By Simon Davies
The powerful Council of the European Union last week released its proposals to amend the draft data protection regulation. The proposals are almost precisely in line with those suggested by industry lobbyists over the past few months.
The proposals, developed under the business-friendly Irish presidency, have dangerously wounded prospects that the new regulation will strengthen European privacy.
In short, the Council’s proposals will put the onus on industry to police itself, except in limited circumstances. The role of the Commission will be all but eliminated, national regulators will have less discretion to take action and – crucially – the rights of data subjects will be reduced.
Readers will need to judge the devastation for themselves, but here is a quick partial summary of some of the proposals. You can read a further analysis on the Hunton & Williams site. They were also foreshadowed in this blog.
From a prescriptive framework to a risk-based approach. This means that instead of being required to follow a set of harmonised procedures and safeguards to protect information, data controllers can decide for themselves what constitutes a risk, and merely show that they have taken some steps to mitigate that risk. This will include the development of self-regulating codes of conduct.
All or nothing. The new proposals hold a gun to the parliament by proposing that no part of the regulation should be enacted unless the entirety is agreed, and that in such an event the current Directive should be repealed and replaced in due course by another. This provision allows a widespread veto by governments to sabotage the entire regulation unless they get what they want.
Consent downgraded from explicit to unambiguous. The requirement to obtain consent has been all but eliminated, with data controllers no longer required to establish evidence that consent was received, and – in some cases – consent may be replaced by notice.
Nuclear option defused. The provisions in the current regulation that allow the Commission to create delegated and implementing acts to enable the regulation would be all but entirely removed, making the reforms almost rudderless and without any system of amendment or protection at the Commission level.
Data breach notification. The proposals extend the notification period for data breaches from 24 to 72 hours, and only those that might result in “serious” harm must be reported to the data protection authority.
Direct marketing excluded. In an extraordinary result for corporate lobbying, direct marketing would by default be considered a legitimate data process and would therefore – by default – be lawful.
Exemption for social networking. All social networking and online activities conducted by individuals will be exempt from the regulation, meaning that a vast regulatory black hole will open up across online information flows.