by Kristof Van Quathem
On January 8, 2013, MEP Jan Philipp Albrecht released his draft report on the proposed EU Data Protection Regulation. Albrecht, of the European Green Party, is rapporteur for the Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament, the lead Committee for the proposal. His draft report will now be considered by the Committee members, who have until the end of February to table amendments before the report is discussed in plenary. They will need this time, as Albrecht has tabled a total of 350 amendments to the proposed Regulation. Those who expected a conciliatory report searching for compromise and practical solutions will be disappointed: many of the proposed amendments strengthen the rights of individuals and supervisory authorities and reinforce existing, or impose additional, obligations on companies. As a result, the draft report is expected to be heavily criticized and amended in the months to come.
In terms of content, it is noteworthy that Albrecht puts greater emphasis on the Internet. A number of the proposed amendments are closely related to online practices. This is rather worrisome, as the proposed Regulation is not limited to online data processing, and care should be taken not to turn the General Data Protection Regulation into an Internet Data Protection Regulation.
We review the key points of the draft report after the jump.
Salient points of the draft report include:
general changes, including:
- The scope of application of the draft Regulation is extended to cover all processing activities related to services, regardless of whether these services are free of charge, and to all collection and processing of personal data about EU residents. It is also clarified that the proposed Regulation does not apply to competent public authorities for law enforcement activities, although it applies to private entities in this context, which may lead to conflicting rules.
- The concepts of personal data and data subject (which would include natural persons that “can be singled out”, “alone or in combination with associated data”) are clarified, and new definitions for “pseudonym”, “transfer”, “profiling” and “producers” (of automated data processing or filing systems) are created.
- The “legitimate business interest” legal ground for data processing is completely revised. This legal basis can only be used if none of the other legal grounds apply, and the controller will need to explicitly inform the data subject. The proposed amendments now also include cases in which, as a rule, the legitimate interests override the interests of the data subject and cases in which they do not. This will substantially limit the scope of application of the “legitimate business interest” legal ground.
- The processing of data for the execution of a contract may not be made conditional on consent for uses of personal data that are not necessary for the execution of the contract or to provide the service. The further use of personal data would thus be made much more difficult. For example, offering a service in exchange for consent to the use of personal data for advertising purposes would no longer seem possible.
- Consent will remain a cornerstone of the EU approach to data protection.
- The processing of sensitive data, such as health data, is further restricted and some of the exceptions (for instance, regarding research) will be limited.
- The provision of information to individuals by means of icons is promoted.
- Member States obtain the possibility to adopt national laws in the area of social security.
- Some of the powers of supervisory authorities are refined and strengthened.
- The heavily criticized sanctions remain in place with some modest changes. In particular, the criteria to be taken into account when setting the level of an administrative sanction are refined. Any infringement of the proposed Regulation not listed specifically can also be sanctioned with administrative fines, and the absolute amounts of the fines are to be regularly updated.
- Some of the powers of the European Commission to adopt delegated acts are curtailed.
- An alternative consistency mechanism is proposed. In particular, supervisory authorities will retain enforcement powers within their respective jurisdictions, but a lead authority will act as a single contact point for the controller or processor, with increased cooperation among supervisory authorities (a one-stop coordination shop). The European Data Protection Board shall designate the lead authority in cases where it is unclear which authority should lead or the authorities do not agree. In some cases the European Data Protection Board may adopt a final decision by a qualified majority, subject to judicial review.
additional obligations for controllers, including:
- Controllers will have to make public a summary of the accountability measures taken.
- The data protection impact assessment obligation is further refined and expanded.
- The principles of data protection by default and by design are further refined. For instance, producers and service providers shall also be subject to these principles.
- A number of the exemptions for small and medium sized enterprises are deleted.
- The mandatory designation of a data protection officer (DPO) is no longer based on the size of the enterprise, but rather on the relevance of the data processing. For instance, a DPO must be appointed as soon as a controller or processor processes data about more than 500 individuals per year. The role and position of DPOs are also further elaborated: for instance, the minimum period of designation is extended to four years, and DPOs will be direct subordinates of the head of the management of the controller or processor (a provision clearly inspired by German data protection law). The DPO will also have an obligation to report suspected violations to the supervisory authority.
- The data breach notification deadline is extended from 24 hours to 72 hours; on the other hand, supervisory authorities shall keep a public register of the types of breaches notified.
strengthened rights of data subjects, including:
- Restrictions on profiling are expanded to a large extent.
- Individuals have a right to be informed about the disclosure of personal data to a public authority.
- The right to be forgotten has been restricted. In particular, where the controller has made personal data public, it shall be obliged to inform only those third parties which it can reasonably expect to be further processing the data, and to inform the data subject about those third parties.
- The right to object should always be free of charge.
- The possibilities for effective redress are further strengthened (for instance, in relation to associations acting in the public interest or compensation for non-monetary damages).
more restrictions in the field of international data transfers, including:
- The option of recognizing sectors in third countries as adequate, which was proposed by the European Commission, is rejected altogether, and adequacy findings will be made by means of a delegated act so as to involve both Council and Parliament.
- All previous adequacy decisions (including on the US Safe Harbor) and decisions concerning standard contractual clauses by the European Commission as well as authorizations by a supervisory authority of data transfers will only remain in force until two years after the entry into force of the proposed Regulation. Standard data protection clauses should always be approved by the European Data Protection Board before being generally declared valid by the European Commission.
- Transfers without a legally binding instrument should not be possible, and the content of appropriate safeguards is further refined.
- The draft report in particular proposes to reinsert an article covering cases where a third-country judgment or authority requires a transfer of data not authorized by Union law; in such cases prior notification to, and authorization by, the supervisory authority will be required.
- The proposed amendments also foresee a few other instances in which prior authorization for the transfer will be required.