Europe’s data protection legislation remains stuck in the pre-Internet age, despite an all-hands-on-deck effort under the outgoing Irish Presidency to agree urgently needed new rules.
With a key vote by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee postponed until autumn, and more than 3,000 amendments tabled by MEPs, consensus over the General Data Protection Regulation, which would introduce a single data protection law across all 27 member states, seems as distant as ever.
The need for sensitively calibrated data protection laws that will allow the new oil of Big Data to be exploited for economic gain is intensifying daily, while the requirement for a single and up-to-date regulation that protects personal information has been heightened by the revelation earlier this month that US intelligence services have been monitoring European citizens. Viviane Reding, Vice-President of the European Commission, described this as a “wake-up call” in the Parliament on 19 June. “That shows how urgent it is to advance with a solid piece of legislation,” she said.
But the European Commission’s attempts over the past 18 months to steer new data protection laws through the legislative mill have sparked concerns from researchers and business. While there is widespread recognition of the need to modernise the rules, there is heated debate over aspects such as patient consent to reuse of data in medical research and a proposed new ‘right to be forgotten’.
Consumers hesitate
It was in January 2012 that Vice-President Reding proposed the revision of data protection rules, which date back to the infancy of the internet in 1995. She hopes to build greater consumer trust to unlock the economic potential of Europe’s massive data stores. “Lack of trust makes consumers hesitate to buy online and adopt new services,” Reding said. “This risks slowing down the development of innovative uses of new technologies.”
As the proposal has rolled through Parliament however, it has become clear that the methods chosen to secure this trust may burden innovative research and businesses.
Explicit consent
Personal data can be processed lawfully in a number of scenarios, including where the individual has given their “unambiguous” consent. The Commission has proposed a change to “explicit” consent, for example ticking a consent box when browsing the internet. Interest groups GSMA (Groupe Speciale Mobile Association) and ETNO (European Telecommunications Network Operators’ Association), representing mobile and telecommunications operators respectively, say this “is not suited to the reality of the online world where the collection and sharing of an individual’s data takes place in real-time, simultaneously between multiple parties.” It is feared another pop-up may give rise to a “tick-box culture”, where consumers agree to terms and conditions, the use of cookies, the processing of their data and so on, as a matter of routine rather than informed consent.
At a March conference on Cloud Computing in Brussels, Reding sought to dispel these fears saying, “What will this mean in practice? That explicit consent will be needed in all circumstances? Hundreds of pop-ups on your screens? Smartphones thrown on the floor in frustration? No. It means none of these things. This is only the scaremongering of certain lobbyists.”
Speaking after the latest Council meeting of national justice ministers on 6 June, the Irish Minister of Justice, Alan Shatter, said there is “Substantial agreement that the requirement for explicit consent in all cases is unnecessary. The text should retain ‘unambiguous’ as the standard qualifier for exercise of consent.”
Consent in research
The Commission proposes to exempt historical, statistical and scientific research from the explicit consent requirement, but the Civil Liberties, Justice and Home Affairs Committee has removed this exemption from its draft report, saying “The processing of sensitive data for historical, statistical and scientific research purposes is not as urgent or compelling as public health or social protection.”
The R&D community jumped to the defence of the exemption, with the Helmholtz Association of German Research Centres saying much of biomedical research “Will be brought to a halt if specific informed consent is required each and every time data already acquired are to be re-analysed.” The Association is also concerned about an effect on quality, saying research based on opt-in participation, “Can lead to biased data acquisition owing to differing inclinations to participate among demographic groups.”
However, there were hopeful signs in the Parliament for a more research-friendly definition, with Irish MEP Sean Kelly, Rapporteur for the Industry, Research and Energy Committee’s opinion, introducing a broad consent option for data use in historical, statistical or scientific research. “People should be able to donate their data to the benefit of science in the same way we can donate our organs - through a broad, opt-out consent model,” he said.
“The option of broad consent given to a data subject at their first encounter with a doctor allows the researchers to use this data without having to go back to the data subject for every minor research they are conducting, and is thus a necessary and practical solution for protecting and fostering public health research,” reads Kelly’s Opinion Report.
Right to be forgotten
The proposal would allow individuals to demand the deletion of personal data under a new right to be forgotten. This is an extension of the existing right to demand the erasure of inaccurate, incomplete or unlawfully processed data. An onus will be placed on businesses, in the case of data that has been made public, to “take all reasonable steps” to inform third parties with links or copies of the request.
But there is much concern about how this could operate in practice. In a report to the UK Information Commissioner’s Office, consultancy group London Economics say the right to be forgotten, “Is widely considered over-ambitious and impractical; moreover, in an environment where data can be replicated and divulged in seconds it is found to be misleading and place unrealistic expectations on data controllers.”
Lead Rapporteur for the Parliament, Jan Philipp Albrecht, says this new right “is neither realistic nor legitimate” in the case of lawfully processed data. Worse than that, it’s “insane” says Nigel Shadbolt, Chairman and Co-Founder of the UK’s Open Data Institute. “You can’t make technology forget in the way you want to,” he said at a Science|Business event, Smarter Data for Europe, held on 23 May. Shadbolt proposes a less-intrusive approach, saying “The real protection...is to ensure that if information is used inappropriately, you will be held accountable”.
Data retention vital in healthcare
The Parliament’s Legal Affairs Committee joined the healthcare community in saying the right to be forgotten should not apply to data processed for healthcare purposes. “It is in the vital interest of the data subject to keep a complete record of their health in order to receive the best care and treatment through their life,” says the Opinion Report.
The Healthcare Coalition for Data Protection, representing various interest groups in the European healthcare sector, wants to see an exemption from this delete clause for data pertaining to health. “Deleting data from electronic health records may run counter to individual treatments and patient safety. Healthcare providers will not have access to life-saving information on the patient when establishing a diagnosis, such as allergies, ongoing treatments, specific conditions, blood type, medical history, organ donation etc,” the Coalition says.
Cost of complying with new rules
The Commission claims the Regulation will save business around €2.3 billion by cutting red tape, such as the annual notification form and the need to notify the supervisory authority in each EU state. The UK Ministry of Justice, however, has estimated a net cost to UK businesses of complying with the new rules of between £80 and £320 million a year. The extra costs include the requirement for companies and public authorities with 250 or more employees to explain their data protection policies and have a data protection officer.
The disparity between the figures is partially explained by the finding of the London Economics’ survey that 82 per cent of UK businesses do not know how much they currently spend on data protection. UK Information Commissioner Christopher Graham said, “There has been much talk of ‘what is best for business’, but that must be based on valid evidence. This reform is too important for guesswork.”
One continent, one law
Almost eighteen months after the proposal was made public, the institutions are far from reaching consensus, and this is before the tedious process of inter-institutional negotiating begins. Eight member states, including the UK, Belgium and Denmark, continue to suggest the rules would be better suited as a directive rather than a regulation, meaning each member state would separately embody the new rules in national law. This is counter to Reding’s “one continent, one law” aim of, “Replac[ing] a patchwork of 27 contradictory national rules with a single law, valid throughout the whole of Europe.”
There’s still much to argue over, but the aim is to see the legislation adopted before the European elections in May 2014, in order to avoid a replay of the whole contentious debate.