RESPONSE OF HOGAN LOVELLS INTERNATIONAL LLP TO THE MINISTRY OF JUSTICE'S CALL FOR
EVIDENCE ON THE EU DATA PROTECTION PROPOSALS
Introduction
Hogan Lovells is an international law firm with one of the largest privacy practices in the world.
We operate from more than 40 offices worldwide and have a team of over 50 lawyers who
regularly advise clients on privacy matters across the globe. The proposals for change to the
European data protection regime have attracted enormous interest across our client base.
We welcome the opportunity to take part in the Ministry of Justice's call for evidence on the EU
data protection proposals. We have provided information to clients and others on the proposed
changes on a regular basis through our privacy blog, available at www.hldataprotection.com. We
have conducted general briefings to clients as well as many presentations to individual
organisations. On 29 February 2012 we held a breakfast briefing session in London for clients
where we sought and obtained views on the impact of the proposals made by the European
Commission. This document contains a distillation of our own observations and comments made
to us by clients since the proposals first became public knowledge.
1. STRUCTURE OF THE NEW LEGISLATION
The lack of harmonisation in EU data protection law has been awkward and expensive for
business. The proposal for a Regulation (as opposed to a revised Directive) is therefore
welcome. However, as set out further below, unless further clarity is introduced into the
proposals the possibility remains that courts in Member States may come to different
interpretations of the law. The consistency mechanism introduced by the draft Regulation
is not sufficiently robust to address this problem.
2. BASIC PRINCIPLES
While we detect no appetite amongst our clients to change the basic principles of data
protection law, our clients do need clarity on the application of those principles. One area
where there has been enormous confusion over the last 10 years is the definition of
"personal data". In English law, following the decision of the English Court of Appeal in
Durant v Financial Services Authority [1], it is clear that the term "personal data" must be
given a narrow interpretation. Information will not qualify as personal data unless it
focuses on the relevant individual and is biographical in a significant sense.
By contrast, the general view of European data protection authorities is that the 1995
Directive contains a broad notion of personal data [2].
The impact of this difference of interpretation is profound. Under the interpretation given
by the English Court of Appeal, the vast majority of business emails would not fall within
the definition of personal data. On the other hand, following the Opinion of the Article 29
Working Party and also the jurisprudence of the European Court in the Lindqvist case [3],
since emails refer to both sender and recipient in such a way that they can be identified,
the emails concerned would contain personal data. This results in considerable
uncertainty when businesses are trying to decide what rules should be adopted when
processing and storing business emails or when they are required to produce the
contents of emails to a third party.

[1] [2003] EWCA Civ 1746
[2] Opinion 4/2007 on the Concept of Personal Data, adopted by the Article 29 Data Protection Working Party on 20th
June 2007, page 4. There is no mention in the Article 29 Working Party's 2007 Opinion of any requirement of focus
or any stipulation that information be biographical to any significant degree.
[3] Case C-101/01, Criminal Proceedings against Bodil Lindqvist, 6 November 2003
The guidance of the UK Information Commissioner [4] is not specific on this point, although
it appears to follow the Opinion of the Article 29 Working Party more closely than the
decision in the Durant case. However, his guidance is not the law, and in the absence of
a Supreme Court case to the contrary, or an Act of Parliament, the Durant case will
remain good law in the United Kingdom. Since the definition of "personal data" is not
substantially different in the new Regulation, we fear that this significant difference of view
may continue.
3. THE COST OF COMPLIANCE
In its press statements on 25th January 2012 the European Commission emphasised the
savings in cost which the abolition of the notification requirement would entail. It is
certainly true that there is very little support indeed for a continuation of the notification
requirement in its current form, and business will welcome the end of a system which has
obliged them to make notifications in different formats in most countries of the European
Union.
However, there is a considerable fear that costs saved by the abolition of the notification
requirement will be exceeded by the costs of creating internal processes for the sole
purpose of complying with the new Regulation. In particular, there are specific
requirements concerning new documentation, accountability, the appointment of data
protection officers, the performance of impact assessments, compliance with the new
rights to be forgotten and rights of data portability, the enhanced requirements of
notification to data subjects and the extended contents of contracts between data
controllers and data processors. In all likelihood, many business processes will have to
be changed. For example, processes which currently do not rely on explicit consent from
individuals will have to be redesigned so that explicit consent is obtained in future, unless
an alternative basis for processing exists.
It is not possible at present to quantify the amount of these costs and we do not think that
the Commission has sufficiently evaluated them in its impact assessment.
There is considerable scepticism as to whether the documentation requirements of Article
28 of the Regulation will be proportionate for all companies with more than 250
employees. The amount of documentation which employees will have to read in this and
other regulated areas is overwhelming. It will differ from one organisation to another.
Companies in regulated industries may already have detailed processes in place, and
should not be subject to yet another layer of regulatory procedures unless there is a clear
case for doing so following a risk-based analysis. There is a strong argument for
stipulating that businesses should have to follow clear principles rather than being
required to document everything they do. We concur with the Information Commissioner,
who stated that "Again there is too much emphasis on mandating the bureaucracy of data
protection when the objective of the Regulation is the protection of personal data in
practice rather than the creation of paperwork".
4. THE "ONE-STOP SHOP"
In its press statements the Commission made much of the introduction of a "one-stop
shop" for compliance, with controllers and processors being subject to a single
supervisory authority rather than (potentially) several. However, there is no provision in
the draft Regulation which enables groups of undertakings with subsidiaries in many
countries to be subject to a single regulator in the country of their main establishment in
the EU. Given that groups of undertakings can appoint a single data protection officer,
this seems anomalous, and the absence of the provision also significantly undermines the
Commission's wishes to provide an easy means of achieving compliance across the EU.

[4] Data Protection Technical Guidance - Determining what is personal data, 16 August 2007
5. TRANSITIONAL PROVISIONS
The Regulation contains nothing about transitional provisions. It may be that these are to
be left to delegated legislation to be issued by the European Commission in due course.
However, it is of considerable interest to business to know whether procedures which are
acceptable under current legislation can be continued for any length of time once the new
Regulation is issued, or whether processing will effectively become unlawful overnight.
For example, if processing is based on a form of consent which is arguably not "explicit",
is that to be rendered automatically unlawful when the new Regulation takes effect? It
could require, for example, financial services companies to obtain millions of consents
from their customers which both company and customer may find profoundly irritating. We
do not think that this aspect has been sufficiently weighed in the Commission's impact
assessment.
6. IMPACT ASSESSMENTS (ART. 33)
It is clearly right that processing which is likely to have a significant impact on the privacy
of an individual should be subject to particularly careful consideration. It is to be
questioned, however, whether it is necessary for the data subjects to be consulted on
each such occasion. For example, if a bank is making automated decisions concerning
creditworthiness, should it really have to invite customers or their representatives to
comment on its logic processes? We do not think that there is a significant demand for
this kind of consultation, and any perceived unfairness in assessing customers for loans
and other forms of financial products is just as likely to be corrected by market forces as
by data protection law.
7. NEW RIGHTS TO BE FORGOTTEN AND RIGHTS OF DATA PORTABILITY (ARTS. 17 AND 18)
As expressed in the draft Regulation, the right to be forgotten includes the right for data
subjects to require the deletion of data as soon as they are no longer needed for the
original purposes for which the data were collected, or upon the data subject's
withdrawing his or her consent, if consent was the original basis for the processing.
These rights are already included in the 1995 Directive, and are not controversial. Article
17(2) of the Commission's proposal then imposes on the controller the obligation to "take
all reasonable steps" to inform third parties about the need to erase the data. This
obligation is fraught with difficulties:

• In social networks, the controller or co-controller will often be the data subject.
The Commission's proposal gives the incorrect impression that the hosting
provider is the controller and will therefore be responsible for implementing
technical means to help the data subject obtain the erasure of his or her data on
third party platforms. The hosting provider may indeed provide technical solutions
to help the data subject reduce the visibility of previously published material [5], but
a careful impact assessment is needed before these technical solutions become
regulatory obligations for Internet intermediaries.

• If a data subject previously gave his or her consent to the data controller sharing
personal data with a third party, the terms of that original consent should continue
to apply. If the consent is revocable, then the third party should be required to
erase the data immediately upon withdrawal of the consent. If the consent is
irrevocable, however, the third party and the data controller should be entitled to
rely upon the consent. By giving data subjects an absolute right to withdraw their
consent regardless of the terms of the original agreement, the Commission's
proposal will destroy contract rights that third parties rely upon.

• Our clients underline how potentially dangerous the right to be forgotten can be
with regard to other fundamental rights, such as freedom of expression, or the
legitimate right to build a data-centric business. These rights must in all cases be
balanced. We strongly suggest that the provisions of the Regulation should
reiterate the rights that are already contained in the OECD Guidelines and the
1995 Directive, which give data subjects the right to rectification, erasure or
blocking of data the processing of which does not comply with the provisions of
the Regulation. Where these rights are not sufficiently enforced, then new
measures should focus on that problem instead of creating a new right the effects
of which are not sufficiently understood.

[5] Some market solutions are available today.
The right to data portability seems to be focused on a competition law objective, reducing
switching costs between service providers, rather than a data protection objective. It
therefore exceeds the scope of Article 16 TFEU on which the proposed Regulation is
based.
The Commission's proposal no doubt has social media in mind. But data portability would
apply to all sectors of industry: banking, insurance, healthcare, telecommunications, etc.
The Community legislature has in the past introduced number portability for
telecommunications operators, and some Member States have enacted specific
provisions imposing portability in other industries (e.g. the UK for the banking industry).
The Commission proposes an across-the-board portability obligation, but has not
analysed the impact of that proposal, nor whether there are specific market failures
warranting such an intrusive economic regulation. If the Commission had done a market
analysis, it would have found that even in the field of social networking, the market is
evolving quickly and that regulation is no doubt premature. Google+ makes data
portability a commercial argument to attract customers away from Facebook. In other
industries (e.g. banking in certain Member States), data portability may be a good idea to
increase competition, but a privacy regulation is the wrong vehicle to use to address this
issue.
The creation of a right to data portability also raises the complex issue of whether a data
subject has a property interest in his or her personal data. Economists are divided on this
controversial issue, and the Commission's proposal goes too far down the road of
recognizing a property right in personal data, where none has heretofore been
recognized.
Both the right to withdraw consent and the right to be forgotten require further
consideration as to how they would be operated in practice, for example in the following
circumstances:

• If there are joint customers for a financial services product and one wishes to
withdraw consent or be forgotten, what impact will that have on the processing of
data in relation to the other customer?

• Where there is an ongoing service such as a current account or a product such as
a loan, what is the impact of a customer seeking to withdraw consent to
processing of their data or asking to be forgotten? For the current account,
should this be treated as a request to terminate the account? Should there be a
minimum timescale before such a request can take effect? What is the impact on
transactions the customer tries to carry out after withdrawing consent or asking to
be forgotten? For a loan, further processing will always be required, not just on a
restricted basis, for example for the purposes of proof.
In our view, this whole area requires significant further consideration.
8. DATA BREACHES (ARTS. 31 AND 32)
We have considerable experience of advising clients in relation to data breaches. In
practice we find that the full facts surrounding a data breach emerge only over a period of
time. Rarely, if ever, do they become clear within a period of 24 hours. We feel that any
requirement (or encouragement) to report data breaches within 24 hours is likely to lead
to misleading or inaccurate information being provided to regulators in the first place, with
no corresponding benefit for the affected individuals.
We also query whether there is a good reason to notify data subjects except in the most
serious cases. In the vast majority of instances we have handled the information
concerned has not been misused but has merely been mislaid or accidentally destroyed.
However, if notifications are made then there is a greatly increased possibility that
miscreants may appreciate the true value of the information they have in their possession
and be able to misuse it to the ultimate disadvantage of data subjects.
The threshold for notifying both data subjects and supervisory authorities should include a
materiality standard, such as: "likely to adversely affect, in a serious manner, the
protection of the personal data or privacy of the data subject". The Commission's
delegated acts would then define how that threshold would apply in given circumstances.
Under the current wording, any likely adverse effect, no matter how minor, would trigger a
notification obligation.
9. PENALTIES (ARTS. 78 AND 79)
It appears odd to our clients that the list of penalties which attract the highest fines is also
the longest list. There are many activities set out in Article 79(6) which do not appear to
us to be of particular seriousness. Furthermore, the fact that the Commission has given
itself the right to alter the amount of the penalties means that businesses are left in some
uncertainty as to what the ultimate sanction against them may be. The levels of penalties
should, we feel, be set by legislative act and not by administrative decision.
10. JURISDICTION (ART. 3)
The jurisdiction provisions in the Regulation represent a radical change from the current
position, and many organisations which are not subject to the Data Protection Directive
will find themselves subject to the new Regulation. If that is to be the case, then the
operation of the relevant provisions must be clearly understood. For example, if offers of
goods and services are to be taken as a basis for exercising jurisdiction, does that include
passive sales? If a vendor in the United States does not actively target customers in the
EU, but nevertheless allows EU customers to select their delivery address by means of a
drop-down list which names their country, does that constitute an activity which should
make the vendor subject to EU jurisdiction? We suggest that the "offering of goods and
services" be replaced by the criterion of "targeting" EU residents, in order to be consistent
with CJEU case law on the applicability of EU law for purposes of intellectual property
infringement.
The "monitoring" criterion is also too broad. If a financial institution in the United States
monitors transactions between its U.S. customers and EU residents as required by U.S.
anti-money laundering legislation, does that subject the U.S. financial institution to EU
jurisdiction? Surely that should not be the intended effect of the Commission's proposal.
We are again concerned that this Internet-driven measure will have unintended effects on
other industries.
11. INTERNATIONAL TRANSFERS
We think it is regrettable that there have not been significant improvements to the
international transfer regime. It remains a very documentary process. We do not
consider that there is an absolute need for model clauses or even binding corporate rules,
particularly if these are to be agreed on a case-by-case basis. It would be preferable if
organisations exporting personal data were deemed to be subject to clear rules regarding
the security and onward processing of that data, thus dispensing with the bureaucracy but
not reducing the protection for data subjects.
It is also regrettable that the position regarding transfers to overseas regulators remains
uncertain. European businesses are continually subject to requests for information
(including personal data) from US courts, prosecutors and regulators. The lawfulness of
these transfers, and the procedures which European businesses should undergo when
making decisions concerning them, are not at all clear. This is an opportunity to clarify
the law which should not be lost.
Hogan Lovells International LLP (ref: CM3/QDRA)
6 March 2012