The Assets and Drawbacks of the Proposal for an EU Regulation on the Protection of Personal Data
By Gaëtan Cordier and Adeline Jobard
On 25 January 2012, the European Commission publicised its proposal for an EU regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
This proposal for a regulation sets out a new regulatory framework with regard to data protection within the European Union and aims at meeting the following objectives:
- modernising the European data protection framework set up in 1995 with EU Directive 95/46/EC, which has become obsolete following the technological changes that have taken place since then (such as the Internet explosion, the emergence of social networks, the appearance of new technologies that drastically changed the digital world, the globalisation of data processing, the increasing recourse to cloud computing, etc.);
- simplifying and standardising personal data protection rules within the European Union, as the directive dated 24 October 1995 has been transposed in different ways in the various Member States, which has resulted in discrepancies between them (as an example, the CNIL, the French data protection authority, has the power to impose sanctions, which it uses regularly, whereas numerous other European authorities have no such powers);
- unifying and improving citizens’ data protection;
- reducing the administrative formalities imposed on companies acting as data controllers;
- guaranteeing the free movement of data within the European Union, and
- reinforcing consumer confidence in online services, thus providing a much needed boost to growth, jobs and innovation in Europe.
It is worth noting that, as the new instrument would be an EU regulation, there shall be no need for transposition into domestic law. So, once the regulation is adopted, it shall apply throughout the European Union and, in France, it shall replace French Law No. 78-17 dated 6 January 1978 on computing, files and liberties (the French data protection law).
This proposal for a regulation brings numerous advances, which were both expected and necessary.
In particular, citizens will be granted a “right to be forgotten,” and they shall expressly consent to the processing of their data (opt-in mechanism); the appointment of personal data protection officers (correspondants informatique et libertés) shall now be compulsory in public authorities and in certain companies; data controllers shall now incorporate personal data protection steps in their policies; and the penalties imposed on undertakings that fail to comply with the applicable rules in this area shall be considerably increased.
However, it seems that some of the provisions in this proposal for a regulation are not suited to the reality of the digital world. This is notably the case with the “one-stop-shop” mechanism.
In those circumstances, the French National Assembly (proposal for a European resolution, submitted at the initiative of Philippe Gosselin, a deputy, and adopted by the National Assembly on 23 March 2012) and the Senate (proposal for a European resolution adopted by the Senate at a public session on 6 March 2012) expressed reservations and concerns about the relevance of some of the provisions of this regulation, and they did so in a very similar way.
Besides, the French Data Protection Authority (the CNIL), which welcomed the unanimous commitment of French members of parliament on personal data protection issues, expressed criticisms of this regulation that are very similar to those expressed by the National Assembly and the Senate.
In those circumstances, it seems to us necessary to review the proposals that are currently being debated by European Parliament committees and to emphasise the assets and drawbacks of the regulation.
The Assets of the Proposal for a Regulation
The approved provisions of the regulation
- Principle of an express consent to the use of personal data
In Article 4 of the proposal for a regulation, consent is defined as “any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
So, it results from this article that silence or inactivity shall no longer be treated as implied consent.
It is also worth noting that Recital (25) of the proposal for a regulation suggests that the person expresses consent by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.
- Right to personal data portability
According to Article 18.2 of the proposal for a regulation, “where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.”
So, this article creates an explicit right for data subjects to withdraw their data (e.g., pictures or a list of friends) from an application or service and to transfer such data to another application or a third-party service (e.g., from the Facebook social network to the Twitter social network).
- Right to be forgotten
Article 17 of the proposal for a regulation provides that each citizen may obtain the erasure of all of the personal data relating to him/her if the data controller has no legitimate reason to store them (e.g., for scientific or historical research purposes, for reasons of public health, or for exercising the right of freedom of expression).
So, an Internet user who would like to close their social network account should, in theory, be entitled to require the website to destroy all of the personal data relating to him/her.
The regulation also provides that the relevant company shall inform any third parties, which are processing the same data, of the data subject’s request for erasure, so as “to erase any links to, or copy or replication of that personal data.”
- Data minimisation principle
Pursuant to said principle, which is set out in Article 5(c) of the proposal for a regulation, the personal data processed must be limited to the minimum necessary in relation to the purposes for which they are processed.
So, as an example, data subjects shall no longer be required to provide their mailing address to the data controller if an e-mail address suffices for the purposes for which the data are processed.
- Simplification of the prior formalities for processing data
The regulation provides that the notification requirement currently imposed on companies shall be abolished.
This should result in savings of approximately 2.3 billion euros per annum.
However, the following processing operations would still require prior control by the CNIL:
- transfers of data outside the European Union where the data processor and the data recipient are not bound by standard contractual clauses complying with those adopted by the European Commission;
- transfers of data outside the European Union to third countries that do not afford an adequate level of protection according to the European Commission,
- any processing of data that requires the drafting of a data protection impact assessment, as well as any processing of data that is identified by the CNIL as presenting specific risks.
- Obligation to maintain documentation
In accordance with Article 28 of the proposal for a regulation, controllers are required to maintain documentation of all processing operations under their responsibility.
This provision is the counterpart to the simplification of the prior formalities for processing data.
- Information on security breaches
According to Article 31 of the proposal for a regulation, data controllers shall be expected to notify the competent national authorities as soon as possible (and, where feasible, within 24 hours) of any personal data breach. A personal data breach refers to a situation where data are accidentally or unlawfully destroyed, lost, altered or disclosed to unauthorised people, or where unauthorised people have access to said data.
It is worth pointing out that this new provision is necessary given the current development of cloud computing.
- Data protection by design and by default
Article 23 of the proposal for a regulation provides that, at the time of determining the means for processing, the data controller shall, having regard to the state of the art and the cost of implementation, implement appropriate technical and organisational measures and procedures in such a way that the processing will ensure the protection of the rights of the data subject.
In particular, mechanisms shall ensure that:
- only those personal data are processed which are necessary for each specific purpose of the processing;
- those personal data are not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage,
- those personal data are not made accessible to an indefinite number of individuals.
So, the data processor shall take the protection of the privacy of data subjects into account from the time it designs the processing and thereafter when processing the data.
- Data protection impact assessment
Pursuant to Article 33 of the proposal for a regulation, the most sensitive processing operations (children, genetic or biometric data, video surveillance, etc.) shall be preceded by an impact assessment.
- The impact assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks and the security measures and mechanisms to ensure the protection of personal data.
- Such an obligation, which is imposed on data controllers, is therefore likely to guarantee the protection of personal data in the event processing operations present specific risks to the data subjects.
- Obligation to designate a personal data protection officer (Correspondant Informatique et Libertés, or CIL)
Pursuant to Article 35 of the proposal for the regulation, a CIL must be designated where:
- the processing is carried out by a public authority or body;
- the processing is carried out by an enterprise employing 250 persons or more, or
- the core activities of the controller or the processor “consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects”.
One will note that a group of undertakings may appoint a single CIL. The generalisation of the CIL role shall make it possible to increase the awareness of public and private entities of personal data protection issues.
- Strengthening the national protection authorities’ powers to sanction
Article 79 of the proposal for a regulation provides that the national protection authorities shall have the power to impose a fine of up to 1 million euros or, in the case of an enterprise, up to 2 percent of its annual worldwide turnover.
The Drawbacks of the Proposal for a Regulation
The much-debated provisions of the regulation
- The “one-stop-shop” mechanism
Article 51.2 of the proposal for a regulation provides that “where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this regulation.”
As an example, it results from this mechanism that a German person, who is in dispute with the French website “Copains d’avant,” shall have to file a complaint with the CNIL and not with the German supervisory authority, as the main establishment of the website “Copains d’avant” is established in Paris.
Strong criticisms are being made in respect of this “one-stop-shop” mechanism.
First of all, the notion of main establishment is unclear, as Article 4.13 of the proposal for a regulation defines the main establishment as the place “where the main decisions as to the purposes, conditions and means of the processing of personal data are taken.”
Also, the CNIL sees in this new mechanism a “risk of a distance” between the citizens of a given country and their national supervisory authority, as the latter authority would then only play “the role of mailbox.” The CNIL also considers that this proposal would constitute “a real regression towards the citizens’ rights” and adds that it “would be paradoxical that the rights of citizens for data protection would finally be less protected than those he benefits of under consumption law which privileges a competence based on the place of residence of the consumer.” Besides, as the major Internet actors established in Europe seldom have their main establishment in France, the CNIL fears that numerous procedures would be beyond its control.
The Senate noted that the mechanism has multiple practical drawbacks, including: “a risk of disproportion between the means allocated to the supervisory authority in view of the disputes relating to its citizens, and the extent of the international disputes it may be led to deal with” and “an asymmetry, for the plaintiff, between the administrative claims submitted to the foreign authority and the legal actions taken against the data controller in front of the domestic court.” So, for the Senate, “it is illogical that a citizen be less well-treated than the undertaking, which is the data controller, as said citizen would be deprived from the possibility that all of his claims be investigated by the supervisory authority in his own country.”
Moreover, the National Assembly opposes the “main establishment” criterion, as, according to the National Assembly, said criterion would have “extremely damaging political and economic consequences for our country, and for the whole of the European territory.” The National Assembly also stresses that the mechanism shall encourage “forum shopping” practices and will encourage undertakings to establish themselves in Member States in which data protection authorities have a more “supple” approach (mainly Anglo-Saxon and Nordic countries).
- Modalities for exercising one’s right to be forgotten
For the right to be forgotten to be effective, the obligations imposed on search engines would have to be reinforced, as search engines are the main access route when looking for personal data on the Internet.
In particular, the regulation should include an obligation for search engines to “dereference,” i.e., an affirmative obligation to automatically delete the indexed contents within a maximum period of time, which remains to be set.
- Framing the investigative powers of the supervisory authorities
Framing the investigative powers of the supervisory authorities, as provided in Article 53.2 of the proposal for a regulation, would be too restrictive. This would notably be the case of the requirement to have “reasonable grounds” for presuming that an activity in violation of the regulation is being carried out by a data controller before an investigation may be started.
One will indeed note that, as the prior formalities data controllers had to comply with have been abolished, said investigations are now the main source of information for supervisory authorities when identifying whether possible breaches of personal data law have been committed by data controllers.
- A great concentration of powers in the hands of the European Commission
Both the Senate and the National Assembly regret that powers shall be considerably concentrated into the hands of the European Commission, to the detriment of national data protection authorities, both in relation to the development of personal data protection guidelines and to the definition of modalities for applying the new provisions.
- Framing international transfers of data
The Senate, the National Assembly, and the G29 consider that the scope of the exceptions to the rules governing transfers of data is too wide, notably as regards transfers that are neither frequent nor massive. The scope of said exceptions can be found in Article 44 of the proposal for a regulation.
- The principle of a full harmonisation at EU level (as the instrument is a regulation and not a directive)
This principle shall result in the Member States being deprived of the possibility to adopt domestic laws that would better protect the rights of data subjects.
Joint reflection, notably with all of the Members of the European Parliament, needs to continue in order to improve and enrich the regulation before it is finally adopted. The final adoption of the regulation would probably take place in the second quarter of 2013.
As emphasised by the National Assembly, the European Union is currently at a turning point in its policy on the protection of the privacy of European citizens, and it has to fully show its ability to modernise the Community legal framework while preserving its tradition of guaranteeing a high level of protection to European citizens.
Once the regulation is adopted, undertakings shall only be given two years to ensure compliance with it. In the event of a breach of their new obligations, they may be fined up to 1 million euros or 2 percent of their annual worldwide turnover.
Gaëtan Cordier is a partner in the Eversheds Paris office in charge of the IT & Privacy Practice. His practice covers both litigation and transactional IT and privacy matters for all the major IT and privacy disciplines, such as IT/e-commerce, data protection and privacy issues as well as IT outsourcing and software licensing.
Adeline Jobard is an associate in the Eversheds Paris office who specializes in IT & privacy law. She advises both French and international clients in the areas of information technology, Internet and data protection law.