DP Regulation to accidentally introduce voluntary “three strikes”?

By EDRi · November 21, 2012

This article is also available in:
Deutsch: [Bringt uns die Datenschutz-Verordnung unabsichtlich “Three Strikes”? | https://www.unwatched.org/EDRigram_10.22_Bringt_uns_die_Datenschutz-Verordnung_unabsichtlich_Three_Strikes?pk_campaign=edri&pk_kwd=20121107]

The European Commission proposed a new framework for protection of
personal data in the EU earlier this year. While it has been the subject
of probably more lobbying than any other piece of legislation in this
history of modern politics anywhere in the world, there has not been a
similar upsurge in interest from citizens’ groups across Europe.

While EDRi has been working hard on the Regulation and Directive
proposed by the Commission, the texts are long, complex and difficult to
understand. The huge industry lobby and the lack of corresponding
reaction from citizens risks creating a framework which is meaningless
and significantly worse than the current legislation.

The Regulation proposed by the Commission is a solid proposal, although
there are just a few “weak links” in the chain of protections of
personal data. If these are not fixed, then the fundamental right to
privacy will be seriously undermined. The avalanche of lobbying over
recent months means that not alone are the weak points not being
addressed, but they are being further weakened, to the point of
threatening to destroy the entire meaning of the proposal. This article
looks at just one of these weak points – “legitimate interest”.

One of the six grounds on which personal data can legally be processed
is the “legitimate interest” of the data processor. The other five are
consent, necessity for performance of a contract, a legal obligation
that the data processor is subject to, the vital interests of the data
subject (i.e the citizen) and the public interest/exercise of official
authority. This provision is already in the existing European Directive
on data protection and is already causing problems.

The main reason that “legitimate interest” is a problem is that there is
no guidance as to what type of activity would be considered to be so
important that none of the other legal grounds for processing would be
feasible for the data controller. For example, when can a data
controller act on the basis of “legitimate interest” and when should he
obtain specific and informed consent instead? Worse still, the decision
on whether “legitimate interest” is an acceptable basis for processing
the data is initially made by the data controller (i.e. the company you
give your data to) and is only questioned if a citizen takes a court
case against the particular processing activity. Alternatively, the
citizen can make a complaint to the data protection authority – who may
(or may not, depending on the outcome of the legislative process) be
able to impose fines – if the data protection authority was prepared to
take the risk and cost of an appeal being made to the courts against its

This then brings us to “three strikes”. In Ireland, the ISP Eircom runs
a “voluntary” “three strikes” system. Under that system, personal data
is collected online by agents of the music industry (without
authorisation of the citizens whose data are being processed), passed
on to Eircom (again without authorisation) and then Eircom further
processes the data (again without authorisation) to “warn” its customers
that they have been alleged to have broken the law and, after two
warnings, the customer is subject to sanctions.

The Irish High Court ruled that these activities are legal because it
was “completely within the legitimate standing of Eircom to act and to
be seen to act as a body which upholds the law”. Under the current legal
framework, data protection experts believe that this decision was very
questionable, although the ineffective implementation of data protection
law in Ireland is infamous, so the ruling was no great surprise. The
fact that the collection of data, which were being collected for the
specific purpose of identifying persons, were ruled not to be personally
identifiable information, was something more of a shock, even by Irish

The question now is whether the proposed new Data Protection Regulation
could be amended in ways to export the very weak interpretations in
Ireland to the rest of Europe?

Irish MEP Seán Kelly, MEP responsible for the Opinion in the Industry
Research and Energy Committee in the European Parliament has tabled
several amendments that may inadvertently go in this direction:

1. He has changed the text which says “The legitimate interests of a
controller may provide a legal basis for processing” to say “The
legitimate interests of a controller,**or of the third party or parties
in whose interest the data is processed**,” may provide a legal basis
for the processing. This greatly expands the possible use of this
provision and would cover, for example, the policing and enforcement in
a “three strikes” regime.

2. He then extended the possibilities for non-consensual use of personal
data, by tabling an amendment saying that “legitimate interest” can be
used as a legal basis for processing that is “not compatible” with the
original reason for collecting the data.

Of course, in the fullness of time, it is likely that a competent court
or data protection authority would reach the conclusion that a
“voluntary” three strikes system runs contrary to the right to due
process of law, to the presumption of innocence and to the protection of
the fundamental right of privacy. However, each particular instance of a
company deciding that its own interests outweigh those of the citizen
would need to be tested individually in court… eventually… if and
when a citizen had the time and resources to test the issue in court.
Alternatively, as the Irish Data Protection Commissioner tried and
failed to do, the data protection authority could make a ruling and
attempt to defend it in court.

And all of this leaves just one small question – if, whenever you give
your data to a company, they are within their rights to give those data
to a different company and that company is entitled (unless and until a
court tells them otherwise) to reuse your data for purposes that are
incompatible with the reasons you handed over your data in the first
place… what exactly is the value of the legislation?

This is just one of several loopholes which are being broadened due to
industry lobbying.

European Commission’s reform package

Irish high court ruling

EDRi comments on the data protection reform

(Contribution by Joe McNamee – EDRi)