EDRi Initial Comments on the Proposal for a Data Protection Regulation
EDRi welcomes the European Commission's proposal for a new data protection Regulation. Europe needs a comprehensive reform in order to ensure the protection of its citizens’ personal data and privacy, while enhancing legal certainty and competitiveness in a single digital market. Since the “inter-service” draft was leaked in December, there has been a significant lobbying effort by certain foreign governments and industries. Although, as a result, some of the provisions seem to have been watered down or downgraded, and although there are still areas of concern, we are pleased to see that the proposal still highlights the importance of key principles such as the need for a clear “legitimate ground” for processing, transparency, fairness, “purpose-limitation”, "privacy by design", and data minimisation. This is a first, positive step in a long legislative process that in the end will hopefully secure greater respect for and awareness of the fundamental right to data protection and to privacy for European citizens.
Why we need a Regulation (and not a Directive)
An EU wide, unified approach to securing an appropriately high level of data protection, and to the safeguarding of essential elements of democratic societies such as privacy and free speech is long overdue. It is crucial in a fast changing digital environment.
European Court of Justice case-law over the past 15 years shows that many Member States met neither the substantive nor the procedural/enforcement requirements of EU data protection law in full. Data protection legislation is moreover highly fragmented: legislators and regulators in the 27 EU Member States implement the Directive in 27 different ways. Harmonisation in the form of a single, directly applicable instrument is indeed needed to ensure legal certainty in the single European market – for citizens and businesses alike.
According to Article 3(2) of the Regulation, its provisions will also apply to processing by non-EU entities if the processing activities of those entities are related to the offering of goods or services to EU data subjects, or to the monitoring of EU citizens’ behaviour. This replaces the rather unclear “use of equipment” test of the Directive. EDRi welcomes these new rules on territorial scope.
The right to be forgotten and free speech issues
The"right to be forgotten" (Art. 17) is basically a re-affirmation and strengthening of the already existing right to deletion of personal data after the purpose for which they were processed has been fulfilled (Art.12 of Directive 95/46/EC). The current draft proposal goes further than the 1995 Directive by proposing the right to erasure if the data are no longer necessary or if the data subject withdraws his/her consent, and by including rules aimed at the erasure of any public Internet link to, copy or replication of the personal data relating to the data subject which the data subject is seeking to have removed. This especially applies "in relation to personal data which are made available by the data subject while he or she was a child". However, the provision has been weakened since the last leak, now requiring merely that the data controller “shall take all reasonable steps” to inform third parties that the user wishes to erase any links to or copies of the material.
EDRi also believes that as currently draft, the article could have serious (if perhaps unintended) implications for freedom of speech. Even though one of the aims of this article is to counter the loss of purpose limitations in social media, it must be carefully drafted to avoid its potential misuse as a tool for censorship.
Overall, in EDRi’s view, the “right to be forgotten” article was not particularly well drafted. EDRi would therefore like to see the text clarified and strengthened, but also feels that the underlying thinking is a step in the right direction.
Data portability in general (Article 18)
Individuals will be given the right to demand that an organisation should transfer any or all information held about them to a third party in a format which the individual determines. This increases the control that individuals have over data which identifies them and makes it easier for them to transfer business or employment relationships. The text does not clarify who will be required to cover associated costs of such an exercise. In EDRi’s view, this should not be at the expense of the data subject. Other than that, EDRi welcomes this new principle.
Right to Data Portability in relation to social networks
The right to data portability mentioned above includes the right to move account information from one social media service to another and to benefit from privacy-friendly alternatives. This right is limited by a rather poorly-drafted requirement on the format to be used for stored data. It is important that users have a right to their electronically stored data, "in an electronic format which is commonly used" rather than only having the right to obtain the data if they are stored in such a format. This is a very good start to deal for dealing with the network externalities and related natural monopolies of networking platforms such as social networks. But in EDRi’s view, in order to work, this should include an inter-connection or inter-operability provision.
Privacy by Design/Default
EDRi also welcomes the new provisions regarding privacy by design / by default of Article 23, since it is essential that companies consider privacy at each stage of product development. However, in EDRi’s view, an effective implementation mechanism of “privacy by design” is needed. This could be created by the introduction of an obligation to conduct privacy impact assessments, which aim to ensure that privacy concerns are built into every part of the life cycle of a product or service.
EDRi also welcomes the support given by the proposed Regulation to European Certification processes, provided that (like the current European Privacy Seal, EuroPriSe), they apply the highest and strictest European data protection standards.
Data breach notification
Articles 31and 32 introduce an obligation to notify personal data breaches, in principle within 24 hours (but with some sensible flexibility built in). Moreover, individual users should be notified of a leak if the leak is "likely to adversely affect the protection of the personal data or privacy" of the users. In EDRi’s view, it is essential that customers are informed if their personal information have been compromised, so that they can protect themselves by, for example, changing passwords or getting new credit cards. This broad obligation to report data breaches is very important, but the articles do not provide for a central public register of data leakage. In EDRi’s opinion, this provision can therefore be further improved.
Transfer of personal data to a third country (Article 42)
Under the proposed new Regulation, as under the current Directive, personal data may only be transferred to a third country if certain criteria are met to ensure an appropriate level of protection of those personal data. However, Article 42 has been watered down and, in EDRi’s opinion, rendered almost meaningless since the very first leaked draft of the Regulation. The leaked version of the new Regulation indicated that barriers imposed on for foreign judicial authorities regarding the to access of European data outside fell beyond the scope of the agreed legal frameworks. It stated that in cases where a third country requests the disclosure of personal data, the controller or processor had to obtain prior authorisation for the transfer from its local supervisory authority. The initial goal of this article was clearly to address extra-territorial actions by third countries such as the USA, acting under the PATRIOT Act or the Foreign Intelligence Surveillance Act (FISA). The Article has, however, been totally emasculated, by only imposing the condition that the third country has "adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument”. EDRi and other civil society groups will forcefully oppose this new text.
According to the US Department of Commerce recent lobbying , Article 42 of the proposed Regulation might affect US-registered companies located in the EU and their ability to conduct business in the US. It is noteworthy that the US currently uses instruments such as the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act to retrieve data on (e.g.) the political activities of foreign individuals, who may have no links whatsoever with the USA, via companies with US offices. This legal vacuum was meant to be addressed by article 42. It has not been. EDRi believes that this will be one of the most important areas of debate. We will insist that the EU rules will ensure full respect for the civil and political rights of EU citizens, also against encroachment from U.S. authorities.
EDRi welcomes the idea of having a range of different sanctions available for specific types of data protection violations (Art. 79). As part of the European harmonisation of data protection legislation, national authorities will have greater power to impose penalties for infringements. The fines clearly need to have a serious dissuasive effect, therefore it is sensible (as in with competition policy) to make them dependent on the gross annual turnover of a company. However we note that, since the last leak, the maximum fine of 5% of global turnover has regrettably been reduced to 2% and minimum fines have been deleted. In EDRi’s view, this reduction in maximum fines is unwarranted.
EDRi will provide it’s a comprehensive analysis later, on the full proposed framework, Regulation and Directive. In the meantime, we welcome Commissioner Reding's proposals as a positive first step in the a long process of updating privacy and data protection for EU citizens in the digital environment.