Portfolio blogger

Saturday, August 27, 2016

What changed in the new General Data Protection Regulation since the first position of the Council?



The new General Data Protection Regulation had a long history. It was perhaps the regulation which attracted the largest number of amendments in the Parliament, and it was one of those subject to the longest and most complicated negotiations. EU regulations under the ordinary legislative procedure have to be approved by both the Parliament and the Council. There are several rounds until an agreement is found or the regulation finally fails to be approved.
The negotiations centred around some new elements of the regulation, like the „one stop shop”, i.e. the possibility for a person or a company to deal with only one data protection authority (and the two, namely the one stop shop for a company and for a person whose data that company uses, may be contradictory in an international setting), the extent of penalties, the liberty of member states to regulate further, and the liberty of public services compared to economic actors in using personal data. The new concepts, „the right to be forgotten”, „privacy by design” and „privacy by default”, and mainly „data portability”, were also subject to long discussion concerning their definition, scope and practical applicability. The mechanical duty of notification to the data protection authority (which was actually required to a different extent in different countries) has given way in many cases to a preliminary impact assessment.
I try to highlight here some of these aspects, comparing what the Council wanted (it published its position, with a concrete text of the regulation, on 24 February 2014) with the final text.
The final regulation contains 173 recitals which set out the main principles and considerations (and serve as guidance concerning the „intention of the legislator” if interpretation of the text is needed).
First let’s examine the freedom of manoeuvre given to the member states:
In the Council position, the member states wanted to have the power to legislate while ignoring some requirements if data are processed by public authorities. The new regulation frames this liberty: „Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.” Member state law can set out the circumstances for specific situations, „determining more precisely the conditions under which the processing of personal data is lawful”. This right extends also to the processing of special categories of personal data (‘sensitive data’), i.e. data related to health, sexual orientation, religion, political views, membership in trade unions and similar data.
The regulation is not applicable for „activities which fall outside the scope of Union law, such as activities concerning national security” and also „when carrying out activities in relation to the common foreign and security policy of the Union”.
The most important exception is the „processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act... namely Directive (EU) 2016/680 of the European Parliament and of the Council”. If these authorities process data in the framework of other activities, the regulation is however applicable. An exemption for fraud prevention and detection, including tax evasion is also included in the regulation.
Limits to data portability were set in the new regulation: it „should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.”
A point in favour of economic actors – and deviating from the spirit of the old directive – was that direct marketing could be considered as legitimate interest. The new regulation formulated some limiting conditions to that: „the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”
The impact assessment requirement was also significantly limited, to circumstances „where processing operations are likely to result in a high risk to the rights and freedoms of natural persons”. The result of this assessment will then determine whether consultation of the data protection authority is necessary (which was obligatory under the old regime for all processing operations involving „sensitive data”).
Special simplified requirements are applicable to small companies, and special codes of conduct can be issued by member states for these enterprises. On this point the Council succeeded in having its position accepted.
Following the Schrems case, where the adequacy decision of the Commission about the Safe Harbour agreement – which declared that persons have protection equivalent to that ensured by European legislation if their data are processed in the U.S. – was invalidated, the new regulation sets more precise conditions under which the Commission can take such a decision.
The „one stop shop”, i.e. the possibility for persons to turn to one competent authority – preferably the one in their country – to deal with their complaints, was also given precise conditions, and the process was described. There will be a „lead authority”, competent for the organisation processing the data, and other „concerned authorities” (among them the one with which the complaint was lodged). Cooperation obligations are described. What is left of the power of the authority with which the complaint was lodged is that „where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.”
The Commission will participate, without voting rights, in the activities of the new European Data Protection Board, and the European Data Protection Supervisor should have specific voting rights. As opposed to the solely consultative nature of its predecessor, the so-called „Article 29 working party” of national data protection authorities, the Board can take binding decisions. These decisions are, however, not binding on the European Data Protection Supervisor, who is the data protection authority for EU institutions – this may change with the forthcoming regulation about the processing of personal data in EU institutions, which is now under preparation and should enter into force at the same time as the new GDPR, i.e. May 2018.
The maximum amount of penalties and fines was fixed at 4% (the Parliament proposed 5%) of the turnover of the company infringing the rules, while for certain offences the maximum is only 2%.
Specific rules for associations, in particular religious associations are also fixed.
There are of course a number of other changes compared to the system in force now, but here I only wanted to deal with some topics which were subject to discussion between the Commission (which prepared the original proposal), the Parliament (more inclined towards harmonisation and the fundamental rights of citizens – the rapporteur came from the Green faction) and the Council, which represents more the interests of public administrations and enterprises.

Wednesday, July 27, 2016

The Schrems-Facebook saga continues

The Irish High Court turns to the European Court of Justice with a reference for a preliminary ruling in the second case of the Austrian law student Maximilian Schrems against Facebook.
In the first case, the European Court of Justice invalidated in its judgment the "Safe Harbour" agreement between the U.S. and the EU. (Other "adequacy decisions", declaring that countries comply with European data protection principles, can be found here.)
This system enabled U.S. companies to self-certify and register at the U.S. Department of Commerce that they comply with EU data protection rules.
Based on the Snowden revelations, the European Court of Justice found that the "indiscriminate and mass surveillance" by U.S. government agencies, and the lack of legal redress for EU citizens (a redress which was ensured for U.S. citizens) against illegitimate use of data by them, is not compatible with EU data protection principles. The Commission decision was therefore invalidated, so that companies participating in this arrangement no longer have the right to use EU citizens' personal data on this basis.
An alternative was that U.S. companies commit themselves, through "standard contractual clauses" defined by the European Commission, to ensure the same protection as if they were bound by European law. This is now also being attacked before the Irish High Court, which decided to refer a question to the European Court of Justice. This was announced in early June, but the question is not available yet on the Court's website.
Meanwhile the Irish High Court also endorsed some requests to testify in front of it as "Amicus Curiae". The U.S. also received this right. The representative of the U.S. will testify under oath and is not bound by U.S. secrecy laws.
On 8 June the European member states actually endorsed the "Privacy Shield", the system intended to replace the "Safe Harbour". The U.S. ensured adequate legal redress also for European citizens, and thus – apart from the question of how indiscriminate and mass in character U.S. surveillance is – the main problem was declared solved.
The arrangement had no smooth ride either in the U.S., where the Republicans introduced last-minute amendments to the bill, weakening its guarantees, or in the EU, where the so-called "Article 29 working party", the community of national Data Protection Authority chiefs (which will become the European Data Protection Board, a much more powerful and institutionalised group, after the entry into force in May 2018 of the new General Data Protection Regulation – a post about that will follow), and the European Data Protection Supervisor requested changes to the already agreed text, and of course this was very difficult to make the U.S. swallow. Certainly, this "Privacy Shield" will also be tested in the courts. However, the changes in U.S. law will also influence the decision on the standard contractual clauses, as their governing legal environment has changed.
One interesting aspect of the U.S. rules on government access to personal data is that they apply in principle to subsidiaries of U.S. companies, and even to companies outside the U.S. which have a subsidiary or important operations in the U.S. This was, however, weakened when Microsoft won a case in Ireland, and thus does not have to disclose the data to U.S. authorities.
The opinion of the EDPS on the "Privacy shield" can be found here.

Tuesday, January 26, 2016

Why does the EU finance the Orban regime?

I hear this question more and more often. The Hungarian government plans to use all EU funds available for the 2014-2020 programming cycle by 2019 (mainly before the 2018 parliamentary elections and the 2019 municipal elections). This may mean 6 billion euros every year or even more.
These amounts help to keep the system running. They amount to about 4% of GDP at the moment, and may be as much as 6% according to the ambitious plans; thus they are the source of the 2-3% growth (and may increase it to 4-5% per year in the future) of which the government boasts.
Apart from the legal problems which hinder the decrease or withdrawal of these funds, the workings and the logic of the EU do not allow them to be withdrawn.
I do not agree, by the way, that these funds should be withdrawn. They are used for good purposes, beyond some publicity actions like fancy pavements on the main squares of villages, fountains and other well-publicised useless projects. They make it possible to revamp the university clinics in Budapest, a lot of sewage and other utility reconstruction in the slums and in rural cities, technology and building improvements for schools, transport reconstruction and renewal (all these are concrete projects taking place). And without the EU, the "small circles of liberty" we still have would not exist or would be much more limited. The Orbán (FIDESZ) government retreated on the media law, on the forced premature retirement of judges, on publicity taxes killing the biggest independent TV station, and much more.
It is still worth understanding how the EU works. It is not a superstate (it is supranational, true, but neither a state nor super); it is rather a co-operation framework. The Commission is more a regulatory agency than a government, in particular not in the sense of the executive branch of most European parliamentary democracies (where the party or coalition providing the executive also has the majority in the Parliament and thus, as the government implements the party programme in theory, it is able to win every vote in the parliament).
I do not think the basics need explanation here: the European Parliament has no governing party or coalition, all decisions require approval from the Council, which consists of the heads of state or government (the head of the executive according to the legal system of each country) of the member states, Commission implementing decisions (very limited and only possible when the directive or regulation voted by the Parliament and the Council foresees it) are reached through consultation with committees of experts of the member states and are subject to validation by the legislative (although ex post).
In my view the EU has three, relatively distinct coordination domains (not identical to the pre-Lisbon three pillars, though not unrelated):
First, the common market - this requires a lot of harmonisation concerning product standards, like quality and security requirements. I would classify the land-based and production agricultural support and agricultural market regulation measures here. Trade and competition issues also belong here.
Secondly, political co-operation, which is first of all a way to increase the weight of Europe in the world compared to its individual member states. Of course for this we have to talk with one voice, therefore a harmonisation of opinions is necessary, and sometimes some countries have to accept that their opinions are not represented - of course this only works if there are common goals. This is the practical reason why this only works when there are shared values (of course all political co-operation requires common values, and the values of Europe are noble and in the long term they ensure a lot of benefits, but let's stay on practical ground).
Thirdly, the interest of good co-operation and the common values also lead to the recognition that too big deviations in the level of development are unfavourable, and thus it is in the interest of the richer countries to help the poorer ones to develop, to approach them in living standards and in technical and social level. The structural funds are the means for that. Let us not go into the debate about how much of these funds are used in the donor countries, as goods and services are provided in exchange; similarly, an argument could be brought up that the awarding and managing authorities both also have an interest in favouring local suppliers. Formally speaking there is no possibility to promote either donor-country or local suppliers, but if one of these is possible, the other is also.
This interest in levelling is independent of whether a country "behaves well" in the political arena. Legally it is clearly separated, but linking them is also not practical - a higher level of economic development and integration can also foster the sharing of values, but not the other way round: cutting funds leads to resentment and even less sharing of values.
We do not like the practice of the government in Hungary that economic support depends on whether someone agrees with the politics of the government - why do we expect that from the EU? We have to solve our problems ourselves, not rely on blackmail by outsiders to do it for us.

Sunday, January 10, 2016

Both the Council of the EU and the LIBE Committee of the European Parliament accepted the compromise text of the new General Data Protection Regulation, which will be formally voted on in plenary and then in the Council in early 2016, to come into force in 2018.
The compromise text is available here.

Some important issues (based on the first analyses http://www.ashfords.co.uk/the-new-eu-general-data-protection-regulation-is-finally-here/; http://www.natlawreview.com/article/general-eu-data-protection-regulation-bullet-points)

The most publicised change is maybe the formal inclusion of the "right to be forgotten": that even when processing (mainly in the case of publishing) data was legitimate originally, with time the privacy interest of the data subject may override the interest in processing (the public's interest in knowing, for example).
All companies processing data of residents of the EU are subject to the regulation, whether seated in the EU or not.
Some points enhance the responsibility of the controllers (who determine the purpose and means of the data processing, are primarily responsible for it, and are usually the most interested party) and processors (who act on the instructions of the controller). The latter are explicitly responsible for their actions and can be instructed directly (without instruction from the controller) by the courts or by the data protection authorities.
A data protection officer must be nominated, stricter rules apply to the consent of the data subjects to the processing of their data, and the risks to the data subjects must be assessed before processing their data - within reasonable limits of proportionality. This risk analysis, on the other hand, gives companies the possibility to define for themselves what security measures are adequate.
The research community noticed with relief that those points which they thought would hinder scientific (mainly medical) research were softened. However, there are restrictions: pseudonymised data remain personal data, for example, with the resulting responsibility and rules to be complied with.
The much heralded "one stop shop" - making it easier for the data subjects to complain in case of cross-border processing of their data - gave some way to the convenience of the authorities but basically stayed in the text.
A compromise was found between the Parliament (which wanted 5% of turnover) and the Council (which wanted 2%) about maximum fines: it will be 4%.
Privacy by design is another new concept enshrined in the new regulation.
Transfer of data, the possibility to base the processing of personal data on the legitimate interest of the controller, and data portability (the possibility for the data subject to request that his/her data be transmitted to another controller, for example when changing a service provider) are also better defined.

Friday, November 27, 2015

Security vs liberties (and privacy)

No surprise that after every terrorist attack more surveillance, more intrusion into privacy (of prospective terrorists, of course) is demanded. Gladio (stay-behind) maybe already knew that...
There are several problems with this, I only want to reflect on one of them.
Some demands simply do not make sense, or their sense is not spelled out. Some are exaggerated (it is simpler to ask for everything than to set clear limits). And these excesses also discredit the justified requirements for measures.
A lot of noise is made around free travel within the Schengen area and passenger name records for flights. Should we add high-speed trains to this? Are movements between countries in the Schengen zone really the danger? Or just movement through rapid transport? Intercepting all cars at the borders would mean such a disturbance that it may not justify itself.
Not quite independently, draconian measures are in demand after the attacks - and attacks are not so frequent. Thus, sometimes these measures become more lax, and routine takes their edge off by the time the next attack is being prepared.
On the other hand, think about the measures in airline security, the seemingly ridiculous limitation on liquids. Everybody could invent ways to circumvent them. However, since their introduction, no attack occurred on airplanes by circumventing them. By the way, the European Commission, feeling the ridicule, wanted to abolish them, but national security experts resisted.
Security measures prevented the attackers from entering the stadium in Paris and wreaking much greater havoc than what they did.
These measures are inconvenient, but not a significant intrusion into our privacy. Significant intrusions are demanded with the argument that they help to track down prospective terrorists, to follow their movements and explore their plans. However, when two of the Paris attackers were questioned by the Belgian police and then let go, it is difficult to justify how more information, or information on more people, could have helped.
What is really missing is not more data, but more analysis of these data, drawing conclusions and acting on these conclusions - and these conclusions had better be sound, as arresting innocent people on the basis of data analysis would again discredit the whole exercise.

Saturday, October 24, 2015

Why does the refugee crisis boost the popularity of the Hungarian government?

It is commonplace that the inability of the European Union and its governments to manage the refugee crisis, and even to explain the complexities which prevent them from finding the solution ("For every complex problem there is an answer that is clear, simple, and wrong" - H. L. Mencken), helps extremists to increase their popularity. But the Hungarian government is not extremist (it just uses extreme statements to lure voters from the far right), it was not able to manage the crisis within its own country correctly, and there is no "mainstream" (real) force which could be blamed for being soft.
The explanation can be found in the attitudes and communication messages.
It is clear that people are worried; there are real and imaginary reasons behind that. And we know that people are looking for messages that reinforce their attitudes, not ones which contradict them (as we know from Klapper). And this they find in media which promote either the government's or Jobbik's (the extreme right party) point of view. They just exaggerate a little, and by that reinforce the fears, adding fuel by transmitting seemingly true information about an even bigger danger (spreading diseases, being terrorists, refugees being financed by obscure forces, be it the Islamic State to conquer Europe or the Jews or Americans wanting to bring down Europe - not being disturbed by the contradiction between these two messages - throwing away food, etc. etc.). As soon as the danger is perceived, all actions are justified to keep these people far away, to incarcerate them, humiliate them, send them anywhere but not here. And the effectiveness of these measures is not questioned. It is also useless that after two days all of these menaces prove to be untrue, based on falsified evidence or certified by "experts" who have no expertise and were eventually agents of the communist system. The message is there, and all previous wrongdoing is excused, news about continuing or new scandals ignored.
However, the increase in popularity does not compensate for the total loss suffered since the attempt to introduce an Internet tax. And the Hungarians are still in favour of a European solution, as surveys show.

Sunday, July 5, 2015

Miscellaneous

Although Sunday evening isn't the best time to blog, the last weeks were so full that it is worth reviewing some of the events.
As I write this, the first exit polls are out on the Greek referendum: they predict a narrow win for the "No", while the official data show an overwhelming "No". No is no, so what is the difference? Well, an overwhelming "No" would give a much stronger mandate for the government (as the count progresses, it seems "No" is over 60%) - oh wait, a mandate for what?
No one knows (pun not intended). We will see, what the Greek government does - they also had several proposals on the table, the last two or three maybe not so far from the proposal of the Troika - which is off the table but probably would be acceptable for them again.
While we wait to see, let's talk about Hungary (and also about the U.S. Supreme Court). It's Pride weekend, and just before it, SCOTUS (the official abbreviation of the Court) ruled that same-sex couples have a right to marriage. And this stirs waves in Hungary. OK, the decision to save Obamacare by correcting the badly written law is not so relevant, but that Hungarian Facebookers totally ignored the other decision (from early June) about a threat on Facebook is somewhat surprising. A man was writing on Facebook (apparently in a rap poem - according to experts it was disastrously bad) about wanting to see his ex-wife killed. He was convicted by a court, and actually isn't off the hook due to the Supreme Court's verdict. But the verdict reinforced the "clear and present danger" principle. If the husband really wanted to have his wife killed and called on others who could do it to do it, he is guilty (my simplistic interpretation). But if he did not really want it (here the "literary" expression comes into play), or it was unrealistic that anybody would do it, he is protected by freedom of speech.
Meanwhile Hungary is receiving almost as many refugees (asylum seekers) as Italy. And the government wants to seal off the Serbian border with a big and strong fence, costing 22 bn forints (itself sufficient to feed 14 thousand refugees for a year - although the decision to accept or reject their application for asylum should be taken within months, and a lot of them go further to the west). Let's forget about the money for the fake "National consultation" and the outrageous publicity campaign.
What is more important is that first a collection was started to counter the government's giant poster campaign. The estimated cost was 3 million forints (as compared to a hundred times as much for the government's giant posters), but within a week or so, ten times as much was donated by private individuals.
Then real actions started to emerge: groups of volunteers sacrificed their free time to help them, information leaflets were translated and printed (why only by volunteers? - the link is there, you can see what vital information it contains), and food, drink (there is a heat wave also in Hungary), clothes, toys for children, medicines, blankets etc. etc. were collected. The coordination runs on Facebook, even between groups in different locations, to try to warn when a bigger group is due to arrive (they usually have to travel changing at least once but sometimes more - see also the leaflet). But the group is kept closed to exclude those who would only post rude comments (I see them on posts on articles dealing with the problem).
I should close now on an optimistic note - it is heartwarming what these, mostly young people do and tell about the solidarity they encounter - people bringing donations, coming to help, travelling dozens of kilometres to go to help.