Strengthening individuals’ data protection rights

Much of the proposed modernisation addresses individual rights in the digital environment (European Commission, 2010c, p. 5; 2012, Recital 5). Not all proposals add up to regulatory innovation that could offer new responses to a technical paradigm shift.⁵⁵

54 Online behavioural advertising, for example, where each component - online tracking, behavioural profiling and targeted advertising – would be covered by both instruments simultaneously.

55 Provisions relating to children have not been covered by the Task Force.

 Clarification

In parts, the legislative proposal clarifies and removes certain ambiguities:

- In the definition of consent, a statement or affirmative action is a prerequisite (European Commission, 2012a, Art. 4(8));

- The nascent separation principle also clarifies that consent is not “freely” given where the data subject has no choice not to consent (European Commission, 2012a, Recitals 32, 33).

Neither proposal reforms the law, but may out-law practices that relied on interpretations according to which the consent mutates to a right to object (Kosta, 2013). While Task Force participants stress the need for flexibility and shared responsibilities, as well as the benefits of free online content for consumers, pervasive commercial practices essentially place the opportunity costs of managing privacy on individuals.

Germany, and possibly the new EU framework, foresees a lighter form of the separation principle, which requires that the request for consent for additional data processing must be prominently separated. The economic evidence would also support measures that reverse dynamics in online transactions to the benefit of users and consumers (see section 3.3.4).

Some Task Force participants cautioned that, as a result, a “privacy divide” can emerge where those who can afford privacy enjoy it. However, it also emerged that businesses are specifically interested in this segment of the population that is happy to pay a premium for privacy. What other consequences of a separation principle would be, beyond the possible need to determine what is a fair premium for privacy (which may require regulatory intervention), cannot be predicted.

The regulatory treatment of consent in a situation of significant imbalance between the data subject and the controller is still very much in flux. Originally inferred as a safeguard in employment relationships, this provisions now oscillates between dominant firms in a consumer relationship and other situations that are critical for free decision-making, e.g.

individual insurances. Participants of the Task Force were particularly sensitive to expand the provision to dominant firms per se. Perhaps a clear separation principle under fair conditions would suffice to address the concern regarding online service, be they free or for remuneration.

 Extensions of existing rights

Certain rights of the data subject in the draft proposal for a general data protection Regulation could be better perceived as extensions of existing rights:

- The right to be forgotten as an extension to the right of erasure (Art. 17) (Kuner, 2012a, p. 11);

- The right to data portability as a modern means to access one’s own personal data, but with the new edge to transfer it between providers (Art. 18).

The right to be forgotten appears to be most controversial where the controller has made the personal data public, not the least because of the right to freedom of expression. Leaving the arguably legalistic exercise of balancing conflicting fundamental rights to the controller may potentially result “in a chilling effect on use of the Internet” (Kuner, 2012a, p. 11; see also FRA, 2012, p. 15f.).⁵⁶ Beyond clashing fundamental rights, the right to be forgotten and erasure is designed as a best effort approach and requires the controller to inform third parties that are processing the personal data about the data subject’s request “to erase any links to, or copy or replication of that personal data” (Art. 17(2).

 Regulatory innovation

The rules on data portability and profiling are new to the fabric of personal data protection and can therefore be considered regulatory innovation (European Commission, 2012a, Arts 18, 20).

The right to data portability is a highly controversial issue, largely because it is not clear from the legislative proposal whether this is a ‘lex social network’ (European Commission, 2010c, pp. 7ff; see also De Hert & Papakonstantinou, 2012, p.138) or would concern every other context, such as electricity providers and banks. The feasibility of implementing the portability of personal data and the extent to which this implies mandating electronic data exchange formats are also contested points (Art. 18(3)). The principle of portability is, however, capable of significantly strengthening individuals’ rights where personal information is compiled over time and could be transferred to a different provider (Costa &

Poullet, 2012, p. 527; De Hert & Papakonstantinou, 2012, p.138).

The concern about profiling, which is now within the reach of nearly every controller of systematic personal data collections, is difficult to pin down. While the draft proposal for a general data protection Regulation appears to settle for regulating measures based on profiling, a few Task Force contributors expressed caution about the very process of creating personal profiles (Leenes, 2013) and possibly discrimination and indirect processing of sensitive data in algorithms (De Hert & Papakonstantinou, 2012, p. 138; Korff, 2012).⁵⁷ Several legitimate bases for profiling would be offered. However, the threshold for measures legitimately based on profiling is comparatively low and the interests of the data subject not

56 See also the provisions on the processing of personal data for journalistic purposes or artistic or literary expression and freedom of expression in the draft proposal for a General Data Protection Regulation (Art. 80).

57 See also the definition used by the Council of Europe (2010, at 1(e)) regarding profiling: “an automatic data processing technique that consists of applying a “profile” to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”.

to be subject to profiling in a commercial context, except where explicitly consented to, would not be specifically protected.⁵⁸