I was on a conference panel recently with an Irish solicitor who gushed enthusiasm for data protection, and made it sound… well, interesting. I carefully watched him perform his schtick, and I’m now ready to sing and dance for you on the same subject.
Here come the opening bars. Earlier this year, the European Commission proposed a major reform of the data protection legal framework. They cited the following as reasons: recent technological progress, globalisation, national divergences in enforcement of the current legislation, and trying to save businesses lots of money through simplification (around €2.3bn a year). The commissioner for justice touts it as one her ‘Justice for Growth’ initiatives – but then she sees many things under that heading. There are two legislative proposals in the data protection package: a Regulation setting out a general EU framework for data protection, and a Directive on protecting personal data in criminal investigations.
So far, so dry. But it has sparked passionate arias. One of the high-profile aspects of the Regulation is what has been termed ‘the right to be forgotten’ – in other words, the right to have material about yourself removed from the internet or other electronic location. I agree with that right. If there was a photo which I wanted removed from the internet – the Gazette photo which accompanies these blogs, say, which looks nothing like the Brad Pitt I resemble – I should be able to remove it. But not everyone agrees. Some say that the right conflicts with freedom of expression and freedom of the press. As a further example, I might be able to delete whatever I have posted myself on Facebook, but should I have the right to delete others’ comments about me on their own Facebook accounts and which I do not like, assuming that they are not defamatory?
Then there is the fact that there are two pieces of legislation on the one topic, the Regulation (for everyday protection) and the Directive (for criminal investigations). They have doubtless been separated because the Commission was afraid that the member states would never allow the passage of legislation which limited their trafficking of data on criminals, and so the Commission removed crime in the hope that the general Regulation would pass easily.
But the European Data Protection Supervisor (EDPS) has said that ‘[t]he processing of personal data in the area of police and judicial cooperation in criminal matters, which by its very nature poses specific risks for the citizen, requires a level of data protection at least as high as under the proposed Regulation, if not higher due to its intrusive nature and the major impact such processing may have on the individual's life’. It describes the Directive – which is for criminal investigations - as ‘a self-standing legal instrument which provides for an inadequate level of protection, by far inferior to the proposed Regulation’.
One of its particular concerns is the lack of legal certainty for the subsequent use of personal data by law enforcement authorities, and the absence of a general obligation for law enforcement authorities to demonstrate their compliance with data protection requirements. My own organisation, the Council of Bars and Law Societies of Europe (CCBE), has called upon the EU institutions to create a single comprehensive data protection regime that meets a consistent and high level of data protection.
The CCBE’s concern is also that legal professional privilege should be protected. As so often in draft legislation, the needs of professional secrecy are ignored. We have drawn attention to a number of provisions which, in our opinion, need to be changed. Under the current draft, a lawyer might be required to provide a client’s opposing party with information, and grant this party access to their data which was made known to him or her, provided the lawyer has recorded the data - which is clearly unacceptable.
On top of that, we have called for bars or law societies to be able to be sectoral supervisory bodies, to fulfil the function of supervisory authorities in place of territorial supervisory authorities. This is again not only to protect professional secrecy, but also because the powers available to a supervisory authority include the ability to impose a temporary or permanent ban on the processing of data.
It would be impossible for a lawyer to function without being able to process data; so the exercise of this power would amount to a breach of the fundamental principle of the independence of the legal profession, as it could be equivalent to a removal from practice of a lawyer by a person other than the appropriate professional regulatory authority.
As you can see, there is a lot to be excited about… before the curtain falls.
Jonathan Goldsmith is secretary general of the Council of Bars and Law Societies of Europe, which represents about one million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs