The Imitation Game

In the media this week there’s been a fair amount of speculation as to when the EU General Data Protection Regulation (GDPR) is likely to see the light of day. Some commentators are speculating that sign-off by the European Parliament, Council of Ministers and the European Commission won’t happen until Spring 2016.

Earlier this year, a joint statement by EC vice president Andrus Ansip and EU Commissioner Věra Jourová indicated that GDPR could become law by the end of 2015. Perhaps this was wishful thinking?

And this week, some 60 pressure groups including the UK’s Open Rights Group, Liberty, the Dutch Consumer Council and the US Electronic Privacy Information Centre have written an open letter to EU President Jean-Claude Juncker outlining their concerns over the way GDPR is currently drafted and warning that, as it stands, it will erode rather than strengthen existing data protection and privacy law.

To some extent, the politicisation over the precise wording of GDPR is beside the point. There’s enough evidence out there to show that Data Protection Authorities (DPAs) across the EU are already applying the risk-based principles of GDPR. In other words, DPAs are acting as if GDPR already exists. It’s a case of the ‘Imitation Game’.

Movie goers will recognise the link. In the film of the same name, a group of cryptanalysts break the German Enigma cipher with the help of Cambridge maths genius Alan Turing (played by Benedict Cumberbatch), whose work went on to lay the theoretical foundations of modern computing.

80 years later

Fast forward nearly 80 years and companies are now adept at deciphering intimate and sensitive data on just about every aspect of our online and offline lives, in order to drive their vast business empires.

The fact that the European Parliament has already voted on GDPR is evidence that the time for talking really is over and what’s now required is action. Hanging on to the outdated Data Protection Directive 95/46/EC isn’t really an option.

However, it isn’t as simple as that.

During the first reading of GDPR, some 4,000 amendments were proposed to the European Commission’s draft, and the European Parliament adopted its first reading position on 12 March 2014.

The Council of Ministers is now poring over whether to accept the European Parliament’s position. If it does, the GDPR is adopted. If the Council doesn’t adopt all of the European Parliament’s amendments, or wants to introduce its own, it adopts a first reading position of its own, which then goes back to the European Parliament for a second reading.

And this is where things are right now.

The Council is expected to announce its position very soon, although there’s no time limit on how long it can take to deliberate on its position on GDPR, which is part of the frustration felt by many data protection and privacy professionals.

Make your mind up time

When the Council eventually makes up its mind on its first reading position, it is back to the European Parliament to examine the Council’s position, and this could take three to four months of deliberation.

A European Parliament committee, the Civil Liberties, Justice and Home Affairs Committee (LIBE Committee), is tasked with drawing up a recommendation for Parliament’s second reading.

At this stage of the game, the text to be amended is the Council’s first reading position rather than the original European Commission proposal for the GDPR that first saw the light of day way back on 25 January 2012!

Likely outcome?

Good question. It depends on how far the Council has altered the text, and therefore on whether the European Parliament decides to expedite matters and approve the Council’s first reading position.

If it does, the process speeds up. Of course, there are likely to be some tweaks and further amendments to the Council’s first reading position on GDPR. In other words, concessions are likely.

But the good news for GDPR watchers is that about 80% of all EU laws are now agreed at first reading, and in fact most of the law-making takes place behind the scenes. This is the ‘trilogue’ phase, which isn’t mentioned in the EU treaties but is specifically designed to speed up the cumbersome EU legislative process.

Three-way split

Informal meetings behind closed doors will take place between:

  • European Parliament (represented by the Rapporteur and shadow rapporteurs)
  • Council of the European Union, i.e. the Council of Ministers (chair of the Working Party and/or the Permanent Representatives Committee)
  • European Commission (the Directorate-General responsible for the dossier and the Secretariat-General).

In these informal discussions, the Commission’s role is that of mediator or facilitator of compromise texts, but because of its expertise and resources it can have significant influence over the final drafting that’s produced.

Thinking of where to put a data centre in Europe?

Some Governments are blatantly cashing in on the current situation by offering a ‘safe place’ for organisations to continue to ply their trade without tripping up over the forthcoming GDPR.

For example, at the IAPP Europe Data Protection Intensive held in London earlier this month, Dara Murphy, Irish Minister of State for European Affairs and Data Protection, was making such a pitch to IAPP members.

In his address, Murphy made the point that Ireland had become the first EU Member State to create a Ministerial position with respect to data protection and he acknowledged what this meant to the Irish economy.

“We have in our country 29 of the top 30 digital companies in the world and nine of the top ten companies born on the internet. Many of them have their European HQs in Ireland. One of the key priorities we set when we had our reshuffle a couple of months ago was to up the role and importance of data protection within government.

“We’ve doubled our expenditure, opened a second office in Dublin and significantly increased the number of staff.”

Whilst promoting the principle of balancing the benefits to be gained through data-sharing, analytics and innovation, Murphy was also careful to stress the importance of protecting citizens’ rights.

“The work ahead is to put the right of the citizen at the heart of everything lawmakers do with an eye toward reducing administrative burdens and providing a consistent application of rules that foster an environment that creates jobs and growth while simultaneously protecting civil and digital rights and privacy.”

Murphy reflected the mood of many at the IAPP conference that the pace of data protection regulation has picked up remarkable speed and that the existing laws that were developed nearly a decade before most of the tech giants existed were now looking “ridiculous”.

However, conscious that he was there to “sell” Ireland to global businesses thinking of putting a data centre in Dublin, Murphy added that he didn’t believe in “exemplary fines”. The signal, presumably, was intended to encourage more inward investment by presenting Ireland as having a Data Protection Authority that is on the side of big business and in favour of a strong digital market in which business has the capacity to function.

An astute PR move, but the EU Regulation is intended to reduce, not exacerbate, the differences in approach to data protection and privacy that currently exist across the EU and that have caused much of the present uncertainty and confusion.

Start making plans for the GDPR mechanism now

“Many organisations that are ahead of the curve are mitigating their risks of an ICO investigation by taking educated guesses on how portions of the forthcoming GDPR will come into reality,” explains Martin Hickley, a leading data protection and cyber security expert.

He adds: “For example, many have started making plans where under GDPR they will need to respond to complaints through a one-stop shop mechanism, respond to subject access requests for the right to be forgotten, put in place a higher standard for data transfer and encryption of data that is accessed within the enterprise as well as the pseudonymization of that data among other measures.”

But questions remain, and clarity on the following points will be required before organisations can fully prepare themselves for life under the new EU data protection and privacy mechanism:

  • How will GDPR help to harmonise the way data processing and compliance is conducted within the EU, as well as outside it?
  • What should large multinational organisations do regarding the one-stop shop mechanism if they are significant data controllers across several jurisdictions, both within the EU and outside it?
  • Will Data Protection Authorities (DPAs) look at mutual recognition systems such as Binding Corporate Rules (BCRs) and apply the same logic to the one-stop shop? Under BCRs, a lead DPA is backed by two supporting DPAs in approving a company’s data transfer process.
  • How will GDPR apply to situations where the company is both controller and processor of a vast quantity of data?
  • What will the data protection seal, the assurance mark for data protection and privacy, look like?
  • Will the Safe Harbor Principles need to change as a result of GDPR?

Hickley concludes: “My advice is to conduct a data protection impact assessment (DPIA) without undue delay across the whole organisation rather than on a project basis, which is a mistake often made by many organisations that I advise. Ask yourself the question: where do you sit now in relation to what’s been published about GDPR so far? And what do you need to do in order to be compliant before it’s too late?”
