Reforming Eu Information Protection Law: The Council Takes Its Laid About Babe Steps
November 27, 2018
Edit
Steve Peers
The EU’s controversial information protection rules, currently inward the cast of a Directive dating dorsum to 1995, would last reformed profoundly if a Regulation proposed past times the Commission is adopted. Talks on this proposal possess got been underway since Jan 2012, amongst no immediate halt inward sight. However, inward June, for the start fourth dimension the Council (consisting of Member States’ jurist ministers) has agreed its position on role of the proposal. Of course, the Council however has to concur its seat on the remainder of the text, as well as and hence negotiate amongst the European Parliament, which adopted its position on the entire text this spring. But at to the lowest degree this recent partial Council bargain offers the start chance to assess the administration of negotiations.
Furthermore, this is a proficient occasion to assess whether the novel legislation mightiness touching on upon the application of the controversial Google Spain judgment.
The partial Council bargain
The Council bargain exclusively concerns the inquiry of how the novel European Union rules volition apply to non-EU countries. However this number is of cracking importance inward low-cal of the ever-growing usage of the Internet as well as social media, since the European Union rules are potentially liable to apply worldwide.
To house the bargain inward context, it is necessary to await at 4 dissimilar things: (a) the electrical flow rules inward the 1995 Directive, equally interpreted past times the CJEU; (b) the 2012 proposal; (c) the Council’s position; as well as (d) the EP’s position.
In each case, I volition await at 2 dissimilar aspects which were addressed past times the Council deal. First, when produce the standard European Union information protection rules apply, fifty-fifty where the fellowship processing information is based exterior the EU? Secondly, when produce the special rules on external relations apply?
The electrical flow rules
Currently Article 4 of the 1995 Directive states firstly that the measure rules apply to a information controller established inward a Member State. According to the CJEU inward Google Spain, that concept applies at to the lowest degree where a non-EU fellowship has established a subsidiary inward a Member State, as well as that subsidiary carries out activities linked to the concern model of the parent company. The electrical flow rules become on to say that if the controller is established on the territory of to a greater extent than than 1 Member State, it must comply amongst the national constabulary of each of those States.
Furthermore, the measure rules inward the 1995 Directive apply where a Member State’s national constabulary applies past times virtue of populace international law, as well as where the controller is non established on European Union territory, but uses equipment located on a Member State’s territory, unless that equipment is used exclusively for the purposes of transit. This raises the inquiry of whether the usage of ‘cookies’, for instance, amounts to the usage of equipment on a national territory, since those cookies are installed on a Member State’s computer.
As for external transfers, the electrical flow rules supply (Article 25) that inward regulation information tin strength out exclusively last transferred if at that topographic point is an ‘adequate score of protection’ inward the 3rd soil concerned. The Commission tin strength out adopt decisions either finding that at that topographic point is, or is not, an adequate score of protection. By way of derogation (Article 26), Member US must nonetheless permit (unless their national constabulary provides otherwise) external transfers to accept house if: the information dependent area has given unambiguous consent; the transfer is necessary to perform a contract amongst the information controller or to implement pre-contractual measures which the information dependent area requested; the transfer is necessary to conclude or perform a contract inward the involvement of the information dependent area equally a 3rd party; the transfer is ‘necessary or legally required on of import populace involvement grounds’ or related to legal claims; the transfer is inward the information subject’s ‘vital interests’; or the transfer is from a register which provides information to the populace or to persons amongst a legitimate interest.
A Member State may authorise an external transfer to a soil amongst an inadequate score of protection if the information controller tin strength out offering ‘adequate safeguards’, inward especial arising from contractual clauses. The Commission tin strength out create upwards one's hear that for certain measure contractual clauses offering such protection.
The 2012 proposal
The 2012 proposal (Article 3) suggests that the novel Regulation should apply start of all where a controller or processor is established inward the EU. Secondly, it should apply where the information controller is non established inward the EU, but the information subjects reside inward the Union, as well as the information controller either offers them goods or services, or monitors their behaviour. Thirdly, equally before, it would apply where a Member State’s national constabulary applies past times virtue of populace international law. The provision concerning the ‘use of equipment’ would last dropped.
As regards external transfers, the 2012 proposal maintains the basic construction of the electrical flow rules, but elaborates upon it. So at that topographic point are to a greater extent than details on what the Commission has to accept into concern human relationship when assessing the adequacy of a 3rd State, including judicial redress as well as supervisory authorities. Adequacy decisions taken pursuant to the 1995 Directive would rest inward force.
External transfers would last permitted on the footing of binding corporate rules, or measure contractual rules adopted past times the Commission or a national supervisory authority, or individually negotiated contractual rules authorised past times a national supervisory authority. Otherwise transfers would require blessing past times a supervisory authority. Pre-existing authorisations past times a supervisory ascendancy would rest valid.
A novel clause would elaborate upon the content of binding corporate rules that would last adopted unilaterally. These would require the blessing of a supervisory authority.
Finally, farther derogations would last permitted. Compared to the electrical flow rules, these would last optional, non mandatory. The novel proposal would clarify that consent could exclusively last given after the information dependent area had been warned of the risks, as well as that transfers inward the information subject’s involvement could exclusively last given if the information dependent area were unable to consent. There would last a novel Earth of external transfers inward the information controller’s or processor’s legitimate interest, dependent area to safeguards beingness inward place. The concept of the ‘public interest’ justifying such transfers would last farther clarified inward national or European Union law.
The Council seat
As regards the measure rules, the Council would amend the Commission proposal to clarify that the rules volition apply whether or non the information controller offers goods or services for payment. However, equally regards monitoring of behaviour, the rules volition exclusively apply if the information controller monitors demeanor inside the EU.
For external transfers, the Council would add together farther especial to the rules regarding the assessment of the adequacy of 3rd states, including a specific reference to participation inward regional or multilateral information protection treaties. The Council likewise wants to laissez passer an advisory role to the planned novel European Data Protection Board inward this process. The Council would require the Commission to monitor the application of its adequacy decisions, as well as empower it to revoke them. However, the Commission would no longer possess got the ability to adopt a determination specifying that a 3rd State had inadequate protection.
The Council would likewise permit external transfers to accept house on the footing of a code of behave or a certification mechanism. Transfers inward the private involvement of the information processor or controller would last dependent area to a possible override inward the information subject’s interests. The Commission would lose powers to define the populace interests reasons for transfers, as well as Member US would arrive at to a greater extent than powers on this point.
The EP seat
The EP would amend the Commission proposal hence that, where the controller or processor is established inside the EU, it would non affair where the information was processed. Also, the measure rules would apply to the offering of goods or services or monitoring past times information controllers or information processors, as well as would apply to whatsoever form of monitoring of information subjects, non exclusively the monitoring of behaviour. Unlike the Council, the EP would non bound the monitoring clause to demeanor inside the EU. However, similar the Council, the EP would apply the rules fifty-fifty if goods or services are non offered for payment.
As for external transfers, the EP agrees amongst the Council that the Commission should monitor its adequacy decisions, as well as that at that topographic point should last a role for the novel Board. However, the EP wants to apply a ‘sunset clause’ to pre-existing adequacy decisions, as well as retain the ability for the Commission to adopt ‘inadequacy’ decisions.
Similarly, pre-existing authorisations of contractual clauses would expire presently after the novel rules were adopted, although the EP agrees amongst the Council that a cast of certification procedure should justify external transfers. For binding corporate rules, the EP wants to ensure consultation of workers where their information is involved, as well as apply the rules to sub-contractors (the Council approaches the latter number past times referring to groups of companies). As regards the derogations, the EP would spend upwards the thought of transfers inward the legitimate interests of controllers.
Finally, the EP has proposed a novel ‘Snowden clause’ which would hateful that national courts could non recognise the decisions of non-EU courts which ordered the disclosure of personal data. However, this dominion would last ‘without prejudice’ to usual assistance treaties or whatsoever other international agreements betwixt a non-EU province as well as the European Union or whatsoever Member State.
Comments
One of import dot should last addressed at the outset: what is the final result of the recent EP election on the EP’s position? In the European Union system, proposed legislation does non autumn simply because at that topographic point is an election for the EP, or because at that topographic point volition last a novel Commission equally from November. Rather, the newly elected EP traditionally holds a vote at an early on phase to create upwards one's hear whether to reaffirm the positions taken past times the previous legislature. Usually it reaffirms almost all of the prior legislature’s positions. It should last recalled that the EP’s seat on the information protection Regulation was adopted past times a huge majority, as well as hence despite the increase inward the number of populist MEPs, a bulk inward favour of approving the EP’s prior seat on this proposal should inward regulation non last hard to find.
For its part, the incoming Commission volition create upwards one's hear whether to withdraw about of its pending proposals, but is really rare for an incoming Commission to withdraw a proposal which is actively nether give-and-take inward the Council as well as EP, such equally the information protection proposal.
Moving on to the marrow of the issues, equally regards the application of the measure rules, all iii institutions concur to conk along the dominion on establishment, extending it to information processors also. The EP’s suggested amendment regarding the location of the information processing is but a clarification, which is in all likelihood non necessary.
The iii institutions all concur to drib the ‘use of equipment’ clause, to conk along the clause on populace international law, as well as to add together a novel clause regarding goods as well as services as well as monitoring. The EP as well as the Council likewise concur that the ‘goods as well as services’ clause volition apply fifty-fifty where at that topographic point is no payment made. The institutions differ equally regards extending the novel clause likewise to information controllers, as well as differ equally regards the exact reach of the monitoring of behaviour.
As for the external transfers rules, all iii institutions would conk along the electrical flow basic structure. They differ equally regards: the ‘Snowden clause’ (although this dominion is really weak, inward low-cal of its exceptions for whatsoever international treaties); whether the Commission tin strength out adopt an ‘inadequacy decision’ (it has never done so); sunset clauses for prior authorisations; whether private interests tin strength out justify external transfers; as well as the procedure of determining when the populace involvement tin strength out justify them.
Taken equally a whole, the touching on of the novel rules depends on how the electrical flow rules are interpreted. There is no argue to uncertainty that the ‘establishment’ clause would last interpreted the same way equally it was inward Google Spain, ie applying at to the lowest degree where a subsidiary’s action is linked to a non-EU parent company’s concern model. But at that topographic point is no representative constabulary clarifying what the ‘use of equipment’ means, as well as hence it is non slowly to assess what removal of this clause volition hateful inward practice.
Instead the focus volition last on what it way to offering goods or services (whether or non for payment), as well as what it way to monitor an individual. These concepts are clarified inward the preamble, which indicates that the ‘offering goods or services’ dominion volition apply where at that topographic point a website seeks to sell its products or services, as well as its online action is especially directed towards European Union citizens (in low-cal of the currency or linguistic communication used). So the intention is evidently not to embrace a non-profit trunk similar Wikipedia, or a social network or search engine which does non accuse for its services (although about such entities would last covered past times the ‘establishment’ rule).
What nearly ‘monitoring’? Here, the preamble suggests that the novel clause applies when an individual’s Internet activities are tracked amongst a sentiment to profiling him or her. There is no proffer inward the preamble that keeping records of a person’s usage of social networks would count equally monitoring. But if that is non the intention, it would last ameliorate for the European Union legislature to dominion it out to a greater extent than expressly. In whatsoever event, it is hard to run across how the Council’s limitation regarding the monitoring of demeanor within the EU would run inward practice, inward low-cal of the nature of the Internet.
As regards the external transfer clauses, their importance depends on whether the measure clauses apply. The greater the number of businesses covered past times the measure rules, the less of import the external transfer rules are – as well as vice versa.
It is clear that the external transfer clauses volition rest broadly similar to the electrical flow rules, hence whatsoever corporate or NGO strategies regarding these clauses would exclusively ask to last amended modestly, rather than last overhauled. The biggest issues may last the EP’s insistence on its ‘Snowden clause’ as well as its rejection of the thought that external transfers tin strength out accept house inward the information controller’s interest, although the one-time clause is weak as well as information controllers tin strength out unremarkably pursue their interests past times way of obtaining consent or establishing a contractual relationship.
Much of the most hard run equally regards the negotiation of the novel rules remains to last done. In fact, it is rather peculiar to negotiate a novel constabulary past times defining its territorial reach earlier agreeing on its primary substance.
While a vast number of issues volition arise inward the forthcoming negotiations, the next are especially relevant to the fallout from the Google Spain decision, inward especial equally regards its possible touching on on social networks as well as Wikipedia: the interpretation of a ‘data processor’ (which would last especially pregnant if the EP gets its way as well as the entire clause on territorial reach applies to information processors); the possible application of the ‘household exception’ to user-generated content; the exception for journalism; as well as the Definition of the grounds for processing personal information (notably consent as well as the controller’s legitimate interests).
Barnard & Peers: chapter 9
