call +44 20 7096 1079

Data Protection

On 25 January 2012 the European Commission published its proposed package of reforms for the Data Protection Directive 1995, which was implemented into UK law as the Data Protection Act 1998. The LIBE committee published its final report in November 2013 and the resulting text was sent for trilogue discussion among the European Council, Commission, and Parliament. In a January 28, 2014 memo, EU Justice Commissioner Vivane Reding laid out the following schedule: adoption of the proposals by the European Parliament in the April 2014 plenary session; a mandate for negotiation agreed by the end of the Greek presidency in June 2014; and final agreement by the end of 2014. There is much uncertainty surrounding the feasibility of meeting this schedule, however, because of the European Parliamentary elections in May 2014.

Background

Data protection law is an important part of preserving personal privacy rights, which otherwise could be easily overwhelmed by the power of government agencies and corporations that hold information about individuals. Despite the many changes in the landscape since 1995 – at that time companies like Google and Facebook were yet to be founded, and mobile phones were used by only a tiny percentage of the population – the basic principles have held up well. The reforms seek to improve the consistency of the directive's operation across the EU's 28 member countries, lower compliance costs for businesses, and make data protection regulators more accountable. The package also seeks to add new citizen rights such as the right to data portability (so that you can download all the data a particular company has about you in a format you can use) and the right to delete your data, also popularised as the right to be forgotten.

The Open Rights Group believes that individual privacy is a key human right and that data protection law is both an important protector of individual privacy and a necessary part of ensuring a fair balance of power between individuals and large organisations. Citizens need the law to assure them of the ability to control the use of their data, while today's international, data-driven businesses would prefer to have as few restrictions as possible. The reform process has been greatly slowed by lobbying from large, data-driven US companies.

The data protection reforms, when finalised, will also provide an opportunity for the UK to revamp its national data protection law and the functioning of the Information Commissioner's Office, both of which are weak and ineffective compared to those of other EU countries. The UK Act is not in compliance with the 1995 directive. In 2010, the European Commission asked the UK to strengthen the ICO's powers as required by EU law.

ORG's view

"Information is the oil of the 21st century," said Mark Getty, the oil magnate's grandson, and on that basis ORG believes it is anti-competitive to allow individual companies to build up large silos of data they can use to lock users into their services. Increasingly, privacy is not only a human right but also part of the right to choose whom to do business with.

ORG has in general welcomed the Commission's proposals, in particular the increased consistency in the law's application across the EU; the clearer test for applicability of EU law; the principles of "privacy by design" and "privacy by default"; the requirement for notification when there are data breaches; and the right for organisations to represent individuals whose privacy rights have been harmed. ORG remains concerned, however, about the rules governing the transfer of data to non-EU countries, which fail to resolve concerns that data held in the US, particularly about EU citizens' political activities, is subject to subpoena under the Foreign Intelligence Surveillance and PATRIOT Acts. ORG believes that the proposals for data portability could also be improved; greater interoperability between services is needed, particularly with respect to smartphones, whose use is often tied to a user ID on a matching online service (for Androids, Google, and for iPhones, Apple). ORG also favours increased use of privacy risk assessments when new technology systems such as Oyster and smart meter systems are deployed.

Finally, ORG is concerned that the rules permitting the use of pseudonymous data fail to recognise the ease of reidentification of such data or that pseudonymous data may still be used to target consumers and determine how they are treated.

What you can do: