Ten recommendations for the data reforms of the decade

11 September 2014

As the new Commission and Parliament, and Council of Ministers, roll up their sleeves for final work on the EU General Data Protection Regulation, Partner Ruth Boardman and Consultant Francis Aldhouse stand back and suggest ten ideas to improve data protection.

Current changes to the EU Parliament (‘the Parliament’) and the EU Commission (‘the Commission’) mean there is an immediate opportunity to find better ways of ensuring effective protection for personal data. The elections to the Parliament in May 2014 saw a dramatic rise in the Eurosceptic vote, although there is still a centre-right and centre-left group majority committed to the European project. This change will be reflected in the Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee.

Notwithstanding the first reading resolution of the Parliament, there will be opportunities for sceptics to delay the process and secure changes. Similarly, the Commission is to be reconstituted. There will be a new Justice Commissioner: Viviane Reding’s successor may be willing to reopen discussions in order to produce an effective and efficient legal instrument. Now is the moment to suggest better ways of doing things to the Commission, the Parliament and the Council. We have set out ten proposals which we believe would provide a better legal instrument: more effective, more flexible and more protective of individuals.

Proposals
First, the Regulation should establish a Europe-wide, effective dispute resolution mechanism for individuals. The current options, of pursuing complaints through the courts or via data protection authorities (which cannot award compensation), leave most individuals with no way of securing an effective remedy. An ombudsman approach, possibly along the lines of the Financial Ombudsman Service (FOS), would provide individual remedies, including compensation. An EU-wide system would resolve the problem for individuals of having to raise a complaint in another Member State and would reduce the risk of jurisdictional variation for organisations. Data protection authorities would be left to their regulatory role.

Second, there should be a better balance between data protection and other fundamental rights. The Commission’s text asserts that it is respectful of other fundamental rights. This is not apparent. The Parliament has made some attempt to strengthen the right to freedom of expression, but there is no express reference to other rights such as religious belief. Judicial and administrative bodies must often decide which fundamental right should prevail. The Regulation should expressly recognise this duty.

Third, the Regulation should be proportionate. Data protection is a fundamental right assured by Article 7 of the Treaty on the Functioning of the European Union (TFEU). The damage to individuals can range from the utterly trivial to the life-threatening. Both the precautionary steps to be taken by those processing personal data and the enforcement measures to be taken by data protection authorities ought to be equally varied to take account of this spectrum. This is commonly called a ‘risk-based approach’, but in the world of fundamental rights we should call it a respect for proportionality.

Fourth, the Regulation should be clear and principles-based. The current law leads to a focus on bureaucratic requirements and points of detail, which do little to improve substantive protection for personal data. In their bid to avoid differences in Member State approaches, the legislators have produced a hugely detailed and prescriptive text. This risks being both incomprehensible and entrenching current problems. It would be better to return to clear principles - the Regulation should restate traditional principles and individual rights (similar to those in the First Schedule to the Data Protection Act 1998 and Article 6 of the EU Data Protection Directive 95/46/EC, or the ‘DP Directive’). Other matters might be left in part to national implementation by means of a Directive - perhaps the existing Directive, suitably amended.

Fifth, a true one-stop shop should be established. The core aim of the original DP Directive was to ensure that services can be offered freely from one Member State to another: avoiding unnecessary country-specific requirements and variation is an important part of this. If an organisation is operating in multiple EU jurisdictions, it should be answerable to only one regulator - a true one-stop shop. Individuals, as in the case of consumer rights, could complain or sue in their own jurisdiction. An EU-wide ombudsman service (as stated in the first proposal) would also ensure effective and local assistance for individuals.

Sixth, there must be effective coordination of international matters with a central body which can be held to account. One of the most important elements of the Regulation is to coordinate the activities of the national data protection authorities. This will mean an enhanced role for the successor to the Article 29 Working Party, the European Data Protection Board (EDPB). The EDPB should follow the principles of better regulation. It should be transparent and accountable and should be able to be challenged. In cases where the EDPB is involved in enforcement action referred from a Member State, it will be acting in a role similar to a tribunal; it should also be subject to rules of natural justice - and organisations affected by its decisions should have a right to be heard.

Seventh, the rules for legitimate processing should be redrawn with the analogy of consumer protection in mind. A car manufacturer is not allowed to sell a supposedly roadworthy but in fact unsafe motor vehicle, even if it gave notice of the defects to the purchaser. We have also seen the consequences of mis-selling incomprehensible financial products. Similarly, consent is commonly an inappropriate model to authorise data processing, except as an additional element of personal control in particular cases. The principal bases for processing should be either the normal requirements of a business or the functions of a public authority.

Eighth, the increasingly irrelevant distinction between controllers and processors should be abolished: the duty to comply with the data protection principles should fall on whoever handles personal data, to the extent that they exercise any control over it.

Ninth, accountability is all the rage, but in the draft Regulation it merely imposes further duties on controllers. The new law should build on the proposals for codes of practice and seals, so that those processing personal data can obtain an audited certificate that they have taken what steps they can to ensure legal compliance. In return, they should receive a letter of comfort from their supervising authority, giving a presumption of legal compliance and an assurance of reduced sanctions if a breach were discovered.

Tenth, post-Snowden, there must be an appropriate balance between privacy and law enforcement needs. This should address overseas law enforcement and related requests, and require requests for data to be handled via international conventions. However, the balance between privacy and law enforcement within the EU must also be addressed through the draft Directive on Data Protection and Law Enforcement.

Keep existing principles
Our approach to developing these proposals has been that even if the data processing context has changed over the years, there is no reason to suppose that the original objectives of data protection law have altered - nor that the principles laid out in the early international instruments are no longer applicable.

The concerns of the 1970s were firstly to allay the anxieties of the public about the potential for misuse of computing power, and secondly to ensure that legislative protective measures did not prevent the beneficial exchange of information for both economic and social purposes. Although data protection in the EU is now enshrined as a fundamental right in Article 8 TFEU, the test of effectiveness of any data protection law ought still to be whether it satisfies those original two objectives.

Whilst one might rethink data protection law from fundamental principles, there seems to be no reason to discard the work of the founding fathers. Both principle and pragmatism counsel against such radicalism. First, the current DP Directive embodies longstanding principles relating to data quality to be found in the instruments from the late 1970s: Convention 108 and the Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines. Those principles have stood the test of time. Secondly, it is very difficult to model and predict the full consequences of policy initiatives. A gradual approach to reform is a useful control on the extent of unforeseen consequences.

This article originally appeared in Data Protection Law & Policy and has been republished with permission.