On October 8, 2012, the rapporteur of the European Parliament's LIBE Committee, Mr. Jan Albrecht, published a first working document setting out his initial positions on the draft Regulation on personal data protection.
The document first describes the methodology followed by the rapporteur and the provisional timetable for the review of the Regulation. It summarizes, and builds on, four rounds of LIBE Committee working meetings and workshops held with institutional stakeholders (Commission, Council) and private ones. At this stage, the main changes that could be introduced, and to which we draw your attention, are the following:
Concerning the definitions and key principles of the Regulation, the rapporteur considers that its material scope will be identical to that of Directive 95/46. He therefore rules out any modification, and in particular any narrowing, of the notion of personal data (PD), since the protection of personal data gives effect to a "fundamental" right guaranteed by Article 8 of the Charter of Fundamental Rights. Consequently, the rapporteur considers that the European legislator cannot limit the scope of such a right.
However, in order to reach the highest level of PD protection while enabling new business models to emerge, the rapporteur wishes to encourage the pseudonymous and anonymous use of services. In this respect, he wishes to clarify the notion of "anonymity" so as to help data controllers determine whether or not their operations fall within the scope of the Regulation.
Concerning consent, the rapporteur reaffirms his commitment to this notion. Nevertheless, he wishes to make clear that standard techniques that help a data subject express his or her wishes are a valid way of giving express consent. Information for data subjects should be presented in an easily comprehensible form, through layered privacy policies or standardized logos or icons. To encourage data controllers to comply with the express consent obligation, the corresponding burden could be reduced where an impact assessment has been carried out and the system is certified as conforming to the principles of privacy by design and privacy by default.
Another interesting possibility: the provision stating that express consent is not required where the processing is necessary for the performance of a contract should be extended to cases where the service is requested by the data subject. This would confirm the current trend whereby the use of an online service, without necessarily concluding a contract in due form (e.g. registering with a social network or a messaging service), would not require the data subject's consent for that specific purpose.
Regarding the purpose limitation principle, it is worth noting that the rapporteur does not want the legitimate interest of the data controller (DC) to allow it to process data for a purpose other than the one for which the data was initially collected.
Concerning the territorial scope of the Regulation, the rapporteur supports the principle that the Regulation should apply wherever the data of European citizens or residents is processed, including where the DC is not established in Europe. This provision covers any company offering online services accessible to European consumers (social networks, search engines, geolocation services) where the data controller concerned is not established in Europe. This provision, whose legal effect is extraterritorial, is among the most significant for companies based outside the European Union.
Moreover, the rapporteur considers that access requests from foreign public authorities or courts concerning data processed in Europe should be granted only if they also have a legal basis in European law. This provision will become even more important with the growth of cloud computing and should make the execution of such access requests more complex and more rigorous.
The rapporteur considers that the portability right is a new condition of the former access right. The rapporteur believes that this is a means to increase competition in an area where natural monopolies based on the technical specificities of a network occur regularly.
As regards the right to be forgotten, the rapporteur considers that it shall be understood in the light of the right to rectification and to erasure it tries to clarify for the digital environment. This right to be forgotten, as above defined, may not be contrasted with the freedom of expression, and the rapporteur adds that the wording of the Regulation should be clearer and more explicit concerning this exception.
Concerning DPOs (data protection officers), there is consensus within the LIBE Committee that their appointment should be mandatory. There is also consensus that the threshold for mandatory appointment of a DPO should not be based solely on the number of employees, but should also reflect how relevant the obligation is to the nature of the processing operations contemplated; an appropriate measure of this relevance could be the number of individuals whose data is collected.
The rapporteur regards the introduction of data protection by design and by default as a major innovation of the draft Regulation. He notes that IT service providers and manufacturers need guidance and strong incentives to implement these principles. This approach, together with the necessary clarification of impact assessments, could strengthen the role of DPOs.
Finally, the rapporteur addresses the institutional and governance aspects of the Regulation. Concerning delegated acts, he states that, while he understands that the Commission wishes to safeguard the general interest of the Union, there is no support within the Parliament for pursuing that goal through the extensive use of delegated acts in favor of the Commission. The rapporteur believes that delegations to the Commission should be assessed according to three categories of delegated acts: a) delegated acts concerning the technical implementation of the Regulation should remain "as is" (e.g. the definition of PD breach notification forms); b) delegated acts concerning substantive issues that nonetheless require regular technical specification and updating (e.g. the notion of sensitive data) should also remain delegated, but be much more tightly framed by criteria set by the legislator; and c) delegated acts concerning the essential provisions of the Regulation (e.g. the definition of legitimate interest) should not be delegated at all and should be removed from the draft text; instead, the European legislator should itself be more precise.
In terms of timetable, the final draft report should be presented at the end of this year, followed by a period, running until the end of February 2013, during which Members of the Parliament may table their amendments. An indicative vote should take place in April 2013 and allow negotiations to begin between the Parliament and the Council, under the Irish presidency of the EU, for which adoption of the draft Regulation appears to be a priority. The timetable is therefore accelerating, but companies and their professional organizations may still bring their concerns and suggestions to the attention of the European Parliamentarians.