At the heart of Europe’s competitiveness, and its biggest economic strength, is the Single Market. Nowadays, with ever-innovating technologies and services in the IT sector, there is an urgent need to adapt and innovate the Single Market, rendering it a Digital Single Market. The European Parliament, indeed, believes that this market must be kept at the heart of the EU’s efforts to achieve results on the objectives of job creation, growth and investment. To achieve this goal, it is imperative for the EU to change its legislative framework, which needs to adjust rapidly to market developments. Moreover, there is a need to review existing competition law instruments in order to determine whether they meet the demands of the digital age.
A sector that urgently needs to be reformed is surely the one concerning data protection principles. This sector is still “ruled” by the EU’s data protection Directive adopted in 1995, when the Internet was in its infancy and most or all Internet household names did not exist. Aware of this problem, the EU Commission proposed a General Data Protection Regulation in January 2012, in order to adjust rapidly to market developments and increasing digitalisation. 2015 should be the year in which the negotiations on the EU’s proposed General Data Protection Regulation finally come to an end but, instead of agreeing a data protection framework fully fit for this year, the Council is probably about to agree that the key principles of the law should remain as they were in 1995. Indeed, the Commission’s proposal suggested only some fairly modest changes to the data protection principles compared with the current data protection Directive. The European Parliament, by contrast, would like to go further than the Commission.
What will the new General Data Protection Regulation contain?
The basic principles of data protection as proposed and (nearly) agreed by the EU institutions are similar to those of the current Directive: fair and lawful processing; purpose limitation; data minimisation; accuracy; and storage minimisation. The changes would concern: the addition of ‘transparency’; some express protection for archiving or other scientific purposes; and the insertion of data security (by both the EP and the Council). Taking a closer look at the different institutions, we note that their proposed and/or expected versions of the Regulation differ somewhat:
As for the Council, its likely version of the future Regulation is expected to differ from the current Regulation only by adding new principles of transparency and security; a new definition of consent; a largely cosmetic clause on children’s consent, since it refers back to national law (the Commission proposal, agreed by the EP, defines a child as anyone under 18, but the Council has not agreed this definition yet); and a small extension of the list of sensitive data, coupled with a bigger list of exceptions to the prohibition on processing that data. There are also many protections for research-related activities in the Council’s version of the text: the end is clearly not as nigh for research as many advocates of it have been predicting.
The Parliament, for its part, would: add a new principle of effective exercise of rights; adjust the balance of interests between the data subject and the data controller; limit incompatible further processing; curtail questionable contract terms; strengthen children’s rights; and widen the scope of the concept of sensitive data. The EP also suggests that, in the field of data protection, it is necessary to list the effective protection of rights as one of the principles in order to build procedural rights into the system (the so-called ‘privacy by design’). An example would be a social network that makes it easy to complain that a user’s privacy has been violated.
Sticking points:
- The institutions differ greatly on what happens if the purpose of data processing is changed. On the one hand, the Commission proposes that changing the purpose should be acceptable on any of the grounds for the initial processing of the data, except for the legitimate interest of the controller. On the other hand, the Council suggests allowing a change of purpose for any of the grounds for the initial processing, including the legitimate interests of the controller; while the EP does not want to provide expressly for any incompatible processing at all.
- The definition of consent will be one of the most significant changes in the new rules. On this matter, all the institutions agree that the data controller would have to prove consent. The sticking points concern the Council’s proposal to add some useful rules requiring the data controller to use plain language, while the EP instead prefers to specify that the relevant contractual terms would be void. Moreover, the Commission wants a new clause that would reject the possibility of consent if there is a ‘significant imbalance’ between the data subject and the data controller, while the EP wants to disapply contract terms which are unnecessary for supplying services.
- Another significant change will be the existence of a specific rule on children, even though the institutional positions on this matter still differ. The Commission proposes that information society services must get the consent of the parents of children under age 13, while the Council’s version, if agreed, will instead refer to national laws on contract, removing the reference to a particular age. The EP, for its part, would broaden the scope of the clause to refer to all supply of goods and services, and would also add a clause concerning ‘plain language’.
- The proposed Regulation keeps largely intact the prohibition on processing so-called sensitive personal data, namely data on racial origin, political opinions, religious beliefs, trade union membership and health or sex life. On this issue, all institutions agree to add ‘genetic data’ to this list. In addition, the EP and the Commission also want to add criminal convictions to the list, while the Council instead wants to retain the current separate rule on this type of data. Furthermore, it seems that the EP wants to add sexual orientation, gender identity and biometric data to the list.
As outlined above, the main differences between the EP and the Council concern the balance between corporate interests and individual privacy rights: it seems that companies have successfully lobbied the Council to make no significant changes, while privacy NGOs have convinced the EP to argue for modest improvements in individual rights. Finally, it is important to stress that, despite all the fuss made over the proposed legislation, the Council’s changes would amount to just a marginal change in the rules. The forthcoming negotiations on the basic principles of data protection and on supervisory authorities, including the idea of a ‘one-stop shop’ for data protection, will determine whether the new rules will be genuinely different or another case of all talk and no walk.
Patrick Zingerle
To find out more:
- Directive 95/46/EC:
EN: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
FR: http://eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=CELEX:31995L0046&from=en
- Proposal on General Data Protection Regulation: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
- EP position: http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%207427%202014%20REV%201