Twitter, Google and EU Privacy


At the end of February it was reported that Twitter was selling off old tweets to marketing companies. Google also, with effect from 1 March 2012, changed its privacy policy for all of its services. These include YouTube, Gmail and Blogger as well as the ubiquitous search engine. In neither case were users’ consents obtained for the transaction or changes. This raises a number of privacy and data protection issues. In Google’s case the EU Justice Commissioner, Viviane Reding, has gone on record saying “transparency rules have not been applied”. The French data protection authority, the CNIL, launched a European-wide investigation into the Google policy changes.

I predict that there will be more of these announcements and privacy policy tweaks during the coming months. Companies with large banks of users’ or customers’ data from the European Union have a small window of opportunity to commercialise that data before the implementation of a new European Union data protection regulation. The draft of this regulation was published by the EU Justice Commission on 25 January 2012. In its current draft form, the regulation will begin to apply 2 years from the date it comes into force. No national laws are required to bring an EU regulation into effect in a member state.

Companies will therefore have 2 years in which to rely on the more relaxed rules included in the Data Protection Directive 95/46/EC. In particular, some processing that can be conducted without the consent of individuals, where these are new uses of the individuals’ data which are in the “legitimate interests pursued by [the company] or by the third party or parties to whom the data are disclosed”, will become much more difficult, if not impossible.

The whole nature of consent is properly addressed in the draft regulation. In the Directive, data can be processed where there is unambiguous consent. In the UK implementation of the Directive, the Data Protection Act 1998, it has always been possible to obtain consent indirectly for data that is not “sensitive personal data”. Whilst this has been one of a number of long-standing issues between the European Commission and the UK on data protection, there is a new provision in the draft regulation that will address valid consent. Of particular interest in cases such as Google, which is a dominant operator in the search engine services market, is the draft provision that states “consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the [company]”.

This goes back to another of the significant changes in the draft regulation. In the Directive there is a basic provision that personal data must be “processed fairly and lawfully”. In the regulation, the equivalent provision is “processed lawfully, fairly and in a transparent manner in relation to the data subject”. Expect some interesting arguments about transparency in the coming months – perhaps these have already started, given Viviane Reding’s comments on the Google changes.

To make matters even more interesting, the draft regulation gives consumer bodies the standing to be able to complain to a supervisory authority about data protection breaches on behalf of individuals. Super-complaints, as they are known in competition law, will up the ante for regulators – easy for the Information Commissioner to downplay an individual’s complaint; less easy to ignore a complaint from a body such as Which? or the National Consumer Council.

Lastly, the draft regulation includes new powers for supervisory authorities, including the power to fine enterprises, in the worst cases, up to 2% of their annual worldwide turnover. That ought to grab the attention of companies like Google and Twitter.

There's slow and then there's the European Commission

The main directive that governs the processing of personal information in the European Union, the Data Protection Directive 95/46/EC, was signed by the European Parliament and Council on 24 October 1995.  It had to be implemented by member states within 3 years from this date of adoption (not to be confused with its publication date in the Official Journal – Official Journal L 281, 23/11/1995 P. 0031 – 0050).

The UK started out well, with the Data Protection Act 1998 getting royal assent on 19 July 1998.  However, most of the Act’s operative provisions did not come into effect on the passing of the Act but came into effect late, on 1 March 2000.

However, the European Commission has for many years considered the implementation of the Directive by the UK to be inadequate.  In particular, the Commission considers that the powers given to the Information Commissioner, the UK’s national data protection authority, are insufficient.  There have been many rumours over the years about preliminary steps being taken by the Commission to enforce proper implementation of the Directive, but with no official confirmation.

This week we at last have confirmation that the Commission is after the UK, with a press release giving some details about its request that the UK strengthen the powers of the Information Commissioner.  The request is in the form of a reasoned opinion – the second stage under EU infringement procedures.  The Commission has four concerns about the implementation of the Directive in the UK:

  • the Information Commissioner cannot monitor whether third countries’ data protection is adequate. These assessments should come before international transfers of personal information;
  • the Information Commissioner can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks;
  • the courts in the UK can refuse the right to have personal data rectified or erased; and
  • the right to compensation for moral damage when personal information is used inappropriately is also restricted.

The UK now has two months to inform the Commission of measures it has taken to ensure full compliance with the Directive, else it risks being taken to the Court of Justice of the European Union (CJEU).  The Commission’s press release quotes Viviane Reding, the relevant Commissioner (Commissioner for Justice, Fundamental Rights and Citizenship):

“Data protection authorities have the crucial and delicate task of protecting the fundamental right to privacy. EU rules require that the work of data protection authorities must not be unbalanced by the slightest hint of legal ambiguity. I will enforce this vigorously. I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules. Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement.”

Sadly, the UK had an excellent opportunity to make most of the necessary amendments when the Criminal Justice and Immigration Act 2008 and Coroners and Justice Act 2009 went through Parliament. The 2008 Act introduced monetary penalties powers for the Information Commissioner.  With these powers in place, specific mention could have been made about their use in the provisions on assessments introduced by the 2009 Act.  There was debate in the House of Lords on extending the assessment notice provisions at ss.41A-41C of the Data Protection Act 1998, which are currently restricted to Government bodies, to the private sector.  An amendment was proposed by Lord Dubs, a member of the Joint Committee on Human Rights, to extend the scope of these provisions, but the amendment was not moved. It would have been possible, had the Government wished, to broaden the scope of assessment notices to include the assessment of transfers/exports of personal information.

(The link to the Data Protection Act 1998 above is to the consolidated act, which therefore includes ss.55A-55E inserted by s144 of the 2008 Act, and ss.41A-41C inserted by s173 of the 2009 Act.)

One of the most difficult rights of the Data Protection Act 1998 for an individual to exercise is the right of access to that individual’s personal information, particularly if that individual is in a dispute with the data controller (the holder of the personal information).  The problem is that even if an individual is willing to accept the risk and cost of going to court to seek a court order to require compliance, the court has a discretion on whether it makes an order and on the terms of that order.  This has always been a frustration for advisers to individuals.

Still, there is finally a chance that the threat of being brought to the CJEU will prompt the UK to address the shortcomings of the Data Protection Act 1998 in time for the 15th anniversary of the passing of the Data Protection Directive 95/46/EC.