Published: Tue, 28 January 2014
Process of Data Privacy reform at EU level
Ladies and Gentlemen,
It is my honour to speak this morning to the National Data Protection Conference. I would like to pay tribute to the Irish Computer Society for putting on such a well-organised, high-level event. Today of course is Data Protection Day, so it is extremely timely that we are having a discussion on an issue that has risen to the top of the global agenda in the past 8 months.
I am centrally involved in the process at EU level to reform data privacy law, so it is in this capacity that I address you this morning. I sit on the European Parliament’s influential Industry, Research and Energy committee. In the spring of 2012, I was nominated by the committee to draft the report on the Commission’s proposal for a General Data Protection Regulation.
As many of you will know, EU law-making is a lengthy, complex and multi-faceted process, so this was to be the first step on a long journey on the road to crafting a regulation that will affect the lives of each and every one of the 508 million citizens of the European Union. In that sense, it was a huge honour and a daunting challenge to be nominated to take on this job of work.
The role of the Parliament in the drafting of a Regulation is to examine, scrutinise, propose and vote on amendments to the Commission’s original proposal. As the Parliament is divided into over 20 separate committees, in most instances 2 or 3 committees will be given the task of looking at areas which particularly affect their competence.
In this regard, I was asked to look at the proposal from an industry, research and SME point of view. The Civil Liberties committee was tasked with the overall lead, and German Green MEP Jan Albrecht was appointed to draft the committee report which would serve as the Parliament’s negotiating mandate. It was to be the start of a long, intense and productive working relationship with Jan, culminating in a broad compromise agreement in October of last year.
In the intricate world of EU law-making, procedure is both very important and very complex, so it is important to understand this point if we are to get a greater insight into EU data protection reform.
The Commission has the monopoly of initiative of new laws at EU level. So it was in this light that the choice of legal instrument was closely watched and eagerly anticipated prior to the Commission’s issuing of the proposal in January 2012. In the end, the Commission opted to go for a Regulation to cover the private sector – the so-called GDPR – and a Directive to cover the public sector.
The choice of a Regulation for the private sector was an ambitious and laudable move by Commissioner Reding and answered calls made by the European Parliament on the one hand and by industry and NGOs on the other to choose such an instrument. The reason for this is that a Regulation has direct and immediate effect on all the citizens of the EU and is evenly applied across the 28 member states. By contrast, a Directive is implemented in 28 separate procedures at member state level, over a number of years, and leaves further scope for member states to tailor it to their own needs, or to weaken it for that matter!
The reason Parliament was calling on the Commission to issue a draft Regulation was two-fold. Firstly, citizens’ rights to data protection differed from country to country, so that there was often a mismatch between protections given in one member state over another. Secondly, and equally importantly, in an internal market of 508 million citizens, it was important for business to be able to trade and offer services on an equal footing and not have to face 28 different regimes and the resultant red tape. It thus posed a win-win scenario for citizens and business.
As an aside, some member states, most notably the UK, are pushing to water it down to a Directive. This position is hard to understand in light of the fact that a service-dominated economy such as the UK’s stands to benefit enormously from cutting trade-hindering duplication and red tape.
Regarding the choice of a Directive for the public sector, it was felt that differing national traditions in relation to police, judicial and state security matters called for a more nuanced approach.
The Commission’s proposal was then sent to the Parliament and also to the Council of Ministers, which would hold separate, parallel discussions on the draft law.
Whereas the “EU” or “Brussels” appears as one monolithic institution from outside, it is in fact a plethora of differing institutions with different prerogatives and priorities, and this applies internally to these institutions also.
For instance, whereas the Parliament represents the directly elected will of the European people, the Council represents the will of the different governments of the member states. Therefore the Parliament tends to take a more ideological, integrationist line on the big debates, whereas the Council seeks to defend member state prerogatives and is often held up by disagreements between the larger member states.
The Commission, as the executive arm, stands as proposer and also as broker between the Parliament and Council of Ministers when it comes to reaching a final agreement, in the so-called “Co-decision” or ordinary legislative procedure.
Internally to the Parliament, as mentioned already, different committees have different priorities. The Industry committee on which I sit would have as its top priority the reduction of red tape and support for SMEs, research and innovation. On the other hand, the Civil Liberties committee has as its priority the implementation of the Charter of Fundamental Rights and would not usually have much regard to economic matters. As a result, you will often have turf wars across committees, which was something I was mindful of and keen to avoid, as it sends the wrong signals to citizens and industry.
The Parliament works by tabling amendments to the Commission proposal. In the Industry committee alone, there were 917 amendments tabled, 167 of which I tabled myself. Out of that, working with Shadow Rapporteurs representing the other political groups, I drafted 81 compromise amendments, all of which were voted through by the committee on February 20th last, with a majority formed by my own EPP Group, the ALDE group and the ECR group.
This report was then submitted to the Civil Liberties committee and I joined the negotiating team therein. Only 4000 amendments were tabled by Civil Liberties MEPs subsequently! What followed were six intense months of negotiating every line of every amendment and co-drafting compromise amendments with my EPP colleague Axel Voss MEP and the rapporteur Jan Albrecht. Instrumental to these discussions also was Baroness Sarah Ludford, a British Liberal Democrat MEP.
Now that I have outlined the process, I can move on to the big issues which dominated the debate in Parliament.
A well-drafted law will have clear and robust definitions. One of the first political issues we debated in the Parliament was the definition of consent. I am of the belief that there is an over-emphasis on consent in the field of data protection, as it is only one of six legal grounds for processing personal data. The other five are: the performance of a task carried out in the public interest, compliance with a legal obligation to which the controller is subject, the performance of a contract to which the data subject is party, the protection of the vital interests of the data subject, and the legitimate interests of the data controller.
There was much debate surrounding the nuances between “unambiguous” and “explicit” consent. I felt that unambiguous was sufficient, as it would represent a continuation of the status quo from the 1995 directive, however in the end we opted for “explicit” consent. I feel that we may end up with a good bit of click fatigue in the online world following this decision, and the unsatisfactory implementation of the cookies directive is perhaps an indicator of things to come.
The second contentious issue was the definition and operation of the legitimate interest ground for data processing. Considering that some say up to 80% of all data processed in the online environment is done so on the basis of legitimate interests, it was important to get this one right. A lot of third-party ad servers and direct marketers use this as a way of sustaining their business model, so it was as much an economic matter as a privacy matter. Some of the more extreme members of the Parliament would have removed the legitimate interest grounds, whereas others would have favoured the status quo.
In the end, we came to the compromise of inserting a balancing clause stipulating that the legitimate interest of the data controller must be balanced by the reasonable expectation of the data subject. For example, if I buy a car, I can reasonably expect, should I not object, to be contacted with offers for tyres and other car-related accessories, but not for champagne or bed linen. We also strengthened the right to information on such offers and the right to object to further processing, which were other important balances on the legitimate interests of the data controller.
Whereas I believe this to be a pragmatic outcome, I expect that should this wording be included in the final text of the Regulation, the European Court of Justice will be asked to rule on the balance between legitimate interests and reasonable expectations in the near future in the context of data privacy.
SMEs and Red Tape
One of the biggest complaints we hear on a regular basis about “Brussels”, is the reams of red tape handed down from the bureaucrats of the EU. Oftentimes this is mere populism, but in other cases it is a valid and justified criticism of how business is done there.
When I received my mandate from the people of Ireland South in 2009, one of the commitments I gave was to work to reduce or minimise unnecessary red tape wherever possible. Thus, membership of the Industry committee, which is charged with addressing the concerns of Small and Medium Enterprises, was one of my priorities.
Red tape is often an abstract concept however, but there is one particular example in the data protection reform which is very concrete. I refer to the position of the data protection officer.
Now don’t get me wrong, I believe the role of the data protection officer is a key function in any enterprise dealing with the sensitive data of thousands of data subjects and should be incentivised and encouraged wherever possible. But nevertheless, the mandatory nature of some of the proposals would have represented an unacceptable administrative burden for the butchers, bakers and greengrocers of our small towns and villages.
I welcomed the inclusion by the Commission of the exemption from a mandatory Data Protection Officer for SMEs with fewer than 250 employees and for whom data processing was not a core business function. This second caveat was placed in the proposal to deal with the “Instagram case”, i.e. a small company such as Instagram, with only a dozen or so employees, which nevertheless controls and processes the sensitive data of hundreds of millions of data subjects.
No, what really concerned me were some of the amendments tabled by left-wing MEPs, at the instigation of certain lobbyist NGOs, to change this to an altogether different threshold. They wanted to change the threshold to every company which has 250 or more clients per year passing through their doors. Hence our butchers, bakers and greengrocers would come under the scope of the Regulation and would have to go about learning how to become a Data Protection Officer themselves, or hire in expensive external advice. At this time I was meeting with small retailers on a separate issue, and one newsagent told me that he alone has to comply with 42 separate pieces of EU legislation. 42 are enough, without adding a 43rd!
Don’t get me wrong, the role is vital, but I firmly believe it would be extremely disproportionate to insist that a small company, not involved in the data-driven sector, hire in such expertise, based on the minimal risks to the privacy of their customers.
In the end, we settled on a workable, if not ideal, compromise. A figure of 5,000 clients per year was agreed on, above which a company would be required to have the position of a data protection officer either assigned on a part-time basis to a staff member or brought in from outside. A second caveat was added, following strong representations made by myself, to have an exemption for start-ups. It must be borne in mind that innovation and survival are the priorities of start-ups, so they must be allowed to put down roots and flourish before the full weight of regulatory compliance is put on their shoulders.
90% of start-ups fail in the first number of years in any case, so we must be cognisant of providing a welcoming environment for new business ideas. This is not to say that companies cannot opt to take on a DPO even if they are not obliged to do so, and indeed this can be beneficial to their business model if they are seen to prioritise the privacy of their customers above all else.
It must be borne in mind that parallel to this debate, as mentioned before, there is a similar discussion being held in the Council of Ministers, where the Irish Presidency under Minister Alan Shatter and Seamus Carroll did excellent work. In this discussion, there is debate on whether there should be a mandatory DPO at all, so it is a good example of how issues evolve in different directions in different institutions!
There was also an element of member states pushing their domestic agenda onto the EU level in order to extract a competitive benefit for their domestic industry with the DPO issue, as some of them already have a mandatory DPO for virtually all companies.
Other contentious issues
Other issues which provoked much debate included press freedom and health research. I was not 100% happy with the outcome of either. With regard to press freedom, there was a specific reference to the journalistic exemption in the Commission proposal, yet in the end, Albrecht decided to remove this explicit reference and replace it with a reference to the Charter of Fundamental Rights. Now whereas the Charter provides for journalistic freedom, I would much rather see it explicitly referenced as some governments may take this as a cue to curtail the freedoms of journalists to hold power effectively to account, citing privacy law as a defence. I believe that this must be revisited in future negotiations with the Council.
I feel the same about the potential curtailments to health research data sharing and have been working with academics and research institutions to raise awareness of this problem amongst the broader public. As with press freedom, I believe that this can be improved in the negotiations to be held with the Council of Ministers.
The one stop shop is another issue of high priority, above all for the larger tech companies based in Ireland. If it is to be a Regulation with direct and even effect across all member states, a mechanism must be put in place to ensure consistency of application. This so-called “consistency mechanism” would ensure that if, for example, a data subject in Italy wanted to make a complaint about a company in Sweden, they could write to their own Italian Data Protection Authority which then would liaise with the Swedish DPA. Whereas the Swedish DPA would issue the decision, it would be up to the Italian DPA to communicate this to the data subject in their own language. This is a practical and satisfactory mechanism, proposed by the Commission and left virtually unchanged by the Parliament.
From the business perspective, a One Stop Shop is of key importance. If it is to be the same law for all, as mentioned earlier, this will remove a lot of compliance costs in the Internal Market. Therefore, the DPA of the location where the company is established will be the unique contact point for that company.
Unfortunately, some member states seem not to trust their counterparts in implementing the law evenly, so are pushing for an odd construction which could risk becoming a 28 stop shop, which would be completely against the principle of the Regulation. We will have to be strong and united in the Parliament to resist this move.
I find it curious that you see certain member states, particularly Germany and Austria, looking to jealously hold on to full control of the regulation of companies who trade with their citizens, especially when you compare it with the situation in other, more “life and death” sectors of the economy.
Why is it that in the aviation sector, for instance, which really deals with life and death in the sense that we do not wish to see faulty jets falling out of the sky, we have a one stop shop in operation? An Irish-registered plane flying exclusively between Germany and Spain will be regulated exclusively by the Irish Civil Aviation Authority, and this is considered to be an adequate and acceptable practice in aviation safety circles.
I will digress briefly to highlight one of the worrying aspects of this debate. There has been a continued, snide campaign, bordering on slander and defamation, undermining the competence and expertise of our excellent Data Protection Commission in Ireland, expertly headed by the exceptional Billy Hawkes.
It must be noted that it is not Billy Hawkes and the Irish Data Protection Commission that is before the European Court of Justice for lack of compliance with the current law, but rather German and Austrian authorities who are currently being investigated for not ensuring sufficient independence between the regulator and the government.
To draw a second parallel, Ireland was at the eye of the storm in the recent horsemeat scandal, as it was the Irish Food Safety Authority which first discovered traces of horse DNA in burgers. Now, Ireland’s reputation was initially called into question, before sanity prevailed and recognition was given to the fact that it was the sophisticated DNA testing methods of the FSA, which went above and beyond what was seen in other member states, which were to be credited for uncovering the scandal.
A victory for the Irish regulatory system.
Edward Snowden and the NSA
Of course any speech on data privacy cannot avoid one of the single biggest news items of the past year, namely the revelations by US renegade Edward Snowden of the vast quantities of data being gathered by the NSA.
This was to have a decisive impact on the negotiations in the Parliament. One of the immediate outcomes was the insertion of a draft of an Article that had been dropped by the Commission, the so-called Article 42a. It stipulates that foreign intelligence services must liaise with the domestic services and DPAs of a member state through Mutual Legal Assistance Treaties, or M-LATs, should they wish to mine data.
I found it an unlikely coincidence that, 7 years after I had worked so hard to abolish Rule 42 from the GAA rulebook, I was now pushing an Article 42 onto the EU rulebook!
One of the spillovers of the NSA/Snowden affair which could have a negative impact on the Irish economy is the issue of the Safe Harbour agreement. This agreement allows the free transfer of data out of the EU to US servers and is monitored and enforced by the US Federal Trade Commission. There are ongoing calls to scrap this agreement by many MEPs in the Parliament. I do not agree with this position however as it would lead to great uncertainty in the transatlantic economy without improving the protection of EU citizens’ privacy in the short to medium term. I would rather see a renegotiation of it along the lines of the 13 point plan proposed by the European Commission recently.
The issue of lobbying was also a salient factor in the discussions. There was charge and counter-charge that certain MEPs were copying and pasting amendments. I was amongst those who were accused of doing so. Indeed I copied and pasted some wording, but it was from the original 1995 Directive and also from the German Telemedia Act – such referencing is a standard practice in law-making. I received critical publicity in the Irish media and was forced to defend my integrity.
I for one was always transparent in my meetings with lobbyists. I met, amongst others, Google, Facebook and IBM on the one hand, and the European Digital Rights Initiative, the American Civil Liberties Union and many senior US and EU government officials, as well as virtually all EU data protection authorities, on the other. I counted more than 200 meetings alone, in addition to the hundreds of hours spent drafting and negotiating the text with my MEP colleagues.
I will conclude by outlining to you the next steps before this law will see the light of day. The Parliament will vote on the Civil Liberties text on March 11th next. Thus, the Parliament will be out in the lead in terms of action to update the law. This is a credit to the work of the Parliament and recognition that it can be not only effective, but also a leader in the context of its increased powers under the Lisbon Treaty.
Meanwhile, the Council is deadlocked, bogged down in the detail surrounding the One Stop Shop. Nevertheless I was glad to see a roadmap agreed in Athens last week which will see negotiations between Parliament and Council commence in June, with a view to having the law finalised by year end – a long journey of reform, but an important one, as this is arguably the landmark law of the last five years of EU law-making, as it will have a direct effect on the lives of each and every one of the 508 million EU citizens.
Thank you for hearing me out and I hope this overview gives you an insight into the Data Privacy reform ongoing in the EU.
Thank you all very much.