New challenges - old problems
Commission proposals on revising the 1995 Data Protection Directive
The Commission Communication: A comprehensive strategy on data protection in the European Union (pdf) is intended to be the first step in revising the 1995 Directive in the light of shortcomings in the implementation of the 1995 Directive and to meet "new challenges" emanating from new technologies (social networking and cloud computing). Following reactions to this Communication there will be an impact assessment and legislative proposals presented in 2011.
The Communication raises two general questions. Why is the EU negotiating an overall agreement with the USA on the exchange of personal data covering all crimes before the process of revising the 1995 Directive is completed? And why is the revision of the general EU data protection framework not being completed before considering exchanging PNR (Passenger Name Records) with third countries or an EU-PNR scheme?
The European Data Protection Supervisor (EDPS) commented:
"The global agenda should therefore concentrate first on the general EU data protection framework, then on the possible need for an EU PNR scheme, and finally on the conditions for exchanges with third countries, based on the updated EU framework." [19 October 2010]
Second, the Communication opens with the statement that the 1995 Directive:
"enshrines two of the oldest and equally important ambitions of the European integration process: the protection of fundamental rights and freedoms of individuals and in particular the fundamental right to data protection, on the one hand, and the achievement of the internal market - the free flow of personal data in this case - on the other." [emphasis added]
The juxtaposing as equal, and competing, principles of the right to data protection and fundamental freedoms on the one hand and the "free flow of personal data" on the other had a very different meaning in 1995. Back then the "free flow" of information was seen as enabling citizens in their daily activities in the internal market. That was before the introduction of the "principle of availability" (the gathering and exchanging of personal data by state agencies) and the "principle of interoperability" (allowing the, often automated, exchange of personal data between EU and national state law enforcement databases). In this context the "free flow" of personal data takes on a quite different meaning.
The question also needs to be asked: Who "owns" personal data - the individual or the multinational company/state agency? The answer to this question defines whose rights are being enforced.
The concept of the "protection" of personal data is effectively defined as an obligation on the part of the holder to keep it safe (eg: it should not be lost or stolen). This should not be confused with fundamental rights and freedoms of the individual - which is about the right of the individual to be informed about the data (or "intelligence") held on them (with the right of correction), how it has been "processed" (added to) and to whom it has been passed and why.
The Communication contains a number of positive proposals: strengthening the powers of national Data Protection Authorities, making access to personal data "free of charge" (para 2.1.3), the "right to be forgotten" (op cit), clarifying "informed consent" (para 2.1.5), and adding genetic data to protected sensitive data (para 2.1.6).
The right to be informed and the right of access
The Communication is not clear about what is to be done about the "right to be informed". The "right of access" (Article 12) is clear and presumes that the individual "requests" the information held on them. Article 10 sets out what information must be provided to the data subject, which is usually assumed to be covered by standard commercial templates (terms and conditions) to which the individual has to sign up in order to obtain a service.
However, Article 11 crucially covers: "Information where the data have not been obtained from the data subject" (eg obtained from third parties or added to through data-mining) and lays down that:
"Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information."
This information includes: "the categories of data concerned" and "the recipients or categories of recipients". The standard commercial templates seek to meet the obligation to "provide" this information by general statements, in one-off terms and conditions, by saying, for example, that data may be obtained from and given to credit rating agencies - and if this data is requested you are told it is "company confidential".
In the very different worlds of the 1990s and 2010s there should be an obligation to inform the data subject each and every time data not obtained from them has been added or disclosed. Not to do so renders meaningless the right of correction because the data subject has not been told and can have no idea what has happened to their data.
The state: law enforcement and security agencies
The Stockholm Programme set out the need to guarantee fundamental rights and data protection too but then said:
"It must also foresee and regulate the circumstances in which interference by public authorities with the exercise of these rights is justified" [emphasis added]
This Commission Communication does not confront the contradiction of extending a new general data protection framework to police and judicial cooperation while providing for "interference" with these rights.
Its criticism of the current Framework Decision (977/2008) on the exchange of personal data for law enforcement purposes between Member States is limited to saying that it does not cover data processing within Member States. But it fails to mention that the Framework Decision was roundly criticised by data protection authorities and civil society for giving wholly inadequate data protection - which was not surprising as it was drawn up by police and state officials deciding what rights to give people. See: Observatory on data protection in the EU: the protection of personal data in police and judicial matters
Equally, the Communication fails to take up the distinction between law enforcement "information" and "intelligence". The Framework Decision simply uses the term "information" to encompass hard data (ie: a conviction) and "intelligence" which may be "hard" (reliable and provable) or "soft" (unreliable and unconfirmed).
Source: A comprehensive strategy on data protection in the European Union (pdf)
© Statewatch ISSN 1756-851X. Personal usage as private individuals/"fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.