Steve Peers
The EU’s controversial data protection rules, currently in the form of a Directive dating back to 1995, would be reformed profoundly if a Regulation proposed by the Commission is adopted. Talks on this proposal have been underway since January 2012, with no immediate end in sight. However, in June, for the first time the Council (consisting of Member States’ justice ministers) agreed its position on part of the proposal. Of course, the Council still has to agree its position on the rest of the text, and then negotiate with the European Parliament, which adopted its position on the entire text this spring. But at least this recent partial Council deal offers the first opportunity to assess the direction of negotiations.
Furthermore, this is a good occasion to assess whether the new legislation might impact upon the application of the controversial Google Spain judgment.
The partial Council deal
The Council deal only concerns the question of how the new EU rules will apply to non-EU countries. However, this issue is of great importance in light of the ever-growing use of the Internet and social media, since the EU rules are potentially liable to apply worldwide.
To place the deal in context, it is necessary to look at four different things: (a) the current rules in the 1995 Directive, as interpreted by the CJEU; (b) the 2012 proposal; (c) the Council’s position; and (d) the EP’s position.
In each case, I will look at two different aspects which were addressed by the Council deal. First, when do the standard EU data protection rules apply, even where the company processing data is based outside the EU? Secondly, when do the special rules on external relations apply?
The current rules
Currently Article 4 of the 1995 Directive states firstly that the standard rules apply to a data controller established in a Member State. According to the CJEU in Google Spain, that concept applies at least where a non-EU company has established a subsidiary in a Member State, and that subsidiary carries out activities linked to the business model of the parent company. The current rules go on to say that if the controller is established on the territory of more than one Member State, it must comply with the national law of each of those States.
Furthermore, the standard rules in the 1995 Directive apply where a Member State’s national law applies by virtue of public international law, and where the controller is not established on EU territory, but uses equipment located on a Member State’s territory, unless that equipment is used only for the purposes of transit. This raises the question of whether the use of ‘cookies’, for instance, amounts to the use of equipment on a national territory, since those cookies are installed on a computer located in that Member State.
As for external transfers, the current rules provide (Article 25) that in principle data can only be transferred if there is an ‘adequate level of protection’ in the third country concerned. The Commission can adopt decisions either finding that there is, or is not, an adequate level of protection. By way of derogation (Article 26), Member States must nonetheless allow (unless their national law provides otherwise) external transfers to take place if: the data subject has given unambiguous consent; the transfer is necessary to perform a contract with the data controller or to implement pre-contractual measures which the data subject requested; the transfer is necessary to conclude or perform a contract in the interest of the data subject as a third party; the transfer is ‘necessary or legally required on important public interest grounds’ or related to legal claims; the transfer is in the data subject’s ‘vital interests’; or the transfer is from a register which provides information to the public or to persons with a legitimate interest.
A Member State may authorise an external transfer to a country with an inadequate level of protection if the data controller can offer ‘adequate safeguards’, in particular arising from contractual clauses. The Commission can decide that certain standard contractual clauses offer such protection.
The 2012 proposal
The 2012 proposal (Article 3) suggests that the new Regulation should apply first of all where a controller or processor is established in the EU. Secondly, it should apply where the data controller is not established in the EU, but the data subjects reside in the Union, and the data controller either offers them goods or services, or monitors their behaviour. Thirdly, as before, it would apply where a Member State’s national law applies by virtue of public international law. The provision concerning the ‘use of equipment’ would be dropped.
As regards external transfers, the 2012 proposal maintains the basic structure of the current rules, but elaborates upon it. So there are more details on what the Commission has to take into account when assessing the adequacy of a third State, including judicial redress and supervisory authorities. Adequacy decisions taken pursuant to the 1995 Directive would remain in force.
External transfers would be permitted on the basis of binding corporate rules, or standard contractual rules adopted by the Commission or a national supervisory authority, or individually negotiated contractual rules authorised by a national supervisory authority. Otherwise transfers would require approval by a supervisory authority. Pre-existing authorisations by a supervisory authority would remain valid.
A new clause would elaborate upon the content of binding corporate rules that would be adopted unilaterally. These would require the approval of a supervisory authority.
Finally, further derogations would be permitted. Compared to the current rules, these would be optional, not mandatory. The new proposal would clarify that consent could only be given after the data subject had been warned of the risks, and that transfers in the data subject’s interest could only take place if the data subject were unable to consent. There would be a new ground for external transfers in the data controller’s or processor’s legitimate interest, subject to safeguards being in place. The concept of the ‘public interest’ justifying such transfers would be further clarified in national or EU law.
The Council position
As regards the standard rules, the Council would amend the Commission proposal to clarify that the rules will apply whether or not the data controller offers goods or services for payment. However, as regards monitoring of behaviour, the rules will only apply if the data controller monitors behaviour within the EU.
For external transfers, the Council would add further detail to the rules regarding the assessment of the adequacy of third states, including a specific reference to participation in regional or multilateral data protection treaties. The Council also wants to give an advisory role to the planned new European Data Protection Board in this process. The Council would require the Commission to monitor the application of its adequacy decisions, and empower it to revoke them. However, the Commission would no longer have the power to adopt a decision specifying that a third State had inadequate protection.
The Council would also permit external transfers to take place on the basis of a code of conduct or a certification mechanism. Transfers in the private interest of the data processor or controller would be subject to a possible override in the data subject’s interests. The Commission would lose powers to define the public interest reasons for transfers, and Member States would gain more powers on this point.
The EP position
The EP would amend the Commission proposal so that, where the controller or processor is established within the EU, it would not matter where the data was processed. Also, the standard rules would apply to the offering of goods or services or monitoring by data controllers or data processors, and would apply to any sort of monitoring of data subjects, not only the monitoring of behaviour. Unlike the Council, the EP would not limit the monitoring clause to behaviour within the EU. However, like the Council, the EP would apply the rules even if goods or services are not offered for payment.
As for external transfers, the EP agrees with the Council that the Commission should monitor its adequacy decisions, and that there should be a role for the new Board. However, the EP wants to apply a ‘sunset clause’ to pre-existing adequacy decisions, and retain the power for the Commission to adopt ‘inadequacy’ decisions.
Similarly, pre-existing authorisations of contractual clauses would expire soon after the new rules were adopted, although the EP agrees with the Council that a form of certification process should justify external transfers. For binding corporate rules, the EP wants to ensure consultation of workers where their data is involved, and apply the rules to sub-contractors (the Council approaches the latter issue by referring to groups of companies). As regards the derogations, the EP would reject the idea of transfers in the legitimate interests of controllers.
Finally, the EP has proposed a new ‘Snowden clause’ which would mean that national courts could not recognise the decisions of non-EU courts which ordered the disclosure of personal data. However, this rule would be ‘without prejudice’ to mutual assistance treaties or any other international agreements between a non-EU state and the EU or any Member State.
Comments
One important point should be addressed at the outset: what effect does the recent EP election have on the EP’s position? In the EU system, proposed legislation does not fall simply because there is an election for the EP, or because there will be a new Commission as from November. Rather, the newly elected EP traditionally holds a vote at an early stage to decide whether to reaffirm the positions taken by the previous legislature. Usually it reaffirms almost all of the prior legislature’s positions. It should be recalled that the EP’s position on the data protection Regulation was adopted by a huge majority, and so despite the increase in the number of populist MEPs, a majority in favour of approving the EP’s prior position on this proposal should in principle not be hard to find.
For its part, the incoming Commission will decide whether to withdraw some of its pending proposals, but it is very rare for an incoming Commission to withdraw a proposal which is actively under discussion in the Council and EP, such as the data protection proposal.
Moving on to the substance of the issues, as regards the application of the standard rules, all three institutions agree to keep the rule on establishment, extending it to data processors also. The EP’s suggested amendment regarding the location of the data processing is merely a clarification, which is probably not necessary.
The three institutions all agree to drop the ‘use of equipment’ clause, to keep the clause on public international law, and to add a new clause regarding goods and services and monitoring. The EP and the Council also agree that the ‘goods and services’ clause will apply even where there is no payment made. The institutions differ as regards extending the new clause also to data processors, and differ as regards the exact scope of the monitoring of behaviour.
As for the external transfers rules, all three institutions would keep the current basic structure. They differ as regards: the ‘Snowden clause’ (although this rule is very weak, in light of its exceptions for any international treaties); whether the Commission can adopt an ‘inadequacy decision’ (it has never done so); sunset clauses for prior authorisations; whether private interests can justify external transfers; and the process of determining when the public interest can justify them.
Taken as a whole, the impact of the new rules depends on how the current rules are interpreted. There is no reason to doubt that the ‘establishment’ clause would be interpreted the same way as it was in Google Spain, i.e. applying at least where a subsidiary’s activity is linked to a non-EU parent company’s business model. But there is no case law clarifying what the ‘use of equipment’ means, and so it is not easy to assess what removal of this clause will mean in practice.
Instead the focus will be on what it means to offer goods or services (whether or not for payment), and what it means to monitor an individual. These concepts are clarified in the preamble, which indicates that the ‘offering goods or services’ rule will apply where a website seeks to sell its products or services, and its online activity is particularly directed towards EU citizens (in light of the currency or language used). So the intention is apparently not to cover a non-profit body like Wikipedia, or a social network or search engine which does not charge for its services (although some such entities would be covered by the ‘establishment’ rule).
What about ‘monitoring’? Here, the preamble suggests that the new clause applies when an individual’s Internet activities are tracked with a view to profiling him or her. There is no suggestion in the preamble that keeping records of a person’s use of social networks would count as monitoring. But if that is not the intention, it would be better for the EU legislature to rule it out more expressly. In any event, it is difficult to see how the Council’s limitation regarding the monitoring of behaviour within the EU would work in practice, in light of the nature of the Internet.
As regards the external transfer clauses, their importance depends on whether the standard clauses apply. The greater the number of businesses covered by the standard rules, the less important the external transfer rules are – and vice versa.
It is clear that the external transfer clauses will remain broadly similar to the current rules, so any corporate or NGO strategies regarding these clauses would only need to be amended modestly, rather than overhauled. The biggest issues may be the EP’s insistence on its ‘Snowden clause’ and its rejection of the idea that external transfers can take place in the data controller’s interest, although the former clause is weak and data controllers can usually pursue their interests by means of obtaining consent or establishing a contractual relationship.
Much of the most difficult work as regards the negotiation of the new rules remains to be done. In fact, it is rather peculiar to negotiate a new law by defining its territorial scope before agreeing on its main substance.
While a vast number of issues will arise in the forthcoming negotiations, the following are particularly relevant to the fallout from the Google Spain decision, in particular as regards its possible impact on social networks and Wikipedia: the interpretation of a ‘data processor’ (which would be particularly significant if the EP gets its way and the entire clause on territorial scope applies to data processors); the possible application of the ‘household exception’ to user-generated content; the exception for journalism; and the definition of the grounds for processing personal data (notably consent and the controller’s legitimate interests).
Barnard & Peers: chapter 9