There were two big expectations from this morning's release of the initial draft of data protection regulations from the European Commission, both of which were built up through quite a bit of fanfare from EC Vice President Viviane Reding's office last November. One was that the Commission would "stick it to" the U.S. Patriot Act, the law that grants American law enforcement agencies access to private data elsewhere in the world, under controlled conditions. Another was that citizens of E.U. member states would be granted a "right to be forgotten," to order online firms collecting personal data about them to purge their records.
The initial draft of these new Data Protection regulations shows moderation on both counts.
Taking a stand on behalf of whatever
With respect to what constitutes fair handling of E.U. citizens' personal data by other countries, the proposed law would essentially reserve the right for commissioners to make that determination from time to time.
Specifically, the draft regulation states that a transfer of data from a European member state to an outside country ("third country") may only take place after the Commission has ascertained that this country would also be able to provide "an adequate level of protection." A country meeting that standard would be judged by the Commission on the following characteristics: "the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defense, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organization, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the [European] Union whose personal data are being transferred."
That phraseology would give the Commission the authority to use its own judgment to declare, for instance, the United States an inappropriate handler of E.U. citizens' personal data, depending also upon whether an independent monitoring authority was in place to ensure U.S. compliance with E.U. rules. Exactly when such judgments would be made, the draft regulation does not say. It would be difficult to imagine authorities making these determinations on a case-by-case basis. More likely, the Commission would make a judgment call about each country where an entity requests a personal data transfer soon after the first request was made, and would apply that judgment to subsequent cases.
But should the U.S. change its stance toward enforcement of the Patriot Act, or even if the E.U. should change its policy toward whether such enforcement endangers the rights of its citizens, the regulation as drafted would give the Commission the freedom to change its mind without changing the law. As drafted, the law does not codify any notion that it is necessarily wrong for foreign investigating bodies to seek data on E.U. citizens. It does state, however, that it would be wrong for foreign governments not to afford those citizens "effective administrative and judicial redress" should they wish to protest the actions of foreign governments or foreign companies in court.
Should a company retain personal data in some archival form, just in case it receives such a request from a foreign government? The draft law makes clear: No, it should not. "A controller should not retain personal data for the unique purpose of being able to react to potential requests." (Here, "a controller" refers to a person tasked with managing or processing collections of personal data.) However, a controller may retain personal data about a specific individual beyond the maximum time allowed for member states (two years) in individual cases where a member state or the E.U. is investigating that person. (It can't retain the entire database containing that person's data for that long.)
These laws were originally conceived for a world where databases reside in easily addressable file systems on hard drives, within servers reachable through a URL. In just the past few years, data centers have evolved into states and configurations that laws and regulations have only just now begun to consider, and certainly not everywhere in the world. The big problem the E.U. faces today lies with the reluctance of companies there to partake in public and hybrid cloud computing - the most revolutionary and potentially beneficial architectures for the enterprise since the decline of the punch card reader - for fear that virtual machines that happen to contain databases including E.U. citizens' private information will egress into U.S. territory. There, the data might be subject to a U.S. law enforcement investigation, and businesses are worried that if they let that happen, they'll be held responsible by the E.U. for violating its laws.
The media loophole
With respect to the issue RWW profiled yesterday involving possible exceptions to the "right to be forgotten," journalists would indeed be granted a kind of limited exemption from these data protection laws. The key to how judges would interpret this law, presuming it's passed, is how they interpret the concept of "journalists." While the Commission has been liberal in describing the term as including people who do journalism, there do not appear to be any exclusions against corporations that do journalism.
And the official description of the regulation (not the law itself, but part of the draft that explains how it should be applied) explains that the law would leave it up to each member state to determine how the concept of a journalistic endeavor applies within that state specifically. This could lead to an interesting discussion about a possible loophole for organizations that collect data for marketing purposes and also conduct journalism - a possibility which the official explanation leaves open, in the name of freedom of speech.
"In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly," the explanation reads. "Therefore, Member States should classify activities as 'journalistic' for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes."