EU Data Protection and Open Standards
January 9, 2013 1:44 PM
by Glyn Moody
As happened for last year, 2013 will doubtless see plenty of battles in the domains of open standards, copyright and software patents, but there will also be a new theme: data protection. That's a consequence of an announcement made by the European Commission almost exactly a year ago:
The European Commission has today proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.
The Commission's proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights in the future. They include a policy Communication setting out the Commission's objectives and two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
We now have the proposed text of the Regulation [.pdf], which includes numerous amendments made by the German Green MEP Jan Albrecht, who is the European Parliament's Rapporteur for this matter. He has a useful page linking to relevant background documents and videos of meetings, but most of them are in German.
The Regulation is quite long, and written in the form of the original Commission text and the proposed changes, so it's not the easiest of reading. A better place to start is the commentary from the European Digital Rights organisation EDRI:
The draft Report of the European Parliament on the European Commission's proposed Data Protection Regulation was published today. The Parliamentarian responsible, German Green MEP Jan Albrecht, has sought to improve on the Commission's initial proposal and also to address many of the concerns raised by his colleagues in the discussions that have taken place so far in various Committees. The draft text is therefore a mix of straightforward attempts at positive improvements and attempts at compromise based on the opinions so far expressed by his colleagues.
One place where EDRI feels that Albrecht has improved the original text regards “legitimate interest”:
Under this approach, companies can decide to process personal data without permission and without this being necessary for the conclusion of a contract. They may do so if they feel that their reasons for doing so are more compelling than the individual's right to privacy (although this decision may be challenged in the courts or by a Data Protection Authority). Contradicting proposals from Green colleagues to delete this exception, Mr Albrecht suggests a compromise - permitting this unilateral approach if it is “exceptional”. The data controller would be required to justify the use of this approach and to inform the data subject. Five broad justifications are listed for the use of the “legitimate interest” exception - one example being the sending of junk mail by a company that is already providing services to the data subject (as is currently the case under EU law for sending junk e-mail).
EDRI is less happy with the question of "profiling":
following the logic of various fundamental rights restricting measures proposed by the Commission in the area of profiling for policing purposes, Mr Albrecht's report suggests that measures that produce legal effects on the data subject may not be based “solely” on automated processing. This wording is so narrow that any human intervention at all would be enough to satisfy this “safeguard”.
All-in-all, though, EDRI feels that he has done a reasonable job in difficult circumstances:
Generally, many of the proposals from Mr Albrecht represent an improvement on suggestions already been made by lobbyists and certain Parliamentarians. However, it is far from certain whether his colleagues will accept the draft report as a genuine first attempt at compromise or simply a compromised position that can be further eroded during the remainder of the legislative process.
One of the vexed questions in this whole area is how the use of personal data from the EU would be regulated when gathered and processed by US companies. Indeed, there is something of a tussle going on here, as two opposing world-views slug it out.
On the European side, there is a greater focus on protecting the public's data from misuse; on the US side, the main concern is that US technology companies won't be inconvenienced when it comes to providing their services in Europe. Here's how the New York Times puts it:
Although the effort is intended to standardize and consolidate the enforcement of data protection regulation across the 27 European Union countries, some American regulators, industry groups and scholars have objected. They say the draft rule was overly broad and burdensome for technology companies to carry out.
The NYT article raises one specific issue that may well be of particular interest to readers of this blog: personal data portability. Here's the relevant text from the Rapporteur:
2a. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data, where technically feasible and appropriate, and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
Here's the rationale, which makes a key point:
If data subjects want to exercise their right to access their personal data, it should be provided to them in an electronic format which they can use. This further use includes the right to move it to other platforms and services if the data subject wants this. The right to data portability, therefore, is a mere specification of the right to data access.
That is, without real data portability there is no real data access. But as the New York Times post notes:
Granting people the right to transfer the updates and photos they posted on Facebook to Google Plus, for example, may sound perfectly reasonable, said Yianni Lagos, a legal and policy fellow at Ohio State University and the co-author of a recent analysis of the European draft regulation published in the Maryland Law Review. But the proposed rule broadly requires that a company transfer a person’s data “without hindrance” and in a commonly used format.
“We’re not exactly sure what that means,” Mr. Lagos said.
“The largest challenge is the concept of interoperability,” Mr. Lagos said. “Translating from a coded format to a commonly used format, that is what will be difficult and costly to achieve.”
Of course, this is precisely why people should use truly open standards. Then there is no need to "translate" from a coded format, because it's already in a form that can be readily exported. It is therefore vitally important that the new EU Data Protection Regulation make this explicit, perhaps by amending the relevant section as follows:
2a. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data, where technically feasible and appropriate, and retained by an automated processing system, into another one, in an electronic format based on open standards, without hindrance from the controller from whom the personal data are withdrawn.
Doing so will not only achieve the goals of data portability - a key facet of the proposals - but will also give a useful fillip to the whole idea of open standards, with wider knock-on benefits for computing in the EU.
As the EDRI piece notes, it's quite possible that the text will be changed substantially as it passes through the EU legislative system. Given the importance of this regulation, I'll be reporting on the key stages as they happen, and noting when it might be useful to contact your MEPs on the topic.
Data protection is an area that affects everyone online, and so it's important that we get a good solution here that offers protection to users while permitting companies to use personal information as easily as possible subject to basic rules. If, along the way, we can boost the use of open standards by major companies like Facebook and Google, that will be an added bonus.
After all, the reason that the US companies and their government are so exercised about what looks to be a purely parochial issue for the EU is that it has huge knock-on consequences for everywhere in the world. Thanks to the global nature of operations these days, it's rarely feasible to set up very different systems for different parts of the world that operate in different ways. If EU regulations force companies providing services to Europeans to adopt open standards in order to allow true data portability, those same open standards will be rolled out worldwide. That's something really worth striving for.