safe Harbor is right at the top. The truth is that even when the concept was first floated by the US Department of Commerce as a self-regulatory mechanism to enable personal data transfers between the EU and the USA, and avert the threat of a trade war, it was clear that the idea would prove controversial. The fact that an agreement was finally reached between the US Government and the European Commission after several years of negotiations did not settle the matter, and European data protection authorities have traditionally been more or less publicly critical of the arrangement. The level of discomfort with Safe Harbor as an adequate mechanism in accordance with European standards was made patently obvious in the Article 29 Working Party Opinion on cloud computing of 2012, which argued that sole self-certification with Safe Harbor would not be sufficient to protect personal data in a cloud environment.

The Department of Commerce has now issued its own clarifications in response to the concerns raised by the Working Party Opinion. Understandably, the Department of Commerce makes a fierce defence of Safe Harbor as an officially recognised mechanism, which was approved by the European Commission and cannot be dismissed by the EU regulators. That is and will always be correct. Whilst the clarifications do not go into the detail of the Working Party Opinion, they certainly confirm that as far as data transfers are concerned, a Safe Harbor certification provides a public guarantee of adequate protection under the scrutiny of the Federal Trade Commission.

Such robust remarks will be music to the ears of those US cloud computing service providers that have chosen to rely on Safe Harbor to show their European compliance credentials. But the debate is far from over. The European regulators are unlikely to change their minds any time soon, and if their enforcement powers increase and allow them to go after cloud service providers directly (rather than their customers), as intended by the draft Data Protection Regulation, they will be keen to put those powers into practice. In addition, we are at least a year away from the new EU data protection legal framework being agreed, but some of the stakeholders are using the opportunity of a new law to reopen the validity of Safe Harbor, adding to the sense of uncertainty about its future.

If I were to make a prediction about what will happen to Safe Harbor, I would say that the chances of Safe Harbor disappearing altogether are nil. However, it is very likely that the European Commission will be forced to reopen the discussions about the content of the Safe Harbor Principles in an attempt to bring them closer to the requirements of the new EU framework and indeed Binding Corporate Rules. That may actually be a good outcome for everyone because it will help the US Government assert its position that Safe Harbor matches the desired privacy standards – particularly if some tweaks are eventually introduced to incorporate new elements of the EU framework – and it may address for once and for all the perennial concerns of the EU regulators.


The Internet of Things and a balanced approach to regulatory intervention

Posted on March 14th, 2013 by Eduardo Ustaran

To say that the Internet has changed and penetrated our lives is without doubt an understatement. As cliché as it may sound, Internet technology has already had an effect of historic proportions for humanity. What is even more amazing is the fact that the real impact is yet to be seen and is only a few years away. Today, using and benefiting from the wonders of the Internet typically involves a communication device – like a PC, a tablet or a mobile phone – that serves as an interface mechanism for the user. Browsing the web, shopping online and communicating by e-mail have become second nature to anyone with access to a device connected to the Internet, and the fact that this can happen on the move in all but the most remote places on the planet only makes the whole experience more ordinary. But the truth is that we have seen nothing yet! A few glimpses of our current technological development show what is likely to happen next and the potential reach of the next stage in the evolution of the Internet.

The idea that things we do in the offline real world – like making breakfast, going to school, commuting to work, buying groceries, watching the telly and so on – could somehow be interconnected with each other through Internet technology in a sort of automatic way has the flavour of a 1960s science fiction cartoon. However, that was precisely the kind of thing that a group of visionary engineers had in mind when in the late nineties – as the Internet was starting to catch on – they came up with the concept of the ‘Internet of Things’. Their vision was that rather than having to rely on constant human intervention for feeding the Internet with instructions and information, everyday items – coffee machines, cars, fridges, central heating systems, TVs, toothbrushes…, you name it – could rely on the power of the Internet to provide even greater value and more convenient uses to their users. Before we start thinking of this as a prequel to Terminator, this vision was not about machines running wild and taking over our lives, but about exploiting relatively straightforward and widespread technology to make our lives… easier, more pleasant, more productive, lazier???

It is early days for some of the immediately graspable applications of the Internet of Things to become the norm. I still text my neighbour on my last day of holiday asking him to pop into my house and turn on the heating rather than log onto my gas company’s smart console device to do it remotely. We still rely on weekly shopping lists rather than ask our fridges what we have run out of. Our everyday offline life is basically still pretty offline. On the other hand, data from trains, crops, water pipes, smart meters and even running shoes is now being digitally collected for our efficiency and enjoyment. As technology evolves, every object on the planet could end up being a node in a truly ubiquitous network of networks. Not even the sky is the limit. The possibilities are as wide as our imagination and, for the more sombre thinkers, so are the risks. Privacy and security are at the top of the risk list, and that has not gone unnoticed by policy makers.

In 2012, the European Commission carried out a public consultation which sought views on an appropriate policy approach to foster a dynamic development of the Internet of Things. The Commission has recently published its report on the consultation, and the findings reflect an unfortunately common polarisation of views. The Commission’s report shows that, far from there being consensus as to the need for and scope of public intervention in connection with the Internet of Things, there are two clearly distinguishable factions: the so-called industry camp and the interested citizens, civil society and consumer organisations camp. The industry argued strongly against any kind of intervention in a sector which is still in its infancy and claimed that Internet technology should develop further before appropriate policy measures can be devised. The other side claimed that a new and stronger data protection framework was needed so that people can be fully in control of their data.

According to the civil society group of respondents to the Commission’s consultation, the required new framework needs to incorporate elements such as consent, purpose limitation, data anonymisation, transparency, privacy by default and by design, system security, data deletion, accountability and regulatory audits. A real mouthful of measures which, according to this group, must override any economic considerations, given that fundamental rights like privacy, security and other ethical issues are at stake. As is often the case, each camp will see the other’s views as antagonistic and, worst of all, this could have the regrettable effect of deafening the debate and preventing a balanced approach to regulatory intervention. We cannot afford that to be the case. Not just because of its potentially unreasonable effect on economic prosperity, but because there is a correct level of intervention that must be found and applied for everyone’s benefit. As the Internet evolves, so does the need for privacy and security public policy. The most appropriate outcome may be debatable, but one thing is clear: responsible policies and norms must take into account real and likely opportunities as well as threats, not greedy dreams or extreme conspiracy theories.

This article was first published in Privacy Perspectives in March 2013.

Position of Spain on the General Data Protection Regulation: flexibility, common sense and self-regulation

Posted on March 7th, 2013 by Nuria Pastor

As expectation and concerns rise whilst we wait for the final position of the LIBE committee and the European Parliament on the General Data Protection Regulation (the “Regulation”), the report issued by the Spanish Ministry of Justice on the Regulation (the “Report”) and the recent statements of the Spanish Minister of Justice are music to our ears.

A few weeks ago the Spanish Minister of Justice expressed concern that SMEs could be ‘suffocated’ by the new data protection framework. This concern seems to have inspired some of the amendments suggested in the Report which are designed to make the Regulation more flexible. These include substantive changes to reduce the administrative burdens for organisations with a DPO or for those that have adhered to a certification scheme, and the calculation of fines on profits rather than turnover.

Spain favours a Regulation that relies on self-regulation and accountability, clearly steering away from a restrictive ‘one size fits all’ approach which establishes an onerous (and expensive to comply with) framework. The underlying objective of these proposals seems to be the protection of the SMEs at the core of the Spanish economy. A summary of the Spanish position is provided below:

- Regulation v Directive: there is agreement that a Regulation is the best instrument to standardise data protection within the EU. This is despite the fact that this will cause complications under Spanish Constitutional law.

- Data protection principles: the Report favours the language of the Data Protection Directive (which uses the expression “adequate, relevant and not excessive”) as it allows more flexibility than the language of the Regulation which refers to personal data being “limited to the minimum necessary”. In updating personal data, the Report suggests that this should only be required “whenever necessary” and depending upon its expected use as opposed to the general obligation currently set out by the Regulation.

- Information: the requirement to inform individuals about the period during which personal data will be kept is considered excessive and very difficult to comply with. The Report suggests that this should only be required “whenever it is possible”.

- Consent: the requirement of express consent is seen as too onerous in practice and “properly informed consent” is favoured, the focus being on whether individuals understand the meaning of their actions. The adoption of sector by sector solutions in this context is not ruled out.

- Right to be forgotten: this right is considered paramount but the point is made that a balance has to be found between “theoretical technological possibilities” and “real limitations”. Making an organisation solely responsible for the erasure of personal data which has been disseminated to third parties is regarded as excessive.

- Security incidents: various amendments to the articles that regulate breach notifications are suggested to introduce less stringent requirements to the proposed regime. The suggested amendments remove the duty to notify the controller within 24 hours and also limit the obligation to notify for serious breaches only. Notifications to data subjects are also limited to those that would not have a negative impact on the investigations.

- DPOs: it is proposed that the appointment of DPOs should not be compulsory but should be encouraged by incentives such as the suppression of certain administrative burdens (as referred to below). Organisations without the resources to appoint a DPO may also be encouraged to adopt a “flexible and rigorous” certification policy or scheme. Such certifications would be by sector, revocable and renewable.

- Documentation, impact assessments and prior authorisation: the suggested amendments propose a solution whereby organisations which hold a valid certificate or which have appointed a DPO would not have to maintain documentation, carry out PIAs or request authorisation from data protection authorities as provided for by Articles 28.2, 33 and 34 of the Regulation respectively.

- International transfers: Spain favours the current system but suggests that this could be made more flexible by only requiring the authorisation of the data protection authority for contractual clauses (which have not been adopted by the Commission or an authority) when the organisation does not have a DPO or a certificate.

- One-stop-shop: this concept is endorsed in general but the Report proposes that where a corporation is established in more than one Member State, the DPA established in the country of residence of an individual complainant should have jurisdiction to deal with the matter. The consistency mechanism would be used to ensure a coherent decision where there were several similar complaints in different countries.

- Sanctions and alternatives: Spain considers that the current system could be improved by providing less stringent alternatives to the imposition of fines. Furthermore, it is proposed that the way in which sanctions are calculated is reviewed on the basis that annual turnover does not equal benefits obtained. This is to avoid the imposition of disproportionate sanctions.

- Technological neutrality: technological neutrality is supported although the Report expresses concerns that such neutrality does not provide for adequate solutions for particular challenges, such as those presented by cloud computing or the transfer of personal data over the Internet.

- Cloud computing: the Report suggests that the Regulation takes this “new reality” into account and suggests the adoption of some measures, for example, those aimed at (1) finding a balance between the roles of controllers and processors in order to avoid cloud service providers becoming solely responsible for the processing of personal data; and (2) simplifying the rules on international transfers of personal data, for example by extending binding corporate rules to the network of sub-processors.

Do BCR now, not later.

Posted on February 23rd, 2013 by Phil Lee

BCR are a big feature of the Commission’s proposed General Data Protection Regulation. Previously a regulatory invention (the Article 29 Working Party first established a structure for BCR back in its 2003 paper WP74), the Commission has sought to put BCR on a solid legal footing by expressly recognising them as a solution for data exports under Articles 39 and 40 of the proposed Regulation. The intent is that, by doing so, all EU Member States will uniformly have to recognise and permit global data transfers using BCR, solving the issue presented today where the national legal or regulatory regimes of one or two Member States inhibit their adoption.

As if further proof were needed of the Commission’s support for BCR, Commissioner Viviane Reding has even gone so far as to say: “Indeed, I encourage companies of all sizes to start working on their own binding corporate rules! Binding corporate rules are an open instrument: They are open to international interoperability. They are open to your innovations. They are open to improve data protection on a global scale, to foster citizens’ trust in the digital economy and unleash the full potential of our Single Market. And more: they are open to go beyond the geographical borders of Europe.”

High praise indeed, and certainly Ms. Reding’s description of BCR matches our own experience helping clients design and implement them. Clients who implement BCR substantially simplify their global data movements and embed a culture of respect for privacy that enhances compliance and drives down risk.

What the Regulation will really mean for BCR adoption

But here’s the thing: far from supporting BCR adoption, the Regulation will make authorisation of BCR harder to achieve, and this flies in the face of the Commission’s very express support for BCR.

Historically, the main barrier to BCR adoption has been the bureaucracy, effort and cost entailed in doing so – early BCR adopters tell war stories about their BCR approval process taking years and having to address conflicting requirements of multiple data protection authorities all over Europe. This burdensome process arose out of a requirement that the BCR applicant needed to have its BCR individually authorised by every data protection authority from whose territory it exported data.

Thankfully, this is an area where huge strides forward have been achieved in recent years, through the implementation of the so-called “mutual recognition” procedure that allows BCR applicants to submit their BCR to a single lead authority; once the lead authority approves the applicant’s BCR, it then becomes binding across all mutual recognition territories (currently 21 of the 27 EU Member States). No more trekking around Europe visiting data protection authorities individually, then.

Mutual recognition has really lifted BCR out of the dark ages into an age of BCR enlightenment, and has been vital to the upswing in BCR applications all over Europe.  Now, though, the proposed Regulation – despite its intended support for BCR – threatens to actually inhibit their adoption, pushing controllers back to using “check box” solutions like model clauses that provide little in the way of real protection.

Why? Because under the draft Regulation, any authority wishing to approve BCR must first refer the matter to the European Data Protection Board under the Regulation’s proposed “consistency mechanism” (designed to ensure consistency of decision making by authorities across Europe). The European Data Protection Board can be thought of as the “Article 29 Working Party Plus”, and comprises the head of each data protection authority across Europe and the European Data Protection Supervisor. In effect, the consistency mechanism necessitates that an applicant’s BCR must once again be tabled before every data protection authority before authorisation can be granted – a step backwards, not forwards. As the ICO noted in its initial analysis of the Regulation: “It is not entirely clear what would happen if, for example, the UK supervisory authority were to approve a set of binding corporate rules but, once informed of the approval, the EDPB takes issue with it.”

To make things worse, it’s not clear how the consistency mechanism will sit with the mutual recognition procedure we have today. Maybe it will supersede the mutual recognition procedure. Maybe it will apply in addition. Or maybe some kind of hybrid process will evolve. We just don’t know, and uncertainty is never a good thing.

The time for BCR is now

What this means is that while BCR will remain the only realistic solution for multinationals exporting data on a global basis, the process for achieving them once the Regulation comes into effect will become much tougher. Add to this the fact that, as a whole, the Regulation will impose stricter data protection standards than exist under the Directive, and BCR applications will attract an even greater level of scrutiny once the Regulation comes into effect than they do today.

So given that there is strong regulatory support for BCR, but that the Regulation will create barriers to adoption, what strategy should multinational controllers adopt?

The answer is simple: do BCR now, not later.

The process for achieving BCR today is more streamlined than it’s ever been, and BCR authorised now will remain in effect once the new Regulation becomes law. When you look at it like that, why not do BCR now?

Smart Meters – new data access and privacy rules for the energy sector

Posted on February 21st, 2013 by David Lewis

The Department of Energy and Climate Change (DECC) carried out numerous studies and soundings in preparation for the rollout of smart energy meters to over 30 million UK homes between 2014 and 2019, but the most polemical press coverage was elicited by the consultation in Spring 2012 on the data access and privacy issues raised by the valuable energy consumption data (Consumption Data) generated by these new metering devices. Some newspapers cited warnings of “cyber attacks by foreign hackers” and “a spy in every home”, and there was much interest in the concerns highlighted in a report published in June by the European Data Protection Supervisor that the most granular real-time Consumption Data could reveal details such as the daily habits of household members or even tell burglars when a house was unoccupied.

The UK government’s response to this consultation, published on 12th December 2012, sheds considerable light on the data protection compliance measures that must be put in place by energy companies, network operators and others who access Consumption Data such as ‘switching’ websites and energy services suppliers. These requirements will apply alongside (and in addition to) those already set out in the Data Protection Act 1998. The measures will be implemented via amendments to the licence conditions adhered to by energy suppliers (enforced by Ofgem) and a new Smart Energy Code overseen by a dedicated Smart Energy Code Panel. A central information hub controlled by a body known as the Data and Communications Company (DCC) will enable remote access to Consumption Data for suppliers and third parties that have agreed to be bound by the Code.

Background: The aim of the UK government’s smart meters programme is to give consumers real-time information about their energy consumption in the hope that this will help to control costs and eliminate estimated energy bills, on top of the environmental and cost-saving side effects of the behavioural changes such information may encourage. In the long term, it is hoped that smart energy data will lead to fluctuating, real-time energy pricing, enabling consumers to see how expensive it will be to use gas or electricity at any given time of day.

Key rules: There are some key elements to the new framework which apply differently to energy suppliers (such as British Gas and EDF Energy), network operators (companies that own and lease the infrastructure for delivering gas and electricity to premises) and “third parties” such as switching websites and energy companies when they are not acting in their capacity as a supplier to the relevant household.

A crucial aspect of the rules that applies to all parties is the requirement to obtain explicit, opt-in consent before using Consumption Data for any marketing purposes. For other uses, third parties will always need opt-in consent to remotely access Consumption Data of any level of granularity, whereas in order to remotely access the most detailed level of Consumption Data (relating to a period of less than one day), energy suppliers will also be required to obtain opt-in consent.

From a consumer protection perspective, perhaps the most important safeguards introduced by the Stage 1 draft of the Smart Energy Code published in November 2012 are the requirements on third parties requesting Consumption Data from the DCC to:

(a) take measures to verify that the relevant household member has solicited the services connected with the third party’s data request;

(b) self-certify that the necessary consent has been obtained; and

(c) provide reminders to consumers about the Consumption Data being collected at appropriate, regular intervals.

Privacy Impact Assessments: In line with Privacy by Design principles promoted by data protection authorities globally, the UK government has developed its own Privacy Impact Assessment to assess and anticipate the potential privacy risks of the smart metering programme as a whole. The idea is that the government’s PIA will be an “umbrella document” and every data controller wishing to access Consumption Data is expected to carry out its own PIA before the new framework comes into force (likely to be this summer). The European Commission is also developing a template PIA for this purpose.

Apart from helping to identify risks to customers and potential company liabilities, PIAs are lauded by the UK Information Commissioner as the best way to protect brand reputation, shape communication strategies and avoid expensive “bolt-on” solutions.

Conclusions: Research carried out as part of the UK government’s Data Access and Privacy consultation showed that the overwhelming concern of consumers questioned was that smart meter data would lead to an increase in direct marketing communications. Many participants did not identify the potential for misuse of Consumption Data until it was explained to them. The less obvious nature of the potential for privacy intrusion of this new data underlines the fact that consent is not a panacea in the case of smart meters (despite the considerable focus on this in the consultation responses).

So, clear and comprehensive information is key. As part of preparing for compliance, companies planning to access Consumption Data should build clear messaging into all customer-facing procedures, including those in respect of all in-person, online and call centre interaction. And whilst some of the finer details of the new rules are yet to be ironed out, it’s clear that every organisation concerned will be expected to digest the details of the new framework now and be fully prepared – including by completing Privacy Impact Assessments – in time for when the regulatory framework comes into force, expected to be June 2013.

A longer version of this article was first published in Data Protection Law & Policy in February 2013.


How the EU and US approach Cybersecurity – the compliance puzzle for the private sector

Posted on February 14th, 2013 by Stewart Room

A common, though slightly belated, New Year resolution has emerged within the EU and the US: a fully-formed ambition to see greater Cybersecurity across the private sector. In the EU, this is signified by the Draft Cybersecurity Directive. In the US, it’s President Obama’s Cybersecurity Executive Order. While the details and tools of regulation differ, there isn’t a cigarette-paper’s width between them on the motives for regulation and the core objectives of Cybersecurity law making. Both agendas were published this month, just four days apart, and they herald the beginnings of a very challenging new compliance puzzle for a wide range of private sector actors, namely those that underpin economic stability and societal well-being.

Before considering the detail of the two approaches, it’s worth remembering the wider context within which they sit. Cybersecurity has been one of the hottest political topics of recent years. It has been rammed up the agenda by a combination of hundreds of high profile cyber incidents, sometimes extreme rhetoric from “opinion formers”, a lot of political grandstanding, and bucket loads of fear mongering, often from people who have solutions to sell. Occasionally the language has been regrettable, with concepts like “Cyber Armageddon” and the UK government’s rating of Cybersecurity as a greater threat than nuclear weapons (within the UK Cyber Security Strategy) being cases in point. Yet, amid the FUD there is truly a very real problem here. Cybersecurity is an incredibly serious problem for societies like ours whose reliance on electronic communications networks and services is total. Neelie Kroes, the EU Commissioner behind the Directive, and President Obama speak the truth when they say that the threats to Cybersecurity could cause us very grave damage.

This contextual view leads to only one conclusion: regardless of the overstatements and the hyperbole, new Cybersecurity law making is necessary, and the trajectory for many businesses is one where wholesale operational change will be necessary.

Yet, a person new to this topic may think after reading the Directive and the Order that the EU and US are not as aligned as my opening seeks to suggest. A reader in the private sector could suggest that on the face of the Order there isn’t much for them to worry about. I mean, President Obama isn’t actually saying that his vision is one of Cybersecurity lawmaking for bigCos.

That observation is fair as far as it goes, but the President lays many clues for those who want to spot them. In his speech launching the Order, he referred expressly to the financial system as being under threat. The Order talks about the economy. There is more than enough there to say with supreme confidence that the US has charted exactly the same course as the EU, as far as the private sector is concerned. To borrow a phrase from one of President Obama’s predecessors, “it’s the economy, stupid”, and so it’s obvious where the President’s priorities lie. The US has to protect the key platforms that support business because the economy rests on them, and much of this is in the private sector. Period.

This will be borne out soon enough, because the Secretary of Homeland Security has been charged with a Presidential task to identify critical infrastructures that need to be protected from cyber threats. This task, which needs to be completed within 150 days, cannot avoid identifying critical infrastructures in the private sector.

However, the US approach to regulation will be one that builds more on cajoling than coercion, in stark contrast to the EU approach. This reflects political differences just as much as cultural and legal differences, and viewing US matters from this side of the pond it’s clear that the President will always have to be cautious in his approach and how he presents things, seeing how split the US political system is. So, the Order talks about consultations and voluntary frameworks, rather than “you must do this”. But however they get there, our US cousins are on the same path as us Europeans.

This is not to say that the EU will not promote consultation processes, industry working groups, the creation of public sector – private sector “partnerships”, and other positive engagements with business, which are the meat and drink of the Presidential Order, but the EU’s overwhelming preference is always regulation with a slap; as far as the EU is concerned why give a friendly tickle when a punch in the mouth will do?

So, what we see within the Directive is the standard EU approach to regulation: the EU prescribes its objectives and then commands the Member States to deliver. The natural result is that rather than dancing around the issue, the Directive names key parts of the private sector as being a compulsory focus of regulation. If President Obama is a ballet dancer, the EU is a headbanger. The Directive is as subtle as a brick. All “market operators” are being ordered to “up” their Cybersecurity, which includes ecommerce platforms, internet payment gateways, cloud services, app stores, search engines, social networks and the financial and payment services sector, namely banking and credit institutions and financial market infrastructures, including stock exchanges and central counterparty clearing houses. And if they fail to be cybersecure they will have to disclose security breaches and take the regulatory pain that will be meted out. At all times they will be overseen by a watchdog, who will feel overwhelming pressure to be tough on failure.

There is a complex compliance puzzle here. Multi-nationals will have to cope with different regulatory styles; that is a given and it can be very unhelpful, yet it is not an uncommon problem and people will adjust. The greater problem is the nature of the organisational change that will be required to deliver legal compliance. Presently, Cybersecurity is a siloed operational function, where most of the corporate intelligence is contained in individuals’ minds rather than written down on paper. The cybersecurity function is concerned more with delivering patching, monitoring its dashboards and so on than with creating an organisational structure that is capable of demonstrating legal compliance to a regulatory mind. How the adjustment from an operational function to a legal compliance function can be properly managed is probably the greatest puzzle that the Directive and the Order present.

Big Data at risk

Posted on February 1st, 2013 by Eduardo Ustaran

“The amount of data in our world has been exploding, and analysing large data sets — so-called Big Data — will become a key basis of competition, underpinning new waves of productivity growth, innovation and consumer surplus”.  Not my words, but those of the McKinsey Global Institute (the business and economics research arm of McKinsey) in a report that evidences like no other the value of data for future economic growth.  However, that value will be seriously at risk if the European Parliament accepts the proposal for a pan-European Regulation currently on the table.

Following the publication by the European Commission last year of a proposal for a General Data Protection Regulation aimed at replacing the current national data protection laws across the EU, Jan Philipp Albrecht (Rapporteur for the LIBE Committee, which is leading the European Parliament’s position on this matter) published his proposed revised draft Regulation at the beginning of 2013.

Albrecht’s proposal introduces a wide definition of ‘profiling’, which was covered by the Commission’s proposal but not defined.  Profiling is defined in Albrecht’s proposal as “any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour”.

Neither the Commission’s original proposal nor Albrecht’s proposal define “automated processing”.  However, the case law of the European Court of Justice suggests that processing of personal data by automated means (or automated processing) should be understood by contrast with manual processing.   In other words, automated processing is processing carried out by using computers whilst manual processing is processing carried out manually or on paper.  Therefore, the logical conclusion is that the collection of information via the Internet or from transactional records and the placing of that information onto a database — which is the essence of Big Data — will constitute automated processing for the purposes of the definition of profiling in Albrecht’s proposal.

If we link to that the fact that, in a commercial context, all that data will typically be used first to analyse people’s technological comings and goings, and then to make decisions based on perceived preferences and expected behaviours, it is obvious that most activities involving Big Data will fall within the definition of profiling.

The legal threat is therefore very clear given that, under Albrecht’s proposal, any data processing activities that qualify as ‘profiling’ will be unlawful by default unless those activities are:

*      necessary for entering into or performing a contract at the request of the individual – bearing in mind that “contractual necessity” is very strictly interpreted by the EU data protection authorities to the point that if the processing is not strictly necessary from the point of view of the individuals themselves, it will not be regarded as necessary;

*      expressly authorised by EU or Member State law – which means that a statutory provision has to specifically allow such activities; or

*      with the individual’s consent – which must be specific, informed, explicit and freely given, taking into account that under Albrecht’s proposal, consent is not valid where the data controller is in a dominant market position or where the provision of a service is made conditional on the permission to use someone’s data.

In addition, there is a blanket prohibition on profiling activities involving sensitive personal data, discriminatory activities or children’s data.

So the outlook is simple: either the European Parliament figures out how to regulate profiling activities in a more balanced way or Big Data will become No Data.


Killing the Internet

Posted on January 25th, 2013 by Eduardo Ustaran

The beginning of 2013 could not have been more dramatic for the future of European data protection.  After months of deliberations, veiled announcements and guarded statements, the rapporteur of the European Parliament’s committee responsible for taking forward the ongoing legislative reform has revealed his position loudly and clearly.  Jan Albrecht’s proposal is by no means the final say of the Parliament, but it is an indication of where an MEP who has thought long and hard about what the new data protection law should look like stands.  The reactions have been equally loud.  The European Commission has calmly welcomed the proposal, whilst some Member States’ governments have expressed serious concerns about its potential impact on the information economy.  Amongst the stakeholders, the range of opinions varies quite considerably – Albrecht’s approach is praised by regulators whilst industry leaders have massive misgivings about it.  So who is right?  Is this proposal the only possible way of truly protecting our personal information or have the bolts been tightened too much?

There is nothing more appropriate than a dispassionate legal analysis of some key elements of Albrecht’s proposal to reveal the truth: if the current proposal were to become law today, many of the most popular and successful Internet services we use daily would become automatically unlawful.  In other words, there are some provisions in Albrecht’s draft proposal that when combined together would not only cripple the Internet as we know it, but they would stall one of the most promising building blocks of our economic prosperity, the management and exploitation of personal information.  Sensationalist?  Consider this:

*     Traditionally, European data protection law has required that in order to collect and use personal data at all, one has to meet a lawful ground for processing.  The European Commission had intended to carry on with this tradition whilst ensuring that the so-called ‘legitimate interests’ ground, which permits data uses that do not compromise the fundamental rights and freedoms of individuals, remained available.  Albrecht proposes to replace this balancing exercise with a list of what qualifies as a legitimate interest and a list of what doesn’t.  The combination of both lists has the effect of ruling out any data uses which involve either data analytics or simply the processing of large amounts of personal data, so the obvious outcome is that the application of the ‘legitimate interests’ ground to common data collection activities on the Internet is no longer possible.

*     Albrecht’s aim of relegating reliance on the ‘legitimate interests’ ground to very residual cases is due to the fact that he sees individuals’ consent as the primary basis for all data uses.  However, the manner and circumstances under which consent may be obtained are strictly limited.  Consent is not valid if the recipient is in a dominant market position.  Consent for the use of data is not valid either if it is presented as a condition of the terms of a contract and the data is not strictly necessary for the provision of the relevant service.  All that means that if a service is offered for free to the consumer – like many of the most valuable things on the Internet – but the provider of that service is seeking to rely on the value of the information generated by the user to operate as a business, there will not be a lawful way for that information to be used.

*     To finish things off, Albrecht delivers a killing blow through the concept of ‘profiling’.  Defined as automated processing aimed at analysing things like preferences and behaviour, it covers what has become the pillar of e-commerce and is set to change the commercial practices of every single consumer-facing business going forward.  However, under Albrecht’s proposal, such practices are automatically banned and only permissible with the consent of the individual, which as shown above, is pretty much mission impossible.

The collective effect of these provisions is truly devastating.  This is not an exaggeration.  It is the outcome of a simple legal analysis of a proposal deliberately aimed at restricting activities seen as a risk to people.  The decision that needs to be made now is whether such a risk is real or perceived and, in any event, sufficiently great to merit curtailing the development of the most sophisticated and widely used means of communication ever invented. 

This article was first published in Data Protection Law & Policy in January 2013.

UK Government’s take on the Regulation: Much to negotiate about

Posted on January 15th, 2013 by Victoria Hordern

Back in November 2012, we reported on the UK’s Justice Committee’s opinion on the European Commission’s proposals to reform the data protection legal framework. It was pretty clear from the opinion that the Justice Committee had significant reservations about the proposed regulation. Now the UK Government (through the Ministry of Justice) has issued its response to the Justice Committee’s opinion.

The response picks up on the conclusions set out in the Committee’s report and provides the UK Government’s view. Overwhelmingly, the Government shares the concerns of the Committee. For instance, the Government argues that the proposed Regulation should be re-cast as a Directive, which would provide greater flexibility for Member States where necessary. While supporting the aspiration of harmonisation and new principles in the draft Regulation such as the consistency mechanism, the Government states that data protection law should ‘secure individuals’ privacy without placing constraints on business practices that harm innovation and growth’.

The Government also has serious concerns about the potential economic consequences of the proposed Regulation and urges that a full assessment of the impact of the draft Regulation be carried out due to the additional administrative and compliance measures introduced. In that vein, the Government agrees with the Information Commissioner’s assessment that the system set out in the draft Regulation won’t work. The Government actively encourages interested parties to use the Government’s Impact Assessment to analyse the impact of the Regulation themselves and provide any feedback to the Ministry of Justice.  

Elsewhere the Government shares the Committee’s concerns around the right to be forgotten and the need for data protection authorities to have discretion when issuing sanctions, but disagrees with the Committee about charging a fee for subject access rights, arguing that organisations should continue to be able to charge a small fee.

Overall, the Government emphasises the need for a risk-based data protection legislative model that moves away from the over-prescription in the Regulation and delivers a more proportionate and balanced approach. It stresses that the data protection framework should focus on regulating outcomes, not processes.

This response suggests that the UK Government is gearing up to take a tough negotiating stance on the proposed changes to the data protection legal framework. However, in view of the recent publication from the European Parliament’s rapporteur Jan Philipp Albrecht whose proposed changes to the draft Data Protection Regulation are ‘stricter, thicker and tougher’, negotiating changes to the proposed framework in line with the UK Government’s preferred position is likely to be hard work.

European Parliament’s take on the Regulation: Stricter, thicker and tougher

Posted on January 9th, 2013 by Eduardo Ustaran


If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much-awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available, and what was already a very complex piece of draft legislation has become by far the strictest, most wide-ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years on previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.