Do we need to regulate generally accepted, low risk forms of data processing that individuals are now comfortable with as part of daily life (e.g. on-line orders, payroll processing and employment contract administration) to the same standard as types of processing that intrude more clearly on an individual’s privacy (e.g. tracking user preferences, monitoring communications etc.)? Should the draft European Data Protection Regulation impose differing standards depending on the risk to the individual from the processing in question, rather than adopt a blanket approach to any processing of personal data? If a risk-based approach is preferable, how would ‘risky’ data processing be distinguished from ‘non-risky’ data processing?
Given the onerous obligations on businesses imposed in the draft Regulation, these are some of the questions regulators and industry are beginning to ask. Is there a better way for both regulators and businesses to target resources to achieve the overall objective of the draft Regulation — that is, giving individuals stronger rights over their data. Whilst the draft Regulation goes through the legislative process, regulators and industry all are putting their own views forward.
The draft Regulation was the central topic of a day of panel discussions that wrapped up the recent Privacy Laws & Business Annual Conference (we covered day 1 and day 2 of the conference back in July). A number of key players in the development of the Regulation took to the stage to offer their official views, including Laura Corrado, the Deputy Head of the Data Protection Unit, Directorate-General for Justice of the European Commission, who also responded to criticism of the draft Regulation.
Isabelle Falqeu-Pierrotin, President of the Commission Nationale de l’Informatique et des Libertés (the CNIL, the French data protection regulator) kicked off the day’s lively discussions with the CNIL’s view of the pros and cons of the draft Regulation. Falqeu-Pierrotin emphasised the need for real accountability for data controllers and processors and real protection of data subject rights–she is unconvinced that the current draft will provide these protections in a workable way. She raised concerns in particular that pan-European businesses would still face a range of different privacy rules and a disproportionately restrictive and burdensome regime.
These concerns were shared by David Smith, Deputy Information Commissioner for the UK, who emphasised the lack of flexibility in the draft Regulation to account for varying levels of privacy risk. The ICO favours the adoption of a more contextual approach to regulation, where risk is evaluated and, where there is little perceived risk, less onerous obligations should apply. Smith also focused on another ICO bugbear; the outdated approach in the draft Regulation to international data transfers, using cloud computing as an example. The current linear approach focussing on each exporter and importer simply does not take into account the complex nature of international groups comprising large numbers of legal entities and the global ecosystem of technology providers they use today.
The lack of a risk based approach in the draft Regulation was touched upon repeatedly throughout the day, with Michael Hopp, a partner with the Plesner law firm in Copenhagen, Denmark, arguing that thousands of SMEs would be adversely affected by the Regulation’s restrictive, administratively burdensome obligations, when the vast majority of their business operations present little or no risk to the privacy of individuals.
A variety of views on adopting a risk based approach emerged from the discussions: from the view that any data collection and processing carries inherent risks to individuals so some obligations should apply uniformly (e.g. we would not want a sectorial approach similar to that in the United States) to the ICO’s view that privacy regulation must be based primarily on risk, and that absolute harmonization to the highest standard damages businesses without any real gain for the individual. The CNIL seemed to sit somewhere in the middle, with a desire for proportionality, but also for a relatively high minimum standard of protection to apply across the board.
At a more practical level, the distinction that has to be made to implement a risk based approach to delineate between ‘risky’ and ‘non risky’ data processing would not be an easy one, but should be possible in practice by focussing on those sectors with obvious privacy risks, such as those that monitor or track behaviour or deal with sensitive personal data such as health data. Such a distinction would be no more difficult to implement than the other artificial distinctions imposed under European law, such as the data controller / data processor distinction, and in any event there would be a base level of protection for all processing (for example, in relation to security, data subjects rights and data retention).
Perhaps the argument is somewhat moot in reality as given the limited resources of the national regulators, they will have to focus enforcement in the areas which they feel cause give rise to the greatest risk of harm to individuals. That does not solve the problem for businesses, who would prefer clear guidance about the steps they must take to implement some of the more onerous administrative requirements in the draft Regulation (such as appointing a data protection officer, updating documents and conducting privacy impact assessments), rather than being left in the position where they have to hope they will not fall foul of the regulator if they are unable to secure resource to comply with all the onerous obligations imposed by the Regulation despite operating in a low risk area.