2.1 Strengthening Individual's Rights
2.1.1 ENSURING APPROPRIATE PROTECTION
The Commission is right to address the concept of ‘personal data’, the issues round its definitions, and various processing and mining technologies as some of the most essential if fundamental privacy rights are to be protected.
Regarding definition of the concept of personal data, we support a wide definition, as included in the current Directive and interpreted by the Article 29 Working Party (Opinion 4/2007). This will continue to ensure the necessary flexibility and make the legislation future proof. The issue that will need to be addressed in the review is not the definition, but its different interpretations and lack of clarity on national levels, as is the case for example with IP addresses. One way to address this is to provide authoritative guidance that has to be taken on board by member countries, and the Article 29 Working Party is well placed to provide such guidance.
We are particularly concerned that the concept of personal information appropriately reflect the increasingly common use of ‘analytics’ which can select individuals for attention; e.g. for customised direct marketing, presentation of webpage content etc, even though the data controller may not know, or even be able to find out, the actual identity of the target. The effect of this sort of intrusion on individuals’ privacy, based on analysis of their behaviour, is just as much a matter of privacy concern as if the controller actually knows their identity.
We also support consideration in the future review of additional measures regarding mining techniques and technologies under Union law, such as location data. The current debates in the UK round the implementation of the e-privacy directive with regards to user consent for storing of cookies in users’ terminal equipment illustrate well the tensions between the service providers’ desire to collect as much information as possible, and the need for data protection; if implementation is going to end up passing responsibility to individuals to set their own browsers at the appropriate cookie-rejecting levels, and/or possibility to opt-out via complex multiple choices on industry websites, then meaningful protection will not be ensured and the situation will be no different from the current one.
The protection of individual’s rights requires more than just considering definitions: it is also a matter of scope. Many of the poorer decisions made by regulatory authorities have been a result of the lack of consideration of individual rights. We believe that it is necessary that the powers of each Privacy Commissioner should explicitly be extended to the processing of personal data in circumstances where the processing at issue is alleged to cause a breach of Article 8 of the ECHR.
The Directive is founded upon this concept, but the concept is poorly incorporated into enforcement. Article 1 of Directive 95/46/EC begins with these words: “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”. Recital 1 adds further clarification in that the Directive is a step towards “...preserving and strengthening peace and liberty and promoting democracy on the basis of the fundamental rights recognized in the constitution and laws of the Member States and in the European Convention for the Protection of Human Rights and Fundamental Freedoms”.
Recital 10 then amplifies what the “right to privacy” means. It states that “... the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms”. Recital 11 then adds that “the right to privacy” in the Directive is intended to “give substance to and amplify those (provisions) contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data”.
As the Directive already has links with Article 8, then it is a small step to specify in a revised Directive that each Privacy Commissioner should be explicitly able to enforce the Data Protection law in circumstances when Article 8 compliance is in question with respect to the processing of personal data. For example, it should have been possible for Commissioners to assess whether or not some processing is lawful (i.e. proportionate) in terms of Article 8 in cases such as international data sharing or with the retention of personal data.
The effect of this change would explicitly link the Human Rights and Data Protection regimes. It would reassure the public that Europe and law enforcement and national security agencies would be open to a constructive debate about data protection issues, whose outcome would then reassure the public that these agencies have not strayed beyond their allotted functions.
2.1.2 INCREASING TRANSPARENCY FOR DATA SUBJECTS
We would support a general requirement for transparent processing, though after years of relatively fruitless discussions regarding simple or layered privacy notices and use of plain language, we are a little cynical on whether such a requirement can succeed in practice unless presentation and contents standards are also set by the data protection authorities. So we agree in principle with the idea of model ‘privacy information notices’ providing their design, placement and contents is brainstormed with stakeholders who understand behavioural economics, and user tested prior to release.
We are also wary of good transparency without meaningful choice, as happens now in many instances, where providers tell you comprehensively how they use your information, whom they share it with and how long they are going to keep it for, but you do not in fact have a choice, unless you reject the whole service, which means no choice at all in some cases. So while we strongly support transparency and easy, accessible privacy policies, we also urge the Commission to only consider this as part of a whole package of pro-privacy measures, as all too often transparency in itself is an easy ‘win’ and only measure. In general we also think that comprehensive privacy notices should be part of the consumer contract, for e.g. in contracts for energy or cloud computing services, and as such be subject to and comply with unfair contract terms legislation.
Regarding the statement on children in the context of transparency, we do not consider that good information alone is going to help much with the specific issues around the protection of children and minors. This is in fact the only place in the Communication where children are mentioned at all, while we believe that more consideration should be given to privacy-related children’s issues.
Finally, and regarding transparency, Privacy International fully supports extending mandatory personal data breach notification from the telecommunication sector to all relevant industries and sectors (including public). We have in fact been campaigning for such a measure to be introduced during the discussions on the revision of the e-Privacy Directive, and believe that extending the rule horizontally will ensure consistency between regulations, and will serve as a deterrent and incentive to companies to strengthen their security processes.
2.1.3 ENHANCING CONTROL OVER ONES OWN DATA
Privacy International would welcome an explicit reference to data minimisation in a revised directive as well as an explicit reference to, and clarification of, the right to be forgotten, which is particularly relevant in the context of social networking sites and cloud computing. We also suggest that the right to not be identified in the first place would be more effective in preventing future unnecessary data collection. There are many circumstances in which identification is not necessary at all for the provision of a service, and technologies are available that enable people to prove they are ‘bona-fide’ without the need to reveal personal information.
We support also looking at the ways that subject access, correction and deletion of personal information can be ensured without pain (for example through introduction of maximum response time limits and charge-free access) and looking at how to achieve better consistency in this respect between different member countries and data controller practices, which vary enormously at the moment, with the result that it is often very difficult for ordinary people to identify and correct errors.
Finally data portability is highly desirable, though it is a tall order to achieve it through data protection legislation alone – as essential prerequisites include software interoperability between various platforms, and open standards. We believe that this is absolutely essential in the context of cloud computing and social networking, and we are pleased to see some leadership from industry, though there are worrying battles brewing in this space that may harm consumers.
2.1.4 RAISING AWARENESS
While not averse to raising awareness, we are doubtful that such exercises can be successful unless they involve high cost strategic, targeted multi-media campaigns over a period of time and using social marketing techniques. Lessons should be learned, for example, from other socially-related issues, such as drinking and driving and smoking awareness exercises. We suggest it would be more effective to target training and awareness raising campaigns at types of data controllers, and particularly small businesses or sole traders who increasingly monetise data without being aware of rights and obligations.
We believe that regulators have an important role in raising awareness of their own powers. Too often we are approached by European citizens seeking assistance and guidance, though are unaware of their own national regulator. We have even countered government departments with weak relationships with the regulators. Much more work is needed on promoting both privacy and the regulators. For instance, see the European Commission commissioned research on the promotional activities of national regulators.
2.1.5 ENSURING INFORMED AND FREE CONSENT
We agree with the analysis in the Communication regarding current Directive rules on consent (freely given, specific, informed) and consider that this is a fundamental issue to be resolved if data protection, especially online, is to have real teeth. So we strongly support the intention to examine, strengthen and clarify the rules on consent, including ensuring much greater harmonisation between practices and interpretation in different countries. We ask the Commission to consider specific banning of unfair trading practices such as requiring consent as a condition of receiving goods and services, as well as introducing the concept of ‘revocability’, i.e. the possibility to take away consent previously given (similar to a ‘cooling off period’ available in online shopping or consumer credit contracts).
2.1.6 PROTECTING SENSITIVE DATA
We consider that any data can become sensitive in certain circumstances and/or if linked to other available data; modern technology makes it possible to use information that is not considered sensitive under the terms of the current Directive for discriminatory purposes. So in an ideal world we consider that all personal information should be treated equally and have strong protection. However, if current distinctions are retained, we would urge the Commission to add the following categories of personal information to the list: genetic, biometric, family history, minors, financial data, granular energy consumption data from smart meters. This list should be made non-exhaustive to allow for future technological developments.
2.1.7 MAKING REMEDIES AND SANCTIONS MORE EFFECTIVE
We strongly agree with the proposal to ensure more effective enforcement, including redress, as this is the main weakness of the current data protection legal regime. Alongside other organisations, we have been advocating for the establishment of a judicial collective redress mechanism, both at national and European levels, as an efficient tool for consumer empowerment and business compliance. This should include representative actions by authorities, consumer and other civil society associations on behalf of individuals, as well as collective redress.
We also support strengthened sanctions, but a graduated range commensurate with the seriousness of data breach.