Who: European Council Working Group on Information Exchange and Data Protection (“DAPIX”)
Where: Brussels
When: 19 December 2014
Law stated as at: 19 January 2015
What happened:
The latest draft of the General Data Protection Regulation currently being debated by the European Council has been leaked by DAPIX. A draft Regulation has been on the table and subject to much lobbying and negotiation since January 2012. So three years in, are we any closer to consensus on the draft? Well, the short answer is no and the latest draft reveals that far from being close to agreement there are still lots of areas being debated.
Key points:
The most striking thing about the leaked draft is the number of footnotes recording reservations and objections made by Member States, a total of 497, and in particular the number of reservations and objections made by the UK – over 80.
There has also been a great deal of additional language inserted to introduce qualifications or caveats to some of the most stringent new provisions. Although we are constantly told that nothing is agreed until everything is agreed and provisions negotiated out of the leaked draft could return, there have been some notable changes especially on key issues that have been particularly controversial. This is how the draft addresses some of the most keenly debated areas:
1. Consent is still a big issue
On the fundamental issue of consent, there is a continued emphasis that it must be “freely given” but still lots of debate about whether it should be “explicit” and that word has been removed in the face of objections by some Member States. In addition, there is some clarity that where processing has multiple purposes “unambiguous” consent must be given to processing “for one or more specific purposes”.
These three key elements of consent: whether it should be “unambiguous,” “explicit” and whether it should be given for “one or more specified purposes.” are clearly still being keenly debated and so it is difficult to predict whether all or indeed none of these will survive to the final draft.
2. Profiling
Of more concern to marketers, it looks like the requirements in Article 20, which are that for practical purposes profiling can only be done for marketing/ targeting purposes where the data subject has given their explicit consent, will remain. There is further emphasis on the requirement for data controllers to inform data subjects about the existence of any profiling and its consequences with a specific reference to the performance of a data protection impact assessment being required in some circumstances.
However, there is a possible chink of light for marketers because even without explicit consent the current draft lays down that profiling can be undertaken if it is necessary in connection with the entering into or performance of a contract with the individual – this might be a similar provision to the current prerequisites for the soft opt-in under the Privacy and Electronic Communications Regulations, but we would expect some guidance on how far this might stretch to cover pre-sales activities. The other possibility given in the draft is for profiling to be permitted if authorised by the law of a Member State where those laws adequately safeguard the data subject’s legitimate interests.
This might allow Member States to decide to relax the proposed rules relating to profiling but does not help to improve the harmonisation of laws across the EU.
3. The Right to be Forgotten is not forgotten!
On the much vaunted, and of course already in existence, “right to be forgotten”, the UK along with six other Member States wants it out of the Regulation altogether. They take the view that this right as enshrined in the proposed new Article 17, was “rather an element of the right to privacy than part of data protection and should be balanced against the right to remember [this introduces a potentially new concept!] and access to information sources as part of the [right to] freedom of expression.”
For now, it is still included and there is some guidance on how this might be achieved in an online environment, such as by temporarily moving the selected data to another processing system or making the selected data unavailable to users or removing it from the website.
4. Security breach notification
Another key area of debate has been the short timescales and triggers for notifying regulators of security breaches and according to the footnotes in the draft, a number of Member States have raised concerns about over-notification.
The current time limit for notification is 72 hours and the requirement has now been limited to a breach “which is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, [breach of pseudonymity], damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage”.
Also, in addition to a carve out from the notification obligation if the data controller has implemented appropriate technological and organisational protection measures to the data affected in particular “to render it unintelligible to persons not authorised to access it in particular by encrypting the data”, the latest draft also says that data controllers can avoid having to notify if they have taken “subsequent measures which ensure that the high risk for the rights and freedoms of data subjects … is no longer likely to materialise”.
5. The path to dis-harmonisation?
Lastly, bearing in mind that one of the key aims of the new Regulation is to address “fragmentation in the way that data protection is implemented across the Union, legal uncertainty ..” and “[D]ifferences in the level of protection of the rights and freedoms of individuals..” (quoting from recital 7 of the draft Regulation), one of the most surprising elements of the leaked draft is the introduction of some discretion at Member State level in the way that certain provisions may be changed.
A good example is the requirement that data controllers designate a data protection officer (a DPO). In earlier drafts, this was a blanket requirement for most data controllers but it seems now to be an option unless required by Member State law. This may be welcome to many businesses but they should be careful for what they wish for: whilst on the one hand giving Member States discretion could help business by removing some of the administrative burden in certain areas, it could on the other hand add to the cost and burden of compliance if a business operates across the EU and there are differences in local laws.
Another indication of some leeway at Member State level is a reference to a permitted “margin of manoeuvre” to allow Member States to maintain or introduce national provisions to further specify the application of the Regulation. This could lead to some gold plating by certain Member States and lead to a lack of uniform protections.
Why this matters:
Once agreed the General Data Protection Regulation will replace the existing EC Directive from 1995 and will be effective in each Member State without needing any local laws to implement it. Given the sweeping changes contained in the Regulation and taking into account the extent to which organisations collect, use and share personal data in increasingly sophistically and complex ways, we continue to advise companies to prepare now. Companies should assess the impact of the new law and ensure that their existing compliance processes provide a solid foundation for the new laws to avoid getting caught out.
At European level, the negotiations will continue, most likely for the rest of 2015, before a draft has finally been agreed. There will then be a period of two years before it is in force and companies have to comply. We will continue to monitor progress and the release of any further drafts and report them on marketinglaw.co.uk.