The European Parliament has published a study aimed at providing advice on priority measures to ensure that the Proposed Data Protection Regulation, presented by the European Commission (EC) earlier this year, is more comprehensive in relation to data protection and more protective of consumers’ privacy rights.
The European Parliament supports various new rights, namely the right to be forgotten, the right of portability, and the right against profiling, and commends the EC’s proposal to create a level playing field across the EU through inclusion of a ‘one-stop-shop’ principle. This principle involves a single data-protection authority based on an organisation’s main location, the applicability of data protection laws extraterritorially for businesses active in, but based outside, the EU, and the general principle of accountability.
The European Parliament believes, however, that globalisation and the advent of new technologies still needs to be fully addressed. The proliferation of geo-location services, smart metering, face recognition technologies, social networking services, online gaming, and RFID technologies, has meant that companies and governments are often processing personal data without data subjects being aware of the impact of these activities.
While the European Parliament supports the refined definition of consent, the study recommends that a variety of online identifiers, such as IP addresses or cookies, should be specifically qualified, and situations illustrated where they should be treated as personal data. The study also recommended that the proposed Regulation should encourage anonymisation, especially for the processing of sensitive data. Further, the European Parliament would like to see the scope of what constitutes a data controller limited to organisations that determine the “purposes” of data processing, rather than the “conditions”, as well.
The European Parliament sees international data transfers as a key area requiring improvement, especially in the context of cloud computing. The study calls for a greater emphasis on risk assessment prior to transferring data with more emphasis on accountability, and suggests the development of an accreditation system or the dedicated Cloud Safe Harbour Programme, as well as self-regulatory industry standards.