Data protection enforcement vote by EU Ministers is a two-edged sword

By Simon Davies

At a meeting earlier today in Brussels, EU Justice Ministers agreed to support significant enforcement powers for a future pan-European data protection authority.

Under the new understanding, the proposed European Data Protection Board (EDPB) would be empowered to review decisions where a conflict of opinion arises between national data protection regulators. That is, a decision by a national regulator concerning the activities of a multinational company could in effect be “appealed” by any other regulator who disagreed with the ruling (in an original proposal, one third of national regulators would have to object).

At first sight this development could be seen as good news in terms of more consistent enforcement of global corporations such as Google and Apple, but privacy campaigners shouldn’t rush for the champagne just yet. As with any court of law, appeals can be lodged from either side.

Paula Barrett, a partner at law firm Eversheds, told Reuters: “The revised approach seems to open the door to more conservative voices amongst the data protection authorities having an even greater say.”

The fact that countries that have been opposed to strong data protection (such as Ireland and Britain) argued in favour of the now defunct “one-third equation” indicates that the new agreement by Ministers should be a plus for privacy, but the end result is likely to be a lottery.

Opponents of today’s vote argued that the new condition would invite a flood of appeals to the EDPB, causing substantial bureaucracy and delay. Those in favour argued that national regulators should not lose control of their jurisdiction just because a company was headquartered in another country and cases were decided entirely by the DPA in that country.

Whatever the situation, the new Regulation is dependent on a core condition: “Nothing is agreed until everything is agreed”, meaning that today’s vote could be reversed when Ministers meet again in June.

Today’s development should be viewed from a much wider perspective. Over recent months, a deep chasm has emerged over Europe’s proposed new data protection framework. If this chasm continues to widen on the present trajectory, there is every chance that the emerging DP Regulation could well end up providing a weaker level of citizen protection than the 1995 Directive that forms the current data protection framework for European nations.

At the heart of this chasm is a conflict between the EU Council, representing governments, and the European Parliament (EP). This conflict has resulted in a challenge to the core principles of data protection rights.

A year ago the EP overwhelmingly voted for a Regulation that would substantially improve the standard for rights protection while strengthening enforcement powers for DP regulators. These improved conditions included increased obligations on organisations that control data and a greater range of sanctions and powers for enforcement authorities. These provisions are now in freefall, both in the private sector and public sector domains.

After analysing the present state of the Regulation, data protection expert Chris Pounder observed several collapse points for data protection in the public sector:

  • A carve-out for the public sector (this allows Member States to legitimise processing that otherwise could be in breach of a data protection requirement).
  • The “risk based” approach and consent (this transfers some of the risks arising from the processing to the data subject).
  • The right to object to the processing (this right, which currently exists under the Data Protection Act, is removed for public sector data controllers).

  • There is no requirement in the Regulation to maintain the Directive level of protection.

This analysis was confirmed and extended earlier this month by lobbyplag.eu, which published a high-level assessment of the current state of the Regulation. It advised that of the hundreds of amendments being adopted by Council, the overwhelming majority were intended to weaken existing protections. The crucially important elements of the Regulation – chapters one to three – have been gutted, while the obligations on data controllers imposed in chapter 4 have been badly savaged.

Surprisingly, the country which was identified as the worst offender in this Scorched Earth spree is Germany, which has traditionally supported a high level of data protection. This hostility to the Regulation was later confirmed by Berlin DP commissioner Alexander Dix.

By way of example, Germany wants to change the rules that presently limit data sharing to “specified and explicit purposes”, and instead wants to allow sharing with third parties without any requirement for explicit consent.

The next few months will be pivotal for data protection. In some respects Ministers are hedging the negotiated outcome of discussions over the Regulation by setting a vastly lower data protection standard in advance of those negotiations. Having said that, it would be folly to rely on the idea of a mathematical ‘half way’ point between the positions of the Council and the Parliament. The present data protection environment is far less predictable than that, and the negotiated outcome could well be more complex and messy than we imagine.