DATA PROTECTION IN THE EU: IT’S TIME FOR A CHANGE
The leaders of the member states of the European Union (EU) met in Stockholm, Sweden in 2009 to discuss the future political progress in the area of justice, freedom and security. Despite the ever-present financial crisis, the meeting did produce an action plan, the Stockholm Programme (SP), that was meant to advance ‘people’s Europe’ into the new decade. Included in the action plan was a section concerning the protection of citizens’ rights within the information society. In this the European Council (the Council) invited the Commission of the European Union (the Commission) to “…evaluate the functioning of the various instruments on data protection and present, where necessary, further legislative and non-legislative initiatives to maintain the effective application of the above principles…”
Taking the initiative provided by the Stockholm Programme (SP), in conjunction with the EU growth strategy (Europe 2020), the Commission proposed two new legislative acts in January 2012. The first is the most ambitious in its scope and in its form, and is concerned with the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). The second legislative act concerns the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.
This article will focus on the General Data Protection Regulation (Regulation) because it is here that the various institutions and member states of the EU have come farthest. The proposed Regulation will follow the ordinary legislative procedure according to Article 294 of the Treaty on the Functioning of the European Union (TFEU) and has been reviewed by the parliaments of the member states, the Committee of the Regions, the European Data Protection Supervisor (EDPB), the Council and the European Economic and Social Committee (EESC). In order to better understand the Regulation, some of its stated objectives will be explored, as well as some of the differences between the Regulation and the current Directive (Directive 95/46/EC) and the major criticisms of the proposed Regulation.
One of the primary objectives of the Regulation is to bring the legislation concerning data protection into line with current EU fundamental law. The signing of the Lisbon Treaty in 2009 has created some problems for the current Directive, particularly now that the Charter of Fundamental Rights (the Charter) from 2000 has become part of the primary legislation of the EU legal system. The Commission feels that the current Directive is not compatible with Article 8 of the Charter which is meant to protect personal data. Article 8 states, among other things, that everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. The current Directive fails to provide sufficiently for this right.
According to the Commission there are two other main objectives, besides the more general legal objective outlined above, to the proposed Regulation. The first is to strengthen the individual. The second is to enhance the Single Market. The two objectives are not meant to be mutually exclusive: the efficient functioning of the market should strengthen the rights of the individual, and strong individual rights are good for the market.
The objectives for creating a new legislative act can be expanded beyond individuals’ rights and the Single Market to include securing a high level of data protection in all areas, ensuring proper enforcement of the rules adopted for this purpose, facilitating international transfers of personal data and setting universal data protection standards. The objectives are both local and international. On the one hand they can be seen as a combination of a fundamental right to privacy and a drive to improve the Single Market (with regard to lowering administrative burdens for companies through increased harmonization), and on the other hand a wish on the part of the Commission and the EU to set a global standard for personal data protection.
What then can be said about the differences between the current Directive and the new Regulation as a means of achieving the objectives of the EU? The first difference is in the legal form that the new legislative act takes. A regulation, according to the treaties of the EU, is binding in its wording and directly applicable in the member states. This is in contrast to a directive, which is not binding in its wording and usually (there are exceptions) not applicable until implemented into the laws of the member state. The result of this difference is that legislation derived from a directive looks different from one member state to the next. This means there is a risk that the objective of a certain EU legislative act might be jeopardized by differences in the application of a directive. This does not mean that there are no mechanisms to ensure objectives (the Court of Justice of the European Union is but one example of such a mechanism), but a Regulation is meant to ensure that the domestic legislation of each member state is identical.
The differences between the current Directive and the new Regulation are found not just in the legal form of the legislative act. Differences are also found in the organizational structure of data protection. The new Regulation creates the position of data protection officer. These officers would be required in companies with over 250 employees or at state agencies. They would monitor the application of the Regulation at the company level and ensure that the various outputs that the Regulation requires are produced.
Perhaps the most interesting innovation of the new Regulation is the application of the right to be forgotten. This right is not new as such; it has existed previously in different forms. What is different is the scope of this right. Article 17.1 in the proposed Regulation can be compared with Article 12(b) in the current Directive. Article 17 provides specific areas in which individuals may demand that personal information be removed from databases. Article 12 in the Directive dealt with the right of access to personal data and hinted at the right to be forgotten, but did not provide sufficient legal support. Instead its focus was on the removal of inaccurate data. The Parliamentary Committee on Civil Liberties, Justice and Home Affairs pointed out that Article 17 is a balancing act between the rights of the individual in the digital environment and maintaining an exception for freedom of expression. “Where the individual has agreed to a publication of his or her data…a ‘right to be forgotten’ is neither legitimate nor realistic”. (Draft Report on General Data Protection, 2012/001 [COD])
The various institutions and member states have all had criticisms of the new Regulation. The critics have tended to direct their criticisms towards the document itself and not towards the Commission, as the legislative process has been inclusive of key actors. The criticisms of the proposed Regulation have been particularly focused on three areas. Most vocal have been the criticisms of the use of power delegation found within the Regulation. Other criticisms have concerned the use of risk analysis and the administrative burdens that the new legislation would put on companies and state agencies.
Many have criticized the Regulation’s use of delegated acts to resolve practical issues. This is a delicate question that gets to the root of the entire EU legal system. To what extent should the Commission dictate and to what extent should the member states be free to legislate as they deem appropriate? Critics have pointed out that the Regulation makes excessive use of delegated acts that might conflict with, if not the wording of the treaties, then their intention. The EESC, in particular, considers that this goes far beyond the limits laid down in Article 290 TFEU, which stipulates that “the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts”. The EESC is concerned that the Regulation is not explicit enough about what the Commission is to legislate.
The Commission has argued that delegated acts have been used in order to avoid creating legislation that was overly prescriptive, so that it could remain flexible with regard to developing technologies. But legislation that is too vague would be a threat to legal certainty. The EESC suggests that certain areas could be left to the EDPB instead of the Commission as a way of ensuring harmonization while removing some of the problems associated with delegating powers to Brussels.
Another criticism has been that the Regulation does not take sufficient account of risk. Data protection is important, but that protection must be in proportion to the risk that the information will be misused or abused. As the Presidency (which was held by Cyprus) put it, “where the data protection risk is higher, more detailed obligations would be justified and where it is comparably lower, the level of prescriptiveness can be reduced.” (Note from Presidency to COREPER, 26 November 2012)
There are also concerns about the administrative burdens that would be created by the new Regulation. The Commission has attempted to mitigate obligations by excluding businesses with fewer than 250 employees from some of the most burdensome provisions. But as the Council pointed out, the size of the company has no relation to how much personal information is going to be stored and how that information will be protected. A better determinant would be the amount of risk associated with certain data processing operations. The use of risk would reduce administrative burdens for those whose work does not involve large amounts of personal data.
The Regulation also reflects the conflict between those member states that are concerned that a harmonized data protection system may be difficult to adapt to domestic constitutional systems and those member states that argue that personal data has become transnational, thus requiring transnational regulation. The German Bundesrat was particularly concerned with this as regards the principles of subsidiarity and proportionality that are key to the EU legal system (the principle of subsidiarity is found in Article 5.3 of the Treaty on European Union [TEU] and proportionality in Article 5.4 TEU). This debate is particularly apparent with regard to the use of personal data by the public sector. According to the German Bundesrat there is no clear mandate for the Commission to regulate the protection of personal data in the public sector. The question becomes whether there should be separate legislation for public agencies and their use of personal data and legislation that deals with the private sector. This issue has not been resolved.
The combination of the objectives of the Regulation and the various critiques that have been presented are all part of the democratic practice of the EU. It could be argued that the democratic process here with regard to data protection is an expression of the relativity of personal data. It is difficult to pinpoint the moment when data goes from personal to public. The key may be in providing a choice to the individual on establishing that moment.
The EU sees data protection not as an absolute right, but as one that must be counterbalanced with other fundamental rights and applied in proportion to the legal relation between the EU and its member states. The Commission constantly works in the gray area between its given competences and its own self-asserted agenda.
The current Presidency of the Council is held by Ireland. The Irish Presidency programme makes numerous mentions of data protection and the need to push the proposed legislation forward. However, these references are made in the context of the Single Market and not within the framework of individuals’ rights. Does this mean that the ‘rights’ of the market will now take precedence over the individual? In some way that is where we are now. The question is whether the Regulation will do anything about it.