One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Leak hints at direction of Data Protection revision

Wednesday, June 6, 2012 - 11:09

Statewatch have published what appears to be a leaked draft of the Commission's ideas for revised data protection legislation. All the legal commentary I've seen suggests that in its current form it's very unlikely to become law, but as no one is suggesting that it isn't a genuine Commission document I thought it was worth a look to see whether the direction of travel might help or hinder our activities in areas such as access management, incident response and clouds.

In both incident response and federated access management, we've been exploring the legal ground that processing of personal data is necessary for the legitimate interests of the data controller or a third party (provided those interests are not overridden by the fundamental rights of the individual). This is Article 7(f) in the current Directive. So it's comforting to see that this justification is still present in the new draft for processing information within the EEA. Even better, a similar approach now seems to be suggested for international transfers too. Here it is limited to transfers that "cannot be qualified as frequent, massive or structural", and the organisation releasing the data would have to assess the risks, "giv[ing] particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination", and use safeguards appropriate to those risks. But this has moved a long way from the current Directive's general prohibition on transfers to countries without adequate protection, and suggests that it might in future be possible to use a common approach for sharing some types of information with partners both inside and outside Europe.

For transfers that are "frequent, massive or structural" one option seems to be a new permission for transfers that are "necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person". I suspect that has been written with an eye on outsourcing to the cloud (e.g. it seems to fit the situation where a university contracts with an overseas provider to run an e-mail service to the benefit of its students and staff) but it might also fit some of the longer-term collaborations in both the incident response and access management areas.

Given how often "consent" has been mentioned as a possible (sometimes even as the only) approach to processing personal data, it's striking that the draft has some strong and broad statements limiting when consent can be used. These seem to build on the recent Article 29 Working Party Opinion on Consent, which cast doubt on whether consent is an appropriate option in every circumstance. Now the draft makes explicit that consent must not be used "where there is a significant imbalance in the form of dependence" (i.e. where it might be thought that the individual was under any kind of pressure to give consent), and in particular that "consent should not provide a valid legal ground for processing in the public or employment sector". So moving away from reliance on consent looks like a good idea.

That's the good news. The bad news is that EU data controllers would need a lot more bureaucracy and documentation for all processing and, for those trying to read it, that the new proposal is much longer than the existing law (116 pages!). Since it is only a leaked draft I'm not going to read it in detail, so there may be other wrinkles I haven't spotted. But it does look as if the Commission's proposals would make some of our currently intractable problems a bit easier. Getting it right is going to be more important, though, as they are suggesting penalties ranging from €100K up to 5% of turnover for those who process personal data without a proper legal basis or break some of the other provisions of the law.

The official publication of the proposed new law is expected on 25 January 2012.

[UPDATE] DLA Piper have published a commentary on the draft.