This past January 10th, the rapporteur of the draft Regulation on the protection of personal data, Mr. Jan Albrecht, presented his report and its main guidelines to the European Parliament’s LIBE Committee. This 230-pages document includes the rapporteur’s 350 amendments, which relate both to the recitals as well as to the articles of the future Regulation.
Given the degree of modifications proposed, which are right in line with the rapporteur’s guidelines provided in our October 19th, 2012 alert, this alert will concentrate on the most important modifications involving individual rights and companies’ obligations.
Broader territorial scope
When the data controller is not established in the territory of the European Union, Article 3 of the draft Regulation provides that its rules apply if the processing is related to “the offering of goods or services” involving data subjects residing in the Union’s territory (targeting criterion) or when the processing is related to their “behaviour”. The rapporteur proposed two modifications to these provisions, the first stating that free activities for providing goods or services are also affected, which may appear to be excessive, the second replacing the term “behaviour” by more broadly referring to “monitoring of such data subjects” (Amendments 82 and 83).
Toward a modulated consent?
In order to respond to some companies’ comments, and specifically companies working in Big Data, the rapporteur proposes encouraging use of “pseudonymisation and anonymisation”, but “without violating fundamental rights” and without reducing the scope of the notion of personal data. The rapporteurs defines a pseudonym in Article 4 (Amendment 85) as being comprised of “a unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject.”
The rapporteur explains what is of interest in this new provision in Amendment 105 on the obligations of data controllers. Indeed, the rules for obtaining consent would be: “where personal data are processed only in the form of pseudonyms, consent may be given by automated means using a technical standard with general validity in the Union” developed by the Commission. According to the rapporteur, this modification “allows for the use of standards such as ‘Do Not Track’, combined with an incentive to use only pseudonymous data bases.”
In addition, the rapporteur proposes to modify Article 10 of the draft Regulation in order to state that when the processed data do not permit the controller to identify or, “single out a natural person, or consist only of data relating to pseudonyms, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation” (Amendment 117).
This relative relaxation of Article 10 must not be analyzed as a manifestation of an intent to lessen the place and scope of the principle of consent, quite to the contrary. The rapporteur forcefully reaffirms that consent must “remain a cornerstone of the EU approach to data protection, since this is the best way for individuals to control data processing activities.”
Increasing information provided to individuals in case of profiling
Wishing to increase the information provided to individuals in order “to ensure an informed consent to profiling activities”, the rapporteur proposes to complete the information to be mandatorily provided to the interested individual by “information about the existence of profiling, of measures based on profiling, and of mechanisms to object to profiling" (Amendment 131).
A right to be forgotten “balanced” with the right to freedom of expression
In an Amendment (148) to Article 17, the rapporteur wishes to introduce into the legislation the fact that “any measures of erasure of published personal data shall respect the right to freedom of expression”. However, it should be emphasized that the draft already provides that the data controller is not required to erase if the storage of the data is “necessary […] for exercising the right of freedom of expression” (Article 17 §3(a)). The legal scope of this Amendment is therefore not all that obvious.
The legitimate interest of the data controller better framed
The wording of Article 6 of the draft Regulation provides that processing is lawful inter alia to the extent that it is “necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. Deeming this reference imprecise, the rapporteur wished to define and better frame the term legitimate interest. To this end, he first proposes for the data controller to inform the data subject, explicitly of the reasons, “for believing that its interests override the interests or fundamental rights and freedoms of the data subject.” Secondly, the rapporteur proposes a list of assumptions in which the legitimate interest of the controller overrides, as a rule, the data subject’s rights. These include, inter alia, processing taking place as a part of the right to freedom of expression, processing is necessary for the enforcement of the legal claims of the data controller or when the processing takes place in the context of professional business-to-business relationships (Amendments 100 and 101).
Conversely, the rapporteur provides cases in which the data subjects’ interests override the legitimate interests of the data controller. This includes, inter alia, processing “causes a serious risk of damage to the data subject”" (without any further details), involving “sensitive” data, data on location, biometric data or profiling (Amendment 102).
A restriction of possibilities for processing data for new purposes
According to the rapporteur, “purpose limitation is a core element of data protection, as it protects the data subjects from an unforeseeable extension of data processing”. The rapporteur states that, “[a] change of purpose of personal data after its collection should not be possible only on the basis of a legitimate interest of the data controller”. Accordingly, he removes this possibility as provided in Article 6 §4 of the legislation.
A new threshold for the obligation to designate a data protection officer (DPO)
The draft Regulation plans on making it mandatory to designate a DPO as of 250 employees. After having noted that, in the age of cloud computing, “very small controllers can process large amounts of data through online services", the rapporteur states that "the threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise”. He therefore proposes three criteria making such designation mandatory: the size of the processing, which must involve more than 500 individuals (Amendment 223), the type of processing, meaning profiling (Amendment 224) and the nature of data processed, here “sensitive” data (Amendment 225).
Regarding the DPO himself/herself, the rapporteur wishes him/her to be designated for four years, as opposed to two years in the initial draft, and that his/her duties can be performed on a part-time basis.
Terms of impact assessments provided
The rapporteur wishes to extend the obligation to carry out an impact assessment when, through the planned processing, “personal data are made accessible to a large number of persons or if high volumes of personal data about the data subject are processed or combined with other data” (Amendment 208). Although this amendment does not contain a written justification in the report, it could be construed as introducing an obligation to perform an impact assessment for all Big Data projects involving personal data, which would be an indirect but powerful incentive for using pseudonymized data.
Regarding the impact assessment itself, the rapporteur’s amendment (210) provides its outlines since it is supposed to contain “at least” a systematic description of the envisaged processing, its necessity and proportionality in relation to the purpose, measures envisaged to address the risks and “to minimize” the volume of data which is processed.
As regards the obligation to notify the supervisory authority of breaches of personal data, the rapporteur wishes to extend the time the data controller has to provide notification from 24 to 72 hours, which would appear to be more pragmatic. However, this amendment (45) is presented only in the recitals and not at all in the articles, which tends to undermine its normative scope. Lastly, in order to, “to prevent notification fatigue to data subjects” due to frequent notifications of breaches of their data, the rapporteur proposes that informing them be limited to cases where a data breach affects privacy, “for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation” (Amendment 201).
What are the next steps? On the 27th of February, the deadline given to all European MP’ to present their amendments to the draft regulation will expire. Then, the public debate in Parliament will be ready to start.