Computer Law & Security Review 28 (2012) 587–588
Available online at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Comment
Modernization of European data protection law at a turning point
Ulrich Wuermeling
Latham & Watkins LLP, Frankfurt, Germany
Abstract
CLSR welcomes occasional comment pieces on issues of current importance in the law and technology field. In this note Dr Ulrich Wuermeling of Latham & Watkins LLP, Frankfurt offers a personal viewpoint on the EU data protection reform package.
© 2012 Ulrich Wuermeling. Published by Elsevier Ltd. All rights reserved.
Keywords: Data protection; EU data protection reform; Charter of Fundamental Rights of the European Union; Treaty on the Functioning of the European Union
1. Introduction
The data protection reform package (COM (2012) 10 and 11) presented by the European Commission on 25 January 2012 has sparked off a vital discussion about the best future approach to data protection regulation. The proposal fails to deliver what the Commission aimed for. It is neither modern nor does it reduce bureaucracy. Thus, the question has come up as to whether the approach taken in the Commission’s proposal is appropriate for a modern information society. In addition, the proposal is criticized severely for being outside of the scope of European legislative powers and for proposing to allocate to the European Commission regulatory powers to decide on fundamental aspects of the future data protection law.
2. What could a modern data protection reform look like?
This question is debated intensively by the Council of the Member States as well as by the European Parliament. The German Ministry of the Interior has sparked off an intensive discussion by proposing that modern data protection regulation should concentrate on the high-risk aspects of personal data processing, whereas everyday data processing should be more or less excluded from regulation. The approach presented by the German Ministry of the Interior is refreshing. Data processing as such does not pose a danger, as was still believed to be the case in the 70s. Just as water and wood are not regulated as dangerous substances, the regulation of data protection issues can be limited to the major spheres of risk. The Commission’s draft reform contains some timid attempts in this direction. But as yet the reform package does not take any courageous steps towards such an approach. A risk-oriented approach might not only be more modern, but also more effective as a means to protect the privacy of data subjects. The forces of the regulation would be concentrated on areas which really matter for the protection of the citizens’ rights. It would become possible to reduce superfluous data protection bureaucracy. The implementation of such an approach, however, would necessitate massive changes in the current proposal of the Commission, because the proposal ventured in exactly the opposite direction.
0267-3649/$ – see front matter © 2012 Ulrich Wuermeling. Published by Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.clsr.2012.08.004
3. What scope of application would be desirable for the European harmonization?
The Commission demands complete harmonization in the public and the private sector. It justifies the approach by reference to Article 8 of the Charter of Fundamental Rights of the European Union (2000/C 364/1 OJ 18.12.2000) and Article 16 (2) of the Treaty on the Functioning of the European Union (TFEU) (OJ C 83/47 30.03.2010). A closer look at these provisions, however, reveals that they do not provide the required legal basis. The application of Article 8 of the Charter is limited by Article 51 to “the institutions and bodies of the Union with due regard for the principle of subsidiarity and to the Member States only when they are implementing Union law”. Article 16 (2) of the TFEU is clear on the point as well. It only applies to the “processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data”. Art. 16 (2) of the TFEU mentions the “internal market”, but this reference encompasses only the data which is processed in the context of Union law. Due to an error in the German translation, this restriction is, unfortunately, not clearly discernible. The English language version (like all other language versions, except the German one), however, refers explicitly to “such data”. Whilst the old Data Protection Directive (95/46/EC) applied to the private and public sector, the Lisbon Treaty has clearly limited the powers of the European Commission at least for the public sector. The scope presented in the proposal of the Commission is, therefore, in breach of Article 16 (2) of the TFEU. Following criticism in this respect, a reference to the legal basis of Article 114 of the TFEU was included in the draft regulation at the last minute before the publication of the proposal. This Article contains, in fact, the only provision that could justify a broader European harmonization of data protection. It was also used as a legal basis for the old Directive (at the time Article 100a). Since the Lisbon Treaty introduced Article 16 (2) of the TFEU, however, Article 114 of the TFEU can only apply to the regulation of data protection in the private sector. A regulation of the complete public sector can no longer be justified by resorting to Article 114 of the TFEU, because Article 16 (2) of the TFEU is the more specific rule on the matter.
4. What role may the Commission play in future with regard to data protection issues?
The Commission plans to build up a large internal administration to monitor and enforce a uniform interpretation and implementation of data protection law. The draft General Data Protection Regulation (COM (2012) 11) contains 26 powers for the European Commission to pass legislative acts and 20 powers to pass implementing acts (plus 2 in order to pass accelerated procedures). For the Member States, this is unacceptable, and the granting of such powers would constitute an infringement of Article 290 (2) of the TFEU. On top of that, the Commission, at least in some aspects, wants to supervise the data protection supervisory authorities, which are currently acting independently of the administrative bodies of the Member States. Irrespective of their scope of action, this type of subordination of national bodies to the European Commission has so far been unheard of.
5. Conclusion
In summary, it can be said that the reform package not only presents an outdated approach, but also fails to fulfill its legal mission and transcends the competences specified in the TFEU by far. Taking into account the existing competences in the TFEU, the reform should follow quite a different order of priorities than it does now: As a first step, data protection should be regulated for the entities of the Union and the Member States to the extent that they execute Union law. Data protection in the private sector should be dealt with separately and within the existing competences of the internal market. The latter, however, would require a much more economy-oriented approach than the one contained in the current draft Regulation. The idea to concentrate data protection regulation on risk areas would be one way to fulfill the goal. On 17/18 October 2012, the Alexander von Humboldt University in Berlin and the German Ministry of Interior will conduct a European academic conference on the data protection reform package in order to discuss the fundamental issues raised by the Commission’s proposal. The outcome of this conference is expected to have a deep impact on where the reform package will be going.
Dr. Ulrich Wuermeling LL.M. ([email protected]) Latham & Watkins LLP, Frankfurt, Germany.