The EU’s controversial data protection rules, currently in the form of a Directive dating back to 1995, would be reformed profoundly if a Regulation proposed by the Commission is adopted. Talks on this proposal have been underway since January 2012, with no immediate end in sight. However, in June, for the first time the Council (consisting of Member States’ justice ministers) has agreed its position on part of the proposal. Of course, the Council still has to agree its position on the rest of the text, and then negotiate with the European Parliament, which adopted its position on the entire text this spring. But at least this recent partial Council deal offers the first opportunity to assess the direction of negotiations.
Furthermore, this is a good occasion to assess whether the new legislation might impact upon the application of the controversial Google Spain judgment.
The partial Council deal
The Council deal only concerns the question of how the new EU rules will apply to non-EU countries. However this issue is of great importance in light of the ever-growing use of the Internet and social media, since the EU rules are potentially liable to apply worldwide.
To place the deal in context, it is necessary to look at four different things: (a) the current rules in the 1995 Directive, as interpreted by the CJEU; (b) the 2012 proposal; (c) the Council’s position; and (d) the EP’s position.
In each case, I will look at two different aspects which were addressed by the Council deal. First, when do the standard EU data protection rules apply, even where the company processing data is based outside the EU? Secondly, when do the special rules on external relations apply?
The current rules
Currently Article 4 of the 1995 Directive states firstly that the standard rules apply to a data controller established in a Member State. According to the CJEU in Google Spain, that concept applies at least where a non-EU company has established a subsidiary in a Member State, and that subsidiary carries out activities linked to the business model of the parent company. The current rules go on to say that if the controller is established on the territory of more than one Member State, it must comply with the national law of each of those States.
Furthermore, the standard rules in the 1995 Directive apply where a Member State’s national law applies by virtue of public international law, and where the controller is not established on EU territory, but uses equipment located on a Member State’s territory, unless that equipment is used only for the purposes of transit. This raises the question of whether the use of ‘cookies’, for instance, amounts to the use of equipment on a national territory, since those cookies are installed on a Member State’s computer.
As for external transfers, the current rules provide (Article 25) that in principle data can only be transferred if there is an ‘adequate level of protection’ in the third country concerned. The Commission can adopt decisions either finding that there is, or is not, an adequate level of protection. By way of derogation (Article 26), Member States must nonetheless allow (unless their national law provides otherwise) external transfers to take place if: the data subject has given unambiguous consent; the transfer is necessary to perform a contract with the data controller or to implement pre-contractual measures which the data subject requested; the transfer is necessary to conclude or perform a contract in the interest of the data subject as a third party; the transfer is ‘necessary or legally required on important public interest grounds’ or related to legal claims; the transfer is in the data subject’s ‘vital interests’; or the transfer is from a register which provides information to the public or to persons with a legitimate interest.
A Member State may authorise an external transfer to a country with an inadequate level of protection if the data controller can offer ‘adequate safeguards’, in particular arising from contractual clauses. The Commission can decide that certain standard contractual clauses offer such protection.
The 2012 proposal
The 2012 proposal (Article 3) suggests that the new Regulation should apply first of all where a controller or processor is established in the EU. Secondly, it should apply where the data controller is not established in the EU, but the data subjects reside in the Union, and the data controller either offers them goods or services, or monitors their behaviour. Thirdly, as before, it would apply where a Member State’s national law applies by virtue of public international law. The provision concerning the ‘use of equipment’ would be dropped.
As regards external transfers, the 2012 proposal maintains the basic structure of the current rules, but elaborates upon it. So there are more details on what the Commission has to take into account when assessing the adequacy of a third State, including judicial redress and supervisory authorities. Adequacy decisions taken pursuant to the 1995 Directive would remain in force.
External transfers would be permitted on the basis of binding corporate rules, or standard contractual rules adopted by the Commission or a national supervisory authority, or individually negotiated contractual rules authorised by a national supervisory authority. Otherwise transfers would require approval by a supervisory authority. Pre-existing authorisations by a supervisory authority would remain valid.
A new clause would elaborate upon the content of binding corporate rules that would be adopted unilaterally. These would require the approval of a supervisory authority.
Finally, further derogations would be permitted. Compared to the current rules, these would be optional, not mandatory. The new proposal would clarify that consent could only be given after the data subject had been warned of the risks, and that transfers in the data subject’s interest could only be given if the data subject were unable to consent. There would be a new ground of external transfers in the data controller’s or processor’s legitimate interest, subject to safeguards being in place. The concept of the ‘public interest’ justifying such transfers would be further clarified in national or EU law.
The Council position
As regards the standard rules, the Council would amend the Commission proposal to clarify that the rules will apply whether or not the data controller offers goods or services for payment. However, as regards monitoring of behaviour, the rules will only apply if the data controller monitors behaviour within the EU.
For external transfers, the Council would add further detail to the rules regarding the assessment of the adequacy of third states, including a specific reference to participation in regional or multilateral data protection treaties. The Council also wants to give an advisory role to the planned new European Data Protection Board in this process. The Council would require the Commission to monitor the application of its adequacy decisions, and empower it to revoke them. However, the Commission would no longer have the power to adopt a decision specifying that a third State had inadequate protection.
The Council would also permit external transfers to take place on the basis of a code of conduct or a certification mechanism. Transfers in the private interest of the data processor or controller would be subject to a possible override in the data subject’s interests. The Commission would lose powers to define the public interests reasons for transfers, and Member States would gain more powers on this point.
The EP position
The EP would amend the Commission proposal so that, where the controller or processor is established within the EU, it would not matter where the data was processed. Also, the standard rules would apply to the offering of goods or services or monitoring by data controllers or data processors, and would apply to any sort of monitoring of data subjects, not only the monitoring of behaviour. Unlike the Council, the EP would not limit the monitoring clause to behaviour within the EU. However, like the Council, the EP would apply the rules even if goods or services are not offered for payment.
As for external transfers, the EP agrees with the Council that the Commission should monitor its adequacy decisions, and that there should be a role for the new Board. However, the EP wants to apply a ‘sunset clause’ to pre-existing adequacy decisions, and retain the power for the Commission to adopt ‘inadequacy’ decisions.
Similarly, pre-existing authorisations of contractual clauses would expire soon after the new rules were adopted, although the EP agrees with the Council that a form of certification process should justify external transfers. For binding corporate rules, the EP wants to ensure consultation of workers where their data is involved, and apply the rules to sub-contractors (the Council approaches the latter issue by referring to groups of companies). As regards the derogations, the EP would reject the idea of transfers in the legitimate interests of controllers.
Finally, the EP has proposed a new ‘Snowden clause’ which would mean that national courts could not recognise the decisions of non-EU courts which ordered the disclosure of personal data. However, this rule would be ‘without prejudice’ to mutual assistance treaties or any other international agreements between a non-EU state and the EU or any Member State.
One important point should be addressed at the outset: what is the result of the recent EP election on the EP’s position? In the EU system, proposed legislation does not fall simply because there is an election for the EP, or because there will be a new Commission as from November. Rather, the newly elected EP traditionally holds a vote at an early stage to decide whether to reaffirm the positions taken by the previous legislature. Usually it reaffirms almost all of the prior legislature’s positions. It should be recalled that the EP’s position on the data protection Regulation was adopted by a huge majority, and so despite the increase in the number of populist MEPs, a majority in favour of approving the EP’s prior position on this proposal should in principle not be hard to find.
For its part, the incoming Commission will decide whether to withdraw some of its pending proposals, but is very rare for an incoming Commission to withdraw a proposal which is actively under discussion in the Council and EP, such as the data protection proposal.
Moving on to the substance of the issues, as regards the application of the standard rules, all three institutions agree to keep the rule on establishment, extending it to data processors also. The EP’s suggested amendment regarding the location of the data processing is merely a clarification, which is probably not necessary.
The three institutions all agree to drop the ‘use of equipment’ clause, to keep the clause on public international law, and to add a new clause regarding goods and services and monitoring. The EP and the Council also agree that the ‘goods and services’ clause will apply even where there is no payment made. The institutions differ as regards extending the new clause also to data controllers, and differ as regards the exact scope of the monitoring of behaviour.
As for the external transfers rules, all three institutions would keep the current basic structure. They differ as regards: the ‘Snowden clause’ (although this rule is very weak, in light of its exceptions for any international treaties); whether the Commission can adopt an ‘inadequacy decision’ (it has never done so); sunset clauses for prior authorisations; whether private interests can justify external transfers; and the process of determining when the public interest can justify them.
Taken as a whole, the impact of the new rules depends on how the current rules are interpreted. There is no reason to doubt that the ‘establishment’ clause would be interpreted the same way as it was in Google Spain, ie applying at least where a subsidiary’s activity is linked to a non-EU parent company’s business model. But there is no case law clarifying what the ‘use of equipment’ means, and so it is not easy to assess what removal of this clause will mean in practice.
Instead the focus will be on what it means to offer goods or services (whether or not for payment), and what it means to monitor an individual. These concepts are clarified in the preamble, which indicates that the ‘offering goods or services’ rule will apply where there a website seeks to sell its products or services, and its online activity is particularly directed towards EU citizens (in light of the currency or language used). So the intention is apparently not to cover a non-profit body like Wikipedia, or a social network or search engine which does not charge for its services (although some such entities would be covered by the ‘establishment’ rule).
What about ‘monitoring’? Here, the preamble suggests that the new clause applies when an individual’s Internet activities are tracked with a view to profiling him or her. There is no suggestion in the preamble that keeping records of a person’s use of social networks would count as monitoring. But if that is not the intention, it would be better for the EU legislature to rule it out more expressly. In any event, it is difficult to see how the Council’s limitation regarding the monitoring of behaviour within the EU would work in practice, in light of the nature of the Internet.
As regards the external transfer clauses, their importance depends on whether the standard clauses apply. The greater the number of businesses covered by the standard rules, the less important the external transfer rules are – and vice versa.
It is clear that the external transfer clauses will remain broadly similar to the current rules, so any corporate or NGO strategies regarding these clauses would only need to be amended modestly, rather than be overhauled. The biggest issues may be the EP’s insistence on its ‘Snowden clause’ and its rejection of the idea that external transfers can take place in the data controller’s interest, although the former clause is weak and data controllers can usually pursue their interests by means of obtaining consent or establishing a contractual relationship.
Much of the most difficult work as regards the negotiation of the new rules remains to be done. In fact, it is rather peculiar to negotiate a new law by defining its territorial scope before agreeing on its main substance.
While a vast number of issues will arise in the forthcoming negotiations, the following are particularly relevant to the fallout from the Google Spain decision, in particular as regards its possible impact on social networks and Wikipedia: the interpretation of a ‘data processor’ (which would be particularly significant if the EP gets its way and the entire clause on territorial scope applies to data processors); the possible application of the ‘household exception’ to user-generated content; the exception for journalism; and the definition of the grounds for processing personal data (notably consent and the controller’s legitimate interests).
Barnard & Peers: chapter 9