The draft report on the proposed EU General Data Protection Regulation released on 8 January has provoked much criticism and debate. The report has been prepared by Green MEP Jan Philipp Albrecht, the rapporteur for the Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament, the lead Committee for the European Commission’s legislative proposal for a reform of the EU data protection legal framework.
Commissioner Viviane Reding and the French data protection authority, the CNIL, have welcomed the report, whereas strong criticism has been voiced by industry.
Albrecht has tabled a total of 350 amendments to the proposed regulation, aiming to strengthen the rights of individuals and supervisory authorities and to reinforce existing—or impose additional—obligations on companies. In the following, we have highlighted some of the most important proposed amendments for private-sector companies.
Changes of a more general nature
The changes of a more general nature concern the scope of application of the draft regulation, the definitions, the legal grounds for making data processing legitimate, an alternative consistency mechanism and the possibility for member states to adopt national rules.
Scope of application
One of the more general changes that has sparked a lot of debate concerns the scope of application of the draft regulation. Albrecht proposes to extend the scope of application to the processing of personal data of data subjects residing in the EU by a non-EU controller, where the processing activities are “aimed at”—instead of “related to”—the offering of goods or services to such data subjects in the EU or the monitoring of such data subjects—no longer limited to the monitoring of “behaviour”. Albrecht also proposes to clarify that no payment for the goods or services would be required, but free goods or services would also be covered.
Albrecht proposes a clarification of the concepts of personal data and data subject. In particular, a new alternative criterion is introduced, namely whether a natural person can “be singled out,” which would seem to require less than “identification,” and either identification or singling out could be made “alone or in combination with associated data.” There have been calls from industry to introduce a definition for pseudonymous and anonymous data and to provide for privileged treatment of these types of data. Whilst the report has not picked up on these calls, it nonetheless proposes to include a definition of “pseudonym.” Interestingly, the report also for the first time proposes a definition of the concept of “transfer,” distinguishing it from making data (publicly) available. The draft regulation contains strict rules for measures based on profiling but does not define what profiling entails. The report seeks to remedy this situation by proposing a definition for “profiling.”
The report also creates a new definition of the concept of “producer” of automated data processing or filing systems, which is of relevance in relation to the concept of data protection by design as will be discussed below.
Finally, as regards the definition of “personal data breaches,” Albrecht wants to ensure that data breaches are covered even if there is no security breach. The report also proposes an extended data breach notification deadline of 72 hours—up from 24 hours—and that supervisory authorities keep a public register of the types of breaches notified.
Legal grounds for data processing
According to Albrecht, “Consent should remain a cornerstone of the EU approach to data protection, since this is the best way for individuals to control data processing activities.” He proposes including two additional conditions for consent. In particular, the execution of a contract or provision of a service may not be made conditional on the consent to the processing or use of data that is not necessary for the execution of the contract or provision of the service. This would seem to exclude certain business models that require consent to the use of personal data for advertising purposes. Albrecht also introduces a mandatory consent requirement for the processing of personal data concerning health for historical, statistical or scientific research purposes, which would seem to significantly limit applicable exceptions in these areas.
Albrecht further proposes to make the “legitimate interest” criterion a fallback provision, which would only apply in case none of the other legal grounds for data processing apply. Moreover, he very significantly limits the scope of application of this provision, introducing cases where the interests of data subjects are, as a general rule, considered to outweigh the controller’s legitimate interest. Moreover, he wants to remove the possibility to rely on the legitimate interest criterion as a legal basis altogether when the purpose of the data processing is subsequently altered.
Alternative consistency mechanism
Although Albrecht maintains the idea of a lead data protection authority based on the controller’s or processor’s main establishment, pursuant to the report, other data protection authorities would retain jurisdiction and be co-competent regarding processing operations within their territory or affecting data subjects resident in their territory. This will require increased cooperation among all competent supervisory authorities, and in cases where it is unclear which authority should lead, or where the authorities do not agree, the European Data Protection Board (EDPB) shall designate the lead authority. The EDPB would also obtain final decision-making powers in some cases, subject to judicial review.
The fact that member states would retain the power to adopt national laws regarding issues such as freedom of expression, professional secrecy, health and employment has been criticised. The report proposes further extending this power to the social security context.
Additional obligations for controllers, processors and producers
A number of the proposed amendments reinforce the obligations for controllers. The report proposes the deletion of several exceptions applicable to small- and medium-sized enterprises, for instance, regarding the documentation obligation in Article 28 or the obligation for non-EU controllers to designate a representative.
Albrecht wants controllers to make a summary of the accountability measures they have taken public. The report also further refines the data protection impact assessment obligation as well as the principles of data protection by default and by design. In particular, the application of the latter two principles should be extended to both processors as well as producers.
The mandatory designation of a data protection officer (DPO) would no longer be based on the number of employees but rather on the relevance of the data processing. For instance, a DPO must be appointed as soon as a controller or processor processes data about more than 500 individuals per year or the core activities consist of profiling. The roles and positions of DPOs are also further elaborated in the report. For instance, the minimum period of designation is extended to four years, and DPOs will be direct subordinates of the head of the management of the controller or processor. The DPO will also have an obligation to report suspected violations to the supervisory authority.
Strengthened rights of data subjects
The report strengthens the rights of data subjects. In particular, it emphasises the transparency principle and introduces additional information obligations, expands the restrictions on profiling, proposes that the right to object should always be free and grants data subjects a right to be informed about the disclosure of their personal data to a public authority. Albrecht also aims to strengthen the possibilities for effective redress, for instance, in relation to associations acting in the public interest or compensation for nonmonetary damages.
On the other hand, the right to be forgotten would be more limited. In particular, controllers would only need to act where they have transferred or made the personal data public without a proper legal basis.
Additional restrictions in the field of international data transfers
The report proposes removing the option of recognising sectors in third countries as adequate, as this would increase legal uncertainty. Adequacy findings should be made by means of a delegated act so as to involve both Council and Parliament.
Albrecht proposes an expiry date for all previous adequacy decisions—including on the U.S. Safe Harbor—and decisions concerning standard contractual clauses by the European Commission as well as authorisations by a supervisory authority of data transfers. All these decisions should only remain in force until two years after the entry into force of the proposed regulation.
Albrecht further refines the content of appropriate safeguards, e.g., observance of the principles of privacy by design and by default and the existence of a DPO.
The report also proposes to reinsert an article concerning data transfers triggered by requests from authorities or courts in third countries. It basically requires that any mutual assistance treaties or international agreements are respected—as well as prior notification and authorisation by the supervisory authority.
The report certainly has the potential to fuel a lot of heated debate. Amendments to the report must be tabled by the end of February, and an orientation vote in the LIBE Committee is scheduled for the end of April. From May, negotiations between the European Parliament, the Council and the Commission could start, depending, however, on the progress that will have been made in the Council of Ministers by then.