The Irish Presidency of the European Council has distributed a “discussion paper” on the protection of citizens’ personal data ahead of this week’s Justice and Home Affairs Council in Dublin. As the first Presidency in this “European Year of the Citizen”, we had every reason to expect the Irish to produce novel ways of protecting citizens. Their first suggestions are definitely novel, but certainly are not protective of citizens’ fundamental rights.
For example, based on the current situation in Ireland, the idea is that all companies can do whatever they want with personal data, without fear of sanction. Sanctions, such as fines, “should be optional or at least conditional upon a prior warning or reprimand”. In other words, do what you want, the worst that can happen is that you will receive a warning.
Of course, policies are often proposed that sound worse in theory than they are in practice. In this case, however, we just have to look at current practice in Ireland to see what such an approach looks like. The Irish police “PULSE” database saga gives a chilling insight into the brave new world into which the Irish Presidency apparently wants to lead us.
In 2007, the Irish data protection Commissioner agreed a “self-regulation” structure with the police. In 2010, a report from a judge assessing Ireland’s data retention regime identified serious abuses happening under this “light touch” regulatory system. The abuses passed apparently unnoticed by the vastly under-resourced data protection authority (DPA) that had approved the launch of the “self-regulatory” regime. The Irish DPA availed of its option not to take immediate enforcement action against the police.
In 2011, a full four years after the system had been set up, the Irish data protection authority at last came to the conclusion that the system was falling “short of the standards we expect”. Again, the Irish DPA chose not to take enforcement action against the police. Finally, after five years of apparently unremitting abuse of citizens’ data, the data protection authority announced in 2012 that it would audit the PULSE database and, from what we can tell, chose yet again not to take enforcement action against the ongoing breaches of citizens’ fundamental rights. In the meantime, we can only assume that the abuses continue unabated.
Under the Irish proposal, this approach would be made mandatory, warnings would have to be issued first, after citizens’ fundamental rights were abused, giving companies and state authorities “carte blanche” to breach our rights until (at the earliest) the data protection authority twice found a company to be in breach of the law.
If the EU-wide introduction of current unfit-for-purpose Irish strategies would not be bad enough, the reality would be a little worse. At the moment, companies are required to register their data processing with the data protection authority, which at least makes the DPA aware of the processing that is taking place. Under the new Regulation that has been proposed, those registration obligations would be substantially weakened, which makes sense in the context that the Commission originally proposed. In this context, however it would mean giving even fewer tools to the eviscerated DPAs. The “race to the bottom” would be replaced by a synchronised dive.
Two weeks into the European Year of the Citizen and two weeks since the start of the term of office, the Programme of the Irish Presidency of the European Union is beginning to look like a lame parody:
“Increased internet usage, social media, globalisation of data transfers and other technological advances have made life easier for millions, but also increase the collection, use and processing of personal data globally. The Lisbon Treaty contains a new legal base for EU data protection rules and the Charter of Fundamental Rights also enshrines protection of personal data as a fundamental right. As part of its focus on the Digital Agenda, the Presidency will work to reach agreement in the Council on key aspects of the Data Protection package. This is aimed at ensuring that citizens have more control over their personal data. Progress made by the Presidency in this area will strengthen confidence in the digital economy and support the growth of the Digital Single Market.”