Data Protection: ITRE Opinion : Différence entre versions
(→Supervisory authorities) |
(→Profiling) |
||
Ligne 99 : | Ligne 99 : | ||
{{lawbox|title=Amendment 181|= | {{lawbox|title=Amendment 181|= | ||
− | Article 20 | + | '''Article 20''' - Measures based on profiling |
− | 1. <s>Every natural person</s> '''A data subject''' shall have the right not to be subject to a measure which <s>produces legal effects concerning this natural person or significantly</s> '''adversely''' affects this <s>natural person, and</s> '''data subject, both offline and online''' which is based solely on automated processing '''of data''' intended to evaluate certain personal aspects relating to a <s>this natural person</s> '''data subject''' or to analyse or predict in particular the < | + | 1. <s>Every natural person</s> '''A data subject''' shall have the right not to be subject to a measure which <s>produces legal effects concerning this natural person or significantly</s> '''adversely''' affects this <s>natural person, and</s> '''data subject, both offline and online''' which is based solely on automated processing '''of data''' intended to evaluate certain personal aspects relating to a <s>this natural person</s> '''data subject''' or to analyse or predict in particular the <s>natural person's</s> '''data subject's''' performance at work, economic situation, location, health, personal preferences, reliability or behaviour. |
}} | }} | ||
− | {{lawbox|title=Amendment | + | {{lawbox|title=Amendment 186, 187 & 188|= |
− | Article 20 | + | '''Article 20''' - Measures based on profiling |
− | 2. | + | *2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing: |
− | '' | + | **<s>(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or</s> |
+ | **<s>(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or</s> | ||
+ | **<s>(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.</s> | ||
}} | }} | ||
− | {{lawbox|title=Amendment | + | {{lawbox|title=Amendment 184, 184 & 191|= |
− | '''(ab) is based on the legitimate interests pursued by the data controller;''' | + | '''Article 20''' - Measures based on profiling |
+ | |||
+ | *2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing: | ||
+ | **'''(aa) is based on pseudonymous data;''' | ||
+ | **'''(ab) is based on the legitimate interests pursued by the data controller;''' | ||
+ | **'''(cc) is necessary to protect the rights available to other data subjects, for example for the purposes of detecting fraud, or for the purposes of detecting irregularities or other illegal activity according to Union law or Member State law;''' | ||
}} | }} | ||
− | + | This set of amendments provides that the data subject's consent is not required any more to take a decision based on profiling which will affect him. In lieu, profiling is authorised when based on one of the both fallacious grounds of pseudonymous data and legitimate interest. | |
− | |||
− | |||
− | |||
{{lawbox|title=Amendment 193|= | {{lawbox|title=Amendment 193|= | ||
+ | '''Article 20''' - Measures based on profiling | ||
− | <s>3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.</s> | + | *<s>3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.</s> |
}} | }} | ||
+ | |||
+ | This amendment provides that one may take a decision based only on 'race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions'. | ||
=Data breach= | =Data breach= |
Version du 3 avril 2013 à 17:49
ITRE is the European Parliament committee on Industry, Research and Energy issues.
On 20 February 2013, it issued an opinion on the Proposal for a Data Protection Regulation aimed to assist LIBE committee in the drafting of its own report.
You can find a detailed list of its members on Memopol or visit its official website.
Its opinion proposes many amendment which would severely weaken personal data protection.
This page lists and analyses the most dangerous of them.
Sommaire
Consent
Amendment 82
- (8) ‘the data subject's consent’ means any freely given specific, informed and
explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action,signifies agreement to personal data relating to them being processed. Silence or inactivity does not in itself indicate consent ;
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
If the required consent must not be explicit, data subjects might give it by a 'passive action' - by not opposing to the process of their data. This amendment only proposes that consent must be 'unambiguous': that mere 'silence or inactivity does not in itself indicate consent' but does when occurring in a specific context - when data subjects can understand the consequences of their silence or inactivity.
That is the current state of the law. And it has showed not to fit anymore the information society at all. Users are loosing trust in Internet services as many websites are collecting their personal data without explicitly warn them about it. They are only stating they collect such data on a distant page of their site and it is not enough at all to regain users' trust: users must have entire control on the processing of their own data.
Pseudonymous data
Amendment 77
- (2a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 101
- 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
- ...
- (fa) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19 (3a).
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
These two amendments provide that data which are not directly collected or processed together with the data subject's name may be collected or processed without the data subject's consent, even though these data are tied to an unique identifier - which may be linked to the data subject's name in another dataset - or may otherwise be easilly linked back to the data subject, as sudies on recent re-identification advances show.
Purpose limitation
Amendment 95
- 1.Processing of personal data shall be lawful only if and to the extent that at least one
of the following applies:
- (a) the data subject has given consent to the processing of their personal data
for one or more specific purposes;
- (a) the data subject has given consent to the processing of their personal data
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
The initial Proposal provided that consent must be given for each processing's purpose. Thus, data subjects might exactly control where their data will go and what for. This amendment proposes that users give their consent once for all, no matter the purpose for which or the number of time their data will be processed. Once users have give their consent, controllers are free to collect, process and transfer any personal data to any ends. Data subjects would only be informed of these processing and might object to them afterwards.
Exceptions to consent
Amendment 100
- (f) processing is necessary for the purposes of the legitimate interests pursued by, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
ThisThe interest or fundamental rights and freedoms of the data subject shall notapply toover-ride processing carried out by public authorities in the performance of their tasks or enterprises in the exercise of their legal obligations, and in order to safeguard against fraudulent behaviour.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
The third party's legitimate interest exception was already provided by the 1995 Directive. The proposal goes back on this exception as it does not fit the new context of the Internet where controllers are trading thousands of personal data with hundreds of companies every day.
This exception would bring an unacceptable uncertainty by allowing the "legitimate interest" of one of these many companies to overridden data subjects' right to privacy, the "legitimate interest" concept being in itself way too vague, undefined and let to the interpretation of the judges, when privacy should be entirely, precisely and directly protected by the Regulation.
Amendment 102
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
This exception would be acceptable if it only concerned information that data subjects have explicitly decided to make publicly known to be linked to them - such as curriculum vitae published on professional network, for instance.
In other cases, such as messages published on common social network or under a pseudonyme, data subjects may not want that anyone can link these information back to them.
Actually, this amendment would allow by itself to process and identify without the data subjects' consent any information they have published using a pseudonyme.
Data subjects' rights
Amendment 134
- 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular
because ofowing to their high volume, complexity or their repetitive character, the controller may chargeaan appropriate, not for profit, fee for providing the information or taking the action requested, or the controller maynotdecline to take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
This amendment would allow controllers to charge users who would ask information on their personal data - what of their data are processed, for what purpose, who can access to them and for how long will they be stored ? -, who would ask for the rectification or the erasure of these data or who would object to their processing where these requests would be 'excessively complex'. Thus, whenever controllers would decide that it would be too complex for them, users would have to pay to know and control who knows what about them.
Profiling
Amendment 181
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 186, 187 & 188
- 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 184, 184 & 191
- 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
- (aa) is based on pseudonymous data;
- (ab) is based on the legitimate interests pursued by the data controller;
- (cc) is necessary to protect the rights available to other data subjects, for example for the purposes of detecting fraud, or for the purposes of detecting irregularities or other illegal activity according to Union law or Member State law;
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
This set of amendments provides that the data subject's consent is not required any more to take a decision based on profiling which will affect him. In lieu, profiling is authorised when based on one of the both fallacious grounds of pseudonymous data and legitimate interest.
Amendment 193
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
This amendment provides that one may take a decision based only on 'race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions'.
Data breach
Amendment 245
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 251
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 255
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Authorisation
Amendment 256
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Justification: Procedures requiring prior authorisation are costly and time-consuming for the controller, and their added value compared to a system of prior notification can be questioned from the point of view of data protection. Prior notifications, which would give the supervising authority the possibility to react and act, is sufficient and also provides for a user-friendly data protection procedure.
Supervisory authorities
Amendment 240
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 323
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 327
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 360
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude> Justif: Minimum funding and a representative membership structure are necessary in order to guarantee that collective actions are not misused and avoid a situation where associations are set up specifically for this purpose, as well as to ensure minimum cover for lawyers' fees and court costs.
Amendment 362
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 366
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 370
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
370-397 delete 3.-6.