Category: Data Protection (page 2 of 2)

About the last meeting of the Council of the EU on JHA

The European Council

The Council of the EU

On 4 and 5 December, the Council of the European Union held its 3354th meeting on Justice and Home Affairs.

A partial general approach on specific aspects of the draft regulation setting out a general EU framework for data protection was reached, on a “nothing is agreed until everything is agreed” basis, namely regarding provisions related to the public sector and specific data processing situations.

Moreover, the proposal presented by the Italian Presidency on the ‘one stop shop’ mechanism was discussed and a “majority of ministers endorsed the general architecture of the proposal and the Presidency concluded that further technical work will need to be done in the coming months”.

Regarding the EU PNR Directive, the European Parliament is expected to adopt its position as soon as possible so that negotiations with the Council can start.

In addition, the Council was updated on the state of play concerning the Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, and free movement of such data.

You can find the press release here and the compromise proposals agreed on here.

The ‘One Stop Shop’ mechanism reloaded

Get all your data protection matters handled here!


The ‘one stop shop’ mechanism is one of the most heralded and yet most controversial features of the General Data Protection Regulation, the draft of which is currently being negotiated within the Council of the European Union.

According to the most recent proposal of the Italian Presidency of the Council of the European Union, where the data protection compliance of businesses operating across several EU Member States is in question, or where individuals in different EU Member States are affected by a personal data processing operation, the mechanism would allow businesses to deal only with the Data Protection Authority (DPA) of the country where they are established.

Cases of pure national relevance, where the specific processing is solely carried out in a single Member State or only involves data subjects in that single Member State would not be covered by the model. In such circumstances, the local DPA would investigate and decide on its own without having to engage with other DPAs.

These are, however, deemed to be the exception, as the mechanism aims for better cooperation among the DPAs of the different EU Member States concerned by a specific matter.

Therefore, in cross-border cases, the competence of the DPA of the EU Member State of the main establishment does not lead to the exclusion of the intervention of all the other supervisory authorities concerned by the matter. In fact, while the supervisory authority of the Member State where the company is established will take the lead of the process which will ensue, the other authorities would be able to follow, cooperate and intervene in all the phases of the decision-making process.

In this context, if no consensus is reached among the several authorities involved, the European Data Protection Body (hereafter EDPB) will decide on the binding measures to be implemented by the controller or processor concerned in all of their establishments set up in the EU. Similarly, the EDPB will have legally binding powers in case of failure to reach an agreement over which authority should take the lead.

Businesses operating across multiple jurisdictions in the EU, which handle vast amounts of personal data, would benefit greatly from this ‘one stop shop’ concept, which would reduce the number of regulators investigating the same cases. Indeed, as things stand presently, a company with operations in more than one EU Member State has to deal with 28 different data protection laws and regulators, which unavoidably leads to a lack of harmonization and legal uncertainty.

The Article 29 Working Party has already expressed its support for a ‘one stop shop’ mechanism under the proposed EU General Data Protection Regulation.

However, in the past, Member States have expressed numerous reservations regarding this mechanism. Among the main concerns expressed were the following: businesses would be able to ‘forum shop’ in order to ensure that their preferred DPA leads the process; a DPA would not be able to take enforcement action in another jurisdiction; individuals’ rights to an effective remedy under EU laws would not be appropriately recognised; authorities without the lead position would not be able to influence processes related to data protection breaches involving nationals of their Member States.

As the way the ‘one stop shop’ mechanism would be implemented in practice is one of the main obstacles preventing the Member States from reaching an agreement on the wording of a new EU General Data Protection Regulation, let’s hope that the solution proposed by the Italian Presidency of the Council of the European Union comes closer to a suitable accommodation of the various concerns expressed by Member States.

The ‘risk-based’ approach to Data Protection, too risky for SMEs?

Balance is hard, very hard.


For those businesses which collect, process and exploit personal data, the draft of Chapter IV of the forthcoming EU General Data Protection Regulation is particularly relevant as it foresees the possible future compliance obligations of data controllers and data processors.

Considering the latest position of the Council of the European Union regarding this chapter, a ‘risk-based’ approach to compliance is a core element of the accountability principle itself. [1]

In fact, the Article 29 Working Party [2] recently issued a statement supporting a ‘risk-based’ approach in the EU data protection legal framework.

But what is meant by the concept of a ‘risk-based’ approach?

It mainly refers to the consideration of any potential adverse effects associated with the processing and implies different levels of accountability obligations of data controllers, depending on the risks involved within each specific processing activity. It is therefore quite different from the ‘one size fits all’ approach, as initially proposed by the European Commission.

In this context, the respect and protection of the data subjects’ rights (for instance, right of access, of objection, of rectification, of erasure, and rights to transparency, to data portability and to be forgotten) shall be granted throughout the data processing activities, regardless of the level of risk involved in these activities.

However, principles such as legitimacy, transparency, data minimization, data accuracy, purpose limitation and data integrity, and the compliance obligations incumbent upon controllers, shall be proportionate to the nature, scope, context and purposes of the processing.

This ‘risk-based’ approach is developed throughout Chapter IV, namely regarding provisions related to the data protection by design principle [3], the obligation for documentation [4], the obligation of security [5], the obligation to carry out an impact assessment [6], and the use of certification and codes of conduct [7].

These accountability obligations, in each phase of the processing, will vary according to the type of processing and the risks to privacy and to other rights and freedoms of individuals.

In this context, the proportionality exercise will have an effect on the requirements of privacy by design [8], which consists of assessing the potential risks of the data processing and implementing suitable privacy and data protection tools and measures in order to address that risk before initiating these activities.

Besides, the introduction of the ‘risk-based’ approach is also likely to be relevant in respect of controllers not established in the EU, as they most surely won’t be required to designate a representative in the EU, regarding occasional processing activities which are unlikely to result in a risk for the rights and freedoms of individuals [9].

Moreover, a ‘risk-based’ approach will be implemented as well regarding the security of the processing, as technical and organisational measures, adequate to the likelihood and severity of the risk for the rights and freedoms of individuals, shall be adopted [10].

In parallel, it has been foreseen that the obligation to report data breaches is restricted to breaches which are likely to result in a high risk for the rights and freedoms of individuals. In this context, if the compromised data is encrypted, for instance, the data controller won’t be required to report a verified breach. [11]

The weighing assessment is expected to be also relevant regarding the data protection impact assessment [12] required for the processing activities that will likely result in a ‘high risk’ to the rights and freedoms of individuals, such as discrimination, identity theft, fraud or financial loss.

Another important requirement is the consultation of a Data Protection Authority prior to the processing of personal data when the impact assessment indicates that the processing would result in a high degree of risk in the absence of measures to be taken by the controller to mitigate the risk. [13]

Of course “nothing is agreed until everything is agreed” and this chapter will be subjected to further revisions. There is, indeed, a vast room for improvement.

For instance, it is questionable if a ‘risk-based’ approach does make data protection standards stronger, considering the inadequacy of the risk assessment methodology regarding fundamental rights.

In parallel, the definition of ‘high risk’ is still too broad, including almost all businesses which are operating online. Similarly, the impact assessment process presents itself as complex, burdensome and costly. At the current state of play, small businesses and start-ups are most likely to be negatively affected by the administrative and financial burden that some of the abovementioned provisions will entail. This is quite ironic, considering that it was precisely that concern that is at the core of the understanding according to which SMEs should be exempted from the obligation to assign a Data Protection Officer.

However, it is important for businesses to try to anticipate how the compliance requirements will be set in the future in order to be prepared for their implementation.

We will see in due time how onerous the regime will be. Whilst we do not know the exact content of the text that will eventually be adopted, it is evident now that substantive accountability obligations will be imposed upon businesses handling personal data.

References

1. See article 22 of the Council’s document.
2. The Article 29 Working Party gathers a representative of the supervisory authority designated by each EU Member State; a representative of the authority established for the EU institutions and bodies; and a representative of the European Commission.
3. See article 23.
4. See article 28.
5. See article 30.
6. See article 33.
7. See articles 38 and 39.
8. See article 23.
9. See article 25.
10. See article 30.
11. See article 31 and 32.
12. See article 33.
13. See article 34.

The Google Affair – Crossing the Border

You will cross the border. Just saying.


Today I am referring again to the famous Google Spain judgement, better known for ruling on what the press has been popularly calling the ‘right to be forgotten’. The amount and the complexity of the questions raised in that decision enabled me to address all of them in the previous posts (here, here, here, and here)… And as I like to honour my promises, I will not promise that this will be the last post regarding that matter.

So, although the worldwide attention has been focusing on the fact that individuals may directly address, to search engines, requests for deletion of links from search results, the ruling also dealt with a key topic that seems to have been undervalued, even though it is equally important for businesses.

I am specifically referring to the territorial scope of Directive 95/46 [1], i.e., whether or not it applies to Google Spain, a subsidiary of Google Inc., given that the parent company is based in Silicon Valley.

In order to fall within the territorial scope of the national provisions implementing the above-mentioned Directive, the data processing must notably be carried out in the context of the activities of an establishment of the data controller on the territory of the Member State, as stated in its article 4(1)(a).

As foreseen in its recitals, “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements” and “the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor”. [2]

In this regard, the main relevant facts that the ECJ took into consideration were that the Google search engine is operated by Google Inc. outside of the EU and that it has a subsidiary on Spanish territory which sells advertising connected to the Internet-related activities of Google Inc.

In parallel, the ECJ rejected the argument according to which Google does not carry out its processing of personal data activities in Spain and that Google Spain is a mere commercial representative for its advertising actions. Instead, the ECJ noted that, pursuant to recital 19 of the Directive, an establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements. [3]

Moreover, it held that Google Spain engages in such activity and, as a subsidiary of Google Inc., with its own legal personality, constitutes an establishment. [4]

According to the ECJ, Article 4(1)(a) of the directive does not require the processing of personal data to be conducted by the subsidiary itself, but only that it be carried out ‘in the context of the activities’ of the subsidiary. [5] That would be the case, for instance, if the subsidiary promotes and sells advertising space offered by the parent company which serves to make the service offered by that engine profitable. [6] Since the advertisements are displayed next to search results and finance the website, both activities are inextricably linked. [7]

Furthermore, the court considered that the very display of personal data on a search results page constitutes processing of such data. As results are displayed, on the same page, with advertising linked to the search terms, the Court concluded that the processing of personal data is carried out in the context of the commercial and advertising activities of the controller’s establishment on the territory of a Member State. [8]

For all these reasons, the ECJ concluded that the processing of personal data in the context of the activities of a subsidiary of the controller established in an EU Member State, which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State, does fall within the territorial scope of application of the Directive. [9]

Last but not least, the Court noted that, in light of the objectives of the Directive, the rules on its scope ‘cannot be interpreted restrictively’, and that it had ‘a particularly broad territorial scope’.

I must confess that I wasn’t particularly surprised by the conclusion that the Directive is applicable to companies based outside the EU, as long as they conduct a noteworthy local activity that has some link to the Internet activities of the parent body.

In fact, notwithstanding the divergence of viewpoints regarding the ‘right to be forgotten’ issue, the ECJ broadly confirmed the Advocate General’s opinion regarding jurisdiction.

The Advocate General had previously established the scope of application of the Directive, pointing out the very nature of the business model of search engines, and the inextricable link between Google Inc. and its subsidiary. Thus, the consideration according to which a controller should be treated as a single economic unit would lead to the conclusion that a controller is established in a Member State if the subsidiary which generates its revenues is established in that Member State. In this context, it was also disregarded that the technical data processing operations were conducted outside the EU. [10]

As a result, the ruling has broadened the territorial scope of the Directive. Not referring specifically to search engines, it applies to every data processing “in the context of the activities of an establishment”. Hence, it means that businesses with operations in the EU might generally be subjected to EU Data Protection rules.

The concept of establishment may therefore include non-EU businesses which have branches set up in a Member State. This is particularly relevant as it might affect foreign companies simply by virtue of having local sales subsidiaries in the EU. Moreover, it might potentially extend to every business that has a stable presence in the EU market, even if it has no European representation.

This is in line with the wider reach of the territorial scope of the forthcoming General Data Protection Regulation, which is intended to be applicable not only to businesses established in the EU. The Regulation will, in fact, introduce some key changes to the existing legal framework.

Firstly, while the current Directive applies to the data processing conducted by an establishment of a data controller in the EU, the new legislation will cover as well the personal data processing in the context of the activities of an establishment of a controller or a processor established in the Union.

In addition, the Regulation will also be applicable to the processing of personal data of individuals residing in the EU, by data controllers who are not established in the EU, when the processing activities are related to the offering of goods and services to data subjects in the EU or the monitoring of their behaviour (profiling), as far as their behaviour takes place within the EU.

If implemented, the proposed changes will bring all foreign companies who process EU citizens’ data, many of which have kept their data processing abroad to avoid being subjected to the current Data Protection Directive, within the scope of EU law.

As a consequence, non-EU based businesses will have to reconsider their arrangements for subsidiaries to ensure full compliance with EU Data Protection requirements.

References

1. Directive 95/46/EC of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
2. Recital 19 of the Directive
3. Paragraph 48 of the ruling
4. Paragraph 49 of the ruling
5. Paragraph 52 of the ruling
6. Paragraph 55 of the ruling
7. Paragraph 56 of the ruling
8. Paragraph 57 of the ruling
9. Paragraph 60 of the ruling
10. Paragraphs 64, 65, 66 and 67 of the opinion

♫ I just call to say…la la la ♪: The unromantic side of telemarketing

Not another one! [1]

Missed anonymous calls that leave you wondering who it may have been… Calls from unknown numbers at the most inconvenient moment… Wasting money in returning the call… The displeasure of discovering, mainly if we were expecting a specific important call, that it is only a marketing communication… The frustration of spending long and precious minutes repeating that we are not interested in whatever product the interlocutor is trying to sell…

It most certainly sounds familiar…

From my personal experience I can cite quite a few examples of unsolicited marketing, some of which actually could have been qualified as marketing harassment. Not the best publicity, if you ask me…

From evening calls, to anytime calls, from participating in a raffle only to be attacked by unwanted marketing initiatives, from registering in an online shopping website only to be contacted by financial institutions intending to sell you some credit card, from ordering a body lotion only to start receiving advertising of completely unrelated products…

I am specifically referring to business-to-consumer (B2C) advertising and marketing, through all the channels technologically available to promote companies’ commercial campaigns of products and services among individual buyers.

However, telemarketing is, in my very personal opinion, among the most annoying direct marketing initiatives. It gets worse when calls are repetitive, insistent, and even aggressive, as many of them usually are.

Worse than that? Well, I can easily point out having a salesperson ringing your doorbell right before or, even worse, during dinner time…

If the assumption that consumers’ purchases are usually based on personal emotions is correct, despite not being a marketing genius myself, I am pretty sure that bothering potential clients is never (ever!) the way to go when it comes to attracting consumers. As a matter of fact, I am certain that it can actually lead to the opposite effect. So, if you own a business and somehow your marketing campaign is not working, you might want to check this criterion.

Nevertheless, it is astonishing how abusive and unlawful marketing initiatives frequently are. The number of businesses that seem to be completely unaware of their responsibilities as data controllers never ceases to amaze me. I always fail to understand if they actually ignore their duties or if they just pretend so in order to take advantage of the data subject’s most likely ingenuousness on the matter.

Legal requirements, such as those foreseen in the E-Privacy Directive, i.e., the Directive on privacy and electronic communications, and Directive 95/46, which is applicable as direct marketing requires personal data processing, are not suitably taken into consideration. It is as if some companies do not acknowledge that individuals have any rights over their personal data, including the absolute right to object to their personal data being used for marketing purposes.

However, while it is merely an inconvenience for me, as I know which reasoning I shall refer to and which means are required in order to cease any further annoyance quickly, not everybody does. Sometimes it takes people months before being able to definitively get rid of any undesirable contact.

The very basic requirement that is applicable to direct marketing – the prior consent of the data subject – seems to be easily overlooked, as many companies sell or share data from customers without their authorisation. Most of the time, individuals do not even fully appreciate that they are giving their consent or what they are consenting to, or are not even given the possibility to refuse such use of their personal data.

This is particularly worrying considering all the changes which are on the way. If businesses keep ignoring or refusing to acknowledge the requirements they are obliged to comply with, they will commit the offences and suffer the sanctions which most likely will be foreseen, for instance, in the future EU General Regulation on Data Protection.

I already had the opportunity to address some of those forthcoming changes here. However, these are particularly restrictive regarding marketing initiatives.

All forms of marketing communications, including telemarketing and direct mail, will be subjected to the individual’s consent. Indeed, the current ‘opt-out’ checkboxes system will be replaced by an ‘opt in’ permission method. This means that any communication which hasn’t been the object of a previous, free, explicit and informed consent of the data subject will therefore be forbidden.

The criterion of explicit consent requires a clear statement or an affirmative action. In this context, companies collecting information will have to ensure that the data subject is well aware of the specific purposes of the data collection, namely for marketing purposes.

In parallel, the data subject would be able to access the data collected without being charged any fee. Moreover, if a data subject decides to opt out of marketing communications, marketers will have to delete any records they hold, if requested. Marketers won’t be able to retain, in that case, any detail, unless they can show legitimate grounds for retaining the data.

As a direct result, if companies cannot demonstrate that consent has been previously explicitly given for marketing purposes, they will have to delete the data. Databases and contact lists will most certainly be severely reduced.

The forthcoming changes will obviously make the conducting of marketing campaigns more difficult and, consequently, will require a shift in the marketing strategies in order to be compliant with the law.

As a consumer, I am always in favour of legislation which protects individuals regarding ambiguities related to the use of their personal information.

As a lawyer, I can only provide timely and relevant information that will help my clients to comply with the law while (hopefully) simultaneously making a profit for their company.

The unpleasant side of non-compliance with the rules on direct marketing does not limit itself to bad publicity or reputation. Fines, legal action and financial damages also have strikingly negative effects on businesses. For this reason, companies should start preparing for the forthcoming changes in advance in order to avoid any surprises, save time and money and make the most out of a new situation.

References

1. Copyright by methodshop .com under the Creative Commons Licence – Attribution-ShareAlike 2.0 Generic.

The match of the year: Right to be Forgotten vs Right to know

Round 1, Fight!


As it is well-known, the ‘right to be forgotten’ ruling extended the possibilities foreseen under the current EU Data Protection Directive for data subjects to exercise their rights to erasure of data and to object to personal data processing with regard to search engine services providers, which were deemed as controllers.

Therefore, facing a deletion request, search engines will have to decide on the balance of the rights at stake, namely freedom of expression and right to privacy, weighing up whether it is in the public interest for the information indexed in its search results to remain.

From the very beginning, public opinion was stirred by both enthusiasm and concern. The main question was: how would the decision be enforced? Isn’t the removal of links to legal and accurate information damaging for freedom of speech and the right of access to information? The debate was mostly vivacious between free speech advocates and privacy campaigners and hasn’t faded away with the course of time. The former insist that it will lead to a whitewashing of the past, whereas the latter maintain that it will enable individuals to limit the visibility of some personal information.

Google, despite affirming that the enforcement of the ruling could hamper free speech, warning of potential abuse by those seeking the deletion of important information and complaining that the ruling’s requirements for conformity were vague and subjective, started dealing (efficiently?) with the astonishing number of requests for suppression of links received, rejecting some and admitting others.

In fact, Google says it has received approximately 143,000 requests, related to 491,000 links, to take down links in the last five months, involving everything from serious criminal records to embarrassing photos and negative press stories. Considering the data revealed by Google itself, the company has refused about 30 per cent of demands and about 50 per cent were taken down. According to its online transparency report, Google has removed more links to content on Facebook from its search results than from any other site. In this regard, Reputation VIP — the company that provided Forget.me, the first “Right To Be Forgotten” Removal Service – outlined that, ironically, most requests do not refer to unflattering or inaccurate web pages written by third parties, but, instead, to content authored by the requestor.

Google even set up an advisory committee to handle the requests. This council is headed by the company’s executive chairman, Eric Schmidt, and chief legal officer, David Drummond, and includes academics, technologists, legal experts and a journalist.

Most recently, Google decided to launch a public debate regarding the balance to be achieved between a person’s right to be forgotten and the public’s right to information. To that end, it organized a grand tour of hearings across Europe and has been on the road for about a month now.

The good intentions beneath this initiative failed to convince everyone. For instance, Isabelle Falque-Pierrotin, who heads the Article 29 Working Party, which gathers all 28 EU national data protection authorities, didn’t hesitate to share her scepticism about the Google initiative, which she described as part of a “PR war”:

“Google is trying to set the terms of the debate. They want to be seen as being open and virtuous, but they handpicked the members of the council, will control who is in the audience, and what comes out of the meetings.”

Although I do not share such a pessimistic viewpoint of the initiative, I actually also have some doubts regarding the openness and transparency that is intended. Indeed, when the public debate was first announced, I expected that it would allow for a better understanding of Google’s current processes for dealing with requests. But, as far as I am aware, hearings have centred on abstract and rather philosophical discussions.

Considering the ongoing negotiations regarding the EU data protection reform, already well advanced, the question which should be asked is: how much could the ruling and Google’s efforts in fact influence the direction of the discussions?

According to the European Commission’s initial proposal, the right to be forgotten would be built on the right to erasure of personal data and the right to object to data processing operations, which already exist under the current Data Protection Directive. Therefore, the data subject could exercise the right against the original data controller when and if: the data is no longer necessary; consent is withdrawn or when the storage period has expired; the data subject objects to the processing on specified grounds; or the processing is no longer valid on some other ground. Freedom of expression was among the exemptions foreseen.

The European Parliament was quite favourable to this proposal, having voted its opinion  last spring. However, it ensured that the right could also be exercised directly against third parties and the possibility to exercise the right following an order by a court or regulatory authority.

The Council of the European Union had already discussed the issue before but decided to suspend the respective debates in order to wait for the CJEU’s ruling. However, negotiations regarding other issues of the reform kept going and Member States have even agreed on a partial general approach since then.

A subsequent statement issued by the Italian Presidency made clear that the provision concerning the right to erasure would take into account principles set out by the CJEU. Indeed, the revised version issued recently left no doubt about it.

I thought this utterly confusing, as it is for the Council of the European Union and for the European Parliament, as co-legislators, to make the law as it will stand in the future, and for the CJEU to interpret the law as it exists. To take into account the judicial interpretation of the law that we are about to replace for the definition of the upcoming legislation is, in my opinion, quite puzzling. The ruling should not dictate the content or drafting of the future Regulation.

Nevertheless, something has to be done regarding the enforcement of the ruling. As things stand at the moment, it has been up to Google to determine the balance between the conflicting interests at stake. The criteria as defined by the CJEU are undoubtedly insufficient.

And if the ruling is to be taken into account in the upcoming legislation at all, that legislation most certainly has to address the scope of the right to be forgotten, the grounds on which it can be exercised and the need to balance this right with the freedom of information, as the judgement itself doesn’t rigorously establish how it shall be applied in practice.

In this context, it must be noted that the regulation has a horizontal nature and, thus, is intended to be applied to all controllers, independently of their nature. Search engines are not the specific aim of the future legislation although, as controllers, they are covered by its scope.

Regarding the scope, one may wonder if the distinction made by the European Commission between personal data which have been initially disclosed or uploaded by the data subject and the personal data which have been disclosed by third-parties will be kept.

Moreover, as there seems to be no doubt that search engines – now considered as controllers – may receive deletion requests, it is important to clarify the position of providers of social media, such as Facebook, for instance, where it is possible to argue that the processing is based on consent or a contract.

As for the grounds on which the right can be exercised, I think it won’t be easy to determine who will be required to conduct the assessment in order to consider if the initially lawful processing of accurate data became unnecessary, inadequate, irrelevant or no longer relevant, or excessive in the light of the purposes for which they were collected or processed and of the time that has elapsed. Who is better suited for that role: search engines or the first controller?

In this context, one cannot assume that, if the initial processing is lawful, the second processing is also legal. There might be cases where the two reach different outcomes as to lawfulness. What then?

Furthermore, should requests for deletion be addressed directly to the controller? Should they be addressed, instead, to the supervisory authority? Or to the competent courts? And if so, which court would be the competent one?

In addition, should the data subject have the right to choose any of the controllers to exercise the right to be forgotten and erasure? I believe that, at least theoretically, it should be possible for the data subject to exercise the rights against the processing carried out by the search engine before, after or independently from exercising the same or other rights against the original controller. But one should bear in mind that it is quite unrealistic to ask operators of search engines to track information and replication of data across the web.

As we can see, many questions are yet to find their answers.

The most popular is:

How will the right to the protection of personal data be fairly articulated with the right to freedom of expression?

Understandably, certain Member States have shown legitimate concerns regarding the freedom of expression and the interest of the public at large to have access to information, which may end up being underweighted in the balancing process. So the debates are currently ongoing.

One of the big issues at stake is that, according to the spirit of the founding treaties, the reconciliation of the right to the protection of personal data and the freedom of expression should remain in Member States’ legislative power. This implies that the European co-legislative institutions, the Council of the European Union and the European Parliament, are not entitled to regulate this matter in detail. However, if it is up to Member States to reconcile the two potentially conflicting rights, neither harmonization nor a unified application of the law is ensured.

In this context, it will be important to delineate the concepts of ‘public interest’ and ‘public figure’, whose scope is not satisfactorily developed in data protection given the swiftly evolving digital era.

Moreover, it will be important to establish that bloggers and individuals generally expressing themselves online fall within the scope of the ‘freedom of expression’ exception, even if they are not professional journalists. After all, article 11 of the Charter of Fundamental Rights of the European Union establishes that everyone has the right to freedom of expression, including the freedom to hold opinions and to receive and impart information and ideas, establishing the freedom and pluralism of the media.

On another level, and as is well known, Google has been systematically alerting websites when it cuts links to their pages from results presented based on searches for a person’s name, which is in line with the European Commission’s proposal. But should search engines be barred from informing publishers, as Google has been doing, when articles have been delisted from search results? Are there cases where it would be appropriate to involve a publisher? Which ones?

These notifications are mostly problematic due to the possibility of republication, which could cause additional harm or distress for the data subject. And indeed, it often leads to a republication of a version which indicates what URLs are being removed from the search index.

In my opinion, it is preferable for the data subject that the search engine, as a second controller, contacts the controller which first published the information (preliminary controller), as, otherwise, it might not always be easy to establish the correct balance.

In parallel, Google has unilaterally restricted the deletion of internet links to European websites only, for instance Google.es, Google.de, Google.uk… Well, you get the idea… But shouldn’t the removal be global, considering the very nature of the Internet? Shouldn’t links be removed from all versions of Google, such as Google.com? This is particularly important considering that most European users of the search engine use local domains, rather than referring to google.com.

The Justice and Home Affairs Council gathered in Luxembourg, on the 10th of October, to discuss the regulation and directive. A partial general approach on chapter IV of the general data protection regulation, which deals with the obligations for data controllers and processors, was agreed. There is, nevertheless, still plenty to be agreed on, so one may wonder if the deadline established by the incoming European Commission President Jean-Claude Juncker for the end of negotiations – within six months of the commission starting work – will be enforceable.

Meanwhile, the Article 29 Working Party is preparing some guidelines which will set out a common record to deal with different types of appeals coming in from citizens. To that end, it has met with media and search engine companies, Google, Microsoft and Yahoo, to gather their views on how to strike a balance between the freedom of information and privacy. The guidelines are expected to be finalized by the end of November.

Considering the current state of play, let’s hope that some thorny questions will have been answered by then…

Data Protection Reform: Change is coming… slowly

EU Data Protection Reform is about to happen... eventually.

Although subject to the well-known saying ‘nothing is agreed until everything is agreed’, data protection reform is slowly taking shape and businesses should prepare themselves for what is coming, as activities which involve the processing of personal data will have to comply with the new data protection laws.

In June, the Council’s Justice and Home Affairs Committee reached an agreement on the rules concerning data transfers and on the territorial scope of the future new Regulation.

In the last meeting held in Luxembourg, earlier this month, Justice and Home Affairs Ministers reached a broader partial agreement regarding the wording of chapter IV of the draft General Data Protection Regulation, which includes new rules on personal data breach notifications that businesses operating in the European Union will have to comply with.

Therefore, in the light of the new approach, contractual freedom regarding the content of contracts will be restricted and the liability of processors regarding controllers over subcontracting activities will be further elaborated.

Additionally, pseudonymisation of personal data will be included as a technical and organisational measure to ensure an appropriate level of security.

In this context, businesses will have 72 hours to notify regulators as soon as they become aware that they have suffered a personal data breach that “may result in physical, material or moral damage” to individuals. This will include disparate situations such as loss of confidentiality of the data, damage to the data subject’s reputation and identity theft.

Moreover, although businesses will have to inform data subjects without undue delay in case of a data security breach which could severely affect their rights and freedoms, they will be exonerated from this obligation when appropriate technological protection measures have been implemented to protect access to the data, even if lost or stolen, namely through encryption.

Furthermore, the processing of personal data which is likely to represent a high risk for the rights and freedoms of individuals, such as health data or personal data which can be used for profiling, will require a data protection impact assessment to be carried out.

If businesses based outside the European Union process personal data of citizens of the European Union, they will have to appoint a representative based in the European Union, except if the processing is occasional and unlikely to result in a risk for their rights and freedoms.

Of course, negotiations with the European Parliament and the European Commission in order to finalize the instrument will only begin once a consensus on the whole draft has been reached within the Council.

If slowly is the best way to go further, we will get there… eventually.

© 2018 The Public Privacy
