I have today been speaking at the IAPP conference at A&O alongside David Smith (UK Deputy Information Commissioner), Bruno Gencarelli (European Commission, Head of Data Protection Unit) and Wojciech Wiewiórowski (Assistant European Data Protection Supervisor). The conference yielded a number of really interesting insights, a number of which I highlight below.
First and perhaps most importantly, Mr Gencarelli made clear that, so far as the draft General Data Protection Regulation was concerned, the firm expectation within Europe was that the GDPR would be agreed by the end of this year. This is obviously important given that the apparently endless European wranglings over the shape of the GDPR had led some to question whether the GDPR would be finalised within the foreseeable future. Mr Gencarelli also pointed out that we could expect that, over the ensuing two year transition period, the GDPR principles would be further refined and developed, as the European Commission engaged in a trilogue with the European Data Protection Authorities and industry bodies. This inevitably suggests that the conclusion of the formal negotiations over the GDPR will not in any sense bring the process of developing European data protection principles to an end.
Mr Gencarelli also highlighted the significant impact which the EU Charter had had on the legal approach to data protection. As he put it, the fact that data protection rights were given specific protection under the Charter meant that data protection rights now had a greater legal resonance and significance than was previously the case. Notably, Mr Gencarelli’s observations on this issue obviously chime closely with the approach to the application of Charter rights adopted by the Court of Appeal in its recent judgment in Vidal-Hall v Google.
Mr Wiewiórowski also provided some fascinating insights into the European perspective on data protection. He reflected in particular upon the role being played by the CJEU in terms of pushing the privacy agenda within Europe under the existing Directive. Mr Wiewiórowski made clear that, in his view, this was a judicial trend which was itself born out of discussions on the new privacy-preoccupied agenda embodied in the Commission’s proposals for the GDPR. Thus, in effect, the EU judiciary was working in a highly dialectical relationship with the EU legislature to produce a new cultural approach to privacy rights within Europe.
Mr Wiewiórowski also made the interesting point that developments in the UK data protection jurisprudence had a disproportionately large impact on the development of data protection law within Europe as a whole. As he observed, this was not because UK lawyers and judges were seen as being cleverer than their European counterparts. Rather it was simply a product of the somewhat prosaic fact that UK judgments are in English, with the result that they are more readily comprehensible to our EU colleagues. Thus, he suggested that the Court of Appeal’s judgment in Vidal-Hall was now being discussed very widely within Europe, particularly because it was a judgment which could be accessed and understood by practitioners across the European piste.
Mr Wiewiórowski also made some very interesting observations about the approach taken within the GDPR to the ‘journalistic exemption’. As many readers of this blog will know, there is currently a debate going on within Europe as to whether the approach to the exemption proposed by the Council of Europe gives enough protection to classic journalistic freedoms. This debate has arisen particularly because the Council’s proposed text removes any reference to journalism per se. This has prompted many within the media to raise concerns that Europe is unacceptably seeking to dilute protection for journalists in a way that fundamentally offends against Article 10 of the European Convention on Human Rights and Article 11 of the EU Charter. Mr Wiewiórowski expressed the view that the scope of the journalistic exemption was perhaps one of the most challenging issues to arise under the draft GDPR and he was not at all confident that this issue would be satisfactorily resolved by the time the GDPR was finalised. These are obviously really important observations, not least because they suggest that existing questions as to how data protection rights are to be reconciled with Article 10 rights are unlikely to be finally resolved merely as a result of the enactment of the GDPR.
In terms of the domestic regulatory perspective, David Smith’s presentation very helpfully illuminated how the ICO was approaching the right to be forgotten regime.
On this regime, Mr Smith made clear that, since Google Spain was decided, the ICO had received approximately 200 complaints from data subjects in response to refusals by Google to delete particular links. Of those 200 complaints, roughly 150 had been decided in Google’s favour, with the remaining 50 being decided in favour of the data subjects. Mr Smith indicated that the ICO was now engaged in discussions with Google about this latter set of cases.
Mr Smith also made clear that the ICO had been impressed with Google’s overall approach to the right to be forgotten regime and that there were generally no significant differences of approach between the ICO and Google in terms of how the regime was to be applied. He did however indicate that one area of disagreement was as to whether Google should be notifying publishers when they receive requests from individual applicants. Google’s position on this issue is that typically publishers should be notified. By way of contrast, the ICO’s position is that notification should take place only in exceptional cases. Obviously, this divergence of view takes us back to the important and, as yet, unresolved question as to how data protection rights should be reconciled with Article 10 freedom of expression rights. Clearly as matters currently stand, Google is preferring a more pro-Article 10 approach than the ICO. Query whether Google will continue to adopt such a stance in future.
Notably, Mr Smith also made clear that the ICO’s view was that google.com should be treated as caught by the CJEU’s judgment in Google Spain. Again this is an important point. As matters currently stand, Google’s position is that google.com is not caught by the judgment. This has the result that users within Europe can potentially avoid all the amnesiac effects of the Google Spain judgment simply by setting their default browsers to google.com. Evidently the ICO regards this as an illegitimate loophole which Google should now look to close.
In terms of the wider question of whether the CJEU’s judgment in Google Spain had had a damaging effect on the internet as a whole, Mr Smith made clear that in his view that this was not the case. He pointed out that Google had now delivered important results for data subjects in hundreds of thousands of cases. By way of contrast, he said the ICO had received only a handful of complaints about deletion. Mr Smith pointed out that obviously the introduction of the right to be forgotten regime had not resulted in the internet grinding to a halt, and that it had not sounded the death-knell of Article 10 rights. Instead, what it had done in his view was deliver real tangible results for data subjects in a wide range of cases. As Mr Smith put it, what the judgment in Google Spain had achieved was the practical recognition within the online world of important human values, including values relating to the autonomy of the individual and the need for forgiveness.
Additionally Mr Smith made clear that, whereas once the ICO’s voice may not have been seen as an important voice in litigation on data protection issues, now the ICO was increasingly being recognised by the courts as an important contributor in legal debates on those issues. He used the ICO’s involvement in the recent case of Vidal-Hall as an illustration of this important development. As Mr Smith put it the effect of these developments was that the ICO could now be more active and assertive when it came to litigation on key data protection issues.
Finally, it is worth pointing out that Mr Smith, Mr Gencarelli and Mr Wiewiórowski all agreed that, so far as the concept of ‘personal data’ was concerned, the GDPR did not expand the existing definition. Instead, all it did was clarify the existing law, as adopted in the Directive. Notably, this is consistent with the approach taken to the definition by the ICO in the case of Vidal-Hall.
So much food for thought emerging from the conference. Incidentally, those who are interested in future IAPP events may like to note that the IAPP is holding its European Data Protection Congress in Brussels in December 2015. No doubt the congress will offer an important opportunity to debate some of the issues referred to above.