The European Parliament approved the report of rapporteur Axel Voss yesterday. Titled “Personal data protection in the European Union”, the report endorsed the Commission’s aim of reforming the Data Protection Directive (95/46/EC) and suggested specific directions for the upcoming reform. Among other positions explored by the report, the European Parliament:
- Repeated calls for more regulation of behavioural advertising and “profiling” (as enabled by, for example, discount and loyalty scheme cards). The Parliament also mentioned its concern over profiling in relation to “abuses stemming from online behavioural targeting” and “social network websites”), and called on the Commission to define the term “profiling” — presumably to enable more regulation of the practice under an amended data protection law;
- Acknowledged the need for more clarity in a number of areas, including what law is applicable to data processors and data controllers and the roles, rights and responsibilities of cloud computing service providers and cloud computing consumers;
- Supported a number of new individual rights, including the notion that data subjects should be able to “fully enforce” their data protection rights even when their data is transferred and processed in third countries beyond the EU, a right of data portability for data subjects and the well-known “right to be forgotten”, which the report also stated should be “clarified in detail”;
- Requested further consideration of the addition of new categories of potentially sensitive data, including biometric and genetic data, and further caution when such data would be processed together with new technologies such as cloud computing;
- Called for further harmonisation of the powers of the national data protection agencies; and
- Endorsed Commissioner Viviane Reding’s aim of creating a new mandatory data breach notification obligation. The Parliament took the position that any such obligation should not become a “routine alert for all sorts of breaches”, but nevertheless it also recommended that the new obligation require “all breaches without exception” to be recorded to aid in data breach investigations.
The report will now be forwarded to the European Council and European Commission — both bodies are now responsible for developing the report into a set of concrete legislative proposals in the next stage of the reform.