Data Protection: ITRE Opinion

From La Quadrature du Net

ITRE is the European Parliament committee on Industry, Research and Energy issues.

On 20 February 2013, it issued an opinion on the Proposal for a Data Protection Regulation, intended to assist the LIBE committee in drafting its own report.

You can find a detailed list of its members on Memopol or visit its official website.


Its opinion proposes many amendments that would severely weaken personal data protection. This page lists and analyses the most dangerous of them.

Consent

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 82

Article 4 - Definitions
  • (8) ‘the data subject's consent’ means any freely given specific, informed and explicit unambiguous indication of his or her wishes by which the data subject , either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Silence or inactivity does not in itself indicate consent ;

If consent no longer has to be explicit, data subjects might give it through a 'passive action', that is, by not opposing the processing of their data. This amendment only requires consent to be 'unambiguous': mere 'silence or inactivity does not in itself indicate consent', but it does when it occurs in a specific context, one in which data subjects can understand the consequences of their silence or inactivity.

That is the current state of the law, and it has proved not to fit the information society at all. Users are losing trust in Internet services, as many websites collect their personal data without explicitly warning them about it. They merely state that they collect such data on some remote page of their site, and that is not nearly enough to regain users' trust: users must have full control over the processing of their own data.

Pseudonymous data

Amendment 77

Article 4 - Definitions
  • (2a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;

Amendment 101

Article 6 - Lawfulness of processing
  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • (fa) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19 (3a).

These two amendments provide that data which are not directly collected or processed together with the data subject's name may be collected or processed without the data subject's consent, even though these data are tied to a unique identifier, which may be linked to the data subject's name in another dataset, or may otherwise be easily linked back to the data subject, as studies on recent re-identification advances show.
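To make the linkage risk concrete, here is an added Python example (not code from this page or from La Quadrature du Net; the datasets, keys and the HMAC-based tokenisation scheme are all constructed assumptions). It replaces a direct identifier with a keyed token, then shows that two datasets tokenised under the same key join straight back together, giving the 'pseudonymous' browsing events a name without anyone reversing the token, whereas a key kept apart per dataset, one form of the 'separate and distinct technical and organisational controls' the amendment refers to, prevents the join.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample data, not taken from the page: browsing events that a
# controller wants to treat as "pseudonymous", and a separate customer file
# that still carries names.
CUSTOMERS = [
    {"email": "alice@example.org", "name": "Alice"},
    {"email": "bob@example.org", "name": "Bob"},
]
EVENTS = [
    {"email": "alice@example.org", "page": "/health/clinic"},
    {"email": "bob@example.org", "page": "/jobs"},
    {"email": "alice@example.org", "page": "/loans"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed token (HMAC-SHA-256, truncated).

    The key is the 'additional data' in the amendment's wording: anyone who
    holds it can regenerate the same token from the same identifier.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymise(records: list[dict], field: str, key: bytes) -> list[dict]:
    """Return copies of `records` with `field` removed and a `token` added."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["token"] = pseudonym(rec.pop(field), key)
        out.append(rec)
    return out


def link(pseudo_events: list[dict], pseudo_customers: list[dict]) -> list[tuple]:
    """Join the two datasets on the shared token.

    When both were tokenised under the same key this is exactly the
    re-identification the page warns about: each event gets a name back,
    even though nobody ever 'decrypted' a token.
    """
    names = {c["token"]: c["name"] for c in pseudo_customers}
    return [(names.get(e["token"]), e["page"]) for e in pseudo_events]


def relinked_fraction(events_key: bytes, customers_key: bytes) -> float:
    """Fraction of events that can be tied back to a named customer."""
    joined = link(
        pseudonymise(EVENTS, "email", events_key),
        pseudonymise(CUSTOMERS, "email", customers_key),
    )
    return sum(1 for name, _ in joined if name is not None) / len(joined)


if __name__ == "__main__":
    shared = b"constructed-demo-key"
    # Same key on both datasets: every event is re-linked to a person.
    print("same key on both datasets:", relinked_fraction(shared, shared))
    # Key held apart per dataset: the tokens no longer match, so nothing links.
    print("key kept apart per dataset:", relinked_fraction(shared, b"other-key"))
```

Run the file directly to see the two fractions. The point is that the label 'pseudonymous' says nothing about risk by itself: the same stable identifier, however it is encoded, links records across every dataset that carries it, and only controls on the key or mapping table that produces it keep the records from being resolved to a person.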

Exceptions to consent

Amendment 100

Article 6 - Lawfulness of processing
  • (f) processing is necessary for the purposes of the legitimate interests pursued by, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This The interest or fundamental rights and freedoms of the data subject shall not apply to over-ride processing carried out by public authorities in the performance of their tasks or enterprises in the exercise of their legal obligations, and in order to safeguard against fraudulent behaviour.

The third party's legitimate interest exception was already provided for by the 1995 Directive. The Proposal withdrew this exception, as it does not fit the new context of the Internet, where controllers trade thousands of personal data with hundreds of companies every day.

This exception would bring unacceptable uncertainty by allowing the "legitimate interest" of any one of these many companies to override data subjects' right to privacy. The "legitimate interest" concept is in itself far too vague and undefined, and left to the interpretation of judges, whereas privacy should be entirely, precisely and directly protected by the Regulation.

Similar amendments have been adopted in the IMCO (amendment 70) and JURI (amendment 47) committees.

Amendment 102

(fb) the data are collected from public registers, lists or documents accessible by everyone;

This exception would be acceptable if it only concerned information that data subjects have explicitly chosen to make public under their own name, such as a curriculum vitae published on a professional network.

In other cases, such as messages published on an ordinary social network or under a pseudonym, data subjects may not want anyone to be able to link that information back to them.

In fact, this amendment would by itself allow any information data subjects have published under a pseudonym to be processed, and its author identified, without their consent.

Data subjects' rights

Amendment 134

Article 12 - Procedures and mechanisms for exercising the rights of the data subject
  • 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of owing to their high volume, complexity or their repetitive character, the controller may charge a an appropriate, not for profit, fee for providing the information or taking the action requested, or the controller may not decline to take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

This amendment would allow controllers to charge users who ask for information about their personal data (which of their data are processed, for what purpose, who can access them and for how long they will be stored), who ask for the rectification or erasure of these data, or who object to their processing, whenever these requests are 'excessively complex'. Thus, whenever controllers decide that a request is too complex for them, users would have to pay to know and control who knows what about them.

An identical amendment has been adopted in JURI (amendment 64).

Profiling

Amendment 181

Article 20 - Measures based on profiling
  • 1. Every natural person A data subject shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly adversely affects this natural person, and data subject, both offline and online which is based solely on automated processing of data intended to evaluate certain personal aspects relating to a this natural person data subject or to analyse or predict in particular the natural person's data subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

Amendments 184 to 188 & 191

Article 20 - Measures based on profiling
  • 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
    • (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
    • (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
    • (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.
    • (aa) is based on pseudonymous data;
    • (ab) is based on the legitimate interests pursued by the data controller;
    • ...
    • (cc) is necessary to protect the rights available to other data subjects, for example for the purposes of detecting fraud, or for the purposes of detecting irregularities or other illegal activity according to Union law or Member State law;

This set of amendments provides that data subjects' consent is no longer required to take a decision which will affect them and which is based solely on profiling. Instead, profiling is authorised when based on either of the two fallacious grounds of pseudonymous data and legitimate interest.

Similar amendments have been adopted in JURI (amendments 86-87).

Amendment 193

Article 20 - Measures based on profiling
  • 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.

This amendment provides that one may take a decision based only on 'race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions'.

Data breach

Amendment 245

Article 31 - Notification of a personal data breach to the supervisory authority
  • 1. In the case of a personal data breach the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the relating to special categories of personal data, personal data which are subject to professional secrecy, personal data relating to criminal offences or to the suspicion of a criminal act or personal data relating to bank or credit card accounts, which seriously threaten the rights or legitimate interests of the data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

This amendment would let companies decide whether a security breach should be notified to the supervisory authority, depending on how they assess the nature and degree of its impact. But as long as such an incident harms a company's reputation, we cannot rely on companies to spontaneously notify every important breach. Controllers should therefore notify each of them.

Similar amendments have been adopted in IMCO (amendments 162 & 169) and JURI (amendment 111).

Amendment 255

Article 32a - Communication of a personal data breach to other organisations
  • A controller that communicates a personal data breach to a data subject pursuant to Article 32 may notify another organisation, a government institution or a part of a government institution of the personal data breach if that organisation, government institution or part of a government institution may be able to reduce the risk of harm that could result from it or mitigate that harm. Such notifications may be done without informing the data subject if the disclosure is made solely for the purposes of reducing the risk of harm to the data subject that could result from the breach or mitigating that harm.

In case of a data breach, the people best placed to reduce the risk of harm to data subjects are data subjects themselves. This amendment deprives users of control over their data and proposes a weak alternative, notification to a 'government institution', which may become a simple way out for companies.

Transfer to third countries

Amendments 267 & 268

Article 34 - Prior authorisation and prior consultation
  • 1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.

Amendments 308 & 309

Article 42 - Transfers by way of appropriate safeguards
  • 4 Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the competent supervisory authority for transfers according to this Article. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the competent supervisory authority shall apply the consistency mechanism referred to in Article 57.


  • 4a. A controller or processor may choose to base transfers on standard data protection clauses as referred to in points (b) and (c) of paragraph 2, and to offer in addition to these standard clauses supplemental, legally binding commitments that apply to transferred data. In such cases, these additional commitments shall be subject to prior consultation with the competent supervisory authority and shall supplement and not contradict, directly or indirectly, the standard clauses. Member States, supervisory authorities and the Commission shall encourage the use of supplemental and legally binding commitments by offering a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these heightened safeguards.

The Proposal provides that a supervisory authority must give its authorisation before personal data may be transferred to a third country where the only safeguards for the transfer are set by contractual clauses. These amendments remove this requirement: controllers would be free to transfer the data they have collected to any country, and would merely be rewarded with a seal when they can provide sufficient safeguards.

Rapporteur's justification: Procedures requiring prior authorisation are costly and time-consuming for the controller, and their added value compared to a system of prior notification can be questioned from the point of view of data protection. Prior notifications, which would give the supervising authority the possibility to react and act, are sufficient and also provide for a user-friendly data protection procedure.


Amendment 318

Article 44
  • 1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
    • ...
    • (h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.

Supervisory authorities

Amendment 87

Article 4 - Definitions
  • (13a) 'competent supervisory authority' means the supervisory authority which shall be solely competent for the supervision of a controller in accordance with Articles 51(2),(3) and (4);

Amendment 240

Article 29 - Co-operation with the supervisory authority
  • 2a. Where the controller and the processor are established in several Member States for the purposes of the full or partial management of data, they shall be given the opportunity to designate their main establishment.

Amendment 323

Article 46 - Supervisory authority
  • 3a. Each supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6). Supervisory authorities may only issue sanctions for controllers or processors with their main establishment within the same Member State or, in coordination with Articles 56 and 57 if the supervisory authority of the main establishment fails to take action.

Amendment 327

Article 51 - Competence
  • 2a. Where this Regulation applies by virtue of Article 3(2), the competent supervisory authority shall be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.

Amendment 366

Article 79 - Administrative sanctions
  • 1. Each The competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.

This set of new amendments would mean that only one supervisory authority may fine multinational companies, and would allow these companies to choose precisely which one it would be.

Even if the Regulation harmonises every European national law and gives supervisory authorities effective ways to coordinate their actions, there will still be a strong risk that some authorities will be less inclined than others to issue truly dissuasive fines. It is for this single, precise reason that multinational companies want to be able to choose which authority will supervise their activity, and that is what the ITRE committee gave them.

Complaints

Amendment 360

Article 73 - Right to lodge a complaint with a supervisory authority
  • 2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects from among its membership if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data and it has minimum funding of EUR 80 000 and representative membership with a corresponding membership structure.

Amendment 362

Article 76 - Common rules for court proceedings
  • 1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 on behalf of one or more data subjects. Claims according to Article 77 may not be exercised by bodies, organisations or associations within the meaning of Article 73(2).

These amendments would considerably reduce the right of data subjects to be represented by an organisation in proceedings aimed at defending their fundamental right to privacy: they could not be represented at all when bringing proceedings for compensation, nor be represented in any proceedings unless they are members of an association with EUR 80 000 in funding.

Similar amendments have been adopted in IMCO (amendments 198 & 200) and JURI (amendments 170, 172 & 174).

Sanctions

Amendments 370 to 397

Article 79 - Administrative sanctions
  • 3. The supervisory authority may give a written warning without imposing a sanction. The supervisory authority may impose a fine of up to EUR 1 000 000 for repeated, deliberate breaches or, in the case of a company, of up to 1% of its annual worldwide turnover.
  • 3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:
    • (a) a natural person is processing personal data without a commercial interest; or
    • (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
  • 4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
    • (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2);
    • (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).
  • 5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
    • (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;
    • (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13;
    • (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;
    • (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18;
    • (e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;
    • (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3);
    • (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.
  • 6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
    • (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8;
    • (b) processes special categories of data in violation of Articles 9 and 81;
    • (c) does not comply with an objection or the requirement pursuant to Article 19;
    • (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;
    • (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;
    • (f) does not designate a representative pursuant to Article 25;
    • (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27;
    • (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;
    • (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;
    • (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37;
    • (k) misuses a data protection seal or mark in the meaning of Article 39;
    • (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44;
    • (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1);
    • (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2);
    • (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.

These amendments state that only repeated and deliberate breaches of the Regulation may lead to a fine, whereas the Proposal currently provides that fines may be imposed on anyone who breaks the Regulation, even for a single, negligent breach.

Thus, these amendments drastically and unnecessarily lower the standards companies must meet in order not to be fined. They may actually prevent supervisory authorities from issuing any sanction at all, as the authorities may fail to establish a company's actual intention to break the Regulation.

Similar amendments have been adopted in IMCO (amendments 208-210) and JURI (amendments 176, 178 & 180).