Data protection: JURI shortlist
This page reproduces and completes EDRi's analysis of the JURI Committee's amendments to reject and to support.
Amendments to reject
Amendment 114 - Consent
Proposed by Sajjad Karim (ECR)
Article 4 - Definitions
- Commission text: (8) ‘the data subject's consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
- Amended text: (8) ‘the data subject's consent’ means any form of statement or conduct by the data subject indicating assent to the data processing proposed. Silence or inactivity does not in itself indicate acceptance;
EDRi's analysis: The definition of "consent" should not be changed. Allowing implicit consent will lead to a 'race to the bottom', allowing consent to be given through pre-ticked boxes or as part of general terms and conditions.
Amendments 63-66 - Sanctions
Proposed by Rapporteure Marielle Gallo (EPP)
Article 79 - Administrative sanctions
- Commission text: 4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently: ... 5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently: ... 6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently: ...
- Amended text: 3. The supervisory authority may give a written warning without imposing a sanction. The supervisory authority may impose a fine of up to EUR 1 000 000 for repeated, deliberate breaches or, in the case of a company, of up to 2 % of its annual worldwide turnover.
Our analysis: these amendments state that only repeated and deliberate breaches of the Regulation may lead to a fine, while the proposed Regulation currently provides that fines may be imposed on anyone who breaks the Regulation, even for a single and negligent breach. Thus, these amendments drastically lower the standards companies must meet in order not to be fined. Moreover, these amendments may actually prevent most sanctions from being imposed at all, as supervisory authorities would not be able to establish a company's actual intention to break the Regulation.
Amendments 108-109-111 & 140 - Pseudonymous data
Rapporteur Marielle Gallo (EPP), Sajjad Karim (ECR) and Klaus-Heiner Lehne (EPP) proposed three identical amendments, which are a verbatim copy of an amendment proposed by both the American Chamber of Commerce (see page 11) and EuroISPA, the 'world's largest association of Internet Services Providers' (see page 2).
Article 4 - Definitions
- (3a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;
Amendment 140
Proposed by Sajjad Karim (ECR)
Article 6 - Lawfulness of processing
- 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
- ...
- (fb) only pseudonymous data is processed.
Analysis: Together, these two amendments provide that data which are not directly collected or processed together with the data subject's name may be collected or processed without the data subject's consent, even if these data are tied to a unique identifier or may afterwards be easily linked to the data subject.
Amendment 219 & 227 - Profiling
Amendment 219 proposed by Sajjad Karim (ECR)
Article 20 - Measures based on profiling
- Commission text: 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
- Amended text: 1. A data subject shall not be subject to a decision which is unfair or discriminatory, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this data subject.
Analysis: The Proposal strongly regulates profiling measures, as such measures are inherently bound to lead to unfair and discriminatory decisions. This amendment proposes to withdraw every safeguard the Proposal set, leaving companies free to profile citizens as long as none of their decisions is brought to court.
Amendment 227, proposed by Klaus-Heiner Lehne (EPP)
- 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
- ...
- Commission text: (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.
- Amended text: (c) is lawful pursuant to Article 6(1) (a) to (f) of this regulation.
Analysis: The Regulation currently provides three limited cases where profiling is authorised: under a contract, when authorised by a specific law and when the data subject consents. This amendment adds to these exceptions those of Article 6, which include the dangerously vague one of the "controller's legitimate interest" and the one of "public interest", which would grant the public sector wide discretion to engage in profiling.
Amendment 296 - Consumer organisation
Proposed by Klaus-Heiner Lehne (EPP)
Article 76 - Common rules for court proceedings
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.
Analysis: The current proposal provides that organisations which aim to protect data subjects' rights concerning the protection of their personal data have the right, on their behalf, to lodge a complaint with a supervisory authority or to seek a judicial remedy against any supervisory authority, controller or processor. This amendment proposes to remove organisations' capacity to seek remedies on behalf of data subjects.
Amendment 24 - Legitimate interest
Proposed by Rapporteure Marielle Gallo (EPP)
Article 6 - Lawfulness of processing
- 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
- ...
- f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party or third parties to whom the data are communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
EDRi's analysis: This formulation decreases citizens' control over their personal data, as data may be used by (unknown) third parties without citizens' consent.
Amendment 144 - Purpose limitation
Proposed by Klaus-Heiner Lehne (EPP)
Article 5 - Principles relating to personal data processing
- Personal data must be:
- (a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
- (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- ...
Article 6 - Lawfulness of processing
- 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
- ...
- f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
- ...
- 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (f) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract. (Commission text: points (a) to (e) of paragraph 1.)
Our analysis: A data subject may only accept that his data be collected for a specified and specific purpose. Thus, these data cannot be processed in a way incompatible with this purpose, except in five limited cases: new consent is given, the data subject is party to a contract which requires this processing, his vital interests are at stake or public interest demands this processing. This amendment extends these narrow exceptions to the broad and dangerously vague concept of legitimate interest.
EDRi's analysis: This amendment weakens the principle of purpose limitation (see Article 5 (b)) by allowing the use of personal data for unrelated and incompatible purposes. Purpose limitation, as one of the main pillars of data protection, should not be weakened.
Amendment 48 - Data breach
Proposed by Rapporteure Marielle Gallo (EPP)
Article 31 - Notification of a personal data breach to the supervisory authority
- Commission text: 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
- Amended text: 1. In the case of a personal data breach which has a considerable effect on the data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority.
Gallo's justification: In the event of a breach, the controller must initially concentrate on putting into practice all appropriate measures to prevent it continuing. An obligation to notify the competent supervisory authority within 24 hours together with sanctions for failing to do so might have the opposite effect. In addition, as the Article 29 Working Party stated in its opinion of 23 March 2012, notification must not concern minor breaches, as otherwise the supervisory authorities would be over-burdened.
Amendment 259 - Processor
Proposed by Sajjad Karim (ECR)
Article 26 - Processor
- 1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.
This amendment is a verbatim copy of one of the amendments proposed by Amazon to the JURI Committee's MEPs (amendment 34, page 17).
Analysis: This amendment provides that a controller may ask any company to collect and process personal data on its behalf regardless of the diligence and security guarantees offered by this company, except where the processed data can reasonably permit the identification of the data subject. But this criterion is excessively vague and may result in controllers never evaluating at all the processors they hire. Moreover, this amendment also states that controllers may only be responsible for their own activities, no matter what their processor does.
Amendment 36 - Right to data portability
Proposed by Rapporteure Marielle Gallo (EPP)
Article 18 - Right to data portability
- 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
- 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
- 3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
EDRi's analysis: This amendment suggests the deletion of the right to data portability. The JURI Committee should follow the ITRE vote and adopt the right to port your data in interoperable formats.
Amendments to support
Amendment 107 - Personal data definition
Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group
Article 4 - Definition
- (1) ‘data subject’ means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number or other unique identifier, location data, online identifier or to one or more factors specific to the gender, physical, physiological, genetic, mental, economic, cultural or social identity or sexual orientation of that person;
EDRi's analysis: This amendment improves the Commission wording by pointing out that being able to "single out" a person is enough for the data to be considered personal data.
Amendment 135 - Legitimate interest
Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group
Article 6 - Lawfulness of processing
- 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
- ...
- (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
EDRi's analysis: Given the slippery nature of the concept of "legitimate interest", it would be best to remove this ground for processing, or at least additional safeguards should be put in place to allow this clause only as a measure of last resort when no other legal ground for data processing exists. It should also be justified and communicated to the public before it is used.
Amendment 211 - Data portability
Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group
Article 18 - Right to data portability
- 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic, interoperable and structured format which is commonly used and allows for further use by the data subject.
EDRi's analysis: This improves the right to data portability. Requiring interoperable formats prevents controllers from providing data in formats that would create a “lock-in effect” or even tie users to possibly expensive proprietary formats.
Amendment 221 - Profiling
Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group
Article 20 - Measures based on profiling
- 1. Every natural person shall have the right, both off-line and online, not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
EDRi's analysis: This amendment clarifies that profiling of citizens should be properly regulated, both on- and offline.
Amendments 223-225 - Profiling
Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group
Article 20 - Measures based on profiling
- Commission text: 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing: (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
- Amended text: 2. Subject to the other provisions of this Regulation, including paragraphs (3) and (4), a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing: (a) is necessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, including the right to be provided with meaningful information about the logic used in the profiling, and the right to obtain human intervention, including an explanation of the decision reached after such intervention; or (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests, and which protects the data subjects against possible discrimination resulting from measures described in paragraph 1; or
EDRi's analysis: These amendments improve the Commission's proposal by providing better safeguards regarding profiling.
Amendment 345 - Transfers to third countries
Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group
Article 44 - Disclosures not authorised by Union law
- 1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.
- 2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with point (d) of Article 34(1).
- 3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 44.
- 4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority.
- 5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
EDRi's analysis: This amendment provides good additional protection against third countries that wish to enforce their laws against European citizens.