The new EU Data Protection Regulation; Shoulda, Woulda, Coulda?

On the 13^th March 2014 the European Union (EU) Parliament voted with an overwhelming majority to approve a new Data Protection Regulation within the EU. Voting on the initial text that was put forward by the Commission, and not the text put forward by the LIBE committee, the EU Parliament seem to have taken a “middle path” with regards to how this Regulation should work. Many of the Commission’s proposed appointed powers have gone, there doesn’t appear to be any “strict” provisions in there that the LIBE committee would have wanted and yet this approved draft is proposing a comprehensive and different world for Data Protection.

A fully updated draft has not been released by the EU as yet so I went through the painstaking task of making the edits confirmed by the EU to the original commission text. I can safely say I won’t be doing that again and once the approved draft is published I highly recommend that you read through from the beginning to get a flavour of where the regulation is heading and the wording used. I have however pulled out some of the highlights below for general consumption. Before I start however, I will declare that I am from the private sector but as Data Protection & Privacy is more than just a job for me (it’s a passion) I’m not one of those people that have campaigned against it (even if I think some if it is just barmy in my humble opinion).

For those that have worked only with the UK Data Protection Act this new world comes as a bit of a shock. Instead of a principle based approach the current regulation is more of a “financial regulation” with specific stances, requirements and demonstrations that certain things are occurring within an entity. For example, Point 60 requires Data Controllers to demonstrate and ensure compliance with the regulation, with a new sentence stating “this should be verified by independent internal or external auditors”.

However having said that, the EU Parliament have edited Point 65, so that it clears up the “administrative burden” query (or tries to) by stating that yes controllers must demonstrate compliance with the regulation however “equal emphasis and significance should be placed on good practice and compliance and not just the completion of documentation”. One assumes therefore that auditing to “a check list” isn’t going to occur even though the regulation spells out some things that need to be done specifically. Interesting…

‘Data Protection Impact Assessments’ are now outlined in points 71a&b and are very similar to the commission’s proposal that assessments should be done on the lifecycle of information management for processing of personal data. Section 75 states that for public sector bodies processing sensitive personal data or data on more than 5000 data subjects in 12 months they will need to periodically monitor compliance with the regulation. Is the requirement to self-audit the same as the requirement to tick a box?

The phrase that appeared in the initial draft on ‘data portability’ has also changed. It is still there but now Point 55 changes the “right to data portability” to “controllers should be encouraged to develop interoperable formats that enable data portability”. Encouraged how and by whom still remains to be seen.

Another ‘hot phrase’ in the initial draft and current buzz word after the European Court of Justice decision is the “right to be forgotten”, and as predicted that has been changed to now Point 53 has been updated to state that “the right to be forgotten” is indeed now to be called the “right to erasure” and that this right is overwritten where processing is needed for the performance of a contract or to meet local legal requirements. Point 54 & 54a specifically make reference to “online information” and the requirement for the facilitator to block or remove such data if the data subject requests.

On that point, similar concerns around the watering down of legitimate interests have also tried to be abated in this text, and now Point 39 specifically outlines a purpose for processing personal data being a valid “legitimate interest”. Namely the processing for Information Security / Network Security purposes where strictly necessary. 39a also outlines that ‘legitimate interest’ can also include processing for the prevention or limitation of damages on the controller, providing this does not significantly go against the data subject’s rights and freedoms. 39b adds direct marketing processing as a ‘legitimate interest’ again providing this does not go against the rights and freedoms of the individual. Is it me or do some of these provisions say “You can do it, but…”.

There are some further oddities in here; for example, point 32 states that if a controller does not want to follow ‘data minimisation’ requirements there is a burden of proof to justify the processing of Personal Data for that specific purpose / scenario. Again this is nothing new as this is in line with the principles of the UK DPA but we have not seen a requirement to document and justify before. 32 also states that collecting consent on behalf of 3^rd parties is no longer seen as valid consent. Therefore if a business needs 3^rd party data alongside the initial data subject’s data would it need to contact said 3^rd party to seek consent. But then, isn’t it processing said data in order to contact them to get the consent? How would this work I wonder… citizens aren’t going to this for controllers so what other options are there?

Talking of consent, the concern that consent becomes more specific hasn’t been removed as Point 25 clarifies that consent will require “clear affirmative action” by a data subject in order to be seen as a valid consent. Silence or simply use by the data subject of a service would not be acceptable as a valid consent to process personal data. To the above point, how would a controller get such consent from 3^rd parties?

Consent has also been factored in for the use of profiling and that consent can be removed at any time. However Point 58 has been updated to state the for profiling, “Profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject should only be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent”. Now here I believe that “carried out in the course of entering or performance of a contract” means that credit profiling can continue in the UK otherwise these seems to conflict with current legal requirements on Banks and Lenders to ensure that you as the customer can afford the product they offer and that you as the lender are lending responsibly – this can only be done by credit profiling surely?

Another area of concern from the initial text was around breach notification. There is still no useful outline as to what a material breach consists of however Point 67 confirms that data breach notification to the relevant authority “should be presumed to be not later than 72 hours” – somewhat better than the initial 24 hours but still something causing concern among various industries.

On the up side however, a new point specifically referencing Freedom of Information has been added. Point 18 has been updated to make reference to relevant member states Freedom of Information (FOI) legislation and how this regulation interacts with that. That’s some concerns appeased… or is it?

The EU Parliament have also updated what is expected of us DPOs and point 75a states that DPOs should have the following experience / qualifications;

• extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures;
• mastery of technical requirements for privacy by design, privacy by default and data security;
• industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed;
• the ability to carry out inspections, consultation, documentation, and log file analysis;
• and the ability to work with employee representation.

The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties.

Overall the current draft regulation has either been improved from what it was, stayed the same, or gotten worse in some places.

There are some ups and downs, and a few more changes that have been made that I have not referenced here (as I could be here all day). As for next steps for the Regulation I really don’t know who to believe. The ICO in a recent statement stated that they don’t believe there will be a tangible regulation until 2017 at the earliest. But in the same breath they also said (they being David Smith the Deputy ICO) that you should get your house in order now with current requirements as this puts you in a good place ready for the Regulation in 2017. Given how the Parliament approved the text way ahead of schedule and that this piece of legislation is the “most lobbied and campaigned on” in the EU’s history I am inclined to believe that all bets are off. I can see the case that it will come through quickly, especially as the EU is very defensive of Data Protection and Privacy of late. But then I also see the argument and stance from the European Council that they don’t want to rush this and instead want to take their time. As this Regulation would need agreement from the Council, the Parliament and the Commission I can see it rattling on for a while. But, as my favourite TV programme as a child used to say “Stand by for action; anything can happen in the next half an hour”. (For those that don’t know, that was from Stingray – and yes, I am a Geek that needs to get out more).

I have my word document unofficial text which I am happy to share on request but it is very much unofficial and really isn’t to be considered “official” in any capacity. Well worth a read though, and again I recommend that when the official text is finally updated and released (the EU moves at its own pace on such things) that you have it as some bed time reading to fill you with hope (and possibly nightmares).

Nighty night.

Scott Sammons is currently a European Data Protection Officer within the Finance Industry and blogs under the name @privacyminion . Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate which is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.