26 May 2020

Privacy and regulator capability

'Dead Ringers? Legal Persons and the Deceased in European Data Protection Law' (University of Cambridge Faculty of Law Research Paper No. 21/2020) by David Erdos comments
Notwithstanding suggestions that the treatment of legal and deceased person data during European data protection’s development has been broadly comparable, this paper finds that stark divergences are in fact apparent. Despite early fusion, legal persons have been increasingly seen to have lesser and, more importantly, qualitatively different information entitlements compared to natural persons, thereby leaving European data protection with a very limited and indirect role here. In contrast, natural persons and the deceased have not been conceived as normatively dichotomous and since the 1990s there has been growing interest both in establishing sui generis direct protection for deceased data and also indirect inclusion through a link with living natural persons. Whilst the case for some indirect inclusion is overwhelming, a broad approach to the inter-relational nature of data risks further destabilizing the personal data concept. Nevertheless, given that jurisdictions representing almost half of the EEA’s population now provide some direct protection and the challenges of managing digital data on death continue to grow, the time may be ripe for a ‘soft’ recommendation on direct protection in this area. Drawing on existing law and scholarship, such a recommendation could seek to specify the role of both specific control rights and diffuse confidentiality obligations, the criteria for time-limits in each case and the need for a balance with other rights and interests which recognises the significantly decreasing interest in protection over time.
The Access Now Two Years under the EU GDPR: An Implementation Progress Report comments
It has been two years since the EU General Data Protection Regulation (GDPR) entered into application. We have witnessed the first positive impacts of the law but also the challenges authorities, courts, and people have faced in its enforcement. The past 12 months have proven particularly demanding for the protection of personal data and the application of the law as the European Union — and the world — has faced significant political and health crises. 
In our first GDPR progress report, published in May 2019, we wrote: “for most, 2018 was the year of data protection awakening in Europe. Still, for the GDPR to reach its full potential, 2019 must be the year of enforcement.” As it turned out, however, the last year has been a time of crisis. From public health to political crises, human rights abuses to administrative backlog, a series of challenges have put the robustness of the GDPR to test. 
In this report, we look at how the multiple crises of the last year have impacted the application of the GDPR. We will start by addressing some of the internal challenges, wherein the mechanisms established for enforcement of the GDPR have begun to show their limitations, with a particular focus on the lack of cooperation among data protection authorities (DPAs) and the lack of resources to do their work. We will then analyse how external crises, such as the United Kingdom’s decision to leave the European Union and the COVID-19 outbreak, are further challenging the application of the law. We close this report by putting forward a list of recommendations to enable the European Commission, EU states, and DPAs to address the hurdles here identified with the application of the GDPR. May 2020 not only marks the second anniversary of the GDPR, it is also the first official review of the law to be conducted by the EU institutions. Access Now has contributed to the process by providing comments to the European Commission through our membership in the multistakeholder expert group on the implementation of the law. 
The publication of this report, coinciding with the review process of the law, is an opportunity to highlight the successes of the GDPR. These include its robustness and ability to provide human rights safeguards during crises; its role in advancing and protecting our rights in the EU; its capacity as a reference point globally, establishing the EU as a world leader in the field of data protection; and more. But we must also reflect on the challenges, such as how the law has been misused in efforts to silence journalists and NGOs, and how the slow pace of enforcement, exacerbated by the lack of cooperation between DPAs, has threatened to undermine the GDPR’s long-term capacity to change private-sector norms and practices with regard to data protection. 
In our report, we further note a disconnect between the rate of enforcement and the perception of enforcement by the public. Data show that DPAs have opened investigations and imposed fines at an exponentially increasing rate since May 2018. However, in some cases it is yet not clear what the impact will be of these enforcement measures, and we continue to wait for the resolution of landmark cases with the potential to force broad changes in invasive data-harvesting behaviour. 
Opponents of the GDPR are meanwhile using the review process as an opportunity to seek a change of the text, and with it, to remove many of the provisions that safeguard our rights. It would be ill-advised for the EU to reform or re-open the GDPR before it has been adequately implemented, applied, and enforced. 
It took the EU institutions and member states five years to negotiate the GDPR under immense external pressure to compromise, so it is perhaps not surprising that its application is not perfect two years in. But we will need more than patience to see the promises of the GDPR delivered. Concrete, urgent action is needed. It is imperative that DPAs work faster and in a more coordinated manner. The GDPR will be as strong as its weakest link and we cannot let that weak link be the enforcement process and the bodies in charge of representing our rights. Even the best law in the world will bring little benefit if it is not applied. Fear of legal costs and delay tactics have sharply limited the capacity of DPAs to move forward key cases against tech giants whose revenues are sometimes ten times higher than the DPAs’ budgets. To counter this imbalance, member states and the EU must give DPAs ample resources and protect their independence. 
As the GDPR has withstood two years of tests, crises, and challenges, we call on the EU institutions and the DPAs to move forward with the application and enforcement of the law.
Access Now make the following recommendations -
1.  RECOMMENDATIONS TO GOVERNMENTS 
INCREASE RESOURCES FOR DPAs 
To function properly and be able to address the large number of complaints, governments across the EU must increase the financial and human resources allocated to Data Protection Authorities, including technical staff. 
GUARANTEE DPAs’ INDEPENDENCE 
Governments must guarantee the independence of Data Protection Authorities, both in statutes and financially. 
GOVERNMENTS MUST UPHOLD HUMAN RIGHTS DURING CRISES 
International and national laws recognise that extraordinary crises require the use of extraordinary measures. This means that certain fundamental rights, including the rights to privacy and data protection, may be restricted to address crises as long as basic democratic principles and a series of safeguards are applied, and the interference is lawful, limited in time, and not arbitrary. 
GOVERNMENTS MUST UPHOLD THE GDPR DURING THE COVID-19 CRISIS 
Governments should ensure the application of the GDPR and protect the right to data protection in their COVID-19 response, particularly in the areas concerning the collection and use of health data, the use of tracking and geolocation, and the conclusion of public-private partnerships for the development and deployment of contact-tracing apps. 
THE UK MUST UPHOLD HUMAN RIGHTS BEYOND BREXIT 
For the benefit of UK citizens and everyone living in the UK, the UK government must continue to apply the GDPR and reform its surveillance laws. 
2.  RECOMMENDATIONS TO THE EUROPEAN COMMISSION 
LAUNCH INFRINGEMENT PROCEDURES 
The European Commission should launch infringement procedures against EU states:
  • When they do not provide sufficient resources to Data Protection Authorities, or 
  • When they do not guarantee the Data Protection Authority independence in status and in practices, or 
  • Where Data Protection Authorities or courts misuse the GDPR to restrict freedom of the press or stifle NGOs’ work. 
REVIEW ADEQUACY DECISIONS AND CONDUCT THOROUGH REVIEW OF UK DATA PRACTICES 
The European Commission shall review all existing adequacy decisions concluded prior to May 2018. In its negotiations for an adequacy decision with the UK, the European Commission has the obligation to ensure that data from EU data subjects will not be misused or intercepted for surveillance once it reaches the UK. 
3.  RECOMMENDATIONS TO THE NATIONAL DATA PROTECTION AUTHORITIES AND THE EUROPEAN DATA PROTECTION BOARD 
INCREASE COOPERATION 
Data Protection Authorities should increase cooperation between each other to ensure the functioning of the “one-stop-shop”, including sharing information on cross-border cases and providing support to each other during investigations. 
USE THE URGENCY PROCEDURE 
Data Protection Authorities should start utilising the urgency procedure laid down in Article 66 of the GDPR to adopt temporary measures or to force other authorities to act. 
DO NOT MISUSE THE GDPR 
Data Protection Authorities hold much of the responsibility for the GDPR’s success or failure. It is absolutely unacceptable that DPAs misuse the GDPR to undermine human rights, restrict freedom of the press, or otherwise stifle NGOs’ work. 
UPHOLD DATA PROTECTION RIGHTS DURING CRISES 
When governments adopt emergency legislations and derogate from human rights obligations, national DPAs and the EDPB will have a crucial role in maintaining scrutiny over measures impacting data protection. In the context of the COVID-19 crisis, the DPAs must uphold the GDPR and provide guidance to states.