General Data Protection Regulation (GDPR)

In our “Guidelines” published on 7.9.2011, we pointed out some of the major shortcomings of the current data protection legislation. If these Guidelines are applied to the draft General Data Protection Regulation (GDPR) published by the EU Commission on 25.1.2012 (COM(2012) 11 final), an initial analysis produces the following results:

  1. Freedom of Communication: The guidelines relating to the processing of data solely for journalistic purposes, the so-called media privilege, are not defined any more sharply than before. Article 80 of the GDPR is largely the same as Article 9 of the EU Data Protection Directive (DPD). Recital 121 makes it clear that, in line with the case law of the ECJ, the provisions of the media privilege are open to wide interpretation. There are no clear criteria for striking the balance between the protection of personal data and freedom of expression that the European Court of Human Rights requires: the interests protected by Article 8 of the European Convention on Human Rights (ECHR) (the right to respect for private life) must be weighed against those protected by Article 10 ECHR (freedom of expression).
  2. Subject matter: Data reflects social reality. It is not a protected resource that is assigned to, or owned by, an individual. Article 1 of the GDPR is mainly concerned with protecting personal data and is therefore “data-fixated”. The subject matter of protection is not clearly defined at all. Article 1 of the GDPR hardly differs from Article 1 of the DPD; unlike Article 1 of the DPD, however, it does not even mention the individual’s right to privacy as the interest being protected. The wording of Article 1 of the GDPR is thus more likely than ever to lead to the misapprehension that data is to be protected for its own sake.
  3. Yes or No Principle: The applicability of data protection law is intended, as before, to depend on whether or not the data is personal. This is the Yes or No Principle. The definition of “personal” remains as unclear as before. Article 4 no. 1 of the GDPR suggests an objective (abstract) and thus broad definition. According to recital 24 sentence 2, however, online identifiers (e.g. internet protocol addresses) “need not necessarily be considered as personal data in all circumstances”. Recital 24 thus suggests a subjective (relative) understanding of personal data. This is contradictory and leads to the expectation that the scope of the GDPR will remain unclear.
  4. Per se Illegality: The per se illegality of processing remains detached from fundamental freedoms, as before (Article 6 of the GDPR). Communication involving personal data remains illegal unless specifically permitted. Per se illegality is in fact applied even more stringently through Article 7 para. 4 of the GDPR, under which the consent of the data subject does not provide a legal basis for the processing (and transmission) of his or her data “where there is a significant imbalance between the position of the data subject and the controller”. This negates consent given by employees, insured persons, bank customers etc. and creates confusion, since some “imbalance” can be demonstrated in virtually every consumer contract.
  5. Equal Treatment of all Data: The GDPR does not provide for any flexibility in the treatment of data or any differentiation according to the type of data. Article 9 para. 1 of the GDPR does list particularly sensitive data. This list is largely a repetition of Article 8 of the DPD and contains an incoherently collated collection of heterogeneous data of varying importance and sensitivity (from trade-union membership to genetic data). There is no common denominator or principle from which a general rule could be derived (the list is far too arbitrary to be conclusive). Moreover, the level of protection applied to this data is only marginally greater than that afforded to far less sensitive data; for example, per se illegality applies in the same measure to IP addresses as to sexual preference.
  6. Privacy by Design: Article 23 para. 1 of the GDPR is intended to make “Privacy by Design” the standard. In fact, it amounts to no more than a declaration of intent, since the appropriate technical and organisational measures and procedures are merely to be implemented in such a way that the processing will “meet the requirements of this Regulation”. This is significantly weaker than § 3a of the German Federal Data Protection Act (BDSG), which requires those processing data to aim at data avoidance and data economy. Unlike § 3a BDSG, Article 23 para. 1 of the GDPR sets no benchmarks that data processors should strive to attain. This shows quite clearly (among other things) that the lack of a concrete definition of the interest to be protected (see no. 2) automatically prevents the derivation of concrete criteria for assessing risks and the need for preventive measures. No measures that would result in the real protection of privacy are specified.
  7. Official Risk Assessment without Standards: Under Article 33 of the GDPR, the controller (or the processor acting on its behalf) is required to assess the impact of the envisaged processing operations on the protection of personal data in the case of particularly risky processing operations. No standards are provided for this assessment. Matters are further complicated by Article 34 of the GDPR, which requires that for particularly risky processing operations the supervisory authority be consulted or its authorisation obtained beforehand. The data protection authorities are thereby placed in the position of having to assess risks without any clear criteria. If the criteria for this assessment are not laid down for the public authorities that have to authorise such processing, these authorities will end up setting their own standards. In constitutional terms, this is most alarming.
  8. Consent: The principle of per se illegality is retained (see no. 4). Consent as the key tool for overcoming the processing prohibition (Article 6 para. 1 lit. a in conjunction with Article 7 of the GDPR) is also retained. At the same time, however, independent decisions by the persons affected are viewed with suspicion: Article 7 para. 4 of the GDPR negates consent as a legal basis for processing “where there is a significant imbalance between the position of the data subject and the controller”. The aim of strengthening individual autonomy is thereby undermined.
  9. Transparency (Standards): It would be desirable, and would lead to more transparency on the internet, if standards were set for informing data subjects of the type, scope and purpose of the processing of their data. Article 14 of the GDPR unfortunately provides no more transparency than the duty to inform set out in Articles 10 and 11 of the DPD, which is adopted largely unchanged, with the addition of various instructions regarding procedural rights and remedies. Article 14 of the GDPR would also weaken current German law, as it does not even contain a (general) requirement to inform about the “type and scope” of the processing, cf. § 13 para. 1 of the German Telemedia Act (TMG).
  10. Sanctions: The GDPR would bring about a significant tightening of the enforcement of data protection law. The draconian fines set out in Article 79 of the GDPR alone would lead one to expect this. The GDPR exclusively empowers the supervisory authorities to impose these sanctions. Individuals are given no new tools to assist them in protecting their privacy. Civil liability for data protection violations remains weak: Articles 77 and 78 of the GDPR merely adopt the provisions of Articles 23 and 24 of the DPD.
  11. Stringency and Legal Certainty: The harmonisation of European data protection legislation by means of a regulation is to be welcomed. Without bold reforms of substantive law, however, the law cannot be made more stringent or more coherent. The GDPR will contribute little to legal certainty as regards data processing and the protection of the individual’s right to privacy.