Data Protection: ITRE Opinion : Différence entre versions

De La Quadrature du Net
Aller à la navigationAller à la recherche
(Supervisory authorities)
(Profiling)
Ligne 99 : Ligne 99 :
 
{{lawbox|title=Amendment 181|=
 
{{lawbox|title=Amendment 181|=
  
Article 20
+
'''Article 20''' - Measures based on profiling
  
1. <s>Every natural person</s> '''A data subject''' shall have the right not to be subject to a measure which <s>produces legal effects concerning this natural person or significantly</s> '''adversely''' affects this <s>natural person, and</s> '''data subject, both offline and online''' which is based solely on automated processing '''of data''' intended to evaluate certain personal aspects relating to a <s>this natural person</s> '''data subject''' or to analyse or predict in particular the <,atural person's</s> '''data subject's''' performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
+
1. <s>Every natural person</s> '''A data subject''' shall have the right not to be subject to a measure which <s>produces legal effects concerning this natural person or significantly</s> '''adversely''' affects this <s>natural person, and</s> '''data subject, both offline and online''' which is based solely on automated processing '''of data''' intended to evaluate certain personal aspects relating to a <s>this natural person</s> '''data subject''' or to analyse or predict in particular the <s>natural person's</s> '''data subject's''' performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
 
}}
 
}}
  
{{lawbox|title=Amendment 184|=
+
{{lawbox|title=Amendment 186, 187 & 188|=
  
Article 20
+
'''Article 20''' - Measures based on profiling
  
2.
+
*2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
'''(aa) is based on pseudonymous data;'''
+
**<s>(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or</s>
 +
**<s>(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or</s>
 +
**<s>(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.</s>
 
}}
 
}}
  
{{lawbox|title=Amendment 185|=
+
{{lawbox|title=Amendment 184, 184 & 191|=
  
'''(ab) is based on the legitimate interests pursued by the data controller;'''
+
'''Article 20''' - Measures based on profiling
 +
 
 +
*2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
 +
**'''(aa) is based on pseudonymous data;'''
 +
**'''(ab) is based on the legitimate interests pursued by the data controller;'''
 +
**'''(cc) is necessary to protect the rights available to other data subjects, for example for the purposes of detecting fraud, or for the purposes of detecting irregularities or other illegal activity according to Union law or Member State law;'''
 
}}
 
}}
  
{{lawbox|title=Amendment 190 |=
+
This set of amendments provides that the data subject's consent is not required any more to take a decision based on profiling which will affect him. In lieu, profiling is authorised when based on one of the both fallacious grounds of pseudonymous data and legitimate interest.
 
 
(cb) is limited to pseudonymised data. Such pseudonymised data must not be collated with data on the bearer of the pseudonym. Article 19 (3a) shall apply correspondingly;
 
}}
 
  
 
{{lawbox|title=Amendment 193|=
 
{{lawbox|title=Amendment 193|=
 +
'''Article 20''' - Measures based on profiling
  
<s>3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.</s>
+
*<s>3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.</s>
 
}}
 
}}
 +
 +
This amendment provides that one may take a decision based only on 'race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions'.
  
 
=Data breach=
 
=Data breach=

Version du 3 avril 2013 à 17:49


ITRE is the European Parliament committee on Industry, Research and Energy issues.

On 20 February 2013, it issued an opinion on the Proposal for a Data Protection Regulation aimed to assist LIBE committee in the drafting of its own report.

You can find a detailed list of its members on Memopol or visit its official website.


Its opinion proposes many amendment which would severely weaken personal data protection. This page lists and analyses the most dangerous of them.

Consent

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 82

Article 4 - Definitions
  • (8) ‘the data subject's consent’ means any freely given specific, informed and explicit unambiguous indication of his or her wishes by which the data subject , either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Silence or inactivity does not in itself indicate consent ;

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

If the required consent must not be explicit, data subjects might give it by a 'passive action' - by not opposing to the process of their data. This amendment only proposes that consent must be 'unambiguous': that mere 'silence or inactivity does not in itself indicate consent' but does when occurring in a specific context - when data subjects can understand the consequences of their silence or inactivity.

That is the current state of the law. And it has showed not to fit anymore the information society at all. Users are loosing trust in Internet services as many websites are collecting their personal data without explicitly warn them about it. They are only stating they collect such data on a distant page of their site and it is not enough at all to regain users' trust: users must have entire control on the processing of their own data.

Pseudonymous data

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 77

Article 4 - Definitions
  • (2a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 101

Article 6 - Lawfulness of processing
  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • (fa) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19 (3a).

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

These two amendments provide that data which are not directly collected or processed together with the data subject's name may be collected or processed without the data subject's consent, even though these data are tied to an unique identifier - which may be linked to the data subject's name in another dataset - or may otherwise be easilly linked back to the data subject, as sudies on recent re-identification advances show.

Purpose limitation

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 95

Article 6 - Lawfulness of processing
  • 1.Processing of personal data shall be lawful only if and to the extent that at least one

of the following applies:

    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

The initial Proposal provided that consent must be given for each processing's purpose. Thus, data subjects might exactly control where their data will go and what for. This amendment proposes that users give their consent once for all, no matter the purpose for which or the number of time their data will be processed. Once users have give their consent, controllers are free to collect, process and transfer any personal data to any ends. Data subjects would only be informed of these processing and might object to them afterwards.

Exceptions to consent

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 100

Article 6 - Lawfulness of processing
  • (f) processing is necessary for the purposes of the legitimate interests pursued by, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This The interest or fundamental rights and freedoms of the data subject shall not apply to over-ride processing carried out by public authorities in the performance of their tasks or enterprises in the exercise of their legal obligations, and in order to safeguard against fraudulent behaviour.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

The third party's legitimate interest exception was already provided by the 1995 Directive. The proposal goes back on this exception as it does not fit the new context of the Internet where controllers are trading thousands of personal data with hundreds of companies every day.

This exception would bring an unacceptable uncertainty by allowing the "legitimate interest" of one of these many companies to overridden data subjects' right to privacy, the "legitimate interest" concept being in itself way too vague, undefined and let to the interpretation of the judges, when privacy should be entirely, precisely and directly protected by the Regulation.

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 102

(fb) the data are collected from public registers, lists or documents accessible by everyone;

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

This exception would be acceptable if it only concerned information that data subjects have explicitly decided to make publicly known to be linked to them - such as curriculum vitae published on professional network, for instance.

In other cases, such as messages published on common social network or under a pseudonyme, data subjects may not want that anyone can link these information back to them.

Actually, this amendment would allow by itself to process and identify without the data subjects' consent any information they have published using a pseudonyme.

Data subjects' rights

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 134

Article 12
  • 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of owing to their high volume, complexity or their repetitive character, the controller may charge a an appropriate, not for profit, fee for providing the information or taking the action requested, or the controller may not decline to take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

This amendment would allow controllers to charge users who would ask information on their personal data - what of their data are processed, for what purpose, who can access to them and for how long will they be stored ? -, who would ask for the rectification or the erasure of these data or who would object to their processing where these requests would be 'excessively complex'. Thus, whenever controllers would decide that it would be too complex for them, users would have to pay to know and control who knows what about them.

Profiling

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 181

Article 20 - Measures based on profiling 1. Every natural person A data subject shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly adversely affects this natural person, and data subject, both offline and online which is based solely on automated processing of data intended to evaluate certain personal aspects relating to a this natural person data subject or to analyse or predict in particular the natural person's data subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 186, 187 & 188

Article 20 - Measures based on profiling
  • 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
    • (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
    • (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
    • (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 184, 184 & 191

Article 20 - Measures based on profiling
  • 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
    • (aa) is based on pseudonymous data;
    • (ab) is based on the legitimate interests pursued by the data controller;
    • (cc) is necessary to protect the rights available to other data subjects, for example for the purposes of detecting fraud, or for the purposes of detecting irregularities or other illegal activity according to Union law or Member State law;

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

This set of amendments provides that the data subject's consent is not required any more to take a decision based on profiling which will affect him. In lieu, profiling is authorised when based on one of the both fallacious grounds of pseudonymous data and legitimate interest.

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 193

Article 20 - Measures based on profiling
  • 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

This amendment provides that one may take a decision based only on 'race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions'.

Data breach

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 245

Article 31 1. In the case of a personal data breach the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the relating to special categories of personal date, personal data which are subject to professional secrecy, personal data relating to criminal offences or to the suspicion of a criminal act or personal data relating to bank or credit card accounts, which seriously threaten the rights or legitimate interests of the data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 251

Article 32 1. When the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the right or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay. A breach shall be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 255

Article 32a Communication of a personal data breach to other organisations A controller that communicates a personal data breach to a data subject pursuant to Article 32 may notify another organisation, a government institution or a part of a government institution of the personal data breach if that organisation, government institution or part of a government institution may be able to reduce the risk of harm that could result from it or mitigate that harm. Such notifications may be done without informing the data subject if the disclosure is made solely for the purposes of reducing the risk of harm to the data subject that could result from the breach or mitigating that harm.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

Authorisation

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 256

DATA PROTECTION IMPACT ASSESSMENT AND PRIOR AUTHORISATION NOTIFICATION

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

Justification: Procedures requiring prior authorisation are costly and time-consuming for the controller, and their added value compared to a system of prior notification can be questioned from the point of view of data protection. Prior notifications, which would give the supervising authority the possibility to react and act, is sufficient and also provides for a user-friendly data protection procedure.

Supervisory authorities

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 240

Article 29 2a. Where the controller and the processor are established in several Member States for the purposes of the full or partial management of data, they shall be given the opportunity to designate their main establishment.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 323

Artcile 46 3a. Each supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6). Supervisory authorities may only issue sanctions for controllers or processors with their main establishment within the same Member State or, in coordination with Articles 56 and 57 if the supervisory authority of the main establishment fails to take action.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 327

Article 51 2a. Where this Regulation applies by virtue of Article 3(2), the competent supervisory authority shall be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 360

Article 73 2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects from among its membership if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data and it has minimum funding of EUR 80 000 and representative membership with a corresponding membership structure.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude> Justif: Minimum funding and a representative membership structure are necessary in order to guarantee that collective actions are not misused and avoid a situation where associations are set up specifically for this purpose, as well as to ensure minimum cover for lawyers' fees and court costs.

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 362

Article 76 1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 on behalf of one or more data subjects. Claims according to Article 77 may not be exercised by bodies, organisations or associations within the meaning of Article 73(2).

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 366

Article 79 1. Each The competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 370

Article 79 3. The supervisory authority may give a written warning without imposing a sanction. The supervisory authority may impose a fine of up to EUR 1 000 000 for repeated, deliberate breaches or, in the case of a company, of up to 1% of its annual worldwide turnover.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

370-397 delete 3.-6.