ICO has EU reform negotiations firmly in sight as it reiterates its views on the benefits and dangers involved with a risk-based and flexible approach to data protection enforcement

Further to Sophie’s post on the German viewpoint, the ICO – the UK’s data protection agency – has also added its voice to the public debate over the preferred approach under the data protection reform, with the release of its latest analysis of the Council’s general approach to the proposed General Data Protection Regulation (GDPR).

This document is the latest in the line of comments by the ICO on the reform proposals at different stages in the legislative process (including its initial 2012 analysis, and its 2013 article-by-article analysis, of the draft GDPR). The stated purpose of this latest analysis is to set out its observations on those parts of the Council’s proposed text that it believes are in most need of improvement to assist those involved in the trilogue process of negotiation reach agreement.

Like the German Data Protection Commissioners, the ICO is also worried by many of the Council’s key amendments to the original text proposed by the European Commission and the European Parliament’s suggested revisions to that text before it. These include, most notably, the Council’s proposed definition of personal data, pseudonymisation, the extent to which the processing of personal data can be based on a data controller’s legitimate interests (and how far incompatible processing is permitted), consent, data subject rights, profiling measures, and the level of administrative fines. I will mention some important points from the ICO’s commentary about each of these topics in turn:

• Definition of Personal Data and Pseudonymisation (Article 4, GDPR) – The ICO welcomes that the Council’s text no longer includes “pseudonymous data” as a separate sub-category (or defined class) of personal data. However, the ICO raises concerns over the Council’s position on pseudonymous data generally, which it says is liable to give rise to confusion, because the Council has suggested that such data should in most cases be treated as personal data (and, therefore, subject to data protection rules). According to the ICO, the Council “says that pseudonymous data should be considered as information on an identifiable natural person – this implies all pseudonymous data whoever it is held by. However, the relevant Recital’s [23] new reference to the likelihood of identification presumably means that some pseudonymous data would be personal data whilst other pseudonymous data would not be, depending on the likelihood of the relevant identifying information being added to the pseudonymous information”. The ICO adds that the Council should have done more in its text to highlight what the ICO labels to be the “only” relevant role of the pseudonymisation process –as a privacy-enhancing technique – and also it should have provided clear and proportionate incentives directly in the Regulation for those who would undertake pseudonymisation.
• Lawfulness of processing (Article 6, GDPR) – As mentioned in my earlier post, the Council proposes to amend Article 6, including through the insertion of a new Article 6(3a) in the GDPR. This sets out criteria to be taken into account in order to ascertain whether a purpose of further processing of personal data is compatible with the one for which the data were originally collected. The Council also proposed to extend Article 6(4) – to a degree that goes much further than the Commission in its original proposal for a Regulation – in recommending that the ground contained in Article 6(1)(f), the ‘balance of interests – legitimate interest’ condition should also be capable of being relied upon for further use for an incompatible purpose. The ICO criticises the Council’s position and, in particular – like the German Data Protection Commissioners as Sophie mentioned – its apparent (and wrongful) conflation of distinct elements under data protection law. These are the requirement for a legal bases for personal data processing; and, the purpose limitation principle that independently acts to constrain such processing. The ICO states that, in practice, data controllers and supervisory authorities would find in difficult “to evaluate whether or not its legitimate interests override those of the individual and whether or not, therefore, the incompatible processing is permitted”.
• Consent (Articles 7 and 8, GDPR) – The ICO advocates more clarity for organisations regarding the type and quality of data subject consent they need to justify their data processing activities. In particular, the ICO roundly criticises the Council text for confusing references to “explicit” and “unambiguous” consent, which could lead to uncertainty on the part of data controllers. Instead, the ICO argues the case for “a single, high standard of consent and that should be either ‘explicit’, ‘unambiguous’ or both, but not one or the other depending on context”. The ICO also criticises the approach taken by the Council text in relation to its proposed requirement for parental consent before the personal data of a child can be processed. It says that this requirement in a legal provision where ‘child’ is no longer defined could lead to uncertainty for those offering information services that are accessible by children.
• Data subject rights (Articles 12–19, GDPR) – The ICO emphasises the importance of data subject rights, not least the right of access by data subjects to the personal data relating to them held by data controllers, as well as the right to object to data processing. Notwithstanding, the agency takes umbrage at the ways in which the Council has extrapolated on these rights. For example, the ICO calls the distinction made by the Council (Article 15) between the right to free access, and the right to obtain a copy of personal data without excessive charge, confusing and liable to give rise to dispute over what is ‘excessive’. Furthermore, the ICO states that – where making personal data accessible might also involve the disclosure of a third party’s personal data – the latter should only be withheld if the third party’s right to privacy exceeds the data subject’s right of access. Thus it intended to clarify Article 15 (2a) of the Council’s text, which states “The right to obtain a copy referred to in paragraph 1b (…) shall not apply where such copy cannot be provided without disclosing personal data of other data subjects or confidential data of the controller”.
• Measures based on automated individual decision making (Article 20, GDPR) – As regards the right of data subjects not to be subject to a decision based solely on automated processing, including profiling measures, the ICO agrees with the Council’s approach of limiting this rights to circumstances where the data subject is significantly affected. At the same time the ICO, criticises the requirement in the Council’s text for a “human intervention safeguard” in certain circumstances – such as where the data controller and data subject are in a contractual relationship – as unworkable in practice. Its reasons are: “We do not believe that this is always possible, for example in behavioural advertising where online behaviour is analysed and particular content delivered. It is not clear what form of human intervention would be appropriate here.” Notably, the ICO is far less prolix than the German data commissioners on the subject of Article 20 in its current analysis (see Sophie’s post on this point for comparison). Notwithstanding, in its 2013 analysis, the ICO had been more vocal on this topic regarding earlier versions of the GDPR. In particular, it highlighted that Article 20 fails to recognise that profiling takes place in different contexts for different purposes and with a different effect on individuals. The ICO has, accordingly argued, that Article 20 should reflect this different degree of risk (see p.27), although it did not elucidate on how this should be accomplished exactly.
• Mandatory data security breach notification (Article 31) – The ICO welcomes reference by the Council to data breach notification to a supervisory Member State authority being limited to ‘high-risk’ cases, as opposed to notifications of trivial or inconsequential breaches that could ‘over-load’ the agency.  It encourages a similar position to be taken in respect of Article 32 (informing the data subject directly).
• Administrative fine setting (Article 79, GDPR) – The ICO is highly critical of the Council’s proposal for a three-tier system of fines that a supervisory authority can impose for data protection breaches (ranging from fines of up to €250,000 or 1% or total worldwide annual turnover for minor breaches to €1 million or 2% of total worldwide annual turnover for major breaches). Instead, it suggests removing these fining levels and introducing a single list of breaches that can attract a fine to give agencies more flexibility in their fine-setting discretion.

In summary, the ICO’s analysis is consistent with its previous assessments. In particular, it highlights it preference for a risk-based approach to data protection, such as that would allow for less restrictive enforcements approaches by agencies in relation to data processing practices considered to be low-risk.

Notwithstanding, while recognising that national data protection agencies should have reasonably wide discretion in applying the new Regulation when it comes into effect, the ICO stresses that divergent interpretations of data protection requirements across the Member States should be kept to a minimum. This would help avoid the dangers of different data protection regimes developing across Europe in practice following reform, which could otherwise undermine the harmonisation-of-Member-State-laws impetus for introducing the Regulation in the first place.

As the trilogue negotiation rumble on this autumn until the end of the year, it is expected that we will have clarity on the final position that will make it into the GDPR on some of these key areas by the end of the year.

Alison Knight