© Springer Science+Business Media Dordrecht 2015
Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.), Reforming European Data Protection Law
Law, Governance and Technology Series, vol. 20
DOI 10.1007/978-94-017-9385-8_13
13. Evolution or Revolution? Steps Forward to a New Generation of Data Protection Regulation
University of Pécs, Pécs, Hungary
The birth of data protection regulation in Europe was directly linked to technological developments – mainly to the impressive IT developments of the 70s and their application in public administration. Technological development has challenged data protection law every day since. European data protection law is now under revision, and one of the most important purposes of the reform is, once again, to react to the latest technological developments and to the related social changes. The proposed changes amount to much more than a fine-tuning of the legislation: a new theoretical approach is emerging. The core element of this approach is to protect individuals’ privacy effectively even if their privacy awareness is low, and even if they take no steps to protect themselves (“invisible protection”). In this paper the key elements of this new generation of personal data protection regulation are presented. Although some aspects of the Proposal for a Regulation are highlighted in order to support our thesis, a complete and detailed analysis of the Proposal cannot be given within this paper.
This work was partially supported by the European Union and the European Social Fund through “Jól-lét az információs társadalomban” project (grant no.: TAMOP-4.2.2.C-11/1/KONV-2012-0005).
The birth of data protection regulation in Europe was directly linked to technological developments – mainly to the impressive IT developments of the 70s, first applied in public administration and later in the business sphere.1 From the very beginning these developments challenged data protection law on a daily basis. Currently, however, European data protection law is undergoing a long-awaited revision, and one of the most important aims of the reform is, once more, to react appropriately to the latest technological developments and to the related social changes.2
The development of data protection legislation over the past 40 years is sometimes described as a sequence of consecutive generations of data protection regulation.3 We share the view of many authors4 that it is time for a paradigm shift in data protection legislation, since a new generation of regulation is needed. The aim of this paper, therefore, is to draft the key elements of a framework for such a new generation of European data protection, and at the same time to compare the European Commission’s Proposal for a Regulation,5 as amended by the European Parliament,6 with this concept.
According to our thesis, most of the proposed changes fit into a relatively new philosophical framework, showing that a new approach in the field of data protection has emerged. The essence of this approach is the effective protection of the individuals’ privacy, even if their privacy (or generally legal) awareness is low, and even if they take no steps for protection (“background protection”). This approach should not count on activity on the part of the data subjects any more than previously; the emphasis is clearly shifting from the rights of the data subject to the duties of data controllers. This differs greatly from the former philosophical background of European privacy protection, which was based on the concept of the “informational self-determination”, developed by the German Constitutional Court, still heavily influencing data protection regulation in Europe.
In the first part of the paper a historical overview will be sketched in order to show how the evolution of data protection law was led by technological development. Secondly, the key elements of a new generation of personal data protection laws are introduced with respect to the Proposal for a new Data Protection Regulation.7
13.2 Historical Background and Current State of Affairs
In the 70s the development of information technology made it possible to apply computers to operate state-owned databases, and so personal information could be controlled by means of these digitalized databases much more rapidly, and different state registers could be merged and connected, showing many aspects of an individual’s life; it was even possible to create personality profiles based on these.
Although some major companies had started to introduce computerized databases processing personal data, the real threat to privacy at this time was connected to data processing by the state, often referred to as the ‘Big Brother’ effect after Orwell’s famous novel ‘1984’. These concerns led to the first data protection law in the world being enacted in the Land of Hesse, Germany, in 1970. This Act “set the course for all further discussions”8 and served as an example for the legislation enacted in many West European states (Sweden: 1973, Germany: 1976, Denmark, Norway and France: 1978, etc.).9
Data protection Acts of the 70s, sometimes referred to as the first generation of data protection regulation, were enacted in a world where few data controllers (mostly government bodies and some major companies) used automated data processing technology, and where the general purpose was to limit the state’s power by ensuring the transparency of the state’s databases.10
In the 80s and 90s the world changed a great deal – also from the perspective of privacy risks. Various developments such as the spread of personal computers (first as standalone computers, later connected by the Internet),11 the widespread use of computers in the business sphere, the new (direct) marketing techniques and, still later, the development of online marketing (based on cookies and other tracking methods),12 as well as the increasing importance of customer relationship management (CRM) and enterprise resource planning (ERP), made it evident that the demand of the business sphere (sometimes referred to as “Little Brother”) for personal data is at least as significant as the state’s “natural intention” to collect personal data.
Later, from the middle of the 90s, the rapid expansion of Internet usage and the appearance of many online services set new challenges for regulators. The establishment of the “information society” became a political programme in the European Union, and so documents were adopted in this field, all emphasising the importance of privacy. As ensuring the legal protection of personal information plays an important role also in building trust in the field of online services, its legal regulation, and, in a broader sense, the entire privacy issue of the Internet became an important element of this broadened and vaguely defined phenomenon referred to as the “information society”.13 Another significant trend at this time was the globalization of data processing, which generated the significant feature of trans-border data flow, so creating the need for international and European regulation.14
Considering the challenges to be faced and the general trends of the decade, it can be argued that the data protection legislation introduced reflected them quite well. The focus of the regulation extended from governments to new subjects, to companies and organizations. In parallel, international and European laws were adopted which assured, or at least attempted to assure, the legal certainty of international data flows,15 strengthened the rights of data subjects and introduced some new approaches to legislation. One of the most important new concepts was developed by the German Constitutional Court in 1983: the concept of informational self-determination. This should be understood as “the authority of the individual to decide himself, on the basis of the notion of self-determination, when and within what limits information about his private life should be communicated to others”.16 However, this right cannot be unlimited, as the data subject has to accept limitations in the case of an overriding general interest, provided that the limitation is laid down in a law and is clear and proportional.17
Although European countries followed different value approaches in the development of national data protection rules,18 the concept of informational self-determination strongly affected the European data protection regimes,19 and the data subjects’ control and the consent (as legal ground for data processing) became a key issue: “The notion of consent is traditionally linked with the idea that the data subject should be in control of the use that is being made of his data. […] Consent is related to the concept of informational self-determination.”20 Consent has played an important role in conceptions of data protection and privacy. At the same time, it shows that consent has not been deemed as the only legal ground for legitimising data processing operations.21
During the last 10–15 years there have been further significant social, economic and cultural changes which EU legislation has had to face and respond to, and the Proposal for a Regulation can be seen as a milestone in this process. Its new trends have been summarised by many authors, some of whom highlight the role of Web 2.0 technologies, which have clearly had a great effect on privacy. On the one hand, it seems that people like to “post and search for personal, often intimate, information online” about themselves, and so legislation has to focus on a “new generation of users”,22 whose attitude to privacy may differ from that of earlier generations.23 On the other hand, user-generated content may result in millions of users being regarded as data controllers,24 and so falling within the scope of data protection legislation – together with some of the responsibilities imposed on data controllers.
Some other trends should also be highlighted, such as ubiquitous computing and the “internet of things”,25 the growing importance of cloud computing, mobile data processing (including location tracking and third-party applications), smart grids, robotics, personalized medicine and biometrics.26 The spread of sophisticated methods of profiling27 and the new technologies of marketing (mostly behavioural advertising) should also be mentioned.
It seems that current legislation cannot respond to these challenges. Many critical opinions have been published in the past few years, and voices have been heard urging significant changes or the appearance of a new generation of regulation.28 Both technology and users have changed much, and so these trends clearly call for a new data protection regime, new laws with new concepts, precisely as in the 70s and, later, in the 90s. In our view, the Proposal for a Regulation indicates significant change and broadly meets the criteria for a new generation of regulation.
13.3 Key Elements of a Framework for a New Generation of Data Protection
Several public opinion surveys have recently focused on individuals’ attitudes to the processing of their personal data and to the role of their (informed) consent. According to the latest results, average internet users tend to think that their privacy is threatened in a variety of ways when browsing the Internet or using online services29 and mainly express privacy-protectionist attitudes.30 Only 35 % of the respondents consider the selling of their personal data by data controllers acceptable, even with their permission, while the sharing of their information with third parties was judged unacceptable by 52 %.31
Nevertheless, either this opinion rarely affects their actual behaviour, or there is a lack of understanding of the possible consequences.32 The CONSENT project found that only 24 % read privacy policies, even if they are aware of their presence,33 contrary to the earlier results of EUROBAROMETER, which showed 58 %.34 Moreover, only seven out of ten Europeans who read privacy policies on a regular basis adapted their behaviour when disclosing personal information.35
In a more general context, the data subject may be often regarded as the weaker party, and “data subjects are often at risk of inadvertently losing control over their personal information when dealing with those on whom they depend for the provision of jobs, information, goods or services.” The power imbalance is likely to enable the stronger party “to use its power to effectively force [data subjects] to consent to certain processing activities.”39
Due to these trends, a new generation of data protection legislation is needed with a new philosophical approach. The essence of the new regime will be to effectively protect individual privacy, even if their privacy awareness is low, and even if they do not take any steps to be protected by ensuring so-called “background protection”. The new data protection regime should not count on the data subject’s activity any more than previously; the emphasis is clearly shifting from the rights of the data subject to the (accountable) duties of the data controllers.40
This approach may be similar to that followed by consumer protection,41 which also aims to protect the weaker party. This includes, for example, ‘blacklisting’ (contract terms invariably regarded as unfair), which should trigger action by a strong consumer protection authority or by NGOs. This means that, although freedom of contract is an important general principle, even if the consumer ignores the general terms and conditions, the authorities do not, and so consumers cannot enter into a totally unfair contract.42
In this chapter the core elements of this new model of data protection regulation will be sketched, whilst comparing the proposed provisions of the proposed GDPR to this model.
13.3.1 Shift in Regulation to the Compliance Responsibilities of Data Controllers
13.3.1.1 The Main Features of This Trend
Increasing the accountability of data controllers is an important issue in the professional debate on the future of data protection regulation. The principle of accountability was set out in detail in Opinion 3/2010 of the Article 29 Working Party,43 and it arose again in the Commission’s Communication on “a comprehensive approach on personal data protection in the European Union”, one of the preparatory documents of the new data protection proposal. In both of these documents the approach to the principle was quite cautious: accountability was interpreted as a general principle which does not impose cumbersome new legal requirements, but “aims at ensuring de facto, effective compliance with existing ones”.44 According to the Commission, the principle “would not aim to increase […] administrative burden on data controllers, since such measures would rather focus on establishing safeguards and mechanisms which make data protection compliance more effective”.45 Besides this, both documents mention (as “illustration”) some accountability measures, e.g. drawing up written policies, carrying out a data protection impact assessment, setting up internal procedures to handle complaints, appointing data protection officers, etc.46
In our view these measures should be prescribed as legal requirements for some data controllers, whilst admitting that they are very concrete duties which impose administrative burdens and costs on data controllers – even if they are not new principles, but measures to ensure the realization of existing ones. These compliance costs may be regarded as an investment in building trust in online services, which seems to be a key factor in the development of the online business sector.
The Proposal for Regulation clearly takes significant steps in this direction. In order to confirm this statement, some provisions of the new Proposal on the data controllers’ duties and on the rights of data subjects are reviewed and assessed.
13.3.1.2 Duties of Data Controllers/Data Processors Under the Proposed GDPR
The Proposal for a Regulation contains a variety of (new) obligations for data controllers. In what follows, a brief summary of the main points relating to these obligations is provided.47
The section entitled “Responsibility and accountability of the controller” sets out a general approach to the data controller’s responsibilities, and makes it the controller’s task to adopt appropriate policies (codes of practice, rules) and to take all reasonable steps to implement compliance policies.48 Apart from this, the data controller should be able to demonstrate the adequacy and effectiveness of these measures.49
The Proposal for a Regulation lays down an obligation for data controllers/processors to maintain regularly updated documentation containing basic information about the data processing carried out.50 Some further requirements proposed by the Commission concerning the content of the documentation have been moved to Article 14 on information rights in the Parliament’s Proposal, in order to merge information and documentation, “essentially being two sides of the same coin.”51 According to Article 13a data controllers shall also provide some standardized information about data processing using well-defined pictograms.52
All things considered, each data controller needs to catalogue its processing operations one by one in order to fulfil the duties to maintain documentation and to provide information.
Article 30 (1), relating to data security measures, imposes on data controllers an obligation which basically corresponds to the provisions of the Directive currently in force, supplementing it with the condition that the data controller shall take these measures “taking into account the results of a data protection impact assessment”.53 As a novelty, Article 30 (1a) prescribes some compulsory elements of a security policy. This means that, contrary to the current regulation, data controllers and processors should adopt (written) security policies in order to comply with these provisions.
The Proposal for a Regulation lays down for all data controllers the obligation to carry out a risk analysis of the potential impact of the intended data processing.54 If the data processing is likely to present specific risks, the controllers shall also carry out a data protection impact assessment and a periodic compliance review.55 The Parliament’s Proposal lists the circumstances in which data processing operations are likely to present specific risks, e.g. processing the personal data of more than 5,000 data subjects, processing special categories of personal data (sensitive data), profiling if it has legal effects on data subjects, automated monitoring of publicly accessible areas on a large scale (such as CCTV systems), etc.
It may be concluded that the obligation to carry out data protection impact assessment concerns a well-defined, but somewhat wide range of data controllers: anyone with more than 5,000 clients, CCTV system operators, health care system institutions, political and religious organizations – to mention a few.
Compared to the present situation, a significant additional obligation is imposed on data controllers by prescribing “data breach notification”, which under the European rules in force applies only to service providers in the telecommunications sector. Its essence is that, in the case of a personal data breach56 (a breach of security affecting personal data), the data controller is obliged to notify the supervisory authority and also, in some cases, the data subjects concerned.
In accordance with Article 35 of the Parliament’s Proposal, the controller and the processor shall appoint a data protection officer in any case where
the processing is carried out by a public authority or body, or
processing is carried out by a legal person and relates to more than 5,000 data subjects in any consecutive 12 month period, or
the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects, or
the core activities of the controller or the processor consist of processing special categories of data, location data or data on children or employees in large scale filing systems.
The aim of presenting these six points of the planned new regulation in detail was to demonstrate that these provisions, compared to the current regulation, impose considerable additional duties on data controllers. Complying with them will demand significant effort from data controllers and will generate considerable compliance costs.57
In our view, the proposed measures are suitable for ensuring the accountability principle and will increase the actual level of privacy protection. This will arise, firstly, by enhancing the awareness of data controllers, so reducing unwanted or unnecessary data processing operations, and, secondly, by improving the transparency of data processing, which may then be controlled by data subjects and, most importantly, makes the tasks of data protection authorities and NGOs easier.
13.3.2 Distinguishing the Duties of Data Controllers
13.3.2.1 The Main Features of the Trend
Once regulations impose new requirements on data controllers, we need to be able to distinguish among them in several ways. As the Article 29 Working Party emphasises, the “one-size-fits-all” approach should be avoided, and, rather, the “specific measures to be applied must be determined, depending on the facts and circumstances of each particular case, with particular attention to the risk of the processing and the types of data.”58
There are two main reasons for differentiating the duties of data controllers. First, it is important to avoid unnecessary administrative burdens and costs and the (potential) decrease in the competitiveness of smaller businesses which process a low volume of personal data, or which process personal data only as an activity ancillary to their main activities. Second, as mentioned above, millions of users can also be regarded as data controllers in some cases, mostly due to user-generated content. It is crucial to differentiate the duties of “everyday users”, even if they fall within the scope of the definition of ‘data controller’.
13.3.2.2 The Provisions of the Proposed GDPR
As shown in Sect. 13.3.1.2, some of the duties are only imposed by the GDPR on data controllers if certain criteria are met. The Proposal tries to summarize these criteria under the broad category of “Data processing likely to present a specific risk”. First of all, all data controllers should carry out a risk analysis to show whether their data processing meets any of the following criteria:
1. processing of personal data relating to more than 5,000 data subjects (during any continuous 12-month period),
2. processing of special categories of personal data, location data or data on children or employees in large-scale filing systems,
3. profiling, if it produces legal (or similarly significant) effects on the individual,
4. processing of personal data for the provision of health care, epidemiological research, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale,
5. automated monitoring of publicly accessible areas on a large scale,
6. other processing operations for which the consultation of the DPO or the supervisory authority is required,
7. where a personal data breach would be likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject,
8. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects,
9. where personal data are made accessible to a potentially unlimited number of persons.59
The Proposal then imposes some of the duties only on data controllers who meet certain criteria; e.g. a data protection impact assessment needs to be carried out only if any of the criteria in points 1–8 are met, and the appointment of a DPO is compulsory only in the cases detailed in points 1–2 and 8.60
In our view, the list is quite problematic: while some of the criteria are objective and clear, so that the data controller can decide whether its data processing fulfils that particular requirement, others are too general and cannot easily be interpreted by data controllers – in particular, the requirement in point 7 is hard to interpret. Generally, it would seem that the circumstances described, and the duty to carry out a data protection impact assessment, will apply to too wide a range of data controllers.
13.3.3 Regulating the Technology
Given that European data controllers are obliged to process personal data in line with all the principles of the Directive in force, and will have to face a number of new duties in the planned legal framework, the use of technologies which foster the legitimate processing of data could effectively reduce both the costs of meeting these obligations and the chance of being sanctioned for illegal data processing activities.61 On the other hand, it was shown above that data subjects see risks in the processing of their personal data, but often exercise their right to informational self-determination irrationally,62