SafeGov recently had the opportunity to speak with the Inspector General of the Polish Data Protection Authority (Ochrony Danych Osobowych), Wojciech Wiewiórowski. Below is an edited transcript of our conversation.
EU Data Protection Regulation and the Future of Safe Harbor
Q: The proposed new EU Data Protection Regulation currently under debate will replace the 1995 Directive. Will the Regulation represent a significant tightening of the data protection rules that U.S. and other Internet firms must play by in Europe?
A: The Regulation is certainly a step forward. But the intention is not to make the 1995 requirements more restrictive. The text of the Regulation and the discussion that has ensued make it clear that in some ways the 1995 requirements need to be softened. The Regulation allows more scope for data protection safeguards that can be implemented by companies themselves rather than by regulators. For example, the treatment of Binding Corporate Rules (BCR) is a big change. The statutory laws under the 1995 Directive did not allow for BCR outside of Europe, but now that will be possible.
Q: Will the new Regulation abolish the Safe Harbor system negotiated between the U.S. and Europe to govern transatlantic transfers of personal data by Internet firms and other corporations?
A: The European Commission (EC) and the European Data Protection Authorities (DPAs) have had a long discussion about the future of Safe Harbor. As the Polish DPA, I have long been critical of Safe Harbor. But the enforcement efforts of the FTC have made me less skeptical. I don’t see anything in the proposed Regulation that would undermine Safe Harbor. The problem is not data transfer between Europe and the U.S., but between the U.S. and third countries. The dispute is whether the rules allow that. This topic has recently been reviewed by the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE). (For commentary on the debate, see here. For the working documents of LIBE Committee Data Protection rapporteur Jan Philipp Albrecht, see here.)
A: I can’t discuss the specific findings of the report because they aren’t public yet [note: this interview was conducted shortly before the release of the CNIL’s report on October 16, 2012]. However I can comment on the overall process. This investigation was an example of the coordination procedure among the DPA members of the Article 29 Group. Those procedures are not yet written into law, so in this case the CNIL report is based on what you might call a “gentleman’s agreement”. During the investigation the various DPAs commented extensively on the CNIL’s work and made proposals for the final document, which therefore reflects the consensus view of the group as a whole.
When the DPAs were investigating Google over the WiFi Street View incident we had some complaints from Google about inconsistencies from country to country. So in the CNIL investigation we have tried to improve this process. In the future the Regulation will formalize these procedures for cooperation among the DPAs. This example was a good trial run of how things should work in the future. That isn’t to say that the Regulation has completely solved the problem. For example, there is still debate about the selection and role of the lead DPA for cases requiring investigation under the Regulation.
Tracking Cookies, Behavioral Advertising, and Do Not Track
Q: The so-called EU “cookie rule” requires web sites to inform users and seek their consent before setting cookies on their devices. Does this rule reflect a general EC intention to adopt a more restrictive approach to web advertising?
A: First of all, let me point out that the so-called “cookie rule” is not part of the proposed new Data Protection Regulation, but belongs to a totally different piece of legislation known as the “Telecom Package” (i.e. the revised EU Framework for the telecom sector, revised in 2009). The Article 29 Group recently published its opinion on the EU cookie rule here. The Article 29 Group was invited to participate in the development of the cookie rule, but we weren’t necessarily convinced that the way the rule was framed in the Telecom Package was the right approach. That approach has been implemented in the domestic regulations of the EU member states. But I think the EC’s approach was too rigid and too restrictive. Right now the subject is being actively debated in the Polish Parliament.
While some of the privacy NGOs fully support the EC approach that requires explicit user consent for cookies, the Article 29 Group has a somewhat different view, which distinguishes among the many different kinds of cookies. The cookies that have a significant impact on user privacy are the tracking cookies, but not all cookies track users; some have purely technical purposes. The Article 29 Group believes that the tracking cookies are the ones that should be regulated by EU law. As a DPA, I support the concept of EU regulation of cookies and the need for explicit user consent, but it isn’t practical to require such consent for every kind of cookie. In Poland the government is proposing an opt-out approach to consent rather than opt-in. Of course other countries may adopt different rules.
Q: What is your assessment of the Do Not Track proposals being debated in the World Wide Web Consortium (W3C)?
A: The DPAs are very interested in Do Not Track. It currently looks like the debate in the W3C is deadlocked between online advertisers and privacy advocates. I agree with Neelie Kroes (EC Vice-President, responsible for the Digital Agenda) that Do Not Track is a desirable goal. [See Kroes’ recent statement on the subject here.] However, the formal specifications of a Do Not Track agreement will not necessarily provide an answer to the legal question of how the EU cookie rule should be framed. The discussions between the Article 29 Group and the online behavioral advertisers are not easy (for background see here). The problem is that the advertisers led by the Internet Advertising Bureau (IAB) only want a voluntary agreement. They don’t want anything formal that would be legally binding on them.
Q: Should the proposed new Data Protection Regulation require browsers to incorporate Do Not Track?
A: It’s important to understand that the Do Not Track discussion in the W3C and the Data Protection Regulation under consideration by the EU Parliament represent two different and quite separate tracks. The first, as I said, refers to a voluntary agreement; the second is a piece of legislation that will be binding law in the EU when it is passed by the Parliament. As the DPA of an EU member state, Poland, I am bound by Polish and EU laws and by international regulations that Poland and the EU have accepted. Voluntary standards such as those that may emerge from the W3C regarding Do Not Track are helpful. But they are not solutions in law. As far as the law is concerned, I believe that it must maintain strict technical neutrality. I am opposed to putting anything into the law that dictates what technical tools browsers must use. It’s not a good idea to create laws that say how cloud computing should be done, because technology changes so quickly. So I can’t support the idea of adding special rules for cloud computing to the Data Protection Regulation.
EC Powers under the Data Protection Regulation: Too Much?
Q: The new Data Protection Rule will grant the European Commission significant rule-making powers in the form of so-called “delegated acts”. A number of European DPAs have indicated their unease with these powers granted to the EC. What is your view?
A: There are two issues here related to the EC’s powers under the Regulation. First, the draft Regulation does grant the EC a lot of power to make additional rules under delegated acts. At this point I think everyone agrees that the EC went too far. Some delegated acts are necessary, but not all of them. So now we have to discuss which ones are necessary and which ones should be dropped.
The second issue is that the EC wants to have the power to intervene in individual cases that normally fall under the authority of national DPAs. This is a new principle for EU law and it poses some serious problems. One might argue that this is not what the EC is for. As an alternative to giving the EC this power, some have suggested that this power should be given to the EU Data Protection Board [the proposed future organization of EU DPAs that will replace the current Article 29 Group]. However, even in that case there would still be a problem. Suppose the Board were to intervene in a specific data protection case in Poland or some other EU member state. The question is what this intervention means for the local courts in that country. The courts might say that the Board is not a body recognized by the EU Treaty, that they are only bound by Treaty bodies, and that the Board – unlike the EC itself – is not such a Treaty body. So you see that this is quite a difficult and complicated issue, and there is a lot of discussion right now about how to resolve it.
Q: When do you think these issues will be resolved and the new Data Protection Regulation will actually be implemented?
A: We are expecting a final text by the end of the Irish Presidency in June 2013. I think the debate over what powers the EC should have under delegated acts will be settled by then. But some of the issues we have mentioned may still be under discussion then. For example, the issue of whether or how the EC can intervene in individual cases will be decided by the European Council and the Parliament, probably in the second half of 2013. I expect the Regulation might be passed by the European Parliament sometime in 2014. The Parliament’s rapporteur for the Regulation, Jan Philipp Albrecht, has suggested this could happen in the first months of 2014. But perhaps it would be more realistic to expect passage somewhat later in 2014.