By Simon Davies
It’s official. The Council of the European Union, representing Europe’s governments, is moving swiftly to cripple data protection rights for half a billion people.
As noted in a previous blog on the Privacy Surgeon, over recent months a deep chasm has emerged over Europe’s proposed new data protection framework. If this chasm continues to widen, there’s every chance that the emerging DP Regulation could well end up providing a much weaker level of citizen protection than the 1995 Directive that forms the current data protection framework for European nations. This is invariably the outcome whenever governments “modernise” rights.
At the heart of this chasm is a conflict between the EU Council, representing governments, and the European Parliament (EP). This conflict has resulted in a challenge to the core principles of data protection rights.
A year ago the EP overwhelmingly voted for a Regulation that would substantially improve the standard for rights protection while strengthening enforcement powers for DP regulators. These improved conditions were to include increased obligations on organisations that control data and a greater range of sanctions and powers for enforcement authorities. These provisions are now in freefall, both in the private sector and public sector domains.
After analysing the present state of the Regulation, data protection expert Chris Pounder observed several collapse points for data protection – particularly in the public sector:
- A carve out for the public sector (this allows Member States to legitimise processing that otherwise could be in breach of a data protection requirement).
- The “risk based” approach and consent (this transfers some of the risks arising from the processing to the data subject).
- The right to object to the processing (this right, which currently exists under the Data Protection Act, is removed for public sector data controllers).
- There is no requirement in the Regulation to maintain the Directive level of protection.
This analysis was confirmed and extended last month by lobbyplag.eu, which published a high-level assessment of the current state of the Regulation. It advised that of the hundreds of amendments being adopted by Council, the overwhelming majority were intended to weaken existing protections. The crucially important elements of the Regulation – chapters one to three – have been gutted, while the obligations on data controllers imposed in chapter 4 have been badly savaged.
Surprisingly, the country which was identified as the worst offender in this Scorched Earth spree is Germany, which has traditionally supported a high level of data protection. This hostility to the Regulation was later confirmed by Berlin DP commissioner Alexander Dix.
By way of example, Germany wants to change the rules that presently limit data sharing to “specified and explicit purposes”, and instead wants to allow sharing with third parties without any requirement for explicit consent.
The next few months will be pivotal for data protection. In some respects, Ministers are hedging the negotiated outcome of discussions over the Regulation by setting a vastly lower data protection standard in advance of those negotiations. Having said that, it would be folly to rely on the idea of a mathematical ‘half way’ point between the positions of the Council and the Parliament.
The present situation has become so dangerous to data protection that it prompted the Working Party of EU Data Protection Commissioners to raise the alarm. Its chief concern on this occasion is the “purpose limitation principle” (this Second Principle states that any further processing of personal data cannot be for a purpose that is incompatible with the purpose of obtaining that data).
The changes to this principle include conditions under which a further processing purpose is deemed to be compatible with the purpose of obtaining. The Working Party observed:
“The Working Party considers that this situation would render one of the fundamental principles of the data protection framework, the purpose limitation principle, meaningless and void”.
“Such an approach, which conflates the notions of legal basis and further processing for compatible purpose, contradicts the EU data protection acquis and would be illegal under the current legal framework. It could furthermore have no other consequence but to undermine the whole new data protection framework and to dilute the level of protection for EU citizens in comparison to Directive 95/46/EC in force”.
Now Chris Pounder has produced a current analysis that presents an even more sobering picture of the state of play in data protection. Since the time of his first analysis, the collapse points for data protection have widened, providing governments with increased discretion on how to interpret rights.
The situation has reached Match Point, and it seems only an aggressive stance by the European Parliament could save the privacy rights of Europe’s citizens.