Our response to the Justice Select Committee Inquiry on European Union data protection framework proposals
- Privacy International welcomes the Select Committee Inquiry. We approach the proposed EU Data Protection Framework from the perspective of individual citizens and consumers.
- We consider that this Inquiry and other consultations must take into account not just considerations of burdens to business and administrations, but also the fundamental rights of individuals to privacy and data protection that the UK has to comply with as a signatory to EU treaties and conventions.
- The proposed General Data Protection Regulation, on the whole, goes some way towards achieving harmonised rules across the EU and makes data protection law fit for the 21st century. It contains a number of good improvements, particularly on the rights of the data subject, and also in terms of enforcement and redress. However, there are a number of weaknesses that can undermine these rights, so there is need for improvement.
- With regards to the proposed Data Protection Directive for the law enforcement sector, we consider that the Commission drafters have failed in their duty to ensure a high level of data protection for citizens across the board, as it is much weaker than the Regulation in many respects. The Directive needs radical improvement.
- In terms of the specific questions asked by the Inquiry, we think that the Regulation does generally achieve the right balance between the rights of individuals and the obligations of controllers and administrations. Furthermore, considerations of possible burdens to businesses etc. have to be counterbalanced by the growth opportunities provided by furthering consumer trust, the reduction of costs due to more consistency in 27 countries’ rules and the potential for increased engagement in cross-border trading by SMEs.
- The Directive on the other hand does not achieve the right balance, will result in 27 different regimes and has the potential to undermine individual rights under the Regulation.
- We agree with some, but not all the next steps proposed by the Government in its Summary of Responses to its Call for Evidence.
Privacy International (PI) is a registered charity, founded in 1990 and the first organisation to campaign on an international level on privacy issues. PI’s mission is to defend the right to privacy and individual people’s data protection across the world, and to fight unlawful surveillance and other intrusions into private life by governments and corporations.
We are therefore pleased to have the opportunity to provide our views on the European Union Data Protection Framework Proposals to the Justice Select Committee Inquiry, and address the specific questions asked by the Committee. We are fully engaged with the development of this framework legislation since it will have a long-lasting impact not just in the UK and Europe, but will influence data protection regimes for citizens and consumers across the world. The proposals have come not a moment too soon, as the current legislation is no longer fit for purpose. This is a fact that has been widely acknowledged, and does not need further elaboration.
However, as a general observation, we are concerned to see that this Inquiry and other domestic consultations have been framed primarily in the context of possible large extra burdens on businesses and administrations. The fundamental rights to protection of personal data and privacy are specifically mentioned in EU charters and conventions, and have to be complied with by EU member countries that are signatories to the Lisbon Treaty.[1] Under current legislation these rights are not respected. This is not to say that considerations of burdensome regulations and impacts on economic growth are not important, but that there is need for a more rounded analysis. We think the EU Commission has carried out such an analysis over the last three years, including numerous consultations, commissioning several studies and surveys, and a detailed impact assessment.[2]
With regards to the proposed Regulation, we believe that on the whole it makes data protection law fit for the 21st century and goes some way towards achieving harmonisation of rules across the EU. We like the fact that it starts from the standards and principles set out in the current Directive (95/46/EC) and further enhances, elaborates and develops these. As a result it ensures more control on the part of the individual citizen/consumer, for example with regards to access, correction and deletion, and by attempting to ensure that these rights are meaningful in practice. It also attempts to ensure more effective enforcement by independent authorities with more teeth, as well as better possibilities for redress for individuals, including through the right to collective redress actions by, for example, privacy rights and consumer groups. We also very much like the emphasis on the responsibility and accountability of controllers for building privacy into their systems (“privacy by design”), and the requirement for breach notifications.
However, this is not to say that in our view the Regulation does not need improvement. It does have a number of weaknesses from the perspective of the data subject that have the potential to undermine the good points, and would need clarification or improvement. These include, for example, some of the fundamental definitions (e.g. personal data and data subject), aspects of lawful processing, enforcement and redress. (See also the answers to question 3, below).
As far as the proposed Directive is concerned, our view is very different. We consider that the EU Commission drafters have failed in their duty to ensure a high level of data protection for citizens across the board, both in the private and public sector (given the exceptions for law enforcement access in the Regulation). Police and judicial cooperation in the context of law enforcement is an area where sensitive personal data is likely to be involved, and therefore citizens may be put at particular risk. We agree with the views of the UK Information Commissioner and the European Data Protection Supervisor in this respect. We consider that in the proposed Directive: data processing principles are less ambitious and more ambiguous than those in the proposed Regulation; the rights of the data subjects are significantly weaker than in the proposed Regulation; controllers are subject to fewer, and vaguer, obligations; transfer rules are unclear and less restrictive than they could be; and supervisory authorities have fewer and weaker powers. This is problematic also in the context of the UK, where currently the Data Protection Act applies across the board.
Q: Will the proposed Regulation strike the right balance between the need, on the one hand, for a proportionate, practicable but effective system of data protection in the EU, and on the other for business and public authorities not to be stifled by regulatory, financial and administrative burdens placed upon them?
Yes, we think that the proposed Regulation does on the whole achieve this goal, and it goes a good way towards redressing the current imbalances, such as extensive data mining and profiling without individuals’ awareness, difficulties for people to stay in control, different rights in different EU countries, authorities without clout and weak enforcement, and difficulties in getting redress.[3]
Claims of stifling burdens, possibly affecting economic growth and innovation, are not justified in this case. It is important to ensure that individuals are adequately and effectively protected: as behavioural studies have shown, people who feel in control are likely to share more, not less, data,[4] while lack of trust and concerns over data protection are a significant barrier to the growth of the digital economy.
The EU Commission in its impact assessment[5] estimates that the current fragmentation of legal data protection regimes in the 27 member countries gives rise to an administrative burden costing businesses close to 3 billion Euros per year, over half of the total costs of administering the current Directive. Any increased administration under the proposed Regulation would be counter-balanced by the fact that firms would no longer have the burden of complying with the different regimes in the countries in which they operate (this was a major source of complaint).
Furthermore, harmonisation and legal certainty would encourage more SMEs to expand their businesses in other EU countries, because they would not need to engage expensive lawyers, which currently only big businesses can afford. This is also shown by EU surveys of SMEs,[6] and would stimulate, not stifle, development. Finally, there are EU countries which currently have stronger and more prescriptive data protection legislation than the UK DPA, including with respect to the powers of their Privacy Commissioners or obligations for business - this includes, for example, Germany and the Netherlands, and there does not seem to be a stifling of their businesses or any direct correlation with their economic growth.
Q: Will the proposed Directive strike the right balance between the need, on the one hand, for a proportionate, practicable but effective system of data protection for police and criminal cooperation in the EU, and on the other for law enforcement authorities to be able to investigate crime without disproportionate financial or administrative burden?
No, we do not believe it will, as stated in paragraph 6 above. The rights of the individual are weaker in the case of the proposed Directive than in the case of the proposed Regulation, and inevitably the transposition of the Directive in the different nations will result in the very fragmentation that the new Framework aims to avoid. In addition, these weak provisions in the case of the Directive have the potential to also undermine individual rights under the Regulation, in cases where law enforcement authorities have access to data from private entities; for example, it remains unclear which of the two (Directive or Regulation) would apply in the case of Passenger Name Records being used for law enforcement purposes.
As the result of these two differing ‘legal instruments’, the new Data Protection Framework suffers as a whole, because the original aim of achieving harmonised and comprehensive data protection rules is not achieved.
Q: Are the next steps the UK Government proposes to take during the negotiations, set out in the Summary of responses to its Call for Evidence, the right approach?
In our view, some of the proposed steps are the right approach and others are not.
Our concern is that the revision is not ultimately used as an opportunity to weaken fundamental principles of privacy and data protection, and result in the reduction of protections, in the name of economic growth, innovation and avoiding burdens. As stated above, while some improvements and tweaks would be necessary, we do not believe that on the whole the new Regulation will put a major extra burden on data controllers in comparison with the current regime. Furthermore, other potential benefits and growth opportunities resulting from the more harmonised rules have not been considered at all in the published Summary of Responses.
We are also concerned that the Directive is not addressed in the ‘next steps’ section of the Summary of responses, while this really needs major surgery in order not to undermine the whole Framework in terms of the rights of the individuals.
Specific comments on some of the proposed next steps
- Step: “support the requirement for additional information to be provided to data subjects both proactively and in response to subject access requests (subject to consideration of the additional costs), but resist the proposal that subject access rights be exercisable free of charge”.
Comment: Currently in the UK, subject access charges (£10) can result in considerable costs for individuals who, for example, have been victims of identity theft and have to repair a large number of records (sometimes 10 or more companies need to be approached); often the victims of ID theft are vulnerable people who cannot afford such costs. In addition, we note that in the BIS consultation on the proposed midata legislation, which is similar to the subject access provisions in the proposed Regulation, the government states a preference that the data (in readable electronic format) is supplied at no cost.[7]
- Step: “push for an overhaul of the proposed ‘right to be forgotten’ given the practicalities and costs and the potential for confusion about its scope for both organisations and individuals; however, the Government reaffirms its commitment to the right for individuals to delete their personal data, where this is appropriate”.
Comment: Much ado has been made about art 17 in the Regulation, but in reality it is only a little more than the right to erasure and the right to object. It states no more than that the controller ‘shall take reasonable steps’ to inform third parties in relation to data for the publication of which he is responsible. Perhaps the title is a misnomer, but it is clearly an effective advertising tool.
- Step: “resist new bureaucratic and potentially costly burdens on organisations which do not appear to offer greater protection for individuals; examples of this include mandatory data protection impact assessments, seeking prior authorisation from the supervisory authority for certain processing operations and the mandatory designation of independent data protection officers”.
Comment: Again, the provisions regarding privacy impact assessments (PIA, art 33) are much more nuanced in the Regulation than the above statement implies. In fact, the risk criteria set out in this article mean that PIAs will only be required when large-scale and/or sensitive data collection is taking place.
We hope also that the UK will strongly support the enhanced rights of the individual in the Regulation and ensure there are no loopholes to weaken or undermine them. We will be pleased to share with the Justice Select Committee our complete positions and more detailed suggested amendments, both for the Regulation and the Directive.
[1] Specifically Art 8 of the European Convention on Human Rights and Art 16 of the Treaty on the Functioning of the European Union (TFEU)
[2] SEC(2012) 72 final, Brussels, 25.1.2012, Commission Staff Working Paper, Impact Assessment
[3] For research evidence, see e.g. inter alia section 3.3 of the Commission Impact Assessment (note 2); also results of ICO annual Track Surveys (2011)
[4] http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm; for a brief overview see http://www.heinz.cmu.edu/~acquisti/papers/acquisti_privacy_behavioral_ec...
[5] As note 2; Annex 9 has the cost impact assessment for the Regulation
[6] As note 2; Annex 8, results of consultation with 383 SMEs