I have returned from the Data Protection Congress on personal data organised by IAPP Europe (International Association of Privacy Professionals), held on 13, 14 and 15 November, which after 2 years in Paris took place this time in Brussels. The event brought together American and European compliance officers, IT security officers and specialised European lawyers, as well as representatives from the different data protection authorities. Among the speakers the CNIL was particularly well represented, both in terms of numbers and through the attendance of its President, Mrs Falque Pierrotin. The European institutions, i.e. the Parliament, the Commission, WP 29 and the EDPS (European Data Protection Supervisor), had also sent several of their most active and charismatic representatives.
Data protection law is in a constant state of evolution and ties in with all economic activities, so there were presentations and discussions on a variety of interesting topics. But the draft European Regulation was clearly at the heart of the discussions. This Regulation is both wished for and dreaded. It represents a much-needed harmonisation of rules, in a world where data is no longer confined within national borders. However, the text appears too prescriptive and, despite being very detailed, concerns have been expressed that it is not suited to each and every situation, nor to technological evolution.
With so many participants the debate remained relatively general, but below are some points gleaned for you:
• It has been confirmed that this will be a “regulation”, therefore directly applicable in the law of Member States, and not a directive
• The Regulation will apply equally to public persons and private persons, even if the Member States seem to show little enthusiasm for this idea
• It is intrinsically linked with the draft Directive (much less well known and often forgotten, but nevertheless essential) on the processing of personal data for the purposes of the prevention and detection of criminal offences, investigations, proceedings and related legal procedures
• The work in progress should allow for an amended version of the Regulation to be published this summer, but it could be that delays arise from regulating the public and policing domain
• The one-stop-shop principle will remain in the Regulation: everyone, including the CNIL, agrees that it is a good thing to have a single point of contact for formalities. However, there should be additional criteria for determining the “principal establishment” of a group (similar to those used for defining the lead country for BCR approval). Additionally, the role of the so-called “lead authority” must be clarified in the context of offences that affect several countries or complaints from people living in countries other than that of the lead DPA. The balance and collaboration with the other EU DPAs is yet to be defined more clearly. Finally, to avoid any forum shopping, it is not up to the group to “choose” the country of its “principal establishment” but up to the authorities to determine where this principal establishment effectively lies.
• A debate has clearly emerged on the issue of accountability: are the relevant accountability rules to be considered a flexible set of rules, whose application will vary depending on the specificities of the business or the processing in question (the position favoured by the stakeholders), or are they rules to be followed and implemented in a systematic way (the position favoured by the authorities)?
• Another debate concerned the criteria based on which a Data Protection Officer becomes obligatory. The figure of 250 employees corresponds to the threshold indicating an SME and will not be re-evaluated. The more delicate and fundamental issue is the type of processing in question, regardless of the number of persons.
• The Regulation must incentivise greater use of “pseudonymised” data, even if it would still remain, by definition, personal data
• Impact assessment is particularly necessary in the event of major technological evolution or introduction of new technology (such as facial recognition), but less so in other situations.
• The “legitimate interests” of the data controller, which can legitimise processing, must always be overridden by the data subject’s fundamental rights, which are now enshrined in constitutional law. For some, this balance between the conflicting interests of the data controller and data subjects creates a grey area and more legal uncertainty; they would prefer a risk-based approach (i.e. as long as there is no real risk, the legitimate interest should prevail over the data subject’s rights). But this approach has been rejected; there must be principles, and respecting them is essential.
• Consent remains an exception in order to legitimise international transfers
• The fact that “Safe Harbor” is not mentioned in the Regulation does not call into question its validity as a means to legitimise and safeguard an international transfer of data
• Financial sanctions will remain high
• The issue of leniency for those who are generally compliant with the data protection rules, and in particular the accountability principles, has not yet been elaborated, but its supporters are convinced that it will be, and should be, an accepted principle (as is already the case in anti-trust law).
• Judging individuals on a prediction of their behaviour must be avoided (especially when it comes to prevention of crimes or intelligence)
• Authorities digging into and using with impunity the files of private businesses must be avoided
• Individuals must be able to retain control over their data, particularly in a purely commercial context, and the use of their data must be reasonably foreseeable
• If there is a need today for the Regulation, it is because it has become necessary to respond to and fight against existing abuses (and not for the pleasure of legislating). It is “privacy by disaster”
• The Regulation must not, however, constitute a restraint on innovation
On a pragmatic note
• It is no longer the time to be debating principles. Those asking for changes will need to present, in writing, actual proposed amendments to the Regulation
• Truly efficient laws are needed. The Data Retention Directive, which requires communications operators to retain data to combat terrorism, represents a significant cost for industry with little or no utility.
And finally on a more optimistic note
• Regulation and the level of protection it will bring will become a commercial factor and a competitive asset (just as with sustainable development and environmental protection).
For many people data protection is a tiresome subject of minor significance. They are, however, much mistaken – it represents a major issue. On the one hand, data has real economic value, and technology has enabled extraordinary things to be achieved that will revolutionise our way of living and working. On the other hand, data protection and the right to privacy represent the safeguarding of our personal freedoms, so that individuals do not become “things”.