15 December 2011 - As reported in the EDRi-gram biweekly newsletter about digital civil rights in Europe (Number 9.24, 14 December 2011) (www.edri.org), last week, Europe got a look at the "General Data Protection Regulation", thanks to a leak by Statewatch. Get a copy here. Location data now figures in the definitions and protected rights in the new Regulation.
The new EC General Data Protection Regulation is due to be officially published on 25 January 2012 and will repeal the outdated Data Protection Directive from 1995. It keeps the Directive's key principles but takes into account technological developments since the 1995 Directive was introduced. It aims at greater harmonisation and more "coherent" rules: "Differences in the level of protection of the rights and freedoms of individuals may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law."
The draft regulation introduces new rights and new definitions - now including 'location data', as well as genetic and biometric data, and the definition of a data subject is extended to a person who can be identified directly or indirectly by the controller or "any natural or legal person". New rights include clearer rights on data portability, and it introduces mandatory reporting of data breaches and new competences and powers for supervisory authorities in terms of independence and capacity. Moreover, the regulation (article 63) establishes a European Data Protection Board which is going to replace the existing Article 29 Working Party.
The extracts below indicate where 'location' now figures more prominently in the new Data Protecton Regulation. Note the specific refrences to 'location' and/or 'location data' in the Preamble and Articles 3, 18 and 30.
===============
Proposal for a Regulation of the European Parliament and of the Council
on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Preamble
(22) Given the importance of the developments under way, in the framework of the information society, of the techniques used to capture, transmit, manipulate, record, store or communicate location data relating to natural persons, which may be used for different purposes including surveillance or creating profiles, this Regulation should be applicable to processing involving such data.
Article 3
Definitions
For the purposes of this Regulation:
(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
Article 18
Measures based on profiling
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour.
Article 30
Data protection impact assessment
1. Prior to the processing of personal data, the controller or the processor shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data where those processing operations are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes.
2. In particular the following processing operations are likely to present such specific risks as referred to in paragraph 1:
(a) an evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and likely to result in measures that produce legal effects concerning the individual or significantly affect the individual;
<end extract>
Why introduce a Regulation?
The original Data Protection Directive was published in 1995 and all EU Member States were required to enact national legislation to implement the Directive, just as with any other EU Directive. So why the promulgation of an EC Regulation this time around. Iin the addenda to the document, we see:
"Lessons learned from similar experiences in the past"
The present proposals build on the experience with Directive 95/46/EC and the problems encountered due to the fragmented transposition and implementation of that Directive which have blocked it form achieving both its objective, i.e. a high level of data protection and a single market for data protection.
<ends>
Note that Directives are implemented by EU Member States via their own national legislation, which often does not follow the principles and/or 'rules' set out in a Directive (which is why EU states are then taken to court until 'transposition' is considered to be complete and adequate). However, in the case of an EC Regulation, it becomes law across all EU States as soon as published in the Official Journal (although there are typically stated time frames by which or within which the regulation's rules come into affect). In the case of the Data Protection Regulation:
Article 91 - Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply as from two years from the date referred to in paragraph 1.
<ends>
So if the Regulation is published on 22 January 2012, it will come into effect from 21 January 2014.
It is also worth looking at the 'Legislative Financial Statement' at the end of the document (beginning p. 96 of the 116 page document) to see more about implementation and its impact.
Reporting by Roger Longhorn
vice-Chair, Communications, GSDI Assoc. Outreach & Membership Committee
Member, GSDI Assoc. Legal & Socioeconomic Committee - www.gsdi.org
Editor, SDI Magazine - This email address is being protected from spambots. You need JavaScript enabled to view it.
