Data protection regulation 12 march 2014

De La Quadrature du Net

The European Union Regulation proposal on Personal Data Protection was published by the European Commission on 25 January 2015, on a proposal from Viviane Reding, Commissioner for Fundamental Rights. This Regulation was adopted at first reading on 12 March 2014 by the European Parliament [1] [2]. A directive [3] was also proposed to complete the Regulation. This text aims at preventing, detecting, or pursuing criminal offences and applying the corresponding sentence. The Council of the European Union (also called Council of Ministers) tabled an amended text, and hence negotiations are set to proceed under the conciliation procedure (also called "trialogue"), which would gather around the table representatives from the European Commission, the European Parliament and the Council of the EU.

This "legislative package" aims at updating European legislation on personal data protection, in order to adapt them to societal developments associated with the new technologies. Directive 95/46/CE [4] on the protection of individuals with regard to the processing of personal data and on the free movement of such data was indeed lacking, particularly regarding data protection on the Internet. The new text makes fundamental changes with direct consequences for Internet users:

Consent of the data subject

Article 6.1 of the Regulation states that the data subject must give consent before the processing of their personal data. This would be the case, for example, while registering with a social network (Facebook, Twitter…) where the user agrees that the company processes their data. As such, consent given by the data subject must be "free, specific, informed and explicit" (article 4.8). The user has the right to withdraw consent as simply as it was given. However, the need for consent is not absolute, as it can be bypassed if the data processing party has a "legitimate interest". This exception is a dangerous flaw, considering that "a legitimate interest" is a too broad concept and is not specifically defined in the Regulation.

Rights of the data subject

The last version adopted by the European Parliament includes a new article on data protection for users (refered to as "data subject") (article 10bis §2).

This article opens up a possibility for punishing profiling. Profiling is defined as automated data processing that allows for evaluation of "certain personal characteristics specific to a natural person, or for forecasting their professional capacity, their economic situation, location, health, personal preferences, reliability or behaviour" (article 4§3 bis). Profiling can be a very powerful tool for States or companies that are granted access to this data. As such, a private company could make use of profiling in order to learn about an individual's consumption habits in order to further target marketing activities. Profiling is also of interest to States for public security reasons, as it allows them to monitor a person or a group of people using their data, in order to know their lifestyles, residence and movement, as well as activities and cross border contacts. Profiling must be forbidden if discriminatory, as it would be, for example, if based on ethnic origin or the user's opinion.

The new text removes the right to data portability, that is to say, the possibility for the internet user to ask for the transfer of their personal data toward a new service provider (think about the portability of telephone numbers). The article proposed by the European Commission and removed by the European Parliament allowed for system and platform interoperability to facilitate data portability. Interoperability refers to the ability of a computer system to operate with other systems or platforms, without access or implementation restrictions. This is a necessary condition for portability, as it establishes the possibility to transfer data from a system to another, or to share it between several systems.

By contrast, Internet users do have the right to information. In particular, information relating to the data retention period and their end-use must be available. The user must also be aware of the identity of the data processing party, and be informed if the user's data is relayed to commercial third parties.

The Regulation also refers to the right to delete personal data under specific conditions (detailed under article 17). As such, an individual can ask for his data to be removed when their use no longer matches the initial agreement, or when the user does not consent to their use anymore. The new version of the text adds that the right to deletion is possible after decision from a court or a statutory authority established within the Union, as well as in the case when data have been illegally processed. Nonetheless, this right should not infringe the right to freedom of expression.

The notion of pseudonymised data

The report introduced the idea of "pseudonymised data", used for scientific research, which would not be subject to the user's consent. As such, data processing for scientific use would be accepted, and data would be pseudonymised when anonymisation is not possible (article 81 2bis). The term "pseudonymised" is not without implications. On one hand, "anonymised" data should not allow for separation and identification of an individual. On the other hand, "pseudonymised" data would still relate to an identifiable individual, because the connection remains between the pseudonym and identification data (name, surname, address…) available to the organisation that collects said data. Hence, it would still be possible to identify the internet user.

The obligations of the one responsible for treating guaranteed protected data

The processing party must ensure the protection of the concerned person's data, through three main obligations:

  • Obligation of documentation of the processing carried out (article 28). This documentation should be available to consult at any moment by the national control authority, failing which penalties will be applied.
  • Obligation to conduct an impact assessment on risk processing (article 32 bis). The impact assessment must be systematic in the case where data processing could raise specific risks for the rights and freedoms of individuals (e.g. sensible data, wide-ranging files concerning children, genetic data, biometrics).
  • Obligation to ensure the security of the data processing, thus guaranteeing confidentiality, and the data subject's integrity.

Heavy Financial Penalty

If the data processing party, especially companies, do not respect this text, they are subject to heavy financial penalties, of around 5% of their global sales revenue.

References

  1. Procedural note 2012/0010 (COD)
  2. Texte du Règlement, version du 12 mars 214
  3. Procedural note 2012/0010 (COD)
  4. Texte de la directive 95/46/CE