Authors: Fabio Di Resta and Nicola Fabiano (published in 2012 by IAPP)
In the newly proposed regulation on EU data protection law there are many important provisions, most of which are necessary to address the future challenges of data protection in the Internet environment. The principles of effectiveness (i.e. stronger powers for DPAs, PIAs, mandatory appointment of a DPO, the principles of privacy by design and by default, etc.), accountability and transparency are the founding stones on which the new proposed regulation was built.
The main objectives of the regulation draft are to fulfil the ambitious harmonisation of the data protection laws of EU Member States and to enhance consumers’ trust in the Internet through stronger data protection rules at the EU level.
In this article different legal aspects of the proposed framework will be analysed.
Extra-territorial criterion: more specific exemptions
In respect of external scope, it should be considered that the main reason for the broad scope of the existing 95/46/EC Directive is to ensure that individuals are in any case not deprived of EU data protection law and to prevent circumvention of EU law.
The choice of the European Commission to raise the threshold – as recently amended in the published draft – that triggers the application of EU law outside the EU/EEA seems appropriate to address the future challenges of the Internet, but it could still use some amendment, such as more structured exemptions so as not to discriminate against complex organizations. On this point, different situations are exempted from the application of EU law (article 3 par. 2 and article 25): any controller established in a third country which ensures an adequate level of data protection; any public body; any controller only occasionally offering goods and services to data subjects residing in the EU; and all enterprises employing fewer than 250 persons.
This last exemption – which refers particularly to SMEs – could use some amendment. The complexity of organizations which operate through the Internet should also be considered: offers of specific products or services often come from single departments or business units which belong to an organization that is a single controller, and these departments and units – even with limited staff – have their own budget connected to specific activities (products and services). Thus the quantitative or dimension criterion of 250 persons, applied to the overall activity of big organizations, should probably be rethought, and the relevance (ancillary or otherwise) within the specific organization of the products or services offered in the EU (recitals 20, 63 and 64 of the EC regulation draft) should be taken into account.
The mandatory appointment of a representative established in the EU/EEA could impact negatively on the activity of these departments and business units – in case they are considered data processors and not controllers – and this provision could be considered too dissuasive by big organizations which only have ancillary activity in Europe, especially owing to the fact that these rules already apply to SMEs.
Consequently, without an enlargement of the exemption there could be several negative effects; for example, the appointment of a representative could be an economic barrier which restricts the choice of EU/EEA consumers, who will not be able to purchase on-line products and services coming from organizations located outside the EU.
Cloud computing scenario: comparative analysis under the existing 95/46/EC Directive and under the Regulation draft (one-stop-shop and the main establishment criteria)
In the following paragraphs one scenario will be analysed, both under the existing EU/EEA directive and the new regulation draft.
In this IT model personal data are usually processed and stored on servers in several places around the world. The exact place where the data are stored is not always known and it can change over time. In order to trigger the applicability of EU law, the relevant factors are the context of activity of the establishment within the EU (principle of establishment) and the location of the equipment.
In order to fully understand the applicable law issues, the first step is to identify the data controller and its activities. In this context, the buyer of the cloud service could be a data controller. Consider a company that uses an on-line agenda service: if the company uses the agenda in the context of activity of its establishment in the EU, EU law will be applicable. However, the cloud provider could also be, under some circumstances, a data controller. This is the case when it provides an on-line agenda and document sharing service where private parties can upload all their personal appointments and contacts and their synchronization, and can upload documents, store them and share them with selected persons. Different key factors should be taken into account: the context of activity of the establishment; its degree of involvement; and the nature of its activity. Suppose the cloud provider is a data controller located in the UK, Germany and Italy, all of which are establishments: the servers and technical staff for the on-line agenda are located in the UK, while the servers, software and technical staff for the document sharing activity are located in Germany. The establishment in Italy, on the contrary, is not involved in this activity. According to art. 4 of the existing Directive, English law is applicable to the establishment located in the UK, and likewise German law applies to the establishment located in Germany, with the further consequence of being obliged to deal with both the German and the English DPAs; lastly, Italian law does not apply to this data processing, since the Italian establishment is not involved.
One of the implications of the approach mentioned above is the risk of an overlap of national laws applicable to the same data processing, with the further consequence of having to deal with several jurisdictions and Data Protection Authorities. In order to overcome this problem and to give more legal certainty, the main establishment principle was introduced in the EU regulation draft; this principle – also called the one-stop-shop criterion – will apply when a data controller or processor is established in more than one Member State (Recitals 13 and 98 – article 51 paragraph 2).
This is a good principle because it gives legal certainty to companies who do business in Europe, with the possibility of complying with one law for the whole of the EU territory and of dealing with a single data protection authority (lead authority). Analysing the cloud computing scenario mentioned above – in light of the EU regulation draft – once the context of activity of the establishments has been identified, the purpose, means and conditions should also be taken into account. Thus, it could be considered that all the services offered by the cloud provider to users – who upload data for the agenda and documents for storing and/or sharing them – have the same purpose, so it should be regarded that only one processing operation is carried out. Furthermore, considering that the English establishment manages the main activity, being the place of central administration which takes the decisions on the processing of users’ data, only English law will be applicable and the English Information Commissioner will be the Lead Authority to address all complaints from data subjects resident in the EU territory.
The principles of privacy by design and by default and the Commission’s controls
The new legal framework on data protection proposed by the EU Commission introduces, with respect to Directive 95/46/EC, the reference to “data protection by design and by default” (article 23 of the Proposal for a Regulation and article 19 of the Proposal for a Directive). Even though these articles do not describe data protection by design and by default, they compel the controller to “implement appropriate technical and organisational measures and procedures…” and also to “implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing…”. The EU Commission preferred to describe the controller’s duties instead of setting out the legal status of data protection by design and by default. It is very important to clarify the meaning of “data protection by design and by default”, focusing on the true sense of these terms. It is equally interesting to distinguish the expression “data protection by design” from “data protection by default” and to find the actual meaning of each term, because the phrase used by the EU Commission seems to highlight a difference between the two. According to the text of the article it is clear that the EU Commission considers “by design” and “by default” as different concepts, even though they are used in the same sentence.
This approach seems quite different from the one officially used by the International Conference of Data Protection and Privacy Commissioners, that last year adopted a resolution on Privacy by Design proposed by Dr. Ann Cavoukian (Information and Privacy Commissioner of Ontario – Canada).
In this context the expression Privacy by Design is used to describe a method to deal with privacy issues in this new era, where the most valuable aspect is a correct approach to privacy. In this respect, it should be noted that in the “by design” or “by default” approach of the new EU legal framework the term “data protection” is used instead of “privacy”. Furthermore, the Commission’s proposal seems to pay a lot of attention to the technical and security aspects rather than to the legal concerns. The specific reference to “measures and procedures” seems oriented towards PETs (Privacy Enhancing Technologies), which are certainly important, but the future of privacy is Privacy by Design. In conclusion, the hope is that the expression “by design and by default” will not represent a cutting-edge movement or a system founded on technological and security support, but a real methodological approach to handling the future of our privacy in line with the international statements, and that it will become a worldwide privacy standard in the near future.
The right to judicial remedy against the data controller
Article 75, paragraph 2 provides that in case of infringements of data protection rights “proceedings may be brought before the courts of the Member States where the data subjects has its habitual residence”. This article also entails that jurisdictional and international issues will be brought before the national courts – which will decide on the compensation of damages to data subjects – requiring judges highly specialized both in EU data protection law and in international issues, and even called to decide on appeals against the decisions of other countries’ DPAs.
On the other hand, the new consistency mechanism considerably increases the power of the European Commission, which also becomes the ultimate supervisory authority for the protection of data subjects, including the power to suspend, by a reasoned decision, draft measures adopted by a national DPA where there are serious doubts about their consistency with the EU regulation. Furthermore, with regard to the cloud computing scenario analysed above, more and more data subjects resident in the EU will be able both to access one national lead Authority and to take action before the national courts of that country (in which the main establishment is located). Lastly, as stated in paragraph 4 of article 75: “all the Member States shall enforce final decisions by the courts”. This paragraph underlines further consequences of the adoption of the regulation draft: both a stronger free movement of judgments on data protection and the need to ensure the recognition of judgments on data protection issued by other countries’ courts.
Data protection officer requirement and its impact on the national laws
The EU legal framework introduces the data protection officer and, according to article 35 of the proposal for a Regulation, this role is mandatory if:
- a) processing is carried out by a public authority or body;
- b) processing is carried out by an enterprise employing 250 persons or more;
- c) core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
There is no doubt about the relevance of the choice to set up the data protection officer; this solution, strongly hoped for by some Italian privacy professionals, shows how the EU Commission has taken the data protection officer into account, demonstrating that there is a great need to pay attention to privacy matters. It is necessary for people dealing with privacy to have specific expertise and proficiency. This will obviously have consequences for the national laws that need to be implemented to set up the data protection officer according to the EU legal framework; in this way public bodies and enterprises will have a specific department competent for privacy matters. Although not mandatory, the data protection officer role should be regarded as very important also for other organizations with fewer than 250 employees, because privacy is a fundamental right that is not related to the size of a company. Furthermore, this measure goes in the direction of making EU data protection law more user-centred.
Data protection impact assessment requirement
A valuable concept introduced by the EU proposal is the data protection impact assessment. The main reference is article 33 of the proposal for a Regulation: “where processing operations present specific risks to the rights and freedoms of data subjects” the controller “shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. Recently, the EU public bodies started talking about impact assessments and particularly about the PIA (Privacy Impact Assessment). The privacy legal framework in force (Directive 95/46/EC) contains no reference to the impact assessment and there are only a few recent European official documents on this topic. Therefore, the choice of the EU Commission to include the data protection impact assessment in the proposal for a Regulation and for a Directive is of key importance, even though the PIA (Privacy Impact Assessment) is certainly well known in the international context. The aforementioned article 33 describes when and how it is necessary to set up a data protection impact assessment (DPIA).
Explicit consent requirement and navigation over the Internet
According to the aforementioned EU legal framework (article 7) the controller shall acquire the data subject’s consent for specified purposes, and “The data subject shall have the right to withdraw his or her consent at any time”. In this respect, article 4 states that consent “means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. In the case of minors, the processing of personal data of a “child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian”. Last but not least, the provision on the right to be forgotten is very relevant in the Internet environment; it also guarantees users the right to withdraw their consent when “there are no other legitimate grounds for retaining the data”.
The European Data Protection Board
The EU regulation shall establish a European Data Protection Board that, according to article 66 of the proposal for a Regulation, “shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission”. This article describes the different actions that the Board can carry out, and provides that it shall regularly and frequently inform the Commission about the outcome of its activities. Finally, it should be pointed out that the Supervisory Authority will supersede the Art. 29 Working Party and will play a relevant role in the consistency mechanism to guarantee the uniform application of EU law.
The European Commission’s proposal deserves to be appreciated, especially because it addresses the main crucial challenges for data protection law in a globalised world. However, a detailed analysis shows that this proposal could use some amendments. In particular, more attention should be paid to the widespread involvement of all stakeholders, especially multinationals and overseas Authorities such as the Federal Trade Commission. Furthermore, in respect of the extra-territorial jurisdiction of EU law, the worry is that all the provisions will be considered mere theoretical principles by non-EU/EEA countries in the absence of further international legal agreements and worldwide cooperation, which will probably require amending the text in favour of the enforceability of EU law.