New Rights for Individuals in upcoming Data Protection Reform
Doing business online gives Irish companies access to potential customers far beyond our own tiny domestic market. A recent survey indicates that 33 per cent of ecommerce revenue for Irish retail companies was generated internationally.[1] “But this doesn’t happen by chance”, the article goes on to say, stressing the importance of search advertising for those competing for a slice of the global pie. However, preparing to enter the export market also requires awareness of the regulatory structures likely to be encountered abroad, such as laws governing the treatment of personal data.
National Data Protection Laws
A business established here which collects and processes personal data in the course of its business is considered a “data controller” and must therefore abide by the Data Protection Acts 1988 and 2003.[2] For companies engaging in business in other EU countries, however, there is room for confusion: depending on how the business is set up, the data protection rules of other Member States may apply, and those rules differ somewhat from State to State.
Laws in Other Member States
Legislators interpreted the Data Protection Directive [95/46/EC] differently when transposing it into national legislation. This has led to variations in data protection law from Member State to Member State, which places a considerable administrative burden on the data controller of a company that operates, or wishes to expand, outside its own country, e.g. in having to fulfil the notification requirements of each national Data Protection Authority.
In recent decisions, the European Court has given further clarity on how to decide whether a business based in one country is bound by the data protection laws of another Member State. If a company is found to be “established” in a Member State, implying “the effective and real exercise of activity through stable arrangements”[3] (e.g. it uses equipment or domain names, advertises, or has a representative or a bank account in that State), then it will be subject to that State’s data protection laws. It is noteworthy that the national Data Protection Authority of whichever State a complaint is made in is entitled to investigate it, although it cannot impose penalties. If it finds that a breach has occurred, it must request that the matter be taken up by the supervisory authority in the State where the errant company is established.
The new General Data Protection Regulation: Benefits for Business
Consider how much the digital world has changed in the twenty-odd years since the 95/46/EC Directive: mobile technology, social media, cloud computing and smart cards were not even envisioned back then. Europe must belatedly catch up with data protection legislation for commerce and ensure that rights to privacy are properly protected.
And now, with political agreement reached in December 2015 on the European Commission’s proposed new General Data Protection Regulation, there may be light – and, it is hoped, more clarity – at the end of the tunnel. The Council is due to formally adopt it in April 2016, after which the Parliament will vote on it, to be followed by a two-year implementation period.[4] The regulation itself will become law in all Member States, obviating the need for it to be transposed into domestic legislation. This should leave less scope for national variation and nuance.
The Regulation is being heralded by the European Commission as a “one-stop-shop”, meaning that a company need deal with only one supervisory authority: that of the State where the company is established. That authority would be competent to deal with all of that company’s data protection issues relating to its activities in all Member States. Where cross-border issues are to be decided, the authority of the State where the company is established would be the ‘lead supervisory authority’. However, it is envisaged that in such cases the opinion of the European Data Protection Board would be sought, so as to ensure consistency and harmonisation in enforcement of the regulation. This Board has yet to be constituted. The separate office of the European Data Protection Supervisor (EDPS), already in existence, is to provide its secretariat.[5] Giovanni Buttarelli, the Supervisor appointed in December of last year, aims to have a key role in the workings of the new regulation, saying that “everything is down to the details – each word can change a lot.”[6]
Companies based outside the EU that engage in business in Europe will also have to abide by the proposed regulation, providing a more level playing field. The possibility of fining a company in a Member State for “the sins of its [for example – US] parent” brings pressure to bear on international commercial goliaths found to be in breach of the data protection rights of individuals inside Europe’s borders.[7]
The aim of the General Data Protection Regulation is to strengthen the privacy rights of individuals. This may increase the workload of data controllers in some respects, but in the wider context the new legislation is intended as a cornerstone of the anticipated single market in digital services. “The digital future of Europe can only be built on trust,” according to Andrus Ansip, Vice-President for the Digital Single Market.[8]
The majority of EU citizens are concerned about the use to which their personal data is put by internet service providers.[9] If the regulation boosts confidence in the control and safety of personal data, it is likely to lead to increased commercial activity online. Europe’s image as a safe place to do business will also be of huge benefit to businesses tapping the rest of the global market.
The Regulation’s Benefits for Individuals and Consumers: ‘the right to be forgotten’
These rights for individuals will include the ‘right to be forgotten’, under which a person can ask for his or her outdated, incorrect or irrelevant data to be deleted where there are no grounds for it to be kept. Valid grounds for retention include data held under a contractual or legal obligation, or information that is in the public interest. The ‘right to be forgotten’ will be welcomed by people who shared information online, perhaps as children, without being fully aware of the implications at the time. The encoding of this new right in the regulation comes in the wake of the controversial Google Spain decision of the European Court on ‘the right to be forgotten’[10] and of the intriguing case of Dan Shefet. In that case, the Tribunal de Grande Instance in Paris ruled in September 2014 that the search engine Google had to remove links to defamatory postings about Mr Shefet, a Paris lawyer, which falsely alleged, among other things, that he had lost his licence to practise law. The court imposed daily fines of €1,000 in default.[11] Google, being a search engine, has no right to remove the defamatory postings themselves, only the links to them. Google had already launched a link-removal request process on 29 May 2014, presumably in response to the Google Spain decision and apparently accepting its duty to take down defamatory material. Other search engines have followed suit.
Google then sought legal advice and guidance from data protection authorities on its protocol for acceding to such requests. It even had an Oxford professor of philosophy and ethics of information on its think-tank panel.[12] Recently, however,[13] Google has been ordered by the UK’s Information Commissioner to take down new links to stories about links it had already removed on foot of a request by the data subject. The stories about links being taken down may be newsworthy, but they must not appear in search results for the data subject’s name, according to the Deputy Commissioner, David Smith.[14] So what a search engine cannot do is directly link news of links being removed back to the original article or the individual concerned. However, there remains the tricky problem of applying ‘the right to be forgotten’ to internet domains outside the reach of EU law.
Individuals more in control of Personal Data
Under the new Regulation, data subjects will have more control over their personal data. They will be entitled to information about the purpose for which their data is being kept. Individuals will have a right to “data portability”, meaning that a data controller will be obliged to give back personal data in a format that can be accessed by another company. It is envisaged that this will benefit consumers as well as smaller companies that wish to break into markets currently dominated by big multinationals.
Where data has been hacked and this gives rise to a high risk to the personal data concerned, the data controller must notify the individuals affected as soon as possible.
There will be a requirement to incorporate “data protection by design and by default” into products and services, so that default settings are pro-privacy.[15] Data controllers will be encouraged to adopt technology that allows for anonymisation, ‘pseudonymisation’ and encryption of data. This may allow such data to be used in “big data” analysis, for example statistics for research, while keeping the data subjects anonymous.
There is growing concern in this digital age that we, as individuals, are being treated almost as commodities. Our own online data is being used for marketing purposes to direct products and services back to us, giving credence to the phrase “data is the new oil.” The EDPS has established an Ethics Advisory Group to consider how we can embrace new technology and use it in ways that ensure that human rights such as human dignity and privacy are respected, “so that individuals are no longer reduced to mere data subjects in the digital environment.”[16] This involves finding the delicate balance between the common good, a person’s rights as an individual and the need for consent. It is hoped that its work will extend into areas such as the ethical issues arising out of the proposed new Directive on a harmonised approach to recording European flight passenger names, national smart medical cards, and the way in which personal data may be used in “big data” projects.
The Police Directive
A new data protection directive relating to policing and criminal justice will also come into force. It will provide a framework for the efficient flow of information between policing and judicial authorities, both domestically and across European borders, about individuals such as criminals, suspects, victims or witnesses.[17]
Increased Powers for Supervisory Authorities
Data Protection Authorities are to be granted stronger powers and higher budgets: the budget of Ireland’s Data Protection Commissioner will rise by nearly 50% and her staff will increase from 29 to 50.[18] The supervisory authorities will be able to levy hefty financial penalties on companies in breach: up to €20 million or 4% of annual global turnover, whichever is greater. It may be worth considering the merits of the Commissioner’s office being or becoming self-funding through the fines it imposes, with any surplus going to the Exchequer. This arrangement could give the authority room to grow its policing role.
The workings of the proposed European Data Protection Board are as yet unclear, but its decision-making role on issues affecting several Member States is likely to make the law more cohesive. Hopefully this will streamline the decision-making process so that companies can expect timely and consistent information on compliance.
Copyright © McKeever Solicitors, 12th April 2016.
This article is a general review of the law and is not intended to be a complete statement of the law. Specific legal advice must be sought on a case-by-case basis. For further queries about data protection, please contact Robert Browne or Ciara Meskell.
[2] Data Protection Act 1988 and Data Protection (Amendment) Act 2003.
[3] Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, C-230/14, Judgment of the Court (Third Chamber) of 1 October 2015, EU:C:2015:639.
[4] European Commission, Fact Sheet, Brussels, 21 December 2015.
[6] “EDPS hopes to become ‘centre of gravity for data protection’”, Julie Levy-Abegnoli, The Parliament Magazine, 15 February 2016.
[8] “Agreement on Commission’s EU data protection reform will boost Digital Single Market”, European Commission, Press Release, 15 December 2015.
[10] C-131/12 (CELEX 62012CJ0131), Judgment of the Court (Grand Chamber) of 13 May 2014, EU:C:2014:317.
[11] “Still fighting for the right to be forgotten online”, Mark Scott, irishtimes.com, 5 February 2015; “Lawyer who won against Google takes privacy case to Brussels”, Julia Fioretti, 11 June 2015; “Google fined for not taking down ‘right to be forgotten’ links worldwide”, Lisa Vaas, naked.security.sophos.com, 19 November 2014.
[15] “Questions and Answers – Data protection reform”, European Commission, Fact Sheet, 21 December 2015.
[16] “EDPS starts work on a New Digital Ethics”, Press Release, 28 January 2016, EDPS/2016/05.
[17] Ibid., note 15.