The European Data Protection Directive is effectively dead, due to the infringement upon European citizens’ human rights.
Speaking to IT Security Guru, privacy consultant Martin Hoskins said that the European Commission’s justice and home affairs legal team has deemed it to be “unlawful” because it breaches the human rights of customers, who may have to go to a foreign jurisdiction rather than their national privacy commissioner.
“If the lead regulator was in Ireland, then someone in the UK who had a problem wouldn’t be able to complain to the UK Information Commissioner, they would have to complain to Dublin,” he explained.
“What would happen if someone in Poland or Portugal complained to a Lithuanian regulator? How would they know what the rulings were? Can they speak Lithuanian? It is fine if you are Lithuanian, but what if you are Polish? It is not good enough for citizens. Why can’t companies be subject to one regulator rather than the whims of all 28?”
Hoskins doubted that the regulation will survive in its current format. “It will be interesting to see what happens; next time it will be a directive and not a regulation. It has got to be a directive, as the concept of a regulation is that it is a detailed law but it applies everywhere. Data protection is based on principles and local cultures, and you have got to meet local attitudes to privacy, which are different in local cultures”, he said.
“So effectively the current proposal is dead – what they want to do is bank the progress that has gone on with the member states and Home Affairs council, and bring the draft into the new European parliament when it meets.”
Stewart Room, partner at Field Fisher Waterhouse, said that the current directive is built around a “one stop shop” principle, which is intended to streamline regulation by having a data controller in each country, so that controllers can be subject to regulation in every country where they do business. However, this one stop shop principle may actually breach the fundamental rights of individuals, because it may make access to justice much harder, according to EC lawyers.
“Basically, if you have to complain to a regulator in a different country, and perhaps in a foreign language, that will make it harder for you to pursue a complaint about bad data processing, hence access to justice is harder,” he said.
“So, if this point is correct, the regulation might be in real trouble. It would be brave to say right now that the regulation is dead, but time is running out for it to be adopted by the initial cut-off point in May. It will take a big effort by the EU and the Member States to get it over the line by then, but that’s not impossible.”
Hoskins claimed that the problem is that the EC has never had such a large piece of legislation fail, and this one faces a race to be passed before the European Parliament changes at the end of April.
Hoskins said: “The issue is who is making decisions next time. It will be a Euro sceptic parliament, so you wonder if a Euro sceptic parliament will be happy with more power going to the centre. In the UK, some would prefer to stick with the ICO than lots of power going to a European institution. There is too much to do and the structure is not there to be able to consider such huge issues.”
Room said that the European Union may go for a new directive instead, but said that would be a humiliating climbdown for the writers of the report.
The directive was originally announced in January 2012 by Viviane Reding, vice-president of the European Commission in charge of justice, fundamental rights and citizenship. She said it was intended as a single set of rules on data protection that would be valid across the EU’s 27 member states and would create “one data protection authority for one company” and “one authorisation for the whole of the EU”.
Major changes were announced in November around the size of the fines and to the “right to be forgotten”, while in December the directive was described as being “incompatible” with the Charter of Fundamental Rights due to the absence of sufficient regulation of the guarantees governing access to the data collected and retained, and because member states have exercised their powers with moderation with respect to the maximum period of data retention.