On 21 October 2013, the European Parliament took the next step towards stricter privacy rules by approving its Compromise Text of the proposed EU General Data Protection Regulation. In our previous article, we discussed 7 important amendments proposed by the European Parliament. In this article we discuss another 7 important amendments.
8 Pseudonymous data
A new definition, "pseudonymous data", has been introduced in the Compromise Text. Pseudonymous data are personal data that cannot be attributed to a specific individual without the use of additional data that are held strictly separately. The Compromise Text puts forward pseudonymisation as a privacy safeguard that must be taken into account. It is explicitly mentioned for the required data protection impact assessment and in relation to the duty to inform. Furthermore, for the lawful processing ground of legitimate interest an additional requirement is added: the processing must meet the reasonable expectations of the data subject. Here, the recitals add that if only pseudonymous data are processed, this should in principle be presumed to meet those reasonable expectations. In relation to profiling, additional recitals provide that profiling based solely on pseudonymous data should be presumed not to significantly affect the interests, rights or freedoms of the data subject, as long as the data controller cannot attribute the pseudonymous data to a specific data subject. This matters, because profiling that does have such an effect is subject to further conditions. The Compromise Text furthermore does not oblige controllers to process additional personal data for the sole purpose of complying with the Regulation. This exemption was introduced for data controllers processing data that did not permit them to identify a natural person, and is now explicitly extended to pseudonymous data.
9 Data subjects' rights
There is a new article summarising the different rights granted to data subjects (article 10a). In relation to these rights, other amendments are also put forward. Data controllers are given 40 calendar days (one month in the original proposal) to respond to data subjects' requests. MEPs encourage data controllers to give data subjects direct access to their personal data via a secure system, echoing the "mydata" movements.
10 Right to Erasure
Also noteworthy is the replacement of the proposed 'right to be forgotten' with the 'right to erasure', since the effectiveness of the former was highly doubtful. The right to be forgotten aimed to enable individuals to have their digital traces removed entirely from the internet. In the Compromise Text this stringent concept has been abandoned and replaced with the 'right to erasure', which is considered a less drastic obligation for the data controller. According to the LIBE Committee, any person would have the right to have his or her personal data erased on request. In that case, the data controller should also forward the request to third parties where the data have been replicated.
11 European Data Protection Board (EDPB)
The Compromise Text tones down the role and competences of the European Commission. Where the Commission was previously empowered to provide further (binding) guidance on the Regulation, this role is now largely attributed to the so-called European Data Protection Board (EDPB). The EDPB consists of the heads of the supervisory authorities of each Member State and of the European Data Protection Supervisor. Where the Commission retains the power to adopt delegated acts, it is obliged to first request the EDPB's opinion. Other powers of the Commission introduced by the initial proposal are deleted in the Compromise Text.
12 One-stop shop by a 'lead authority'
The one-stop shop, meaning a single competent authority for a data controller or processor in the EU, is clarified to be a 'lead authority'. It is also further specified that before taking certain measures, this lead authority must consult all other competent authorities, take the utmost account of their opinions, and endeavour to reach a consensus. The EDPB will be involved if a consensus cannot be reached and may issue a public opinion on the matter. Ultimately, the EDPB can even adopt a measure binding the supervisory authority.
13 European data protection seal
Where the original proposal merely encouraged certification mechanisms, under the Compromise Text controllers and processors have the right to request certification from the supervisory authority. This certification, the European Data Protection Seal, attests to compliant data processing. Authorities shall cooperate with each other and with the EDPB to achieve a harmonised mechanism. They may also engage accredited third-party auditors. A public register of valid and invalid certificates will be maintained to encourage certification. A valid European Data Protection Seal, for example, provides adequate safeguards for international data transfers, and a controller or processor holding such a seal will not be subject to fines unless the non-compliance is intentional or negligent.
For those breaking the rules, data protection authorities would have to impose at least one of the following penalties: (i) a written warning, in the event of less serious breaches; (ii) regular periodic data protection audits; or (iii) a fine of up to €100 million or 5% of the annual worldwide turnover of an enterprise, whichever is greater (the Commission proposed up to €1 million or 2%). When imposing these penalties, the data protection authorities would have to take into account factors such as the duration of the breach, its negligent or repetitive character, the willingness to cooperate and the amount of damage done.
Make Privacy an Agenda Item
Although the Regulation is not expected to enter into force before 2016 or even 2017, businesses would do well to shape their privacy practices in line with it now. The prospect of a penalty of 5% of global annual turnover is bound to make privacy a board-level item.