As we reported last week, MEP Jan Philipp Albrecht, the rapporteur for the lead European Parliament Committee (LIBE) for the proposed EU Data Protection Regulation, has released a controversial report on the Commission’s proposal.
There have been several news articles and commentaries in recent days about numerous aspects of the report, including the threat to the U.S.-EU Safe Harbor, the dilution of the “one-stop shop” concept regarding regulators, the re-emphasis on consent and the limiting of the “legitimate interests” ground for processing data, and further restrictions on profiling. One troubling aspect of the report, however, has generally not received the attention it arguably deserves amidst this hubbub: the report proposes to extend general compliance obligations, and “privacy-by-design”/“privacy-by-default” requirements in particular, to software and hardware manufacturers, regardless of whether they themselves process personal data.
The report introduces the concept of a “producer”, which it defines as “a natural or legal person, public authority, agency or any other body which creates automated data processing or filing systems designed for the processing of personal data by data controllers and data processors” (see amendment 88). Producers must take measures to ensure compliance with general data protection principles (e.g., data minimisation, purpose limitation, storage minimisation, etc.) “in the design, set-up, and operation” of systems, despite the fact that they do not themselves process personal data (see amendment 98). Further, producers and data processors (so this will affect many cloud providers) must also “implement appropriate technical and organisational measures and procedures to ensure that their services and products allow controllers by default to meet the requirements of this Regulation, in particular [privacy-by-design and privacy-by-default]” (emphasis added).
If these obligations were not enough, the door appears to have been left open for producers to be subject to the highest level of DPA fines (see amendment 321), but not to direct compensation claims from individuals; exactly how they would be supervised by DPAs is unclear.
This potential expansion of the scope of EU data privacy law is just one major issue that will be debated fiercely in the coming weeks. Following last week’s consideration of Albrecht’s report in the LIBE Committee, there will be a second round of discussions at the next LIBE Committee meeting on January 21-22; for the moment, the deadline for tabling amendments in the LIBE Committee remains February 27.