
EU Data Protection reforms go into meltdown as legal advice triggers a fundamental conflict

Simon Davies

The tortuous path of European data protection reform took an unexpected turn into a ravine on Friday as the senior legal advisor to the influential Council of Ministers (representing EU governments) drove a bulldozer through the controversial proposals. The advisor is now arguing that the mechanism being proposed to create privacy harmonization across Europe contradicts the fundamental legal rights of EU citizens.

With this action the Council has run headlong – perhaps fatally so – against the European Commission over legal interpretation of a central pillar of the proposals. In short, the Council’s legal advice says the framework is legally unsustainable, the Commission says that view is rubbish – and stalemate has ensued. Importantly, that stalemate is happening on the eve of the European Parliament general elections.

Viviane Reding: “Data protection has taken a step back”

The reform agenda is intended to create a more consumer-focused legal toolkit for privacy protection across Europe – one that is more relevant, effective and harmonised. But dogged by hostility and stalling tactics, the initiative is running out of time – and into trouble.

Before continuing, it’s worth suggesting that anyone needing a briefing on the ins and outs of the Regulation should consider listening to the Privacy Surgeon’s interview with Europe’s Head of Fundamental Rights, Paul Nemitz. He explains how the process works, its internal dynamics and what the Commission hopes to achieve through the proposed changes.

It’s hard not to mix one’s metaphors when trying to assess what has just happened. “Torpedo” and “time bomb” should be included – and if you’re into conspiracy, “brilliantly calculated sabotage”. But however you choose to describe it, the proposals are now buried in an even deeper pile of rubble than before – and quite conveniently so for some stakeholders.

The proposed new data protection framework – in the form of a Regulation that binds all EU nations – has been ripped and compromised ever since it was presented by the European Commission two years ago. Big Business (generally) tried tearing it apart through a barrage of lobbying while the Council of Ministers, under the leadership of a hostile Irish presidency, gutted many of its key protective provisions. The European Parliament was sharply divided over several fronts.


European Commission officials have attempted to put on a brave face over the mess, insisting that everyone is heading in the same direction, but the latest conflict between the Commission and the Council has put an end to such cosmetics. Even the Great Champion of the reforms, EU Justice Commissioner Viviane Reding, appears to be despondent about any hope of a cheerful resolution to the latest episode.

So what precisely is this about?

For the benefit of those who aren’t legal experts in this domain we should briefly explore the Facts of Life of the present EU data protection regime. How does data protection in Europe actually work?

Well, it sort of works and it sort of doesn’t work, hence the push for reform. When the 1995 EU data protection “Directive” was created each member state had to transpose that document into its own national law. What emerged were some fairly stark differences in the way each state regulates and enforces data protection. At one level this is a hugely confusing situation both for business and for consumers.

True, each nation has its own DP regulator, but there’s little consistency in the powers, functions and limitations of each one. What binds them is a set of principles (proportionality, fairness, etc.). Add to that fifteen years of internal cultural evolution and you get 28 national regulators with wildly different approaches to data protection enforcement.

Germany and the Scandinavian and Nordic countries, for example, have a wide degree of power and autonomy, while Ireland has a business-friendly culture that is shaped in part by a more cumbersome and restrictive legal process. The German Länder of Schleswig-Holstein and Berlin often exhibit progressive and technically aware enforcement policies, while smaller nations such as Slovakia can barely keep up with the day-to-day workload. There is therefore a disproportionate load on such countries as Spain and France to take on major issues such as the globalisation of data.

The idea of the new Regulation was to create a consistently higher universal standard of data protection that gave a predictable high standard of rights across the Union. Well, that was the theory.


At present, because of this diversity, there’s a system of regulatory arbitrage happening across the 28 EU states, with only an informal arrangement to achieve a harmonised approach for consistency of decision-making across the Union. For example, the French regulator (CNIL) has been loosely coordinating an investigation into Google’s new Terms of Service on behalf of all other EU States, but such arrangements have no specific legal framework (which is not the same as saying – as Google insists – that the operation is without legal foundation).

Companies are free to headquarter themselves in “soft” regulatory jurisdictions like Ireland and the UK (where their interests are more likely to be taken into account) while citizens these days are often free to lay a complaint in whatever state is more likely to take their concerns seriously.

It wasn’t always this way. Even as recently as a decade ago some national regulators refused to receive complaints from outside their jurisdiction, but as it became clear that data (and data abuses) recognised no national boundaries the authorities realised that information practices affected every EU state. The emergence of vast global corporations made this fact abundantly clear.

This makes for an interesting and important equation. When, for example, Privacy International took EU-wide action against Google over Street View it very soon became clear that the UK Information Commissioner’s Office had not the slightest intention of coming down hard on the company – even over the most controversial violations such as the Wi-Spy scandal. That level of enforcement was left to other more tenacious national regulators who understood the technology and had a less pragmatic philosophy about the antics of American global corporations. Likewise, Ireland – where Facebook has its key EU office – has been far more lenient on the company than has Germany.

Such flexibility is crucial. The global financial giant SWIFT was forced into partial submission by Benelux regulators who actually understood the ramifications of the corporation’s secret deal with the White House to covertly transmit transaction data on possibly millions of innocent bank consumers. Others stood by and collectively shrugged their shoulders.

The original complaint against SWIFT had been brought by Privacy International to every EU regulator and they simply had no choice but to figure out through a test of fire how to deal with this sudden complex challenge. What emerged from the SWIFT case was a reorganisation of EU regulation in which the collective body of regulators (known as the Article 29 Working Party) took a greater role in coordinating complex complaints that affected all EU countries. In essence, many cases that involve violations in multiple jurisdictions are coordinated through Article 29.


The relationship between the economic power of industry and the tenacity of local regulators is not an unusual equation. Delaware goes easy on companies sheltered in that state, Nevada looks after its casino interests – and for years Switzerland gave special treatment to big investors. Almost all online gambling companies are headquartered in tiny regulatory jurisdictions such as Jersey where they are simply left alone to continue their demonstrably unlawful data practices.

Such arbitrage is a game anyone can play. The US knows this dynamic all too well. Public prosecutors there routinely seek to have prosecutions heard in jurisdictions that statistically give them a greater chance of a conviction (for example by locating the Grand Jury for a drugs trial in Missouri rather than Washington State).

So in a way it’s only right that EU consumers should enjoy the same right. We are, after all, moving in theory to a borderless Europe.

There are some conditions imposed on this freedom. In principle a consumer can lay a complaint with any national regulator as long as the issue affects people in that country, but in practice complainants are expected to deal directly with the regulator of the country in which the company (or government agency) has its base. This is known as the “country of main establishment”.

Under the new proposals the complainant would merely have to notify her own national authority which would then – in theory – coordinate the complaint and forward it for action by the relevant jurisdiction.


Sounds simple, but according to the new advice to the Council of Ministers this “One Stop Shop” concept works against the interests of consumers. The legal advice suggests that rather than creating a simpler process, the proposed approach involves a three-stage obstacle course for complainants.

First, complainants would have to approach their home Data Protection Authority – which would usually have no knowledge or competence in the relevant matter – and hope that details would be passed to the Authority in the data controller’s main establishment.

Second, if the complaint failed, complainants would have to approach the Data Protection Authority and the – perhaps – unfamiliar courts of the main establishment jurisdiction, expending “disproportionate” resources protecting their rights and therefore possibly being dissuaded from exercising those rights.

Finally, the court of the country of origin of the data subject could be bound by a decision made in the country of the main establishment; this could lead to “conflicts of jurisdiction” which would be “disastrous” for the administration of justice.

Europe faces more than a conflict of legal opinion in this matter; it faces a test of the viability of the Union itself and the concept of true harmonization in a borderless environment. Whether it can resolve this challenge any time soon is an uncertain bet either way.