I followed the twists and turns of the passage of the original 1995 EU Data Protection Directive earlier in my career, and wrote about the politics of the process at some length. By 1995, I was so tired of the process that I almost did not care what was in the Directive so long that it was an instrument that “traded-up” international standards and set a goal for other countries. Back then, Canada did not have a comprehensive data protection law. The EU Data Protection Directive, and especially the “Damocles Sword” of Article 25, was a very useful instrument in domestic lobbying efforts.
And it worked. EU pressure was not only factor that prompted Canada to develop a more comprehensive system of data protection for its private sector, by passing the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000. But it was significant. And 3 years later, Canada was judged an adequate jurisdiction under the procedures established under Article 25 of the Directive, and remains a safe harbor for Europeans to send their personal data.
And now we have the Draft Regulation and an equally tortuous and complicated process. Nobody knows whether it will survive in anything like its current form. It will be left to the Civil Liberties Committee (LIBE) of the European Parliament to consider the thousands of amendments that have been, and are yet to be, crafted by parliamentary committees, and to table a final opinion that can pass a plenary vote in the Parliament.
But the debate now seems quite polarized, especially between the LIBE committee and that of Industry, Research and Energy (ITRE), with warring accusations about motivations and the undue influence of lobbyists on both sides.
On 20th February, the ITRE committee approved an opinion with around 900 amendments to the original Commission proposal. Some of these are quite reasonable and practical; others self-defeating, and one in particular, completely undermines the purpose of the Regulation and the main principle and philosophy of privacy protection. And it has prompted a storm of protest from the civil liberties community. It all has to do with the legitimate grounds for processing personal data.
Article 6 of the Regulation in the original Commission version states that: Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: consent, performance of contract, compliance with a legal obligation, vital interests of the data subject, for a task carried out in the public interest or (para f): processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
The LIBE committee proposed to remove this entire paragraph completely in favour of more detailed and precise guidance about legitimate interests in the prior paragraphs.
This is what the ITRE Committee wants to do with para (f) (amendments in bold):
processing is necessary for the purposes of the legitimate interests pursued by, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks or enterprises in the exercise of their legal obligations, and in order to safeguard against fraudulent behaviour.
So, what does this mean? Processing can be justified, it seems, if the controller has a legitimate interest, if a processor has a legitimate interest and/or if a third party has a legitimate interest. It also appears, if my understanding of legal drafting is correct, that these interests may be unrelated to the purposes of the legitimate interests pursued by the controller.
And this seems to be confirmed by the ITRE committee’s proposed amendment to paragraph 4 of the same Article: Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (f) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
Thus, where data is processed for incompatible purposes, it can now be justified according to the legitimate interests of the controller, the processor or a third party. Circularity upon circularity….
And what of the balancing test? where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. How exactly is the average citizen supposed to know if his/her personal data were processed by a third party with which he/she did not have a relationship? AccessNow gives the following example: a company that makes its money from targeted online advertising could argue that their interests are more important than the interests of the individual and obtain user data.
Let me give an example from the world of pharmaceuticals. In some countries, medical informatics firms purchase prescription data from pharmacies. It is in their “legitimate interests” to process this data to: support research, inform pharmaceutical companies about prescribing patterns, make money etc. and all incompatible with the original purpose for which the prescription was filled, to treat the medical needs of the patient. If one challenged that processing as being incompatible, it would still be justified under the legitimate interests of the third party justification.
EDRI’s take on ITRE’s proposal is as follows: As an example of the bizarre proposals adopted was that third parties should be able to grant themselves the right to process data for purposes that are incompatible with the original purpose of the collection. This basically removes all power from the citizen to control their own data. This amendment on its own would render the entire legislative measure close to meaningless.
I can’t imagine that this absurdity will survive the EU parliamentary process, but it does offer some lessons about where the European debate stands at the moment.
First, one cannot possibly support such a proposal and say that you are in favour of privacy protection. And yet nobody, and really nobody, will say that they are against privacy. It is all a matter of “balancing.”
Second, this proposal does fit with a broader strategy by industry to push data protection regulation to a point where it concedes that there can be no realistic control on the capture of personal data. The genie is out of the bottle. Too much information is already online. All you can do is ensure that it is processed in an “accountable” manner.
Third, and getting back to the adequacy argument, such a proposal would significantly weaken the EU system of data protection in comparison with others around the world, including, I would submit that of Canada.
Thus, when the dust settles on the Regulation and if this legitimate interests provision remains, I am half-minded to do an adequacy test on behalf of Canadian citizens. Would Europe be a safe harbor to send personal data on Canadian citizens? I am not sure….