The beginning of 2013 could not have been more dramatic for the future of European data protection. After months of deliberations, veiled announcements and guarded statements, the rapporteur of the European Parliament's committee responsible for taking forward the ongoing legislative reform has revealed his position loudly and clearly. Jan Albrecht's proposal is by no means the final say of the Parliament but it is an indication of where an MEP who has thought long and hard about what the new data protection law should look like stands. The reactions have been equally loud. The European Commission has calmly welcomed the proposal, whilst some Member States' governments have expressed serious concerns about its potential impact on the information economy. Amongst the stakeholders, the range of opinions vary quite considerably – Albrecht's approach is praised by regulators whilst industry leaders have massive misgivings about it. So who is right? Is this proposal the only possible way of truly protecting our personal information or have the bolts been tightened too much?
There is nothing more appropriate than a dispassionate legal analysis of some key elements of Albrecht's proposal to reveal the truth: if the current proposal were to become law today, many of the most popular and successful Internet services we use daily would become automatically unlawful. In other words, there are some provisions in Albrecht's draft proposal that when combined together would not only cripple the Internet as we know it, but they would stall one of the most promising building blocks of our economic prosperity, the management and exploitation of personal information. Sensationalist? Consider this:
- Traditionally, European data protection law has required
that in order to collect and use personal data at all, one has to
meet a lawful ground for processing. The European Commission
had intended to carry on with this tradition but ensuring that the
so-called 'legitimate interests' ground, which permits data
uses that do not compromise the fundamental rights and freedoms of
individuals, remained available. Albrecht proposes to replace
this balancing exercise with a list of what qualifies as a
legitimate interest and a list of what doesn't. The
combination of both lists have the effect of ruling out any data
uses which involve either data analytics or simply the processing
of large amounts of personal data, so the obvious outcome is that
the application of the 'legitimate interests' ground to
common data collection activities on the Internet is no longer
possible.
- Albrecht's aim of relegating reliance on the
'legitimate interests' ground to very residual cases is due
to the fact that he sees individual's consent as the primary
basis for all data uses. However, the manner and
circumstances under which consent may be obtained are strictly
limited. Consent is not valid if the recipient is in a
dominant market position. Consent for the use of data is not
valid either if presented as a condition of the terms of a contract
and the data is not strictly necessary for the provision of the
relevant service. All that means that if a service is offered
for free to the consumer – like many of the most valuable
things on the Internet – but the provider of that service is
seeking to rely on the value of the information generated by the
user to operate as a business, there will not be a lawful way for
that information to be used.
- To finish things off, Albrecht delivers a killing blow through the concept of 'profiling'. Defined as automated processing aimed at analysing things like preferences and behaviour, it covers what has become the pillar of e-commerce and is set to change the commercial practices of every single consumer-facing business going forward. However, under Albrecht's proposal, such practices are automatically banned and only permissible with the consent of the individual, which as shown above, is pretty much mission impossible.
The collective effect of these provisions is truly
devastating. This is not an exaggeration. It is the
outcome of a simple legal analysis of a proposal deliberately aimed
at restricting activities seen as a risk to people. The
decision that needs to be made now is whether such a risk is real
or perceived and, in any event, sufficiently great to merit
curtailing the development of the most sophisticated and widely
used means of communication ever invented.
This article was first published in Data Protection Law & Policy in January 2013.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.