Data protection package concluded – 1420 days after being launched
On 15 December 2015, three years and ten months after the package was launched, the General Data Protection Regulation (GDPR) and Directive on Data Protection in Police and Justice matters were finally completed.
The reform package was launched in order to enhance data protection rights and improve their enforcement. Up until now, data protection in police and justice matters was regulated by a narrow “framework Decision” adopted by the EU Council in 2008. General data protection was regulated by a Directive from 1995.
Instead of a “framework Decision” that only covers data in relation to police and judicial “cooperation”, the new Directive covers data protection in police and justice matters more generally. Instead of a Directive, which is implemented by 28 different national laws, the new legislation is a Regulation, which will be directly applicable across all of the EU. This should greatly, but not completely, reduce disparities between interpretation of data protection law in the EU.
One of the biggest headline-grabbing innovations in the Regulation is a detailed explanation of the already-existing right to demand deletion of one’s own personal data. This right has now unfortunately been renamed the “right to be forgotten”, which gives a misleading impression of its meaning. It does not mean that your online history can be deleted or that newspapers can be obliged to change their archives. Individuals have no “right to be forgotten.” Within the limits of safeguards for freedom of expression, the new Regulation describes the conditions under which individuals can ask for deletion of their data.
Another innovation was the addition of obligations on notification of data breaches to the data protection authorities and to affected individuals. The necessity for such obligations has become very clear in recent months, with several major data breaches hitting the headlines, such as the Ashley Madison and TalkTalk cases. As with the rest of the proposal, this was subject to heavy lobbying. Individuals now only have to be notified if there is “likely” to be a “high risk” to their rights.
The concepts of “data protection by design” and “by default” were also added to the Regulation. The purpose here is to ensure that data protection is a priority that is included in the design phase of a new product and that, by default, only data which are necessary are processed for the particular task at hand.
Various attempts were made by the European Commission and the European Parliament to improve predictability of how and when data will be used. For example, explicit consent for data processing was initially suggested. While this was rejected, the text has added some improvements as regards the consent that does have to be provided.
The package, and the Regulation in particular, was subject to a huge amount of lobbying, much of which was based on misunderstandings and misrepresentations. The result is that the overall package is less clear and less protective of personal data than it could – and should – have been. However, compared with the potentially disastrous positions taken by some of the European Parliament’s committees and by the EU Member States in the Council of the European Union “general approach” adopted in June 2015, the outcome is vastly better than it could have been.
Council of the European Union: General Data Protection Regulation, general approach (11.06.2015)
Council of the European Union: Directive on Data Protection in Police and Justice matters, general approach (02.10.2015)
European Parliament: General Data Protection Regulation, first reading position (12.03.2014)
European Parliament: Directive on Data Protection in Police and Justice matters, first reading position (12.03.2014)
EDRi:General Data Protection Regulation: Document pool
EDRi: Everything you need to know about the Data Protection Regulation
EDRi: Everything you need to know about the Data Protection Directive for Law Enforcement
(Contribution by Joe McNamee, EDRi)