CCBE Position on the proposed data protection reform package COM(2012) 11 and COM(2012) 10



The Council of Bars and Law Societies of Europe (CCBE) is the representative organisation of around 1 million European lawyers through its member bars and law societies from 31 full member countries, and 11 further associate and observer countries.

As the CCBE has repeatedly stressed, the legal profession profoundly respects the fundamental right to protection of personal data, including the right to respect for privacy and for the confidentiality of communications. The CCBE is aware of its own responsibility in this area and has published recommendations to its membership regarding best practice in data protection when making use of the internet and e-communication (1).

The CCBE has also repeatedly stressed the importance of professional secrecy (2) and would point out that the European Court of Justice itself expressly stated in its decision in the AM&S case (case C-155/79): “that confidentiality serves the requirements, the importance of which is recognized in all of the member states, that any person must be able, without constraint, to consult a lawyer whose profession entails the giving of independent legal advice to all those in need of it” and added that “the principle of the protection against disclosure afforded to written communications between lawyer and client is based principally on a recognition of the very nature of the legal profession, inasmuch as it contributes towards the maintenance of the rule of law and that the rights of the defence must be respected”.

Furthermore, the CCBE has repeatedly emphasised that professional secrecy, avoidance of conflict of interest and independence are core values of the Legal Profession. As the CCBE has noted in its position on regulatory and representative functions of bars, (3) the independence of lawyers is recognised, inter alia, in the Council of Europe Recommendation on the freedom of exercise of the profession of lawyer. (4) As the Council of Europe states, the Committee of Ministers is “conscious of the need for a fair system of administration of justice which guarantees the independence of lawyers in the discharge of their professional duties without any improper restriction, influence, inducement, pressure, threats or interference, direct or indirect, from any quarter or for any reason”. As the Council of Europe further states under Principle V of its Recommendation on the freedom of exercise of the profession of lawyer, “Bar associations or other professional lawyers’ associations should be self-governing bodies, independent of the authorities and the public” and “the role of Bar associations or other professional lawyers’ associations in protecting their members and in defending their independence against any improper restrictions or infringements should be respected”.

As the CCBE already stated in its position on regulatory and representative functions of bars, (5)

- an independent legal profession is the cornerstone of a free and democratic society,

- self-regulation, conceptually, must be seen as a corollary to the core value of independence,

- self-regulation addresses the collective independence of the members of the legal profession,

and

- exclusive direct state regulation, without a leading role for the profession in the setting and enforcing of standards of conduct and of service, is incompatible with an independent legal profession.

Considering the importance of professional secrecy and independence as core values of the Legal Profession and self-regulation by Bars as a corollary of independence, the CCBE has the following comments on the proposed General Data Protection Regulation (6) and, under point 7, some general observations regarding the proposed Directive for data protection in the law enforcement area: (7)

1. Articles 14 and 15 – Information to the data subject and right of access for the data subject

Article 14 of the draft Regulation sets out the principle that a data subject shall be informed about the fact that his/her data are being collected. There are exceptions to this rule, including e.g. cases where a data subject is aware of the collection of data. The list of exceptions however fails to include a specific provision for lawyers who are subject to strict professional secrecy (known in some jurisdictions as legal professional privilege). A lawyer, for example, may thus be required to provide a client’s opposing party with information and grant this party access to their data which was made known to him, provided the lawyer has recorded this data. This is clearly unacceptable. The lawyer would destroy his client’s trust and would violate his obligation of professional secrecy by supplying his client- and case-related data to the opponent.

There is already a special provision in the Regulation in Article 9 (2)(f) that recognises the special importance of effective pursuance of legal claims ("processing is necessary for the establishment, exercise or defence of legal claims"). However, such an exclusion also needs to be included in Articles 14 and 15, through provisions that ensure that notification (and disclosure of collected data) shall not be required if the data is affected by legal professional privilege or must be kept secret due to the overriding legal interests of the lawyer's client. We can find similar exceptions to e.g. "the right of access" in a number of Member States, e.g. the UK Data Protection Act 1998 Section 35 (b). Any difference in the national approaches to this subject could cause serious problems for legal professionals whose interests are often opposed to those of the data subject.

Thus, Articles 14 and 15 of the Proposal should be supplemented by the following provisions:

In Article 14 (5) (d) the full stop should be replaced by a semicolon followed by “or”, and a new point (e) should be added:

“(e) the data are processed by, are entrusted or become known to a lawyer subject to legal professional privilege, professional secrecy regulated by the State, a statutory obligation of secrecy in the exercise of his profession or any like obligation not to reveal such data”.

In Article 15 a new paragraph 3 should be added after paragraph 2:

“3. There shall be no right of access in accordance with paragraphs 1 and 2 where data within the meaning of Article 14 (5) (e) are concerned.”

2. Article 16 – Right to rectification

The CCBE is concerned that the right to rectification under Article 16 of the draft Regulation might raise practical problems for lawyers. The scope of Article 16 should be limited in the same way as Article 15, so as to exclude the applicability of the right to rectification in respect of data where the data controller is a lawyer.

Thus, there should be added at the end of Article 16 a comma, in place of the full stop, and there should be added the words:

“provided however, that the data subject shall have no such right where the controller is a lawyer holding the data in such circumstances as are specified in Article 14(5)(e).”

3. Articles 49 and 53 – Rules on the establishment and powers of the supervisory authority

Article 49 sets out the establishment of supervisory authorities by the Member States. In Article 46(2), the draft Regulation recognises that there may be more than one supervisory authority in a Member State and Article 85 makes special provision for Churches not to be subject to supervision by a Member State's supervisory authority or authorities.

Considering that professional secrecy is a core value of the Legal Profession and considering the role of the Bars and Law Societies as the self-regulating and supervisory authorities of the Legal Profession, provision should be made to permit Bars and Law Societies as sectoral supervisory bodies to fulfil also the function of supervisory authorities in place of territorial supervisory authorities.

As envisaged in the existing draft, although Article 47(1) seeks to ensure the independence of supervisory bodies, nonetheless, in terms of Article 48(1) their members are to be appointed by Member State Governments or Parliaments. Whilst the CCBE would not seek to call into question the independence of those who might come to be appointed, the arrangement lacks transparency, creating the appearance of external control, by an emanation of the State, over data which may be subject to the obligations of legal professional privilege or professional secrecy or confidentiality, even in situations where the client is in conflict with the State, for example, a defence lawyer’s files or lawyer-client correspondence.

Furthermore, the powers available to a supervisory authority include (under Article 53(g)) power to impose a temporary or permanent ban on the processing of data. Given that it would be impossible for a lawyer to function or perform his obligations to the court or his clients without being able to process data, the exercise of this power would amount to a breach of the fundamental principle of the independence of the legal profession, as it could amount (in its effect) to the lawyer being prevented from effectively exercising his profession as a lawyer by a person other than the appropriate regulatory authority of the profession.

For these reasons, the CCBE would urge that where there is a Bar or Law Society in a Member State which already has the function of the regulation of the profession, it be permitted to assume the function of being the regulatory authority in respect of those lawyers who are subject to its supervision and control. Such supervision of data protection performed by the Bars or Law Societies would also enable those bodies, in their wider function as professional regulatory bodies (in addition to, as proposed, supervisory bodies under the proposed Regulation) to deploy a fuller range of possibilities in enforcing data protection rules and in imposing sanctions in respect of violations, including the treating of breaches of the data protection regime as also constituting professional misconduct and dealing with such breaches accordingly. The range of the sanctions and controls for such misconduct would potentially go far beyond the powers accorded to regulatory authorities under the data protection regime. In addition, from the client’s perspective, the data which the client entrusts to a lawyer would remain within the professional sector of that lawyer, which ensures an assessment of data processing in accordance with the specific concerns and regulatory requirements of the Legal Profession. Moreover, the lawyers’ obligation of professional secrecy remains unaffected since control is also exclusively exercised by Bars, Law Societies and lawyers who are themselves subject to obligations of professional secrecy.

Thus, the existing provisions in Article 49 should be stated as paragraph 1 and a new paragraph 2 should be added:

“2. Insofar as competent professional supervisory bodies for lawyers subject to legal professional privilege or professional secrecy exist at the time of the entry into force of the present Regulation, these bodies may establish the supervisory authority in respect of data processing by those over whom they exercise professional supervision”.

In the event that the supervisory authority is not one or more of the Bars or Law Societies of the Member State, then in view of the comments expressed above regarding the potential restriction of the ability of the lawyer to exercise his profession, the powers of the supervisory authority under Article 53(1) in respect of alleged breaches by lawyers of data protection rules, should be restricted to investigation of such alleged breaches, and the making of a determination as to whether the supervisory authority is minded to recommend such action as is specified in sub-paragraphs (a) to (g) of article 53(1), and then to report such determination to the Bar or Law Society of which the data controller is a member with a view to that Bar or Law Society taking such action as it sees fit.

Accordingly, the CCBE recommends that there be inserted a proviso to article 53(1) in the following terms:

“provided that where the data controller in question in any given case is a lawyer, the power of the supervisory authority under sub-paragraphs (a) to (g) hereof shall be restricted to making a determination as to whether it would (apart from this proviso) have exercised such a power, and then to reporting such determination to the relevant Bar or Law Society for that body to take such action as it may consider fit.”

4. Article 51 – Competence of the supervisory authority

The effect of Article 51 (3) of the draft Regulation is that courts will not be supervised by the supervisory authorities with respect to their judicial (as opposed to administrative) activities. This is justified in terms of recital 99 on the ground of maintaining the independence of the judicial function. That justification applies with equal force with respect to the legal activities of lawyers for their clients. Therefore, where the interests of justice justify the exemption of the activities of a judge from supervision by the supervisory authority, there properly ought to be a similar exemption from supervision or control of the respective activities of the lawyer. It would not be acceptable that a defence lawyer’s files and correspondence, for example, may be inspected by data protection supervisory authorities where the activities of a judge would enjoy exemption from such supervision or control. The exemptions provided for courts acting in their judicial capacity must be extended to the respective activities of lawyers.

Thus, Article 51 (3) of the current version of the Proposal for a General Data Protection Regulation provides:

“The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.”

The following sentence should be added to Article 51 (3):

“The same shall apply to the legal activities of lawyers”.

5. Article 53 – Powers of the supervisory authority

The CCBE has had drawn to its attention a practice, in at least one Member State, under the existing data protection regime, of the supervisory authority publishing, and aggressively publicising, full details, including the naming of individual data controllers (including lawyers) who, in lieu of proceedings having been taken against them, have been warned, admonished, or have signed undertakings in respect of alleged breaches of the data protection regime. The practice is so frequent as to be all but universally applied, and its avowed purpose is that by “naming and shaming” individuals, others will be discouraged from committing similar perceived breaches of the data protection regime. (8) The justification for such a practice is that it is in exercise of the supervisory authority's powers to inform the public of its activities. It is not seen by the supervisory authority as being a sanction in relation to the individual data controller and is not exercised having regard to any proper principles of proportionality. (9)

The CCBE is concerned that Article 53(1)(j) of the draft regulation might similarly be used by supervisory authorities to justify a similar practice in the future. The CCBE is particularly concerned that such a practice would be, in its effect, the application of a sanction in relation to the activities of a data controller (even in the absence of formal proceedings having been taken against him), and that such a practical sanction might be applied without regard to questions of proportionality affecting the original alleged breach by the individual data controller, even though such may not have been the intent of the drafters of the present article 53(j) of the draft Regulation.

Thus, the following sentence should be added at the end of Article 53 (1) (j):

“(…), provided, however, that this power shall not be exercised so as to permit the publication of the name or identity of a data controller in any particular case where the publication of such name or identity may reasonably fall to be regarded as having the effect of the application of a sanction for any breach of this regulation committed by such data controller”.

The CCBE also notes that the French and German versions of Article 53 (1) (j) differ from the English one (in the French and German versions the term “question” is used while the English version uses the term “issues”). It must be flagged that this provision is unclear and might be interpreted very broadly and should be restricted to general questions only and not specific ones. In the three language versions the words

“general questions”

should therefore be used.

6. Articles 31 and 32 – Notification of a personal data breach to the supervisory authority and communication of a personal data breach to the data subject

It must be ensured that professional secrecy is respected when complying with the obligations laid down in Articles 31 and 32 regarding the notification of a personal data breach to the supervisory authority and communication of a personal data breach to the data subject. This will be the situation in those Member States where Bars and Law Societies are the responsible supervisory authorities for lawyers, but for all other Member States, Articles 31 and 32 should be supplemented accordingly.

This could be achieved by amending Article 84 (1) so as to include the obligations laid down in Articles 31 and 32, thus:

“1. Within the limits of this Regulation, Member States may adopt specific rules to set out the obligations laid down in Articles 31 and 32 and the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.”

7. General comments on the proposed Directive for data protection in the law enforcement area (COM (2012) 10)

The CCBE agrees with the analysis from the European Data Protection Supervisor (EDPS) that “[t]he processing of personal data in the area of police and judicial cooperation in criminal matters, which by its very nature poses specific risks for the citizen, requires a level of data protection at least as high as under the proposed Regulation, if not higher due to its intrusive nature and the major impact such processing may have on the individual's life”. (10) In its response to the Commission communication on a comprehensive approach on data protection in the EU, (11) the CCBE already expressed its support for an extension of the application of the general data protection rules to the areas of police and judicial cooperation in criminal matters. It therefore strongly regrets the choice of the European Commission to regulate data protection in the law enforcement area in, as noted by the EDPS, “a self-standing legal instrument which provides for an inadequate level of protection, by far inferior to the proposed Regulation”. (12) One of its particular concerns in this respect is the lack of legal certainty with regard to the subsequent use of personal data by law enforcement authorities and the absence of a general obligation for law enforcement authorities to demonstrate their compliance with data protection requirements.

Rather than having two separate regimes governing civil and law enforcement matters distinctly, the CCBE therefore calls upon the EU institutions to create a single comprehensive data protection regime that meets the requirement of a consistent and high level of data protection.

8. Conclusion

The CCBE therefore urges the EU institutions to take into account the following guidelines when considering the proposed data protection reform package:

- To supplement Articles 14, 15 and 16 by provisions that ensure that notification and rectification shall not be required if the data is affected by legal professional privilege or must be kept secret due to the overriding legal interests of the lawyer's client.

- To supplement Article 49 with a provision that permits a Bar or Law Society in a Member State which already has the function of the regulation of the profession, to assume the function of being the regulatory authority in respect of those lawyers who are subject to its supervision and control.

- In the event that the supervisory authority is not one or more of the Bars or Law Societies of the Member State, then the powers of the supervisory authority under Article 53(1) in respect of alleged breaches by lawyers of data protection rules, should be restricted to making a determination as to whether it would have exercised its powers under Article 53, and then to reporting such determination to the relevant Bar or Law Society for that body to take action as it may consider fit.

- In relation to Article 51, the exemptions provided for courts acting in their judicial capacity must be extended to the respective activities of lawyers.

- To specify in Article 53(1)(j) that the power to inform the public on any questions related to the protection of personal data, shall not be exercised so as to permit the publication of the name or identity of a data controller in any particular case where the publication of such name or identity may reasonably fall to be regarded as having the effect of the application of a sanction for any breach of this regulation committed by such data controller.

- To ensure that professional secrecy is respected when complying with the obligations laid down in Articles 31 and 32 regarding the notification of a personal data breach to the supervisory authority and communication of a personal data breach to the data subject.

- To create a single comprehensive data protection regime that meets the requirement of a consistent and high level of data protection, rather than having two separate regimes governing civil and law enforcement matters distinctly.

________________________________________________

1 CCBE Guidelines on Electronic Communication and the Internet, December 2005, http://www.ccbe.eu/fileadmin/user_upload/NTCdocument/EN_CCBE_Guidance_ele1_1231836053.pdf.

2 See, e.g., the CCBE Position on the Legal Framework for the Fundamental Right to Protection of Personal Data, http://www.ccbe.eu/fileadmin/user_upload/NTCdocument/EN_CCBE_response_to_1_1262595056.pdf.

3 http://www.ccbe.org/fileadmin/user_upload/NTCdocument/ccbe_position_on_reg1_1182254709.pdf.

4 Recommendation N. R(2000)21, https://wcd.coe.int/com.instranet.InstraServlet?command=com.instranet.CmdBlobGet&InstranetImage=533749&SecMode=1&DocId=370286&Usage=2.

5 See footnote 3.

6 Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11.

7 Proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, COM(2012) 10.

8 See Freedom of Information Response (case No. IRQ0451758) dated 5th July, 2012, by the UK Information Commissioner to FOI request by the Bar Council of England & Wales.

9 Ibid.

10 EDPS Opinion of 7 March on the data protection reform package, page 50, http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2012/12-03-07_EDPS_Reform_package_EN.pdf.

11 CCBE response to the Commission communication on a comprehensive approach on data protection in the European Union, January 2011, http://www.ccbe.eu/fileadmin/user_upload/NTCdocument/EN_210111_CCBE_respo1_1296030383.pdf.

12 EDPS Opinion of 7 March on the data protection reform package, page 68.
