Leaked EU data protection draft SHALL. NOT. PASS.
Doubtful Commission's proposals will be enacted in this form
Analysis The first impression of this leaked text is that this version of the Regulation is more prescriptive than Directive 95/46/EC and will get up most data controllers and governmental noses. I think the text makes far too many fundamental changes than can be reasonably done via a "Regulation" (which has three times as many Articles as the Directive it replaces). And this conclusion is from someone who thinks changes to the UK data protection regime are badly needed*.
I think this text is open to the argument that the Regulation is so long that it should be discussed as a new Directive which can be debated by member states and national parliaments; this ensures the issue then goes into the long grass.
Another risk is that many governments will respond to data controller complaints and argue that in the current economic circumstances that this Regulation should be shelved. I can see the Greeks, Spanish, Portuguese, Irish, Italians and UK opposing the text for this reason. Indeed, I wonder whether this is the intent of the leak, but that is perhaps too Machiavellian.
I cannot see the UK accepting this – and to be honest, I doubt whether it will make progress in its current form!! However, this is a summary of its content for what it's worth. Remember it is a leaked version and I would not depend on it; wait until you see the real McCoy (on Data Protection Day, 25 January).
- Article 3 contains new definitions ("personal data breach" based on Article 2(i) of the e-privacy Directive 2002/58/EC as amended by Directive 2009/136/EC, "genetic data", "biometric data", "data concerning health" which is based on the definition of "health data" provided for by ISO 27799, "main establishment", "representative", "enterprise", "group of undertakings", "binding corporate rules", and of a "child" which is based on the United Nation’s Convention on the Rights of the Child.)
- Article 4 sets out the principles relating to personal data processing, which correspond to those in Article 6 of Directive 95/46/EC. Additional new elements are in particular the transparency principle, the clarification of the data minimisation principle and the establishment of a comprehensive responsibility and liability of the controller.
- Article 5 sets out – based on Article 7 of Directive 95/46/EC – the criteria for lawful processing, which are further specified as regards the balance of interest criterion and processing for the purposes of direct marketing for commercial purposes, the compliance with legal obligations and public interest.
- Article 6 clarifies the conditions the change of purpose of the processing, ie, for another purpose than that for which the data have been initially collected.
- Article 7 clarifies the conditions for consent to be valid as a legal ground for lawful processing. Public authorities cannot rely on consent.
- Article 8 sets out the general prohibition for processing special categories of personal data and the exceptions from this general rule, building on Article 8 of the Directive 95/46/EC.
- Article 9 introduces the obligation for transparent and easily accessible and understandable information, inspired in particular by the Madrid Resolution on international standards on the protection of personal data and privacy.
- Article 10 obliges the controller to provide procedures and mechanism for exercising the data subject's rights, including means for electronic requests, requiring response to the data subject's request within a defined a deadline, and the motivation of refusals.
- Article 11 provides rights in relation to recipients, based on Article 12(c) of Directive 95/46/EC, extended to all recipients, including joint controllers and processors.
- Article 15 provides the data subject's right to be forgotten and to erasure. It further elaborates and specifies the right of erasure in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology “blocking”.
- Article 16 introduces the data subject's right to data portability – ie, to transfer data from one automated processing system to and into another – without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format.
- Article 17 provides the data subject's rights to object. It is based on Article 14 of Directive 95/46/EC, with some modifications, including as regards the burden of proof and its application to non-commercial direct marketing, in contrast to Article 5(2) which provides that for purposes of commercial direct marketing the data subject's consent is required to make the processing lawful. There is also to be a right to object to profiling.
- Article 19 takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance.
- Article 20 sets out the obligations of the controller arising from the principles of data protection by design and by default.
- Article 21 – on joint controllers – clarifies the responsibilities of joint controllers as regards their internal relationship and towards the data subject.
- Article 22 obliges controllers not established in the European Union – where the Regulation applies to their processing activities – to designate a representative in the Union.
- Article 27 obliges the controller and the processor to implement appropriate measures for the security of processing, based on Article 17(1) of Directive 95/46/EC and extending that obligation to processors, irrespective of the contract with the controller. There is an obligation of controllers to inform the supervisory body within 24 hours of any breach, and to inform data subjects within 24 hours if the breach endangers their personal data.
- Article 32 introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.
There is to be a stronger data protection authority, more trans-European co-ordination on data protection issues (a European Data Protection Board), higher penalties and more powers to the Commission – to get consistency and an obligation on national governments to give their supervisory bodies sufficient monies to operate effectively.
An that is why I think it won’t see the light of day in this form. I am not doing a further analysis of it; I await the final text. I suggest you do likewise.
Draft leaked version of a Regulation is on Statewatch here (PDF).
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.