EU Commission sets the scene for the future of EU data protection laws
The objective of improving the standards in this regard is genuine but the general impression is that data protection laws need a lighter framework or ‘they will not fly’.
Article 16(2) of the Treaty on the Functioning of the European Union, as deriving from the Treaty of Lisbon, creates a specific legal basis for adopting EU rules on the protection of personal data. Commissioner Reding got down to work with gusto.
The Commission recently presented a proposal for a General Data Protection Regulation. Once approved, the instrument would replace Directive 95/46/EC, which at the moment sets out the relevant EU rules. It is easy to forecast that the dossier will be one of the ‘heavyweight’ procedures at the EU level in the coming years.
Trying to leave a lasting mark
The first striking element about the Commission’s strategy is in its adamant insistence on opting for the instrument of a Regulation, rather than for a Directive. Prudence would have recommended the second option. With its natural flexibility, a Directive would have ensured maximum respect for the diversity of well-tested approaches existing in the Member States. The fact that in this area of law implications of a constitutional nature often come into play reinforces this assessment. The possible issues that could be generated by the choice of a Regulation have already provoked some openly defensive stances in the Council.
The proposal broadly embraces the objectives and principles of the current Directive 95/46/EC, but the robust enhancement of the general framework, developed in the light of the rapid technological progress of the last few years, is equally evident. Considering the sheer length of the text, it is advisable to focus on the elements that deserve greater attention.
One of the most widely debated elements of the proposal is the explicit introduction of a ‘right to be forgotten’, accompanied by a further development of the ‘right to erasure’. Data subjects would now have the right to obtain from the controller the erasure of personal data relating to them and to have the controller refrain from their further dissemination (with particular regard to personal data made available by the data subject while he/she was a child) where: the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent to the processing in accordance with the Regulation, or the storage period consented to has expired, and there is no other legal ground for the processing of the data; the data subject objects to the processing of personal data in accordance with Article 19; or the processing of the data does not otherwise comply with the Regulation. In the event that the controller has made the personal data public, it will have to take all reasonable steps to inform third parties which are processing the data (for whose publication the controller is responsible) that a data subject has requested them to erase any links to, or copy or replication of, that personal data. Some exceptions to these provisions are foreseen: the controller is obliged to carry out the erasure without delay, except to the extent that the retention of the personal data is, for example, necessary for exercising the right of freedom of expression in accordance with Article 80 or for historical, statistical and scientific research purposes in accordance with Article 83. While the concept at issue has its merits in the online environment, its generalised application could also lead to excesses. It is important to avoid both hampering the activities of entities that pursue legitimate purposes and any unintended negative impact on some other safeguards contained in the text (including in the area of sensitive data).
The potential impact of this right should be carefully explored.
The proposal also quite radically revises the data subject’s ‘right to object’ to the processing (Article 19). It places on the controller’s shoulders the burden of countering such requests by having to prove ‘compelling legitimate grounds’ for the processing which override the interests, fundamental rights and freedoms of the data subject. Article 14 of the current Directive, in requiring from the data subject ‘compelling legitimate grounds’ relating to his/her particular situation, seems to be more cautiously crafted, as frivolous or purposelessly litigious requests should be prevented.
The most praiseworthy core of the proposal concerns the protection of minors, especially in the online context. According to the text, children deserve specific protection of their personal data (Recital 29) and measures based on electronic ‘profiling’ with regard to them are not allowed (Recital 58). Moreover, the legitimate interests of the controller, in terms of assessing the lawfulness of its processing, must be carefully scrutinised when the data subject is a child (Article 6). Article 8 also links the lawfulness of offering information society services directly to a child below the age of 13 to the consent given or authorised by the child’s parent or custodian. The right to be forgotten and to erasure is also explicitly linked with children.
Finally, two more technical elements that should not be neglected concern the excessive recourse to so-called ‘delegated acts’ which is encouraged in the text and the extensive use of heavy sanctions.
Churches vis-a-vis the new regime
The case most often associated with the Church in the area of data protection is that of ‘debaptisation’ requests (applications for deletion of data from baptism records). Recurrent problems more generally concern sacramental records. An element that is often overlooked is the fact that such data collections are meant not only to allow Churches to carry out their legitimate activities but also to protect individuals and their rights (e.g. in case of marriage).
In this regard, the framework concerning sensitive data (including data which reveal one’s religion or beliefs) positively confirms and builds upon the system introduced with Directive 95/46/EC, thereby ensuring a solid foundation.
Churches might also benefit from the extension of the consideration for historical purposes, which fittingly acknowledges the specificity of this sector.
A lot will also depend on the extent to which the Regulation will be interpreted and applied in a way that fully ensures respect for the fundamental right to religious freedom, especially in its institutional aspect.
For Churches as well, the proposal brings with it the obligation to reflect on the need to make sure that their relevant internal provisions conform to the Regulation, but also to identify ways to introduce the necessary improvements and safeguards in the text. The Churches are ready to take up this challenge within their contemporary commitment to ensure a high level of protection of personal data inside their own structures.
A long road lies ahead
There should be appreciation for the European Commission’s aim of strengthening the protection of personal data and citizens’ fundamental rights. The objective of improving the standards in this regard is genuine. Moreover, high ambitions and determination should guarantee the quality of the new EU data protection framework. On a less encouraging note, the general impression is that data protection laws need a lighter framework or ‘they will not fly’. In the Council, many delegations fear that the text could bring about ponderous administrative burdens rather than simplification. Adding to this the number of divisive elements that already burden the proposal, some could wonder whether the Commission has not assembled an aeroplane that is too heavy to take off. Together with the other actors, Churches will certainly be present in the debate and strive to facilitate the hardly enviable task awaiting the EU Institutions, in the spirit of constructiveness that constitutes one of their central features.