In the 18th century Immanuel Kant famously initiated a “Copernican revolution” in philosophy by shifting the understanding of reality away from external objects and towards the cognitive powers of the individual. The European Commission’s recent proposal for a General Data Protection Regulation attempts a similar revolution in European data protection law by seeking to shift its focus away from paper-based, bureaucratic requirements and towards compliance in practice, harmonization of the law, and individual empowerment. Indeed, the Proposed Regulation represents the most significant potential change to European data protection law since adoption of the EU Data Protection Directive 95/46/EC in 1998.
The final success of the Proposed Regulation will perhaps depend on three key factors, namely the effectiveness of the “lead DPA” concept; the operation of the consistency mechanism; and the ability of the Commission to issue delegated and implementing acts of high quality in a way that is timely and transparent and gives stakeholders an opportunity to provide input.
If these three factors are realized, then it may work as designed to bring about a more harmonized level of data protection throughout the EU, and the benefits could be great for data controllers, individuals, and the EU economy. But if they are weakened during the EU legislative process, or if member states and DPAs undermine them, then many of the other positive changes foreseen in the text may lose much of their effect. Only time will tell if the final result is a revolution that brings about lasting improvements.
Kuner concludes:
The Proposed Regulation deserves to be considered a “Copernican revolution” in EU data protection law. It constitutes a bold attempt to make the legal framework more efficient and effective; increase protection of fundamental rights; and provide more legal certainty. Such a complete revision is justified, as it has been widely recognized that Directive 95/46 is out of date, and given the current political climate, the revision process now underway may be the best opportunity to update the framework for the foreseeable future.
Some of the reforms are highly welcome. For example, because the Proposed Regulation would be directly applicable, it would provide as near complete harmonization as is possible under EU law. It would also make companies with operations in multiple EU member states subject to the jurisdiction of a single DPA, based on their main place of establishment in the EU. Notifications to DPAs of data processing activities would be eliminated. The legal certainty of “adequacy” decisions and standard contractual clauses for transferring data outside the EU would be increased, and binding corporate rules would be explicitly recognized. DPAs would be forced to cooperate, and the Commission would be empowered to issue EU-wide interpretations of important provisions. These are all highly significant improvements to the legal framework, and represent changes that business has been requesting for years.
It is much easier to criticize such an ambitious proposal than to draft one. Nevertheless, the Proposed Regulation also gives grounds for criticism. First of all, it sometimes loses sight of the need to adopt provisions that can actually be implemented in practice, and to be precise and meticulous in drafting. While the text emphasizes the need for data controllers to use understandable language, it is equally important that legislation be written so that it can be easily used by non-lawyers and businesspeople unacquainted with data protection. In fact, the text abounds with legalistic jargon that many businesspeople will be able to make little sense of (for example, “The data subject shall have the right to obtain from the controller communication to each recipient to whom the data have been disclosed of any rectification or erasure carried out in compliance with Articles 14 and 15...” in Article 11). The text also contains several examples that seem merely illustrative and could better be included in the explanatory memorandum or in a recital; for example, the right to be forgotten is said to apply “especially in relation to personal data which are made available by the data subject while he or she was a child” (Article 17(1)), but it is unclear what the legal effect is of saying that the right applies “especially” to such data, or whether any special legal effect was intended at all.
The commendable reduction of bureaucracy in some areas is at least partially offset by the introduction of other procedural requirements (such as the need to keep extensive internal documentation of data processing). While a number of last-minute changes to the text were adopted to reduce the burden put on SMEs, it can be feared that they will still be burdened by extra costs. Despite its status as a regulation, the use of vague language is likely to lead to difficulties of interpretation, and may cause greater divergence in national approaches than the Commission thinks. Basic differences in legal systems and administrative cultures in member states may be one of the greatest risks to the Proposed Regulation, since these are not easily susceptible to harmonization from Brussels.
In addition, some of its specific innovations seem misguided. The “right to be forgotten” seems to be a version of the existing right to erasure which has been extended so far as to pose risks to other fundamental rights and to the use of the Internet. The rules on profiling will prove difficult to understand and apply in practice. And while there is a need for more stringent enforcement of the law and more harmonized enforcement powers, the combination of ill-defined offenses and huge mandatory fines raises basic questions of fairness.
Another point of concern relates to the role of EU data protection law in the current global environment. The apparent assumption that the majority of international data transfers can be legalized by the use of BCRs and standard contractual clauses insufficiently takes into account the realities of massive international data transfers via phenomena such as cloud computing. It is also unfair that the requirements for transferring personal data internationally for criminal justice purposes under the Proposed Directive are much more lenient than are those under the Proposed Regulation. The significant changes brought about by the Proposed Regulation may also make it more difficult to achieve interoperability between the EU legal framework and those in other regions. The Proposal also contains a whiff of protectionist language.
While the Proposed Regulation would in general harmonize the law at a high level, some member states may raise legitimate questions as to the effect it would have on data protection in their own countries. For example, a member state such as Austria has only a very small number of companies with over 250 employees, and thus the vast majority of companies there will be exempt both from the duty to appoint a DPO and from the documentation requirements, while the duty to notify the DPA of data processing would also be eliminated. Since the requirement to appoint a DPO and to keep documentation of data processing would be introduced largely as a replacement for the notification requirement, one might be legitimately concerned about how the fact that none of these three requirements would apply in a number of member states would affect the level of data protection in them. It also seems counterproductive to raise the threshold for appointment of a DPO so high in a country like Germany where their use has been a success.
Despite the above criticisms, the author’s overall view of the Proposed Regulation is cautiously positive, as it constitutes an improvement on Directive 95/46, and demonstrates a commendable willingness to take on some of the “sacred cows” of data protection law that have outlived their usefulness. For the private sector, the final success of the Proposed Regulation will perhaps depend on three key factors, namely the effectiveness of the “lead DPA” concept; the operation of the consistency mechanism; and the ability of the Commission to issue delegated and implementing acts of high quality in a way that is timely and transparent and gives stakeholders an opportunity to provide input. If these three factors are realized, then it may work as designed to bring about a more harmonized level of data protection throughout the EU, and the benefits could be great for data controllers, individuals, and the EU economy. But if they are weakened during the EU legislative process, or if member states and DPAs undermine them, then many of the other positive changes foreseen in the text may lose much of their effect. Only time will tell if the final result is a revolution that brings about lasting improvements.