Leaked EU data protection draft SHALL. NOT. PASS.

Doubtful Commission's proposals will be enacted in this form

Analysis The first impression of this leaked text is that this version of the Regulation is more prescriptive than Directive 95/46/EC and will get up the noses of most data controllers and governments. I think the text makes far more fundamental changes than can reasonably be done via a "Regulation" (which has three times as many Articles as the Directive it replaces). And this conclusion is from someone who thinks changes to the UK data protection regime are badly needed*.

I think this text is open to the argument that the Regulation is so long that it should be discussed as a new Directive which can be debated by member states and national parliaments; this ensures the issue then goes into the long grass.

Another risk is that many governments will respond to data controller complaints and argue that in the current economic circumstances this Regulation should be shelved. I can see the Greeks, Spanish, Portuguese, Irish, Italians and UK opposing the text for this reason. Indeed, I wonder whether this is the intent of the leak, but that is perhaps too Machiavellian.

I cannot see the UK accepting this – and to be honest, I doubt whether it will make progress in its current form!! However, this is a summary of its content for what it's worth. Remember it is a leaked version and I would not depend on it; wait until you see the real McCoy (on Data Protection Day, 25 January).

In summary:

  • Article 3 contains new definitions ("personal data breach" based on Article 2(i) of the e-privacy Directive 2002/58/EC as amended by Directive 2009/136/EC, "genetic data", "biometric data", "data concerning health" which is based on the definition of "health data" provided for by ISO 27799, "main establishment", "representative", "enterprise", "group of undertakings", "binding corporate rules", and of a "child" which is based on the United Nations' Convention on the Rights of the Child.)
  • Article 4 sets out the principles relating to personal data processing, which correspond to those in Article 6 of Directive 95/46/EC. Additional new elements are in particular the transparency principle, the clarification of the data minimisation principle and the establishment of a comprehensive responsibility and liability of the controller.
  • Article 5 sets out – based on Article 7 of Directive 95/46/EC – the criteria for lawful processing, which are further specified as regards the balance of interest criterion and processing for the purposes of direct marketing for commercial purposes, the compliance with legal obligations and public interest.
  • Article 6 clarifies the conditions for a change of purpose of the processing, ie, processing for a purpose other than that for which the data were initially collected.
  • Article 7 clarifies the conditions for consent to be valid as a legal ground for lawful processing. Public authorities cannot rely on consent.
  • Article 8 sets out the general prohibition for processing special categories of personal data and the exceptions from this general rule, building on Article 8 of the Directive 95/46/EC.
  • Article 9 introduces the obligation for transparent and easily accessible and understandable information, inspired in particular by the Madrid Resolution on international standards on the protection of personal data and privacy.
  • Article 10 obliges the controller to provide procedures and mechanisms for exercising the data subject's rights, including means for electronic requests, requiring a response to the data subject's request within a defined deadline, and reasons for any refusal.
  • Article 11 provides rights in relation to recipients, based on Article 12(c) of Directive 95/46/EC, extended to all recipients, including joint controllers and processors.
  • Article 15 provides the data subject's right to be forgotten and to erasure. It further elaborates and specifies the right of erasure in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology “blocking”.
  • Article 16 introduces the data subject's right to data portability – ie, to transfer data from one automated processing system to and into another – without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format.
  • Article 17 provides the data subject's rights to object. It is based on Article 14 of Directive 95/46/EC, with some modifications, including as regards the burden of proof and its application to non-commercial direct marketing, in contrast to Article 5(2) which provides that for purposes of commercial direct marketing the data subject's consent is required to make the processing lawful. There is also to be a right to object to profiling.
  • Article 19 takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance.
  • Article 20 sets out the obligations of the controller arising from the principles of data protection by design and by default.
  • Article 21 – on joint controllers – clarifies the responsibilities of joint controllers as regards their internal relationship and towards the data subject.
  • Article 22 obliges controllers not established in the European Union – where the Regulation applies to their processing activities – to designate a representative in the Union.
  • Article 27 obliges the controller and the processor to implement appropriate measures for the security of processing, based on Article 17(1) of Directive 95/46/EC and extending that obligation to processors, irrespective of the contract with the controller. There is an obligation of controllers to inform the supervisory body within 24 hours of any breach, and to inform data subjects within 24 hours if the breach endangers their personal data.
  • Article 32 introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.

There is to be a stronger data protection authority, more trans-European co-ordination on data protection issues (a European Data Protection Board), higher penalties and more powers to the Commission – to get consistency and an obligation on national governments to give their supervisory bodies sufficient monies to operate effectively.

And that is why I think it won't see the light of day in this form. I am not doing a further analysis of it; I await the final text. I suggest you do likewise.

References *

Draft leaked version of a Regulation is on Statewatch here (PDF).

See also "European Commission explains why UK’s Data Protection Act is deficient".

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
