Archive for the ‘Right to be forgotten’ Category

Position of Spain on the General Data Protection Regulation: flexibility, common sense and self-regulation

Posted on March 7th, 2013 by Nuria Pastor

As expectations and concerns rise whilst we wait for the final position of the LIBE committee and the European Parliament on the General Data Protection Regulation (the “Regulation”), the report issued by the Spanish Ministry of Justice on the Regulation (the “Report”) and the recent statements of the Spanish Minister of Justice are music to our ears.

A few weeks ago the Spanish Minister of Justice expressed concern that SMEs could be ‘suffocated’ by the new data protection framework. This concern seems to have inspired some of the amendments suggested in the Report which are designed to make the Regulation more flexible. These include substantive changes to reduce the administrative burdens for organisations with a DPO or for those that have adhered to a certification scheme, and the calculation of fines on profits rather than turnover.

Spain favours a Regulation that relies on self-regulation and accountability, clearly steering away from a restrictive ‘one size fits all’ approach which establishes an onerous (and expensive to comply with) framework. The underlying objective of these proposals seems to be the protection of the SMEs at the core of the Spanish economy. A summary of the Spanish position is provided below:

- Regulation v Directive: there is agreement that a Regulation is the best instrument to standardise data protection within the EU. This is despite the fact that this will cause complications under Spanish Constitutional law.

- Data protection principles: the Report favours the language of the Data Protection Directive (which uses the expression “adequate, relevant and not excessive”) as it allows more flexibility than the language of the Regulation which refers to personal data being “limited to the minimum necessary”. In updating personal data, the Report suggests that this should only be required “whenever necessary” and depending upon its expected use as opposed to the general obligation currently set out by the Regulation.

- Information: the requirement to inform individuals about the period during which personal data will be kept is considered excessive and very difficult to comply with. The Report suggests that this should only be required “whenever it is possible”.

- Consent: the requirement of express consent is seen as too onerous in practice and “properly informed consent” is favoured, the focus being on whether individuals understand the meaning of their actions. The adoption of sector by sector solutions in this context is not ruled out.

- Right to be forgotten: this right is considered paramount but the point is made that a balance has to be found between “theoretical technological possibilities” and “real limitations”. Making an organisation solely responsible for the erasure of personal data which has been disseminated to third parties is regarded as excessive.

- Security incidents: various amendments to the articles that regulate breach notifications are suggested to introduce less stringent requirements to the proposed regime. The suggested amendments remove the duty to notify the controller within 24 hours and also limit the obligation to notify for serious breaches only. Notifications to data subjects are also limited to those that would not have a negative impact on the investigations.

- DPOs: it is proposed that the appointment of DPOs should not be compulsory but should be encouraged by incentives such as the suppression of certain administrative burdens (as referred to below). Organisations without the resources to appoint a DPO may also be encouraged to adopt a “flexible and rigorous” certification policy or scheme. Such certifications would be by sector, revocable and renewable.

- Documentation, impact assessments and prior authorisation: the suggested amendments propose a solution whereby organisations which hold a valid certificate or which have appointed a DPO, would not have to maintain documentation, carry out PIAs or request authorisation to data protection authorities as provided for by Articles 28.2, 33 and 34 of the Regulation respectively.

- International transfers: Spain favours the current system but suggests that this could be made more flexible by only requiring the authorisation of the data protection authority for contractual clauses (which have not been adopted by the Commission or an authority) when the organisation does not have a DPO or a certificate.

- One-stop-shop: this concept is endorsed in general but the Report proposes that where a corporation is established in more than one Member State, the DPA established in the country of residence of an individual complainant should have jurisdiction to deal with the matter. The consistency mechanism would be used to ensure a coherent decision where there were several similar complaints in different countries.

- Sanctions and alternatives: Spain considers that the current system could be improved by providing less stringent alternatives to the imposition of fines. Furthermore, it is proposed that the way in which sanctions are calculated is reviewed on the basis that annual turnover does not equal benefits obtained. This is to avoid the imposition of disproportionate sanctions.

- Technological neutrality: technological neutrality is supported although the Report expresses concerns that such neutrality does not provide for adequate solutions for particular challenges, such as those presented by cloud computing or the transfer of personal data over the Internet.

- Cloud computing: the Report suggests that the Regulation takes this “new reality” into account and suggests the adoption of some measures, for example, those aimed at (1) finding a balance between the roles of controllers and processors in order to avoid cloud service providers becoming solely responsible for the processing of personal data; and (2) simplifying the rules on international transfers of personal data; for example, by extending binding corporate rules to the network of sub-processors.

European Parliament’s take on the Regulation: Stricter, thicker and tougher

Posted on January 9th, 2013 by Eduardo Ustaran

If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years to previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.

 

The UK’s Justice Committee is not impressed with the EU Data Protection Framework Proposals

Posted on November 2nd, 2012 by Victoria Hordern

In the week that the UK Parliament voted for a real-terms cut in the EU’s future budget, it’s no particular surprise to hear criticism from UK Parliamentarians levelled at EU institutions. On Thursday this week, the House of Commons Justice Committee produced its opinion on the European Commission’s legislative proposals for reform of EU data protection law. Whilst accepting that reform of data protection law is necessary, the opinion urges the Commission to ‘go back to the drawing board and devise a regime which is much less prescriptive’. The opinion strongly calls upon the Commission to re-think a number of issues including the division of the proposals into a Regulation and Directive, the drive towards harmonisation at the expense of flexibility, the need for a proper impact assessment, the right to be forgotten and the power of data protection authorities to issue sanctions. The Justice Committee heard evidence from the Ministry of Justice (in charge of negotiating the UK’s position on the proposals), the Information Commissioner’s Office, the EU Commission as well as representatives of UK small businesses, the police, privacy and consumer lobbyists and global businesses.   

Regulation and Directive

While the MoJ and ICO remained resistant to splitting the proposals for reform between a Regulation (for most data processing) and a Directive (for data processing for law enforcement and judicial co-operation), the Commission argued that this split was deliberate to give Member States flexibility to take their particular culture and type of legislation into consideration. So, in the case of the UK, the Commission considered this accommodated the UK’s reliance on common law.  However, a number of witnesses considered that the protection afforded by the draft Directive was less than the protection provided by the draft Regulation so potentially not protecting the rights of individuals. 

Principles rather than prescription?

There was considerable opposition to the prescriptive elements in the Regulation and the ICO, amongst others, encouraged an outcome focused approach based on principles. On the other hand, privacy and consumer lobbyists welcomed the administrative requirements on controllers which they considered helped to secure the rights of individuals.

Good for business?

It was accepted that simple, harmonised rules would greatly help small businesses seeking to expand across the EU as well as global businesses. However, the more prescriptive the rules the harder it would be for businesses to comply (particularly small businesses). The MoJ saw a real threat to business if the Regulation placed extra burdens on businesses and stated that it would influence negotiations to ensure a proportionate, flexible approach that does not impede entrepreneurship. The recent announcement from the EU Justice Commissioner Viviane Reding that she does not wish to see small businesses overburdened by the Regulation should provide some relief for businesses overawed by the compliance requirements of the Regulation.

Good for the ICO?  

Representatives from the ICO stated bluntly that they would not be able to resource their new role under the Regulation. Additionally, the MoJ made it clear that the ‘wish list of extra responsibilities and tasks’ for the ICO under the Regulation was ‘genuinely wishful thinking’. Likewise, the ICO objected to having its hands tied by the Regulation when it came to identifying and dealing with compliance failures and wanted regulators to have more discretion to apply their own judgement and experience.

The European Commission

In the Commission’s view enhanced harmonisation would make global processing of personal data simpler and cheaper and thus lead to increased business for the EU. However, this picture of harmonisation downplays the efforts that organisations will have to go to in order to strive for this end.  The MoJ and others sharply criticised the impact assessment that the Commission provided as inadequate and the Justice Committee called for a full assessment of the impact of the proposals.

The Commission also argued that they had sought to technology-proof the Regulation by leaving flexibility in the form of delegated Acts for the Commission to implement later. However, there was significant criticism from witnesses on the extent and scope of provisions for delegated Acts which potentially gave power to the Commission to prescribe technical formats, standards and solutions. There appears to be some scope for movement on this point given Viviane Reding’s recent announcement that she was willing to review the delegated Acts individually and to limit them to only what is truly necessary for future technological developments.

The right to be forgotten

Comments from the ICO provided insight into this controversial concept as Christopher Graham indicated (to his surprise) that Viviane Reding had told him that the right to be forgotten was ‘more of a political slogan’ which actually represented something that already existed. So amidst all the excitement and debate that the trumpeting of the right to be forgotten had stirred up, there was now a suggestion that it wasn’t really a big deal after all. The MoJ strongly emphasised that it would resist the implementation of the right to be forgotten since it would raise unrealistic expectations that will prove impossible to fulfil. More cautiously, the Justice Committee recognised the importance of an individual’s right to delete their data but recommended that the phrase ‘right to be forgotten’ should be avoided since it was misleading. Since the right to be forgotten is inextricably linked in most people’s minds with social media, it was significant that the MoJ considered that parts of the Regulation appeared to be overly-concerned with social media (an anxiety that has perhaps infected the tenor of the drafting).

Subject access rights

Although there were objections from the Federation of Small Businesses to the abolition of the £10 fee for access to personal data and the MoJ was clearly sympathetic to these concerns, the Justice Committee (along with privacy and consumer lobbyists) supported the Commission’s position that the right of access should be free. The MoJ was urged to change its negotiating position on this point.

Justice Committee’s conclusions

In the Committee’s view, the draft Regulation does not produce a proportionate, practicable, affordable or effective system of data protection. Therefore the Committee lay out a stark choice for the Commission: either pursue harmonisation under a Regulation by focusing on the elements essential to harmonise and deploy the consistency mechanism and the European Data Protection Board to achieve this, or use a Directive to set out the outcomes to be achieved and leave implementation down to Member States, thus forgoing an element of harmonisation and consistency. With respect to the new draft Directive on processing personal data for law enforcement and judicial co-operation purposes, the Committee queried whether there is a pressing need to amend EU law in this area. 

What next?

The Justice Committee was asked by the European Scrutiny Committee to provide an opinion on the new data protection framework proposals. Although it has delivered its opinion, the opinion contains a number of outstanding actions on the MoJ to clarify its view or provide responses to the Committee on certain aspects of the new data protection framework. This may well inform the MoJ’s position as it continues to negotiate at European level on the shape of the data protection framework proposals.

Brussels calling: news on the Regulation

Posted on October 12th, 2012 by Olivia Harrisson

There was a definite data protection buzz in Brussels this week as the European Parliament hosted a two-day Inter-parliamentary Committee Meeting to discuss the new EU Data Protection framework, proposed by the European Commission in January.

Representatives of global technology organisations, consumer protection groups, members of national parliaments and members of the EU institutions were prominent among the innumerable stakeholders there, each eager to present their views and contribute to the debate.

The conference was organised by the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the body appointed by the European Parliament to assist with the data protection reforms, headed up by rapporteurs Jan Albrecht and Dimitrios Droutsas.

Since the Lisbon Treaty came into force in 2009, the European Parliament and the Council of the European Union are jointly responsible for negotiating and agreeing upon legislative proposals put forward by the Commission. It follows then that this conference provided a fundamental platform upon which stakeholders could share their opinions and concerns, and an important means by which legislators could gain insight into the practical, legal and economic realities behind the proposals. These contributions will feed directly into the legislative process, and LIBE will no doubt consider them when preparing its draft opinion on the reforms which is expected later this year.

So what then was the outcome of the conference? There are certainly many questions that remain unanswered and it was pointed out by Simon Davies from the London School of Economics that there is almost no agreement among stakeholders on any single point. A huge amount of re-thinking and re-drafting will no doubt ensue. That said, what was abundantly clear was an overwhelming support in principle for the reforms and, despite there being some way to go in terms of getting the legislation right, a sense that the key people responsible for drafting it are listening to what people have to say.

For instance, Viviane Reding (the Vice President of the Commission) made it clear that the Commission would consider reducing the vast number of delegated acts. This will no doubt have come as welcome news to many. Delegated and implementing acts enable the Commission to supplement and amend certain non-essential elements of the legislation once it has come into force. In other words, they achieve flexibility and enable clauses to be drafted in a technologically neutral manner, making way for new technological innovations that will be prevalent in the years to come. The counter argument though is that delegated acts give the Commission excessive (and in many cases unnecessary) powers, which would constitute a bar to strengthening democracy and promoting transparency across the EU.

Francoise Le Bail (the Commission’s Director General for Justice), whilst defending the number of delegated acts currently drafted, recognised there were a lot of question marks and problems outstanding but stressed that stakeholder contributions were valued by the Commission which is determined to take into account the proposals and comments made. There is still room then for voices to be heard.

The debate on delegated acts was one thing, and there are no prizes for guessing some of the other controversial elements that repeatedly cropped up. The “right to be forgotten”, “one-stop-shop”, “consent”, “profiling” and “data protection by design” were all key concepts which unsurprisingly featured in the debate and, whether for or against them, the general view was clear. The drafting needs to be tightened up, and greater clarity is needed in many cases so as to be sure of the exact rights and obligations of everyone concerned.

The proposed legislation does after all affect a huge number of people; not just citizens, but consumers, SMEs, global organisations and public authorities are all affected, and this was also a key feature of the debate. On the one hand, we were reminded that data protection is a fundamental right of each citizen in the EU and measures must be taken to protect that right; on the other we were reminded that data, which flows across the digital environment in ever-increasing volumes, is a hugely important economic asset, not to mention a vital component in terms of law enforcement.

So a balance needs to be struck. There are clearly business incentives for building trust in the digital environment, and similarly there is an undisputed recognition of the fact that we need to bolster the rights of individuals. It seems that all stakeholders are recognising the need to be flexible in their approach and response to these reforms, and are working hard to achieve a robust and coherent legal system that will, over the coming years, facilitate innovation whilst providing people with protection and control of their data, to enable the EU to continue to be a major player in the digital economy.

LIBE is expected to present its draft report on the proposed legislation by the end of this year, after which Member States will be invited to table their amendments. LIBE will then meet to discuss those amendments and it is expected that an orientation vote (where the committee votes and concludes upon its initial position in light of the negotiations) will be held in April 2013.

What to do when you can’t delete data?

Posted on October 2nd, 2012 by Phil Lee

How many lawyers have written terms into data processing contracts along the following lines: “Upon termination or expiry of this Agreement, the data processor shall delete any and all copies of the Personal Data in its possession or control”?

It’s a classic example of a legal clause that’s ever so easy to draft but, in this day and age, almost impossible to implement in practice.  In most data processing ecosystems, the reality is that there seldom exists just a single copy of our data; instead, our data is distributed, backed-up, and archived across multiple systems, drives and tapes, and often across different geographic locations.  Far from being a bad thing, data distribution, archival and back-up better preserves the availability and integrity of our records.  But the quid pro quo of greater data resilience is that commitments to comprehensively wipe every last trace of our data are simply unrealistic and unachievable.

Nevertheless, once data has fulfilled its purpose, deletion is seemingly what the law requires. The fifth principle of the Data Protection Act 1998 (implementing Article 6(e) of Directive 95/46/EC) says that: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.” So how to reconcile this black and white approach to data deletion with the reality of modern day data processing systems?

Thankfully, the ICO has the answer, which it provides in a recently-published guidance note on “Deleting personal data” (available here). The ICO starts off by acknowledging the difficulties outlined above, commenting that “In the days of paper records it was relatively easy to say whether information had been deleted or not, for example through incineration. The situation can be less certain with electronic storage, where information that has been ‘deleted’ may still exist, in some form or another, within an organisation’s systems.”

The sensible answer it arrives at is to say that, if data cannot be deleted for technical or other reasons, then it should instead be put ‘beyond use’.   Putting data ‘beyond use’ has four components, namely:

  1. ensuring that the organisation will not and cannot use the personal data to inform any decision in respect of any individual or in a manner that affects the underlying individuals in any way;
  2. not giving any other organisation access to the personal data;
  3. at all times protecting the personal data with appropriate technical and organisational security; and
  4. committing to delete the personal data if or when this becomes possible.

Broadly speaking, you can condense the four components above into: “Delete it if you can and, if you can’t, make sure it’s stored securely and don’t let anyone use it”. Which is, of course, entirely sensible advice.

It does raise one interesting problem though: what to do when the individual data subject requests access to his or her data that has been put beyond use? Here, the ICO again takes a business-friendly view saying simply that “We will not require data controllers to grant individuals subject access to the personal data provided that all four safeguards above are in place.” In other words, the business does not need to instigate extensive (and expensive) searches of records that have been put beyond use just because an individual requests access to his or her data – for the purposes of subject access, this inert data is treated as if it had been deleted.

But the ICO does issue a warning: “It is bad practice to give a user the impression that a deletion is absolute, when in fact it is not.” So the message to take away is this: make sure you do not commit yourself to data deletion standards that you know, in all likelihood, you can’t and won’t meet.   And, by the same token, don’t let your lawyers commit you to these either!

The Justice Committee’s first bite of the new Data Protection Framework Proposals

Posted on September 4th, 2012 by Victoria Hordern

This morning the UK Parliament’s Justice Select Committee held its first evidence session on the EU Data Protection Framework Proposals. Representatives from the Association of Chief Police Officers, the Met Police, the Federation of Small Businesses, Microsoft as well as the Information Commissioner’s Office provided their views on the two draft EU legal instruments – the Directive (concerned with criminal data) and the Regulation (concerned with pretty much everything else).

Criticism

While the witnesses accepted that the Regulation did bring welcome changes to reduce certain aspects of the current regime’s bureaucracy (for instance, around notifying DPAs), the overwhelming response was to criticise the overly-engineered text of the Directive and Regulation (including the numerous delegated powers given to the EU Commission).  A key tension in the Regulation exists between the drive towards harmonisation (particularly dear to the Commission) and the consequent prescriptive practices and procedures that the Commission’s version of harmonisation requires.

The Business view

Although international businesses are keen on a single data protection standard across the EU, this becomes less palatable when the requirements for that standard are set out in precise detail. Additionally, while the Regulation appears to hold out all sorts of new rights to individuals as data subjects, industry queried what incentives the Regulation contained for them to comply and what compensation they would receive for the additional administrative burdens they would have to bear (such as maintaining detailed documentation about their data processing and responding to subject access requests if the fee is abolished). Industry supported an approach that encouraged codes of conduct and certification to promote trust between consumers and business.

The Regulator’s view

In his evidence, Christopher Graham, the Information Commissioner, was particularly trenchant in his view that full compliance by the Information Commissioner’s Office with the requirements of the Regulation was not only unworkable but also exorbitantly expensive. He indicated that potentially millions more pounds would need to be allocated to the ICO for the office to fulfil its obligations under the Regulation such as checking that data controllers appoint DPOs or carry out PIAs. The ICO emphasised the need for the Regulation to focus on good data protection outcomes rather than prescribing the means by which this is achieved. For the ICO, the Regulation should promote a risk-based rather than one-size-fits-all approach.

The ICO was optimistic that its view during the negotiations on the Regulation would make some headway.  In particular the ICO was not keen to see its reputation as a regulator that advises and assists transformed into an administrative centre where it is obliged to punish compliance failures with no ability to apply discretion and judgment.

The right to be disappointed….

Although there was some discussion amongst the Committee and witnesses on the impact of the right to be forgotten, some witnesses considered this would swiftly become a ‘right to be disappointed’. Though packaged up as a new right, witnesses made the point that a similar if not identical right already exists in the current regime. Additionally the practical feasibility of organisations scouring the internet to identify and delete every reference to an individual means that it will be well nigh impossible for an organisation to conclusively delete every reference to an individual. Disappointment and disenchantment would inevitably set in. The ICO also mentioned that it is still unclear whether search engines would be caught by the obligation to implement an individual’s right to be forgotten.

Why the Big Buzz about Big Data?

Posted on June 29th, 2012 by Phil Lee

Another year, another buzz word, and this time around it’s “Big Data” that’s getting everyone’s attention. But what exactly is Big Data, and why is everyone – commercial organisations, regulators and lawyers – so excited about it?

Put simply, the term Big Data refers to datasets that are very, very large – so large that, traditionally, supercomputers would ordinarily have been required to process them. But, with the irrepressible evolution of technology, falling computing costs, and scalable, distributed data processing models (think cloud computing) Big Data processing is increasingly within the capability of most commercial and research organisations.

In its oft-quoted article “The Data Deluge”, the Economist reports that “Everywhere you look, the quantity of information in the world is soaring. According to one estimate, mankind created 150 exabytes (billion gigabytes) of data in 2005. [In 2010], it will create 1,200 exabytes.” Let’s put that in perspective – 1,200 exabytes is 1,200,000,000,000 gigabytes of data. A typical Blu-Ray disc can hold 25 gigabytes – so 1,200 exabytes is the equivalent of about 48 billion Blu-Ray discs. Estimating your typical Blu-Ray movie at about 2 hours long (excluding special features and the like), then there’s at least 96 billion hours of viewing time there, or about 146,000 human lifetimes. OK, this is a slightly fatuous example, but you get my point – and bear in mind that global data is growing year-on-year at an exponential rate so these figures are already well out of date.

Much of this Big Data will be highly personal to us: think about the value of the data we all put “out there” when we shop online or post status updates, photos and other content through our various social networking accounts (I have at least 5). And don’t forget the search terms we post when we use our favourite search engines, or the data we generate when using mobile – particularly location-enabled – services. Imagine how organisations, if they had access to all this information, could use it to better advertise their products and services, roadmap product development to take account of shifting consumer patterns, spot and respond to potentially-brand damaging viral complaints – ultimately, keep their customers happier and improve their revenues.

The potential benefits of Big Data are vast and, as yet, still largely unrealised. It goes against the grain of any privacy professional to admit that there are societal advantages to data maximisation, but it would be disingenuous to deny this. Peter Fleischer, Google’s Privacy Counsel, expressed it very eloquently on his blog when he wrote “I’m sure that more and more data will be shared and published, sometimes openly to the Web, and sometimes privately to a community of friends or family. But the trend is clear. Most of the sharing will be utterly boring: nope, I don’t care what you had for breakfast today. But what is boring individually can be fascinating in crowd-sourcing terms, as big data analysis discovers ever more insights into human nature, health, and economics from mountains of seemingly banal data bits. We already know that some data sets hold vast information, but we’ve barely begun to know how to read them yet, like genomes. Data holds massive knowledge and value, even, perhaps especially, when we do not yet know how to read it. Maybe it’s a mistake to try to minimize data generation and retention. Maybe the privacy community’s shibboleth of data deletion is a crime against science, in ways that we don’t even understand yet.” (You can access Peter’s blog “Privacy…?” here.)

This quote raises the interesting question of whether the compilation and analysis of Big Data sets should really be considered personal data processing. Of course, many of the individual records within commercial Big Data sets will be personal – but the true value of Big Data processing is often (though not always) in the aggregate trends and patterns they reveal – less about predicting any one individual’s behaviours, reactions and preferences, and more about understanding the global picture. Perhaps it’s time that we stop thinking of privacy in terms of merely collecting data, and look more to the intrusiveness (or otherwise) of the purposes to which our data are put?

This is perhaps something for a wider, philosophical debate about the pros and cons of Big Data, and I wouldn’t claim to have the answers. What I can say, though, is that Big Data faces some big issues under data protection law as it stands today, not least in terms of data protection principles that mandate user notice and choice, purpose limitation, data minimisation, data retention and – of course – data exports. These are not issues that will go away under the new General Data Protection Regulation which, as if to gear itself up for a fight with Big Data proponents, further bolsters transparency, consent and data minimisation principles, while also proposing a new, highly controversial ‘right to be forgotten’.

So what can and should Big Data collectors do for now? Fundamentally, accountability for the data you collect and process will be key. Your data subjects need to understand how their data will be used, both at the individual and the Big Data level, to feel in control of this and to be comforted that their data won’t be used in ways that sit outside their reasonable expectations of privacy. This is not just a matter of external facing privacy policies, but also a matter of carefully-constructed internal policies that impose sensible checks and balances on the organisation’s use of data. It’s also about adopting Privacy Impact Assessments as a matter of organisational culture to identify and address risks whenever using Big Data analysis for new or exciting reasons.

Big Data is, and should be, the future of data processing, and our laws should not prevent this. But, equally, organisations need to be careful that they do not see the Big Data age as a free for all hunting season on user data that invades personal privacy and control. Big issues for Big Data indeed.

Have your say on the draft Data Protection Regulation

Posted on February 8th, 2012 by Hannah Jackson

Is a fine of up to 2% of annual worldwide turnover too big? Is it possible to report data breaches within 24 hours?

The Ministry of Justice has opened a call for evidence on the European Commission’s draft General Data Protection Regulation. The information obtained from the four-week long evidence gathering exercise will be used to help inform the Government’s negotiating position on the Regulation.

The call for evidence itself is wide-ranging and comments are requested on:

- the potential consequences of the Regulation on the processing of personal data;

- the likely benefits to individuals and the effect on their data protection rights;

- the extent to which the proposal builds “trust in the online environment”; and

- the impact of the proposal on economic growth.

Stressing the need for responses to include “quantifiable costs and benefits” and “real life examples”, the Ministry of Justice appears receptive and keen to hear views on the proposed Regulation.

To make the most of this opportunity, we suggest that you review the draft Regulation in the context of your industry and think about how the rights and obligations it creates will apply to your business. For example, how will an individual’s ‘right to be forgotten’ sit with the way that your sector uses personal data? Will the changes regarding the use of data processors affect the way that you operate? We can of course help you decode the Regulation and consider how it may apply – we also recognise from our own experience working on the Regulation that the challenge for business will be in framing a response which clearly sets out its impact.

Although time is short (there is a four-week window in which to delve through the Regulation and draft an effective response to the call for evidence), the willingness on the part of the Ministry of Justice to engage with stakeholders suggests that it will be worth it. Given the scale of the proposed changes and on the premise that if ‘you don’t ask, you don’t get’, the call for evidence offers interested parties a valuable opportunity to engage with, and help shape, the future of data protection both in Europe and, if the current draft Regulation is anything to go by, worldwide!

The call for evidence closes on either 4 March 2012 (according to the Call for Evidence paper itself) or 6 March 2012 (the date provided on the Justice website). Further information, including the call for evidence questionnaire can be found at http://www.justice.gov.uk/consultations/data-protection-proposals-cfe.htm.

More indications about the new EU data protection rules

Posted on November 17th, 2011 by Antonis Patrikios

In an interview with the Washington Post, Viviane Reding, the EU Justice Commissioner, gave more indications about what we can expect from the tougher European regime that is in the pipeline.

The key points are:

* “Our reforms are aimed at getting rid of the fragmentation and providing consistency and coherence for the whole of the continent”. This is the clearest sign yet that we can expect a Regulation directly applicable in all Member States, as opposed to a Directive, which is subject to national implementation.

* “Self-regulation can be little more than a fig leaf. It works only if there is strong, legally binding regulation in the first place”. Not only tougher substantive rules, but also more heavy-handed regulation are likely to be on their way. If so, we can expect more disputes and litigation.

* “We do have a set of rules today that is not always applied and controlled in the way it should be. That has led to fragmentation and different interpretations of the rules”. The proposals may also include a mechanism to ensure at least some degree of consistency in the application of data protection rules across Member States; a supra-national data protection regulator perhaps?

* “It is clear that every citizen has a right to their own data. Before a company can use your data they should ask for permission. This is a basic rule of the European Union”. As expected, the new instrument will attempt to further empower consumers, particularly by imposing a requirement for explicit consent before their data are used and by introducing a right to have their data deleted at any time.

* “Data breaches is one of the questions that is very high on the agenda [...] We will extend the telecom rules to the Internet”. As expected, the mandatory breach notification obligations currently applying to Telcos and ISPs will be extended to internet services, online traders and private-sector medical records, and possibly to the broader economy.

The interview can be found here: http://www.washingtonpost.com/blogs/post-tech/post/qanda-eu-chief-privacy-regulator-on-new-internet-rules/2011/11/15/gIQAOeZzRN_blog.htm

The guessing game

Posted on August 26th, 2011 by Eduardo Ustaran

It has been a busy year for the European Commission’s Data Protection Unit so far. Day after day, week after week, month after month, a multicultural team of officials based in an unassuming Brussels building have been brainstorming ideas, poring over written submissions and listening patiently to the wishes, concerns and ideas of those who hope to have a say in the future European data protection framework. Despite all this hard work, it seems that we may not see a formal proposal until the end of the year. The reason for this – in addition to the massive pressure to get the first draft right – is that the Commission would like to feed into the proposal the outcomes of the current public consultations on cloud computing and data breach notification. That is understandable but in the meantime, and to temper our anxiety, we can make an informed guess of what we will be presented with.

Much of the debate surrounding this process so far has been around the form that the new legislative framework will take.  If, as it has been made patently clear, the primary objective of the legislative reform is to achieve the greatest possible degree of harmonisation, the Commission is likely to favour a Regulation over another Directive.  The effect of this would be a single piece of legislation immediately applicable across the European Union without the need for implementation at a national level.  If the extremely clumsy implementation process of the revised e-privacy directive is anything to go by, the prospect of a Regulation seems very possible indeed.  However, even a Regulation would be enforced at a national level by each data protection authority, so an element of local interpretation will always exist.

A crucial building block of the new regime will be the rules determining the applicability of the law.  For EU-based organisations, a Regulation would solve the problem of facing multiple national laws and the ‘country of origin’ principle seems the way forward in terms of determining the competent data protection authority.  The big change in this respect will be for overseas organisations, which will find themselves subject to EU law, not when they happen to serve a humble cookie on an EU-based machine, but when they target people in Europe, for example by employing them or marketing to them.

With regard to the substantial content of the new framework, much of our beloved law will stay with some tweaks.  An important objective of the new legal framework will be to give greater control to individuals.  The cornerstone of this, as trumpeted by Viviane Reding, is the so-called ‘right to be forgotten’ which is meant to allow individuals to get their personal information removed from publicly available platforms like networking sites and other websites.  However, the huge two-fold difficulty with extending this beyond the current right to object is how to reconcile it with the freedom of expression of others to disseminate information and the intermediary roles of those which only act as conduits for this information.

As for transparency and consent, expect clever attempts to make these two aspects truly meaningful.  Once again, the emphasis will be on putting people in control, but let’s hope that the Commission’s efforts to make legal obligations clear cut do not translate into unachievable targets like the Working Party’s unqualified interpretation of consent as prior, express opt-in and nothing else.  At the very least, it is reasonable to assume that the legal grounds for processing personal data will continue to include – and possibly expand – the legitimate interest condition to justify such processing.

However, for most organisations the key new ingredient will no doubt be the ‘accountability package’. Not that it will ever be called that, but it is almost certain that a whole range of practical measures – from mandatory data protection officers to privacy impact assessments, and possibly internal audit and training requirements – will make their way into the black letter of the law. An outstanding question is to what extent this will be linked to the provisions affecting international data transfers. In all probability, the Commission will retain some restrictions but widen the mechanisms available to ensure that such transfers are lawful. The greatest hope of all is that at the end of the day, the EU legislative bodies manage to come up with a regime that shows the benefits of data protection for all and encourages compliance not just for the sake of it, but for the good of the future generations. Time will tell.

This article was first published in Data Protection Law & Policy in August 2011