So, did Commissioner Reding show her softer side when the Justice Council discussed the Data Protection Regulation proposals on 8th March? UK media got excited about the prospect of her giving ground in the face of pressure to make changes. Having read her intervention during the debate, all I can say is, if you think this is soft, what do you use for toilet paper?
Firstly, on the timetable for passing the Regulation. The outside hope for those opposed to the proposals is for the schedule to slip until the Lithuanians take over the presidency of the European Union. (Or even better, that it drags on for a further six months until Greece is in charge, by when there will be little chance of it becoming law.)
According to Reding, “all the elements are falling into place to make decisive political progress on this crucial political dossier under the Irish Presidency.” In other words, no slippage is expected on the published timetable.
Secondly, on lobbying for a more risk-based approach suggested by, among others, the UK’s own Information Commissioner. The Irish presidency has suggested that different criteria could be developed for each level of risk. In response, Reding said that, “we are not here to create a toy for the lawyers of multi-nationals.”
That is the clearest possible indication that the objections of Facebook and Google (among other US companies pressing hard for changes) are not welcomed. Reding argues that her proposals offer simplicity and certainty. “Complexity creates costs. If you Ministers force the butcher on the corner to prove he is not a data protection risk, you will deserve the ‘Nobel Prize for Red Tape’,” she said. No sign there of any softening of the prescriptive approach that has been adopted.
Thirdly, many digital marketers have been worried about the expansion of the definition of personal information to include IP address. Reding noted that a key law suit in the Court of Justice has already established that IP addresses are personal data. Not only is the Commission unwilling to alter a legal precedent, it also does not want to reduce the level of data protection in Europe. In fact, Reding explicitly said this was something she will not accept.
Starting to think that claims of a softening were misguided? There’s more. Reding made it clear that anonymous data is outside of the scope of the Regulation because there is no risk. But pseudonymous data, which many practitioners have been viewing as their great white hope (not least because there are technology vendors just itching to sell their solutions), offers difficulties that the Commissioner wants to ensure are also covered. “Pseudonymous data is personal data,” she affirmed. It must not become “a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions,” she said.
Still, there was some good news - especially if you are one of those lawyers (or a provider of consultancy and data services). Reding underlined that SMEs are exempt from the requirement to have a data protection officer (DPO). But she also said there is no obligation to create a new position - DPOs can be full or part-time, employees or external advisors. This does represent a significant cost-saving for businesses which had feared the need to spend up to £100,000 a year on a DPO.
And that is as soft as Reding got. Nothing in her speech suggested that big changes would be acceptable to the Commissioner, which implies a major political battle if the Parliamentary committees try for them. For Reding, it seems, soft is a four-letter word.
Note that the ICO will be giving an update regarding the legislation at this years dataIQNOW! Conference - you can find out more at www.dqmgroup.com/now2013