DP Regulation to accidentally introduce voluntary “three strikes”?
The European Commission proposed a new framework for protection of personal data in the EU earlier this year. While it has been the subject of probably more lobbying than any other piece of legislation in the history of modern politics anywhere in the world, there has not been a similar upsurge in interest from citizens' groups across Europe.
While EDRi has been working hard on the Regulation and Directive proposed by the Commission, the texts are long, complex and difficult to understand. The huge industry lobby and the lack of corresponding reaction from citizens risks creating a framework which is meaningless and significantly worse than the current legislation.
The Regulation proposed by the Commission is a solid proposal, although there are a few “weak links” in the chain of protections of personal data. If these are not fixed, then the fundamental right to privacy will be seriously undermined. The avalanche of lobbying over recent months means that not only are the weak points not being addressed, but they are being further weakened, to the point of threatening to destroy the entire meaning of the proposal. This article looks at just one of these weak points - “legitimate interest”.
One of the six grounds on which personal data can legally be processed is the “legitimate interest” of the data processor. The other five are consent, necessity for performance of a contract, a legal obligation that the data processor is subject to, the vital interests of the data subject (i.e. the citizen) and the public interest/exercise of official authority. This provision is already in the existing European Directive on data protection and is already causing problems.
The main reason that “legitimate interest” is a problem is that there is no guidance as to what type of activity would be considered so important that none of the other legal grounds for processing would be feasible for the data controller. For example, when can a data controller act on the basis of “legitimate interest” and when should he obtain specific and informed consent instead? Worse still, the decision on whether “legitimate interest” is an acceptable basis for processing the data is initially made by the data controller (i.e. the company you give your data to) and is only questioned if a citizen takes a court case against the particular processing activity. Alternatively, the citizen can make a complaint to the data protection authority, which may (or may not, depending on the outcome of the legislative process) be able to impose fines - if the data protection authority is prepared to take the risk and cost of an appeal being made to the courts against its decision.
This then brings us to “three strikes”. In Ireland, the ISP Eircom runs a “voluntary” “three strikes” system. Under that system, personal data is collected online by agents of the music industry (without authorisation of the citizens whose data are being processed), passed on to Eircom (again without authorisation) and then Eircom further processes the data (again without authorisation) to “warn” its customers that they have been alleged to have broken the law and, after two warnings, the customer is subject to sanctions.
The Irish High Court ruled that these activities are legal because it was “completely within the legitimate standing of Eircom to act and to be seen to act as a body which upholds the law”. Under the current legal framework, data protection experts believe that this decision was very questionable, although the ineffective implementation of data protection law in Ireland is infamous, so the ruling was no great surprise. The fact that the data, which were being collected for the specific purpose of identifying persons, were ruled not to be personally identifiable information was something more of a shock, even by Irish standards.
The question now is whether the proposed new Data Protection Regulation could be amended in ways that export the very weak interpretations in Ireland to the rest of Europe.
Irish MEP Seán Kelly, the MEP responsible for the Opinion in the Industry, Research and Energy Committee in the European Parliament, has tabled several amendments that may inadvertently go in this direction:
1. He has changed the text which says “The legitimate interests of a controller may provide a legal basis for processing” to say “The legitimate interests of a controller, **or of the third party or parties in whose interest the data is processed**, may provide a legal basis for the processing”. This greatly expands the possible use of this provision and would cover, for example, the policing and enforcement in a “three strikes” regime.
2. He then extended the possibilities for non-consensual use of personal data, by tabling an amendment saying that “legitimate interest” can be used as a legal basis for processing that is “not compatible” with the original reason for collecting the data.
Of course, in the fullness of time, it is likely that a competent court or data protection authority would reach the conclusion that a “voluntary” three strikes system runs contrary to the right to due process of law, to the presumption of innocence and to the protection of the fundamental right of privacy. However, each particular instance of a company deciding that its own interests outweigh those of the citizen would need to be tested individually in court... eventually... if and when a citizen had the time and resources to test the issue in court. Alternatively, as the Irish Data Protection Commissioner tried and failed to do, the data protection authority could make a ruling and attempt to defend it in court.
And all of this leaves just one small question – if, whenever you give your data to a company, they are within their rights to give those data to a different company and that company is entitled (unless and until a court tells them otherwise) to reuse your data for purposes that are incompatible with the reasons you handed over your data in the first place... what exactly is the value of the legislation?
This is just one of several loopholes which are being broadened due to industry lobbying.
European Commission's reform package
Irish high court ruling
EDRi comments on the data protection reform
(Contribution by Joe McNamee - EDRi)