A Problem for Business: The Data Protection Patchwork
Mark Watts -
Data protection has come a long way in the 15 years since the Data Protection Directive first saw the light of day. For one thing, it’s less common these days to hear business complaining about there being restrictions on the use of personal data, and there seems to be a greater appreciation, particularly among US multinationals, that handling personal data in a manner that respects individuals’ rights is generally a good thing.
Most businesses of a certain size and degree of sophistication have long since “got it” and are trying to do the right thing but, at least on one level, failing miserably, despite spending lots of money, appointing data protection champions internally and implementing elaborate compliance programmes. Why? Because despite originating from the same legal instruments, EU data protection laws have all been implemented in different ways (sometimes wildly different ways), something that is compounded by the different approaches (again, sometimes wildly different approaches) of the various EU data protection authorities. There is no single “answer” for Europe, and it’s this “patchwork” of requirements that business struggles with.
A good example of the patchwork defeating business is the notification process. Most EU countries require that a data controller files a detailed notification describing its processing operations. In many cases, this isn’t merely a notification process but an approval process. Putting aside the burning question of what is the point of notification at all and what benefit does it provide, particularly for individuals (apart from raising money for the DPAs), it cannot be necessary to have an EU system with 27 different requirements – in some countries all systems must be notified, in others all except “low risk” systems, in others only “high risk” systems, in others still you can avoid notification if you appoint a data protection officer. On top of this, what each country regards as a “system” varies – in some it’s individual databases, in others it’s all connected systems processing for a particular purpose. Against this complexity, consider the position of a multinational trying to comply and having, say, a thousand IT systems internally that process personal data – quite a modest number for many multinationals. For each of these systems, the position in 27 different countries will need to be considered and forms completed, often in local language, often with the country’s unique execution requirements, such as the need to sign powers of attorney or to have the application form stamped by an embassy overseas. Even taking a sensible approach and prioritising countries (eg, start with those with the strictest laws or most likely to issues fines), systems (eg, start with those with most personal data) and countries (eg, start with those where the company has most employees or makes most revenue), the whole process can take months or even years. Such “paper” compliance is a hugely disproportionate exercise and, worst of all, one that adds no value to how individuals’ personal data is protected, only cost, delay and frustration. Indeed, it could even be said that multinational companies spending their time and dollars on form-filling, makes practical compliance worse, partly by distracting their energies from looking at how is data actually handled in practice, and partly by creating a false sense of being “compliant”, simply from having completed lots of paperwork and spent lots of money. The current system is broken.
A patchwork of different legal requirements is bad enough. However, the position is worsened by the various DPAs taking different and often inconsistent approaches to issues. On one level this is perhaps unsurprising. Data protection is a human right and something to be considered in light of all of the circumstances, including different cultural sensitivities – data that is sensitive in one country might be considered as benign and uninteresting in another country. DPAs need to be sensitive to this. However, the drafters of the Data Protection Directive were aware of this point and so included article 29 to establish a Working Party so that the various EU DPAs could agree on pressing data protection issues of the day and issue written opinions on them. Since 1997, the article 29 Working Party has issued 175 formal opinions. However, only a fairly brief review of these opinions reveals that whilst they represent an “agreed” position between the EU DPAs, this is usually on the strictest requirement, the highest common denominator for all. Putting aside the unnecessary strictness that this approach leads to, and putting aside the that these Working Party opinions have come to be regarded as “law”, despite the absence of any formal consultation or legislative process, one might say that at least there is a consistent position across the EU countering the patchwork that business apparently finds so difficult to deal with – namely – comply with the article 29 Working Party opinions and you will be okay.
If Only Life Were That Simple
What is seen in practice is that despite agreeing on a standard of data protection that is often unachievable, significant deviations in requirements continue to exist at a country level. Putting it another way, EU DPAs often impose requirements in excess of those in the relevant Working Party opinion. For example, one of the more significant opinions issued is paper 114 (25 November 2005), which deals with the exceptions that allow data controllers to transfer personal data out of the EU. One exception permitted by the Directive is where an individual consents to his or her data being transferred out of the EU. On this exception, the Working Party said the following:
“The Working Party suggests that consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question [...] Relying on consent may therefore prove to be a “false good solution”, simple at first glance but in reality complex and cumbersome.”
And the remainder of the opinion effectively rules out relying on consent, particularly for transfers employees’ data, as it is usually regarded as invalid. However, as anyone who has ever tried to notify the processing and transfers of employee data out of Spain to a US-based headquarters will know, consent is a specific requirement of the Spanish Data Protection Agency. To make matters worse, it’s not as if they are saying that the consent exception may be relied upon, but rather that the consent of all employees must be obtained in addition to implementing one of the other solutions in the Directive allowing data transfers.
In the UK, problems also arise, although, of a different kind. The UK’s DPA, the Information Commissioner, takes a highly pragmatic approach that is often out of sync with the positions of other EU DPAs. To be clear, the ICO is to be congratulated on this sensible, risk-based approach, but while this benefits businesses with only domestic UK operations, for multinationals, it contributes to patchwork of requirements that has to be navigated.
A good example of this, and an area where business is likely to see an increasing variety of requirements, is with regard to cookies and online behavioural advertising. OBA concerns the use of information about a consumer’s online activities to tailor the online advertising served to that consumer to his or her interests. The ICO has recently issued an Online Personal Information Code of Practice, where it takes a markedly relaxed view of online behavioural advertising in comparison to that of the article 29 Working Party. The ICO points out that it receives “relatively few complaints” about online advertising. It states that use of information about customers to market goods is “an established practice that customers have come to expect and are generally happy with”. It also suggests that fears about online advertising “may arise partly from a misunderstanding of the technology”.
Its code specifically states that using personal data to categorise an internet user by his or her apparent interests and then using that categorisation to target advertising to the user is “not intrinsically unfair or intrusive” and does not necessarily require consent. It recommends use of clear opt-outs to allow users to exercise control. It also reminds websites and ad networks placing cookies of the need to inform users that a cookie will be stored on their equipment and to give them the opportunity to refuse this. Accordingly, the approach recommended in the code is in line with current “opt-out” regime used in online behavioural advertising. Active, prior consent to the setting of cookies is not generally required.
By contrast, the article 29 Working Party’s tone on the subject of online advertising has been more negative. The Working Group worries about online behavioural advertising’s “high level of intrusiveness into people’s privacy” and says that it is “deeply concerned” about the implications of online behavioural advertising.
The Working Party opinion on OBA states that ad networks must obtain informed consent before setting a cookie on a user’s computer. According to the Working Party, neither an explanation of how to reject cookies nor the opportunity to opt-out via the ad network’s website are adequate mechanisms to obtain informed consent from users to the setting of cookies for online advertising purposes.
The divergence between the UK and the Working Party is explicable in part due to the recent amendments to the Privacy & Electronic Communications Directive. These amendments are confusing. On the one hand, they require users to consent before a cookie is set on his or her computer, whilst on the other hand, the recitals to the amended PEC Directive state that “[...] the user’s consent to processing may be expressed by using the appropriate settings of a browser [...]”. This “opt-out” approach is the case at the moment. This apparent contradiction is likely to mean that the patchwork of requirements becomes worse, even in respect of a technology as ubiquitous and important as that of cookies. In some countries, a user’s consent will be required, in other countries it won’t be – an impossible situation for online business if ever there was one.
At the time of writing, there are many moves to review and update EU DP law, both at a national and European level. Whichever way this goes, it is essential that sufficient weight is given to the need for harmonisation across the EU. Compliance with whatever legal requirements might result from this review will increase everywhere if business is able to implement uniform processes everywhere in the EU that they do business.