Author: Fabio Di Resta (published in 2012 by Data Guidance)
The newly proposed regulation on EU data protection law contains many relevant provisions, most of which are necessary to address the future challenges of data protection in the Internet environment. The principles of effectiveness (i.e. stronger powers for DPAs, PIAs, privacy by design and by default), accountability and transparency are the foundation stones on which the proposed regulation was built.
The main objectives of the EC regulation draft are to achieve the ambitious harmonisation of the data protection laws of EU/EEA Member States and to enhance consumers’ trust in the Internet through stronger data protection rules at the EU/EEA level. However, there are points that are not totally clear and to which much attention should be paid.
Extra-territorial criterion: the need for specific exemptions
For instance, the choice of the European Commission to raise the threshold – as recently amended in the published draft – that triggers the application of EU law outside the EU/EEA seems appropriate to address the future challenges of the Internet, but it could still use some amendment, such as more structured exemptions for complex organizations. On this point, different situations are exempted from the application of EU law (article 3 par. 2 and article 25): any controller established in a third country which ensures an adequate level of data protection; any public body; any controller only occasionally offering goods and services to data subjects residing in the EU; and all enterprises employing fewer than 250 persons.
This last exemption – which refers particularly to SMEs – could use some amendment. Also to be considered is the complexity of organizations which operate through the Internet: offers of specific products or services often come from single departments or business units which belong to an organization acting as a single controller, and these departments and units – even with limited staff – have their own budget connected to specific activities (products and services). Thus the quantitative or size criterion of 250 persons, applied to the overall activity of big organizations, should probably be rethought, and the relevance (ancillary or otherwise) within the specific organization of the products or services offered in the EU (recitals 20, 63 and 64 of the EC regulation draft) should be taken into account.
The mandatory appointment of a representative established in the EU/EEA could have a negative impact on the activity of these departments and business units – in case they are considered a data processor and not a controller – and this provision could be considered too dissuasive by big organizations which only have ancillary activity in Europe, especially given that these rules already apply to SMEs.
Consequently, without an enlargement of the exemption there could be several negative effects; for example, the appointment of a representative could be an economic barrier which restricts the choice of EU/EEA consumers, who will not be able to purchase on-line products and services coming from organizations located outside the EU.
Privacy by design and by default
Experience so far has demonstrated that deploying a software application and only afterwards trying to comply with data protection law requirements is costly, inefficient and often ineffective, because of the limits imposed by the application’s design features. The principles of privacy by design and by default aim to solve this problem, especially by embedding all privacy requirements in software systems. More in detail, the concept of privacy by design is becoming worldwide a new proactive and user-centric approach which represents: “a significant shift from traditional approaches to protecting privacy, which focus on setting out minimum standards management practices and providing remedies for privacy breaches, after-the fact” (A Foundational Framework For Privacy by Design – Privacy Impact Assessment, Guidelines proposed by Information & Privacy Commissioner, Ann Cavoukian).
In this context, article 23 of the regulation draft requires the adoption of appropriate procedures and organisational and technical measures, both at the time of the design of the processing and at the time of the processing itself. While standard forms for the data collector’s responsibility are already foreseen (recital no. 131), the regulation draft indicates that the Commission shall adopt delegated acts for further criteria, requirements and mechanisms, with the possibility of adopting technical standards. It should be considered that a globalised world often needs direct-to-market solutions, and ICT developers and Internet operators in particular need legal certainty; a good path to take in this situation could be to publish very clear guidelines which specify the requirements to fulfil the privacy by design principle. On the other hand, the adoption of a preliminary check could risk being too prescriptive, unless it were limited to specific cases.
Lastly, the problem of law enforcement outside the EU/EEA still exists. The worry is that these legal criteria will be considered merely theoretical by extra-EU/EEA countries without further international legal agreements and strong international cooperation at the EU level. Furthermore, with regard to the privacy by design and by default principles, the protection of fundamental rights should not limit technological development in the EU. A good solution would be to adopt flexible and internationally accepted guidelines, without further preliminary checks, which could produce very negative effects in the EU market.