As we reported last week, MEP Jan Philipp Albrecht, the rapporteur for the lead European Parliament Committee (LIBE) for the proposed EU Data Protection Regulation, has released a controversial report on the Commission’s proposal.

There have been several news articles and commentaries in recent days about numerous aspects of the report — including the threat to the U.S.-EU Safe Harbor, the dilution of the “one-stop shop” concept regarding regulators, the re-emphasis on consent and limiting the “legitimate interests” ground for processing data, further restrictions on profiling, etc. — but one troubling aspect of the report has generally not received the attention that it arguably deserves amidst this hubbub: namely, that the report proposes to expand general compliance obligations and “privacy-by-design”/“privacy-by-default” requirements, in particular, to software and hardware manufacturers — regardless of whether they process personal data.

The report introduces the concept of a “producer”, which it defines as “a natural or legal person, public authority, agency or any other body which creates automated data processing or filing systems designed for the processing of personal data by data controllers and data processors” (see amendment 88).  Producers must take measures to ensure compliance with general data protection principles (e.g., data minimisation, purpose limitation, storage minimisation, etc.) “in the design, set-up, and operation” of systems, despite the fact that they do not themselves process personal data (see amendment 98).   Further, producers and data processors (so this will affect many cloud providers) must also “implement appropriate technical and organisational measures and procedures to ensure that their services and products allow controllers by default to meet the requirements of this Regulation, in particular [privacy-by-design and privacy-by-default]” (emphasis added). 

If these obligations were not enough, the door appears to have been left open for producers to be subject to the highest level of DPA fines (see amendment 321), but not to direct compensation claims from individuals; exactly how they would be supervised by DPAs is unclear.

This potential expansion of the scope of EU data privacy law is just one major issue that will be debated fiercely in the coming weeks.  Following last week’s consideration of Albrecht’s report in the LIBE Committee, there will be a second round of discussions at the next LIBE Committee meeting on January 21-22; for the moment, the deadline for tabling amendments in the LIBE Committee remains February 27.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.