Leaked EU data protection draft SHALL. NOT. PASS.

Doubtful Commission's proposals will be enacted in this form

Analysis

The first impression of this leaked text is that this version of the Regulation is more prescriptive than Directive 95/46/EC and will get up the noses of most data controllers and governments. I think the text makes far more fundamental changes than can reasonably be made via a "Regulation" (it has three times as many Articles as the Directive it replaces). And this conclusion comes from someone who thinks changes to the UK data protection regime are badly needed*.

I think this text is open to the argument that the Regulation is so long that it should be discussed as a new Directive, which can then be debated by member states and national parliaments; that would ensure the issue goes into the long grass.

Another risk is that many governments will respond to data controller complaints and argue that, in the current economic circumstances, this Regulation should be shelved. I can see the Greeks, Spanish, Portuguese, Irish, Italians and UK opposing the text for this reason. Indeed, I wonder whether this is the intent of the leak, but that is perhaps too Machiavellian.

I cannot see the UK accepting this, and to be honest I doubt whether it will make progress in its current form! However, here is a summary of its content for what it's worth. Remember it is a leaked version and I would not depend on it; wait until you see the real McCoy (on Data Protection Day, 25 January).

In summary:

  • Article 3 contains new definitions ("personal data breach", based on Article 2(i) of the e-privacy Directive 2002/58/EC as amended by Directive 2009/136/EC; "genetic data"; "biometric data"; "data concerning health", based on the definition of "health data" in ISO 27799; "main establishment"; "representative"; "enterprise"; "group of undertakings"; "binding corporate rules"; and "child", based on the United Nations' Convention on the Rights of the Child).
  • Article 4 sets out the principles relating to personal data processing, which correspond to those in Article 6 of Directive 95/46/EC. Additional new elements are in particular the transparency principle, the clarification of the data minimisation principle and the establishment of a comprehensive responsibility and liability of the controller.
  • Article 5 sets out – based on Article 7 of Directive 95/46/EC – the criteria for lawful processing, which are further specified as regards the balance of interest criterion and processing for the purposes of direct marketing for commercial purposes, the compliance with legal obligations and public interest.
  • Article 6 clarifies the conditions for a change of purpose of the processing, ie, processing for a purpose other than that for which the data were initially collected.
  • Article 7 clarifies the conditions for consent to be valid as a legal ground for lawful processing. Public authorities cannot rely on consent.
  • Article 8 sets out the general prohibition for processing special categories of personal data and the exceptions from this general rule, building on Article 8 of the Directive 95/46/EC.
  • Article 9 introduces the obligation for transparent and easily accessible and understandable information, inspired in particular by the Madrid Resolution on international standards on the protection of personal data and privacy.
  • Article 10 obliges the controller to provide procedures and mechanisms for exercising the data subject's rights, including means for electronic requests, a requirement to respond to the data subject's request within a defined deadline, and reasons for any refusal.
  • Article 11 provides rights in relation to recipients, based on Article 12(c) of Directive 95/46/EC, extended to all recipients, including joint controllers and processors.
  • Article 15 provides the data subject's right to be forgotten and to erasure. It further elaborates and specifies the right of erasure in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology “blocking”.
  • Article 16 introduces the data subject's right to data portability – ie, to transfer data from one automated processing system to and into another – without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format.
  • Article 17 provides the data subject's rights to object. It is based on Article 14 of Directive 95/46/EC, with some modifications, including as regards the burden of proof and its application to non-commercial direct marketing, in contrast to Article 5(2) which provides that for purposes of commercial direct marketing the data subject's consent is required to make the processing lawful. There is also to be a right to object to profiling.
  • Article 19 takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance.
  • Article 20 sets out the obligations of the controller arising from the principles of data protection by design and by default.
  • Article 21 – on joint controllers – clarifies the responsibilities of joint controllers as regards their internal relationship and towards the data subject.
  • Article 22 obliges controllers not established in the European Union – where the Regulation applies to their processing activities – to designate a representative in the Union.
  • Article 27 obliges the controller and the processor to implement appropriate measures for the security of processing, based on Article 17(1) of Directive 95/46/EC and extending that obligation to processors, irrespective of the contract with the controller. There is an obligation of controllers to inform the supervisory body within 24 hours of any breach, and to inform data subjects within 24 hours if the breach endangers their personal data.
  • Article 32 introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.

There is to be a stronger data protection authority, more trans-European co-ordination on data protection issues (a European Data Protection Board), higher penalties and more powers for the Commission (to get consistency), and an obligation on national governments to give their supervisory bodies sufficient money to operate effectively.

And that is why I think it won't see the light of day in this form. I am not doing a further analysis of it; I await the final text. I suggest you do likewise.

References

Draft leaked version of the Regulation is on Statewatch (PDF).

* See also "European Commission explains why UK's Data Protection Act is deficient".

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
