As we reported last week, MEP Jan Philipp Albrecht, the rapporteur for the lead European Parliament Committee (LIBE) for the proposed EU Data Protection Regulation, has released a controversial report on the Commission’s proposal.

There have been several news articles and commentaries in recent days about numerous aspects of the report — including the threat to the U.S.-EU Safe Harbor, the dilution of the “one-stop shop” concept regarding regulators, the re-emphasis on consent and limiting the “legitimate interests” ground for processing data, further restrictions on profiling, etc. — but one troubling aspect of the report has generally not received the attention that it arguably deserves amidst this hubbub: namely, that the report proposes to expand general compliance obligations and “privacy-by-design”/“privacy-by-default” requirements, in particular, to software and hardware manufacturers — regardless of whether they process personal data.

The report introduces the concept of a “producer”, which it defines as “a natural or legal person, public authority, agency or any other body which creates automated data processing or filing systems designed for the processing of personal data by data controllers and data processors” (see amendment 88).  Producers must take measures to ensure compliance with general data protection principles (e.g., data minimisation, purpose limitation, storage minimisation, etc.) “in the design, set-up, and operation” of systems, despite the fact that they do not themselves process personal data (see amendment 98).   Further, producers and data processors (so this will affect many cloud providers) must also “implement appropriate technical and organisational measures and procedures to ensure that their services and products allow controllers by default to meet the requirements of this Regulation, in particular [privacy-by-design and privacy-by-default]” (emphasis added). 

If these obligations were not enough, the door appears to have been left open for producers to be subject to the highest level of DPA fines (see amendment 321), but not to direct compensation claims from individuals; exactly how they would be supervised by DPAs is unclear.

This potential expansion of the scope of EU data privacy law is just one major issue that will be debated fiercely in the coming weeks.  Following last week’s consideration of Albrecht’s report in the LIBE Committee, there will be a second round of discussions at the next LIBE Committee meeting on January 21-22; for the moment, the deadline for tabling amendments in the LIBE Committee remains February 27.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.