Companies will therefore have 2 years in which to rely on the more relaxed rules included in the Data Protection Directive 95/46/EC. In particular, some processing that can be conducted without the consent of individuals, where these are new uses of the individuals’ data which are in the “legitimate interests pursued by [the company] or by the third party or parties to whom the data are disclosed”, will become much more difficult, if not impossible.
The whole nature of consent is properly addressed in the draft regulation. In the Directive, data can be processed where there is unambiguous consent. In the UK implementation of the Directive, the Data Protection Act 1998, it has always been possible to obtain consent indirectly for data that is not “sensitive personal data”. Whilst this has been one of a number of long-standing issues between the European Commission and the UK on data protection, there is a new provision in the draft regulation that will address valid consent. Of particular interest in cases such as Google, which is a dominant operator in the search engine services market, is the draft provision that states “consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the [company]”.
This goes back to another of the significant changes in the draft regulation. In the Directive there is a basic provision that personal data must be “processed fairly and lawfully”. In the regulation, the equivalent provision is “processed lawfully, fairly and in a transparent manner in relation to the data subject”. Expect some interesting arguments about transparency in the coming months – perhaps these have already started, given Viviane Reding’s comments on the Google changes.
To make matters even more interesting, the draft regulation gives consumer bodies the standing to be able to complain to a supervisory authority about data protection breaches on behalf of individuals. Super-complaints, as they are known in competition law, will up the ante for regulators – easy for the Information Commissioner to downplay an individual’s complaint; less easy to ignore a complaint from a body such as Which? or the National Consumer Council.
Lastly, the draft regulation includes new powers for supervisory authorities, including the power to fine enterprises, in the worst cases, up to 2% of their annual worldwide turnover. That ought to grab the attention of companies like Google and Twitter.