Sunday, 9 October 2011

Does the Commission actually have the authority to make a data protection regulation?

Friends at dinner last night began a debate on whether the European Commission actually had a right to make changes to the current data protection directive by means of a regulation. Some of what they had to say was quite interesting, and repeatable, so I thought I should make some notes.

The debate was sparked off as we were about to see No Naughty Bits, a wonderful new comedy by Steve Thompson at the Hampstead Theatre. It followed the adventures of Michael Palin and Terry Gilliam as they travelled to New York in December 1975 to take on the ABC television channel – who had recently broadcast Month Python’s Flying Circus coast-to-coast, but without all the naughty bits. A court case followed. The play’s themes included freedom of expression and artistic integrity. We learnt about the nature of comedy, the operation of censorship and the misunderstanding of the Anglo-American relationship.

Sitting right behind me in the theatre was a comic from that era, the great Ronnie Corbett, who also found the play very funny – but that’s another story.

Anyway, we got onto this subject at the dinner table because I had pointed out the links between the ABC’s desire to make changes to a copyright work that they had only obtained a licence to broadcast, and a Commission desire to make changes to the data protection directive – and that both felt the changes were to be non-negotiable.

Ultimately, I suspect, this matter will be decided by the courts. Certainly not by us mere mortals having dinner in Hampstead last night. But, before the legal superstars weigh in (and before the mighty Chris Pounder opines on the subject in one of his Hawktalk blogs), I thought I would outline some of the arguments that are likely to be repeated for some time.

Starting at the basics (and with a suitable acknowledgement to Wikipedia) the Subsidiarity principle was established in EU law by the Treaty of Maastricht, and entered into force in November 1993. In very general terms, matters ought to be handled by the smallest, lowest or least centralised competent authority (the close to the citizen criterion). However, the European Commission may intervene when its actions:

• are necessary because actions of individuals or member-state governments alone will not achieve the objectives of the action (the sufficiency criterion);
• are necessary to bring added value over and above what could be achieved by individual or member-state government action alone (the benefit criterion); and
• will secure greater freedoms for the individual (the autonomy criterion).

So, the critical question is about whether this test can be successfully applied in the case of the data protection directive. I think it’s a very high threshold.

Counsel for the Commission are likely to argue that:

• The right to personal data protection is a fundamental European right.
• Transborder data flows mean it’s hard for Member States acting by themselves to safeguard individual’s rights.
• European citizens presumably need to enjoy the same level of rights wherever they are in the EU (no more or no less).
• Member States have not been particularly good at co-operating with each other and creating uniform data protection standards.
• It’s unlikely that they’ll be capable of greater co-operation in the foreseeable future.
• Current EU laws don’t appear to be particularly effective at ensuring the problems in the existing data protection framework will be reduced.
• A regulation is necessary because data protection issues affect a whole bunch of other legal rights that European citizens ought to enjoy, including:
- Respect for private life
- Freedom of expression
- Freedom to conduct a business
- Right to property
- Right to non-discrimination
- Right of the child
- Right to an effective remedy and a fair trial.

On the other hand, Counsel for those who oppose a regulation are likely to argue that:

• The global nature of data flows is such that European -wide laws are likely to have very limited degree of additional protection for individuals. It ignores the fact that regulation in this area is likely to work only if it’s global in nature, rather than regional.
• The “damage” done to individual citizens as a result of current laws is actually quite small, and there is no pressing case to suggest that any damage a citizen’s legitimate privacy interests would be significantly reduced by means of a regulation.
• Citizens in different Member States enjoy and expect different degrees of privacy. What is perfectly acceptable in one Member State is unacceptable in another (hence the argument for censorship of the Monty Python television programmes in America).
• There is no significant evidence that many citizens in different Member States actually care that the privacy laws are different in other Member States. Many people find it quaint that they live in different communities which share different values.
• Some Member States will find it unacceptable that this type of “social legislation” is foisted upon them and their citizens, as it represents a significant shift in legislative autonomy from the State to the Commission.
• The Commission ought to be prevented from micro-managing individuals’ lives.

I expect this discussion to carry on for some time. And I am looking forward to taking part in it, and seeing how it concludes.

Image credit:

Those who have seen, or will see, No Naughty Bits at the Hampstead Theatre, will certainly recognise it .