Twitter, Google and EU Privacy


At the end of February it was reported that Twitter was selling off old tweets to marketing companies. Google also, with effect from 1 March 2012, changed its privacy policy for all of its services. These include YouTube, Gmail and Blogger as well as the ubiquitous search engine. In neither case were users’ consents obtained for the transaction or changes. This raises a number of privacy and data protection issues. In Google’s case the EU Justice Commissioner, Viviane Reding, has gone on record saying “transparency rules have not been applied”. The French data protection authority, the CNIL, launched a European-wide investigation into the Google policy changes.

I predict that there will be more of these announcements and privacy policy tweaks during the coming months. Companies with large banks of users’ or customers’ data from the European Union have a small window of opportunity to commercialise that data before the implementation of a new European Union data protection regulation. The draft of this regulation was published by the EU Justice Commission on 25 January 2012. In its current draft form, the regulation will begin to apply 2 years from the date it comes into force. No national laws are required to bring an EU regulation into effect in a member state.

Companies will therefore have 2 years in which to rely on the more relaxed rules included in the Data Protection Directive 95/46/EC. In particular, some processing that can be conducted without the consent of individuals, where these are new uses of the individuals’ data which are in the “legitimate interests pursued by [the company] or by the third party or parties to whom the data are disclosed”, will become much more difficult, if not impossible.

The whole nature of consent is properly addressed in the draft regulation. In the Directive, data can be processed where there is unambiguous consent. In the UK implementation of the Directive, the Data Protection Act 1998, it has always been possible to obtain consent indirectly for data that is not “sensitive personal data”. Whilst this has been one of a number of long-standing issues between the European Commission and the UK on data protection, there is a new provision in the draft regulation that will address valid consent. Of particular interest in cases such as Google, which is a dominant operator in the search engine services market, is the draft provision that states “consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the [company]”.

This goes back to another of the significant changes in the draft regulation. In the Directive there is a basic provision that personal data must be “processed fairly and lawfully”. In the regulation, the equivalent provision is “processed lawfully, fairly and in a transparent manner in relation to the data subject”. Expect some interesting arguments about transparency in the coming months – perhaps these have already started, given Viviane Reding’s comments on the Google changes.

To make matters even more interesting, the draft regulation gives consumer bodies the standing to be able to complain to a supervisory authority about data protection breaches on behalf of individuals. Super-complaints, as they are known in competition law, will up the ante for regulators – easy for the Information Commissioner to downplay an individual’s complaint; less easy to ignore a complaint from a body such as Which? or the National Consumer Council.

Lastly, the draft regulation includes new powers for supervisory authorities, including the power to fine enterprises, in the worst cases, up to 2% of their annual worldwide turnover. That ought to grab the attention of companies like Google and Twitter.

There's slow and then there's the European Commission

The main directive that governs the processing of personal information in the European Union, the Data Protection Directive 95/46/EC, was signed by the European Parliament and Council on 24 October 1995. It had to be implemented by member states within 3 years from this date of adoption (not to be confused with its publication date in the Official Journal – Official Journal L 281, 23/11/1995 P. 0031 – 0050).

The UK started out well, with the Data Protection Act 1998 getting royal assent on 19 July 1998.  However, most of the Act’s operative provisions did not come into effect on the passing of the Act but came into effect late, on 1 March 2000.

However, the European Commission has for many years considered the implementation of the Directive by the UK to be inadequate.  In particular, the Commission considers that the powers given to the Information Commissioner, the UK’s national data protection authority, are insufficient.  There have been many rumours over the years about preliminary steps being taken by the Commission to enforce proper implementation of the Directive, but with no official confirmation.

This week we at last have confirmation that the Commission is after the UK, with a press release giving some details about its request that the UK strengthen the powers of the Information Commissioner.  The request is in the form of a reasoned opinion – the second stage under EU infringement procedures.  The Commission has four concerns about the implementation of the Directive in the UK:

  • the Information Commissioner cannot monitor whether third countries’ data protection is adequate. These assessments should come before international transfers of personal information;
  • the Information Commissioner can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks;
  • the courts in the UK can refuse the right to have personal data rectified or erased; and
  • the right to compensation for moral damage when personal information is used inappropriately is also restricted.

The UK now has two months to inform the Commission of measures it has taken to ensure full compliance with the Directive, else it risks being taken to the Court of Justice of the European Union (CJEU).  The Commission’s press release quotes Viviane Reding, the relevant Commissioner (Commissioner for Justice, Fundamental Rights and Citizenships):

“Data protection authorities have the crucial and delicate task of protecting the fundamental right to privacy. EU rules require that the work of data protection authorities must not be unbalanced by the slightest hint of legal ambiguity. I will enforce this vigorously. I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules. Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement.”

Sadly, the UK had an excellent opportunity to make most of the necessary amendments when the Criminal Justice and Immigration Act 2008 and Coroners and Justice Act 2009 went through Parliament. The 2008 Act introduced monetary penalties powers for the Information Commissioner. With these powers in place, specific mention could have been made about their use in the provisions on assessments introduced by the 2009 Act. There was debate in the House of Lords on extending the assessment notice provisions at ss.41A-41C of the Data Protection Act 1998, which are currently restricted to Government bodies, to the private sector. An amendment was proposed by Lord Dubs, a member of the Joint Committee on Human Rights, to extend the scope of these provisions, but the amendment was not moved. It would have been possible, had the Government wished, to broaden the scope of assessment notices to include the assessment of transfers/exports of personal information.

(The link to the Data Protection Act 1998 above is to the consolidated act, which therefore includes ss.55A-55E inserted by s144 of the 2008 Act, and ss.41A-41C inserted by s173 of the 2009 Act.)

One of the most difficult rights of the Data Protection Act 1998 for an individual to exercise is the right of access to that individual’s personal information, particularly if that individual is in a dispute with the data controller (the holder of the personal information).  The problem is that if any individual is willing to accept the risk and cost of going to court to seek a court order to require compliance, then the court has a discretion on whether it makes an order and the terms of that order.  This has always been a frustration for advisers to individuals.

Still, there is finally a chance that the threat of being brought to the CJEU will prompt the UK to address the shortcomings of the Data Protection Act 1998 in time for the 15th anniversary of the passing of the Data Protection Directive 95/46/EC.

First incandescent light bulbs, next cathode ray tubes


In our blog on incandescent light bulbs, we noted that the effect of Directive 2005/32/EC is to give the European Commission the power to regulate the ecodesign requirements of a wide range of energy-using products, without the need for further Member State intervention.

Whilst the disappearance of incandescent light bulbs has caused some stir, we expect only the potential demise of cathode ray tube (CRT) televisions and monitors under the Ecodesign Requirements for Televisions Regulations 2009 to attract attention in the recent batch of ecodesign regulations published on 22 July 2009 (the other 3 being on Electric Motors, Glandless Circulators and Household Refrigerators).

We were tempted to try to explain squirrel cage motors (for the Electric Motors regulation) and glandless circulators, but frankly Wikipedia does a better job than we could in a short blog.

However, if you were thinking about buying a cheap fridge, we suggest you do so soon if your ‘green’ conscience will let you.  The new ecodesign requirements are likely to increase the price of compliant fridges in the short term.

Lights out for a bit of electrical history


1 September 2009 marked the beginning of the end for the incandescent light bulb in Europe, courtesy of the Ecodesign for Non-Directional Household Lamps Regulation, after 130 years.

The Regulation is not for the faint-hearted, being a heavily technical document.  So much so that a handy “translation” has been prepared for MPs by a House of Commons Library Note.

From 1 September 2009, it should not be possible to obtain an 80W or higher wattage incandescent light bulb in the UK.

What makes this Regulation slightly more interesting from a legal point of view is that it was made by the Commission under an enabling power included in Directive 2005/32/EC.  Under the Directive the European Parliament and Council have handed over power to the Commission to set ecodesign requirements for a wide range of energy-using products by way of a Commission regulation.  A Commission regulation has direct effect on member states, ie no national legislation is required for the regulation to be effective and enforceable.

Our bags are packed; we're ready to go…

We reported over a week ago on the possibility of regulatory holidays sneaking into the Telecoms Package (We’re all going on a [regulatory] holiday…).   Last week (6 May 2009), the European Parliament did its best to get the last word on the Telecoms Package – see the outcome of the second reading. This has given us the first look at the Common Position adopted by the Council.

Don’t try doing a word/phrase search for “regulatory holiday”; nothing as blatant as that has been inserted into the Common Position.  However, have a look at the draft of the amended Article 8(5)(d) of the Framework Directive 2002/21/EC that is proposed:

5.  The national regulatory authorities shall …. apply objective, transparent, non-discriminatory and proportionate regulatory principles by, inter alia:

d) promoting efficient investment and innovation in new and enhanced infrastructures, including by ensuring that any access obligation takes appropriate account of the risk incurred by the investing undertakings and by permitting various cooperative arrangements between investors and parties seeking access to diversify the risk of investment, whilst ensuring that competition in the market and the principle of non-discrimination are preserved;

[bold italic text inserted by the Council.]

Anyone care to explain? Is this the back door to regulatory holidays? It’s a typical example of European late night compromise drafting, so that the article appears to mean whatever you want it to mean (i.e. incumbents will argue that a degree of regulatory holiday is necessary to “diversify the risk of investment” whilst new market entrants will say that access to new non-replicable infrastructure is essential for “ensuring that competition in the market” is preserved).

The Telecoms Package has not been vetoed by the European Parliament, as reported by some commentators.  The Common Position, as amended by the European Parliament, now goes back to the Commission and the Council.  If subsequent trilogues do not lead to an agreed text, the amended Common Position will go to the Conciliation Committee.