Protection of personal data: the slow progress of European legislative reform
By Gregory Voss
How likely is it that the reforms launched in 2012 by the European Union (EU), with the aim of ensuring a high level of personal data protection for the citizens of its 28 member states, will become applicable in 2017? It is possible, but the European Parliament, the Council of Ministers and the European Commission have yet to reach an agreement: informal three-way discussions are taking place.
Since June 2015, these three EU institutions have been jointly drafting a text for the General Data Protection Regulation (GDPR). There are still a few points on which the parliament and the council disagree, in particular with regard to obtaining an individual’s consent for the processing of personal data, the rights and responsibilities of those collecting data, and the amounts of fines for non-compliance.
A commission proposal for new legislation on personal data protection was made back in 2012. But the draft regulation, passed by the parliament on March 12, 2014, is now awaiting validation by the Council. These reforms will help protect European citizens and their personal data even with respect to international companies whose headquarters are outside the EU, but who nevertheless process data online. While the degree of personal data protection in Europe is generally quite high, the financial penalties are too low, in contrast to those enforced in the United States.
When the three EU bodies have agreed on the final draft text, it can then be adopted only after two consecutive readings of the same text by the parliament, whose members are directly elected by EU citizens and after approval by the council, which represents the governments of the 28 member states. Once adopted (most likely in 2016, though some were pushing for adoption at the end of 2015), the regulation will become applicable in the two years that follow.
This GDPR will harmonize European law and may deliver an additional benefit by triggering a broader process that leads to the standardization of international legislation on protection of personal data. Moreover, the reduction of the administrative burden arising from this single piece of legislation will enable savings of €2.3 billion per year, according to the Commission’s calculations.
The process may seem to be taking a long time, but it has to be borne in mind that it took five years to finalize the 1995 European directive on personal data protection. The GDPR is essentially at the three and a half-year mark, so there is still time for this.
The GDPR has been subject to intense lobbying efforts by the representatives of those who process data. While they may slow down the legislative process, these actors can play a legitimate role in informing legislators about the practical realities faced by the companies who collect data.
Following the Snowden revelations, efforts to reform the legislation have experienced numerous upheavals. In June 2013, Edward Snowden, a former CIA employee who was then working as a contractor for the National Security Agency (NSA), revealed that the US government had collected personal data concerning individuals living outside the US from nine of the biggest American technology companies, in particular under an electronic surveillance program known as PRISM. On October 21, 2013, the European Parliament proposed a text stipulating that the company responsible for data processing, or its subcontractor, would have to inform the data subject of any disclosure of their personal data to public authorities in the previous twelve months. This provision is clearly influenced by the PRISM case.
In general, revelations such as this one, relating to data protection, help stimulate the debate about privacy in Europe, even if they have weakened trust between the EU and the United States. On October 6, 2015, in a case brought by an Austrian citizen over the transfer of his data to the United States by the European subsidiary of Facebook (the Schrems case), the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Privacy Principles, which had been relied on to justify the transfer and which allow the US authorities to access the personal data of European citizens where US national security so requires. The CJEU’s decision followed the conclusions of the Advocate General and, according to Voss, “is a problem for more than 4,000 US and European companies that depend on the Safe Harbour Privacy Principles for the transfer of personal data to the United States.” It remains to be seen what actions the EU institutions and European and US companies will take following this decision.
On the other hand, even in the absence of a GDPR, the Google Privacy Policy case shows that EU member states already have the tools to oblige the operator of a search engine to respect privacy and personal data protection laws. In this vein, a number of cases have led the data protection authorities in Germany, Spain, France, Italy, the Netherlands and the United Kingdom to impose penalties on Google, including fines amounting to hundreds of thousands of euros. While these fines are small compared with Google’s annual turnover (€59 billion in 2014), they foreshadow the more severe, turnover-based penalties foreseen in the European legislative proposals.
In France, the Commission Nationale de l’Informatique et des Libertés (CNIL – the French data protection authority) disagrees with Google about de-listing following the Google Spain decision by the CJEU. Since the court recognized this right in 2014, a person may ask the operator of a search engine to remove, from the results returned for a search on their name, links that are inadequate, irrelevant or excessive in relation to the purposes of the processing. As a result, Google has received tens of thousands of requests from French citizens. It then proceeded to de-list results on its European search engine domains (.fr, .es, .co.uk, etc.). But it did not extend the de-listing to its other geographic domains or to google.com, which any user can search. In May 2015, the CNIL requested that Google proceed with de-listing on all of its domains. Google, however, argues that this decision infringes the public’s right to information and is, therefore, a form of censorship. A CNIL rapporteur (the official who manages the case) will no doubt be appointed to resolve this issue.
While the EU is working hard to hammer out a jointly-agreed regulation on protection of personal data, its member states, France among them, continue to strengthen their legislative arsenals. On September 26, 2015, the French government presented a draft bill on the subject of a “digital republic”, comprising some thirty articles on the confidentiality of electronic correspondence, portability of files and open access to public data, for public consultation. Public consultation on the development of this bill is an interesting approach, the effects of which deserve to be monitored.
This article, by Gregory Voss, draws on his articles “European Union Data Privacy Law Developments”, published in The Business Lawyer (Volume 70, Number 1, Winter 2014-2015); “Looking at European Union Data Protection Law Reform Through a Different Prism: the Proposed EU General Data Protection Regulation Two Years Later”, published in Journal of Internet Law (Volume 17, Number 9, March 2014); and “Privacy, E-Commerce and Data Security”, published in “The Year in Review”, an annual publication of the ABA Section of International Law (Spring 2014), co-authored with Katherine Woodock, Don Corbet, Chris Bollard, Jennifer L. Mozwecz, and João Luis Traça.
Practical applications
The effect of the GDPR on businesses will depend on the final text adopted by the EU. It is certain that greater accountability will be imposed on companies that manage personal data. Some companies will probably have to create data protection officer (DPO) posts, defined on a model similar to that of the “correspondant informatique et libertés” (CIL) in France. Companies specializing in conducting privacy impact assessments will also emerge. The author therefore advises business leaders to monitor developments in personal data protection legislation closely, so as to be able to comply with the new rules as soon as they come into force. He proposes raising employee awareness through training on data protection. Finally, companies will have to implement adequate procedures to comply with personal data protection legislation, including procedures that enable the data breach notifications the GDPR will require.
Methodology
To produce these articles about data-protection legislation, the author analysed many legal documents and “hundreds of pages of proposals, amendments and opinions”, especially those resulting from the work of WP29 (the Article 29 Working Party), the independent EU advisory body on the protection of personal data. In his articles, he puts the European institutions’ proposals to adopt a GDPR into perspective and offers practical advice for businesses. He has also examined the evolving positions of the various European bodies, namely the European Commission, Parliament and Council, and has studied the reactions of legislators to Edward Snowden’s revelations on electronic surveillance.