Almost four years after its initial proposal in January 2012, the finalised text of the General Data Protection Regulation (the Regulation) was agreed in December 2015. It is anticipated to enter into force in January 2018, bringing with it some major changes to the current European data protection regime.
One such change is in the application and extra-territorial scope of the Regulation. Previously, the Data Protection Directive 95/46/EC (the Directive) set out substantive provisions of data protection law, transposed into domestic law through implementing legislation (such as the UK’s Data Protection Act 1998). However, this regime pre-dated the explosion of the Internet and its unprecedented levels of cross-border data transfers. The result, acknowledged in the Regulation’s preamble, is that there is now a need for a “strong and more coherent data protection framework.” The Regulation will be directly applicable in Member States’ law and seeks to ensure uniform standards of data protection throughout Europe.
The extraterritorial scope of data protection law is also modified. The Directive applies where a controller not established in a Member State “makes use of equipment situated on the territory of a Member State” (Article 4(1)(c)). By contrast, Article 3 of the Regulation provides that it shall apply to such controllers or processors where their activities are related to (a) the offering of goods or services to data subjects in the Union; or (b) the monitoring of their behaviour within the Union. Defining the Regulation’s scope by reference to data subjects, rather than controllers, has the potential to further expand the ambit of European data protection law.
Another notable change is the express inclusion, at Article 17, of the “right to be forgotten” (RTBF). This provides a statutory foundation for the right derived from the Directive in Google Spain SL and Google Inc. v AEPD and Costeja. The right contemplated in Costeja is expansive, so there are numerous and widely drafted grounds on which a data subject may exercise it (Articles 17(a)-(f)). Notably, the subject may exercise this right against the data controller directly, with no requirement for prior intervention from a court or national data protection body.
Another introduction, at Article 17a, is the right, in certain circumstances, to restrict the processing of personal data. This means that, storage aside, the data may only be processed with a subject’s consent or in certain limited situations. Significantly, this right may be exercised in disputes over accuracy or where processing is objected to (pending verification) (Articles 17a(1)(a) and (c)). Personal data may thus be restricted prior to investigations. With huge fines contemplated for infringements of data subjects’ rights (Article 79(3a)), there seems every reason for controllers to err on the side of caution and restrict processing at the earliest opportunity. Once the threat of a fine is removed, there is little impetus for controllers to investigate and reinstate content with any urgency. The risk of a chilling effect on freedom of expression is clear.
Furthermore, the lack of clarity over who is a data controller is concerning. Costeja made clear that search engines are subject to the RTBF. If the Regulation is interpreted to include social media companies and other publishers (following the trend in cases such as Schrems) then the RTBF may evolve from a right to have material de-indexed to a right to challenge the publishing of material at all. If this occurs, particularly in the context of a regime in which takedown is increasingly the default position, then the allegations of censorship that were neatly sidestepped by the focus on de-indexing start to look more credible.
The new regime puts the data subject in control by prioritising quick, user-friendly ways for data subjects to manage data in the hands of controllers and processors. The Regulation places specific emphasis on transparent and clearly timetabled procedures for the implementation of data subjects’ rights (Articles 5(1)(a) and 12).
This is just a snapshot of the changes instituted by the Regulation: a vast harmonising piece of legislation that reflects the EU’s determination to impose its will on the culture of the Internet. It remains to be seen how effectively the objective of uniform and effective data protection can be achieved. But it is certainly a lofty ambition that will keep media lawyers busy for years.