December 31, 2014

This issue is dominated by predictions. I am most grateful to the many who responded to my call for predictions: you certainly entertained and intrigued me and I trust that the readers of the magazine will be similarly engaged and pleased.

What was striking though was how few respondents were tempted to take up my challenge to predict the date when the new EU data protection regime would be finalised. I should not have been surprised. With the ‘one stop shop’ having so many amendments of detail and challenges of principle that it may end up resembling a travelling salesman and a series of CJEU judgments that spotlight new holes in the existing regime, it is easy to believe that the various EU institutions and the many entrenched interests will carry on chewing at this bone into eternity. And I am going to take some convincing that the new crop of Commissioners have the commitment and energy of those they replaced – and without that, we may never see the major issues resolved.

The most recent cause for depression is Case 212/13 František Ryneš v Ú?ad pro ochranu osobních údaj? where the CJEU held that those installing domestic CCTV cameras are subject to the duties associated with data protection legislation. The Court had to rule on the effect of the Czech exemption from data protection regulation which provides ‘This Law does not cover the processing of personal data carried out by a natural person solely for personal use’. (The relevant ‘domestic purposes’ exemption under the Data Protection Act 1998 is wider but the distinction is probably not significant; it provides ‘Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.’) The Court followed principle and logic, and the advisory Opinion of the Advocate General, and ended up with a judgment which flies in the face of common sense. Yet another hole that the data reform package should fill in.

If the judgment is taken seriously (and what’s the alternative?), it would seem that every user of home CCTV where the coverage stretches beyond the curtilage will have to notify the ICO. Moreover, a number of respected commentators believe, and have convinced me, that the effect of the judgment is to require all the people who have filmed or photographed in a public area and then posted that film or photograph on the Internet, perhaps by putting it on Facebook, to notify the ICO that they are data controllers.

Failure to notify is an offence. So the CJEU creates many thousands, probably millions, of offenders (because people won’t do this). And, even if the fantasy was to be fulfilled and everyone read the judgment and decided to notify as a precaution, the result would be still be damaging: the value of notification as a regulatory tool would dissolve because the only people who had not notified would be babes in arms.

In a recent piece in Data Protection Law & Policy, Eduardo Ustaran, one of the most widely respected commentators on EU data protection, links recent judgments on the Data Retention Directive, the Google Spain ‘right to be forgotten’ and this Czech CCTV case and suggests that these amount to ‘a concerted attempt by the judiciary to stop the relentless march of the surveillance society’. I suspect that his view that the CJEU has decided to ‘to change the course of society’ is right (do read the article). But what a strange time to pick a fight if the data protection regime is to be rewritten and the focus is soon to switch to what the data reform package contains.

Moreover, two of those judgments are so flawed that they required ‘spinning’. The Google Spain case was swiftly explained as being all about balance (when the Court itself made carefully limited mention of competing rights) and this CCTV case was covered in a press release that had far more coverage of ‘legitimate interests’ (which might justify the use of CCTV in such circumstances) than the judgment itself. I fear that the belief that data protection is a fundamental right, endorsed by a recent joint statement from the Article 29 Working Party, is obscuring the need for balance when determining the reach of data protection legislation.

As someone who often finds himself defending the importance of data protection, I am far from convinced that, in a world where the most awful abuse occurs (and the EU is not immune from awful abuse), the protection of personal data is a fundamental right. If we are to defend the rights that are truly fundamental, we must be prepared to accept that not every important thing is ‘fundamental’. That does not mean that abuses of the right to data protection should be swept under the carpet and ignored; it means that we have to strive for balance, and apply a little real-world common sense too. Otherwise I predict that the data protection reach will exceed its grasp and, though Robert Browning may find such ambition admirable, I fear that a fragile object of real value may be shattered.