Legal analysis of the new proposed EU regulation on data protection
By Fabio Di Resta and Nicola Fabiano
In the new proposed regulation on EU data protection law, there are many important provisions. Most of them are necessary to address the future challenges of data protection in the Internet environment. The principles of effectiveness; i.e., stronger powers to DPAs, PIAs, mandatory appointment of DPOs, the principles of privacy by design and by default; accountability, and transparency are the founding stones on which the new proposed regulation was built.
The main objective of the regulation draft is to fulfill the ambitious harmonisation of the data protection laws of EU Member States and enhance consumers’ trust on the Internet through stronger data protection rules at the EU level.
In this article, different legal aspects of the proposed framework will be analysed.
Extra-territorial criterion: More specific exemptions
With respect to external scope, it should be considered that the main reason of the broad scope of the existing 95/46/EC Directive is to ensure that individuals are not deprived of EU data protection law and to prevent actions to circumvent the EU law.
The choice of the European Commission to enhance the threshold—as recently amended in the published draft—to trigger the application of EU law outside the EU/EEA seems appropriate to address the future challenges of the Internet but still could use some amendment, such as more structured exemptions to prevent discriminating against complex organisations. In respect of this point, different situations are exempted from the EU law application—Article 3 par. 2 and Article 25: Any controller established in third countries which ensures an adequate level of data protection; any public body; any controller only occasionally offering goods and services to data subjects residing in the EU, and all enterprises employing fewer than 250 persons.
This last exemption—which refers particularly to SMEs— also could use some amending. The complexity of organisations that operate through the Internet, where single departments or business units sometimes operate—with limited staff and an independent budget—as a controller, offering specific products or services, should be considered. Thus, the quantitative or dimension criterion of 250 persons with regard to the overall activity of big organisations should probably be rethought and the relevance—ancillary or otherwise—in the specific organisation of the products or services offered in EU (recitals 20, 63 and 64 of the EC regulation draft) should be taken into account.
The mandatory appointment of a representative established in the EU/EEA could have a negative impact on the activity of these departments and business units if they are considered data processors rather than controllers, and this provision could be considered too dissuasive by big organisations, which have only ancillary activity in Europe, especially owing to the fact that these rules already apply to SMEs.
Consequently, without an enlargement of the exemption, there could be several negative effects; for example, the representative appointment could be an economic barrier that restricts the choice of EU/EEA consumers who will not be able to purchase online products and services coming from organisations located outside of the EU.
Cloud computing scenario: Comparative analysis under the existing 46/95/CE Directive and under the regulation draft—one-stop shop and the main establishment criteria
In the following paragraphs, one scenario will be analysed—both under the existing EU/EEA directive and the new regulation draft.
In this IT model, personal data are usually processed and stored on servers in several places around the world. The exact place where the data are stored is not always known, and it can change over the time. In order to trigger the applicability of EU law, the relevant information is the context of activity of the establishment within the EU (principle of establishment) and the location of the equipment.
In order to deeply understand the applicable legal issues, the first step is to identify the data controller and its activities. For example, the buyer of a cloud service could be a data controller. Say a company uses an online agenda service, if the company uses the agenda service in the context of the activity of its establishment in the EU, the EU law will be applicable. However, the cloud provider could also be, under some circumstances, a data controller. Such is the case when it provides for an online agenda and document sharing, where private parties can upload all of their personal appointments and contacts, synchronize them and upload documents to store or share with selected persons. In this context, different key factors should be taken into account: the context of the activity of the establishment, its degree of involvement and the nature of its activity. Let’s say the cloud provider is a data collector located in the UK, Germany and Italy—and all of them are establishments—but server and technical staff for the online agenda are located in the UK, while the servers, software and technical staff for the document sharing activities are located in Germany. The establishment in Italy is not involved in this activity. According to Article 4 of the existing directive, English law is applicable to the establishment located in UK and, likewise, German law applies to the establishment located in Germany, with the further to obligation to deal with German and English DPAs. Italian law is not applied as this data processing not being the Italian establishment involved.
One of the implications of the approach mentioned above is the risk of overlapping national laws applicable to the same data processing with the further consequence to deal with several jurisdictions and data protection authorities. In order to overcome this problem and to give more legal certainty, in the EU regulation draft the main establishment principle—also called one-stop shop criterion—was worded in such a way that it will apply when a data controller or processor is established in more Member States (Recitals 13 and 98 – Article 51, Paragraph 2).
This is a good principle because it gives legal certainty to companies that do business in Europe with the possibility to comply with one law for the whole of the EU territory and to deal with a single data protection authority (lead authority). Analysing the above-mentioned cloud computing scenario in light of the EU regulation draft, once the context of establishments’ activity has been identified, the purpose, means and conditions should be taken into account. Thus, it could be considered that all the services offered by the cloud provider to users—who upload data for the agenda and documents for storing and/or sharing—has the same purpose, so it should be regarded that only one process is operated. Furthermore, considering that the English establishment manages the main activity—being the place of central administration, which decides in order of the processing of the users—then only the English law will be applicable and the English information commissioner will be the lead authority to address all complaints from data subjects residing in the EU territory.
The principles of privacy by design and default and the commission’s controls
The new data protection legal framework proposed by the European Commission introduces, with respect to the Directive 95/46/EC, the reference to “data protection by design and by default” (Article 23 of the Proposal for a Regulation and Article 19 of the Proposal for a Directive). Also, even though these articles do not describe the data protection by design and by default, they compel the controller to “implement appropriate technical and organisational measures and procedures” and to “implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing…” The commission preferred to describe the controller duties instead of setting legal status of data protection by design and by default. It is very important to clarify the meaning of “data protection by design and by default,” focusing on the true sense of these terms. On the other hand, it is as interesting to distinguish the expression “data protection by design” from “data protection by default” and to find the actual meaning of each term, because the phrase used by the commission seems to highlight a difference between the two terms. According to the text of the article, it is clear that the commission shall consider “by design” and “by default” as different concepts, even if they are used in the same sentence.
This approach seems quite different from the one officially used by the International Conference of Data Protection and Privacy Commissioners, which last year adopted a resolution on Privacy by Design proposed by Ontario, Canada, Information and Privacy Commissioner Ann Cavoukian.
In this context, the expression “Privacy by Design” is used to describe a method to deal with privacy issues in this new era, where a correct approach to privacy is most valuable. In this respect, it should be said that in the EU legal framework approach “by design” or “by default” the term “data protection” is used instead of “privacy.” Furthermore, the commission’s proposal seems to pay a lot of attention to the technical and security aspects instead of the legal concerns. The specific reference to “measures and procedures” seems oriented towards the PETs (privacy-enhancing technologies), which are certainly important, but the future of privacy is Privacy by Design. In conclusion, the hope is that the expression “by design and by default” will not represent a cutting-edge movement or a system founded on technological and security support but a real, methodological approach to the future handling of our privacy, according to the international commissioners’ statement, and to becoming a worldwide privacy standard in the near future.
The right to judicial remedy against data controller
Article 75, Paragraph 2 provides that in case of infringements of data protection rights, “proceedings may be brought before the courts of the Member States where the data subject has its habitual residence.”This article also entails that jurisdictional and international issues will be also brought before the national courts, which will decide on the compensation of damages of data subjects—requiring judges highly specialised both in EU data protection law and in international issues, and even to decide in the event of an appeal of the decision of other countries’ DPAs.
On the other hand, the new consistency mechanism increases the power of the European Commission a lot. It becomes the ultimate supervisory authority on the protection of data subjects, with the power to suspend the draft measures adopted by national DPAs through both the presence of serious doubts on their consistency with the EU regulation and a reasoned decision. Furthermore, with regard to the cloud computing scenario analysed above, more and more EU-based data subjects will be able both to access one national lead authority and to take action against national courts of that country in which the main establishment is located. Lastly, as stated in Paragraph 4 of Article 75, “all the Member States shall enforce final decisions by the courts.” This paragraph underlines further consequences of the regulation draft adoption, both stronger free movements of judgements on data protection and the need to assure the recognition of the judgments on data protection from other countries’ courts.
Data protection officer requirement and its impact on the national laws
The EU legal framework introduces the data protection officer and, according to the article 35 of the proposal for a regulation, this rule is mandatory if
- processing is carried out by a public authority or body;
- processing is carried out by an enterprise employing 250 persons or more;
- core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
There is no doubt about the relevance of the choice to set up the data protection officer. This solution, strongly hoped for by some Italian privacy professionals, shows how the European Commission has taken the data protection officer into account, demonstrating that there is a great need to pay attention to privacy matters. It is necessary for people dealing with privacy to have specific expertise and proficiency. This will obviously have consequences on the national law that will need to be implemented to set up the data protection officer. According to the EU legal framework, public bodies and enterprises will have a specific department for the competence on privacy matters. Although not mandatory, the data protection officer rule should be regarded as very important for organisations with less than 250 employees, too, because privacy is a fundamental right that is not related to the size of a company. Furthermore, this measure would go in the direction of making the EU data protection law more user-centred.
Data protection impact assessment requirement
A valuable concept introduced by the EU proposal is the assessment of the data protection impact. The main reference is Article 33 of the proposal for a regulation, “where processing operations present specific risks to the rights and freedoms of data subjects” the controller “shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” Certainly the PIA (privacy impact assessment) is well-known in the international context. Recently, EU public bodies began talking about impact assessments, particularly about the PIA. The privacy legal framework in force (Directive 95/46/EC) does not contain reference to the impact assessment, and there are only a few recent official European documents on this topic. Therefore, the choice of the European Commission to include the data protection impact assessment in the proposal for a regulation and directive is key. The aforementioned Article 33 describes when and how it is necessary to set up a data protection impact assessment (DPIA).
Explicit consent requirement and navigation over the Internet
According to the aforementioned EU legal framework, Article 7, the controller shall acquire the data subject’s consent for specified purposes and the “data subject shall have the right to withdraw his or her consent at any time.” In this respect, Article 4 states that consent “means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.” In case of minors, a “child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian.” Last but not least, the provision about a right to be forgotten is very relevant in the Internet environment, and this also guarantees users the right to withdraw their consent when “there are no other legitimate grounds for retaining the data.”
The European Data Protection Board
The EU regulation shall establish a European Data Protection Board that, according to Article 66 of the proposal for a regulation, “shall ensure the consistent application of this regulation...on its own initiative or at the request of the commission.” This article describes different actions that the DPB can realise, and that it shall frequently inform the commission about the outcome of its activities. Finally, it should be pointed out that this supervisory authority will supersede the current Article 29 Working Party and it will play a relevant role in the consistency mechanism to guarantee the unity of EU law application.
The European Commission’s proposal deserves to be appreciated especially because it addresses the main crucial challenges for data protection law in a globalised world. However, a detailed analysis shows that this proposal could use some amendments. Particularly, more attention should be paid to widespread involvement of all stakeholders, especially multinationals and overseeing authorities, such as the U.S. Federal Trade Commission. Furthermore, with respect to the extra-territorial jurisdiction of EU law, there is concern that all the provisions will be considered mere theoretical principles by extra EU/EAA countries, without further international legal agreements and worldwide cooperation, which will probably require an amended text in favor of the enforceability of EU law.
Fabio Di Resta is an attorney at Di Resta law firm where he specialises in data protection and ICT law. Nicola Fabiano is an attorney at Studio Legale Fabiano; counsel at Panetta & Associati, and a Privacy by Design Ambassador, and specialises in privacy and ICT.
Read more by Fabio Di Resta: