New EU data protection laws: ok, but a tremendous missed opportunity with possible threats looming

The major overhaul of data protection laws in Europe is finally over, after three years of arduous and sustained political and lobbying activity by all those with a major stake and interest, including us at Privacy International (See our initial analysis of the two laws in 2012). We welcome this long overdue closure, but is this 91-articled, 200-paged piece of legislation been worth the enormous effort and no doubt millions of euros, dollars and pounds spent on it?

The legislative package consists of a General Data Protection Regulation (GDPR), and a Data Protection Directive that applies primarily to the law enforcement sector, police and judiciary dealing with crime and crime prevention.  Neither applies to state security, i.e. surveillance practices, or to the EU institutions themselves

The General Data Protection Regulation

With regards to GDPR, our initial reaction is that, certainly, Europe continues to be the most advanced and comprehensive legislature in terms of promoting protection of personal data as a fundamental right (in all but ‘state security’ activity).  But the initial grand ambition of making EU data protection laws fit for 21st century, the age of big data and Internet of Things, and unprecedented intrusion and profiling into people’s lives, has not been achieved. Thankfully, the new rules do not go below existing provisions, but several of our key initial concerns have not been met, and more weaknesses have been introduced to achieve compromise in the negotiations.  Compromise has also meant that some of the articles in the Regulation are so contorted and convoluted that corporate lawyers will be able to feed on them for years to come.

Some of the good:

• The rights of the people (‘data subjects’) have been reasserted and improved: for example you will be now able to demand erasure of all your information if you have left a service, or take away in an easily readable format the data you’ve given a business provider.
• The definition of  personal data has been extended and clarified, it now clearly includes IP addresses and location data for example.
• The enforcement of the law and deterrents, such as fines, are more effective.
• The redress and complaint possibilities are better: privacy and consumer groups will now be able to act on behalf of one or more individuals.
• There is a new right to object to profiling for direct marketing purposes

Some of the bad and the ugly:

• The user consent provision is confusingly mixed – defined as ‘unambiguous’, but has to be ‘explicit’ for sensitive data, such as health or political beliefs.
• The very broad and undefined  ‘legitimate’ interest provision, including for third parties (!) can still circumvent consent altogether.
• Collective redress is only possible in countries where provisions for collective redress exist in national legislation, meaning that some people may end more equal than others and opening possibilities for forum shopping for companies.
• There is a serious risk of dis-harmonisation, since there are many exceptions allowing Member States to pass their own laws.
• The most ugly is the provision in Article 21 that allows countries to introduce legal exceptions  to this law based on a loosely defined “general public interest”. This can become a crucial loophole in the legislation, and ensure a few years down the line that we have 28 laws once again.

The Directive

We have been, in the initial stages, much more critical of the Directive which applies to law enforcement authorities, including the fact that being a Directive it will still mean 28 different legal regimes for data protection--not just for those on trial or found to be guilty-- but for witnesses and victims too, so millions of people!.  The progress of this piece of legislation has been much more obscure than that of the GDPR. On a first glance, a positive aspect is that is has been aligned closer to the provisions in the GDPR with regards, for example, to the data protection principles and some of the rights of the data subjects. But many key concerns we highlighted still  remain, for example with regards to the effective supervisory role of the data protection authorities,  or potentially allowing for transfers of highly sensitive data to authorities in third countries without serious safeguards.

The final vote by the European Parliament in full plenary is due in January, but it is virtually sure to be passed. We shall be analysing both pieces of legislation in detail in the New Year.