Data Protection: JURI Opinion

From La Quadrature du Net
{{Infobox Version
|en=Data Protection: JURI Opinion
|fr=Données personnelles : JURI Avis
}}
  
JURI is the European Parliament [[Understanding_european_legislative_procedure#The_Committees|committee]] on Legal Affairs.

On 25 April 2013, it issued an [http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-494.710%2b02%2bDOC%2bPDF%2bV0%2f%2fEN opinion] on the [http://www.laquadrature.net/wiki/images/6/69/Data_protection_proposal_regulation.pdf Proposal for a Data Protection Regulation], intended to assist the [[Data_protection:_LIBE|LIBE]] committee in drafting its own report.

You can find a detailed list of its members on [https://memopol.lqdn.fr/search/?q=committees:JURI%20is_active:1 Memopol] or visit its official [http://www.europarl.europa.eu/committees/en/juri/home.html website].

Its opinion proposes many amendments which would severely weaken personal data protection. This page lists and analyses the most dangerous of them.

[[Data_protection:_JURI_shortlist|Top amendments to reject and to support]]
  
='''Pseudonymous data'''=

{{lawbox|title=Amendment 36|=
'''Article 4''' - Definitions

*'''(3a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;'''
}}

This amendment proposes to define a new category of personal data: data which are not collected or processed together with the data subject's name, but which can still be attributed to the data subject with the help of additional data held under separate controls. JURI did not make the same mistake as IMCO ([[Data_protection:_IMCO#Amendment_75|amendment 75]]) and ITRE ([[Data_protection:_ITRE#Amendment_101|amendment 101]]): it rejected the amendments which proposed to reduce the protection provided for this kind of data.

On its own, this definition would change nothing. But it still shows that MEPs are willing to distinguish between kinds of personal data, while there is no reason why any of them should be less protected than the others: pseudonymous data remain personal data, and whoever obtains the separately held additional data can attribute them to the data subject again.

='''Legitimate interest'''=

{{lawbox|title=Amendment 47|=
'''Article 6''' - Lawfulness of processing

*1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
**(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
**...
**(f) processing is necessary for the purposes of the legitimate interests pursued by a controller '''or by a third party or third parties to whom the data are communicated''', except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
}}

The third-party legitimate interest exception already existed in the 1995 Directive. The Proposal dropped it because it no longer fits the context of the Internet, where controllers trade thousands of pieces of personal data with hundreds of companies every day. Reinstating it would bring unacceptable uncertainty by allowing the "legitimate interest" of any one of these many companies to override data subjects' right to privacy. The concept of "legitimate interest" is in itself far too vague and undefined, and left to the interpretation of judges, when privacy should be entirely, precisely and directly protected by the Regulation itself.

Similar amendments were adopted in the IMCO ([[Data_protection:_IMCO#Amendment_70|amendment 70]]) and ITRE ([[Data_protection:_ITRE#Amendment_100|amendment 100]]) committees.

='''Purpose limitation'''=

{{lawbox|title=Amendment 49|=
'''Article 6''' - Lawfulness of processing

*4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to <s>(e)</s> '''(f)''' of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
}}

A data subject may only accept that his data be collected for a specified and explicit purpose. These data therefore cannot be processed in a way incompatible with this purpose, except in five limited cases (points (a) to (e) of Article 6(1)): new consent is given, the data subject is party to a contract which requires this processing, the controller is under a legal obligation, the data subject's vital interests are at stake, or the public interest demands this processing. This amendment extends these narrow exceptions to point (f), the broad and dangerously vague concept of legitimate interest.

A similar amendment was adopted in IMCO ([[Data_protection:_IMCO#Amendment_77|amendment 77]]).

='''Data subjects' rights'''=

{{lawbox|title=Amendment 64|=
'''Article 12''' - Procedures and mechanisms for exercising the rights of the data subject

*4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular <s>because of</s> '''owing to their high volume, complexity or''' their repetitive character, the controller may charge <s>a</s> '''an appropriate, not for profit,''' fee for providing the information or taking the action requested, or the controller may <s>not</s> '''decline to''' take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
}}

This amendment would allow controllers to charge users who ask for information about their personal data (which of their data are processed, for what purpose, who can access them and for how long they will be stored), who ask for the rectification or erasure of these data, or who object to their processing, whenever the controller deems the request 'excessively complex'; the controller may even decline to act on the request at all. Thus, whenever a controller decides that a request is too complex, users would have to pay to know and control who knows what about them.

An identical amendment was adopted in ITRE ([[Data_protection:_ITRE#Amendment_134|amendment 134]]).

{{lawbox|title=Amendment 78|=
'''Article 15''' - Right of access for the data subject

*2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing <s>. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. </s> '''and, on electronic request, an electronic copy of the non-commercial data undergoing processing in an interoperable and structured format which allows for further use. The controller shall verify the identity of a data subject requesting access to data within the limits of Articles 5 to 10 of this Regulation.'''
}}

{{lawbox|title=Amendment 79|=
'''Article 17''' - Right to be forgotten and to erasure

*'''1a. Credit institutions that retain data for the following grounds shall be exempt from the requirements of this Article:'''
**'''- risk management purposes;'''
**'''- fulfilment of EU and international supervisory and compliance requirements;'''
**'''- market abuse purposes.'''
}}

{{lawbox|title=Amendment 81|=
'''Article 17''' - Right to be forgotten and to erasure

*3. The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:
**(a) for exercising the right of freedom of expression in accordance with Article 80 '''or when providing an information society service to facilitate the accessing of such expression''';
}}

='''Profiling'''=

{{lawbox|title=Amendment 86|=
'''Article 20''' - Measures based on profiling

*1. Every <s>natural person </s> '''data subject''' shall have the right not to be subject to a <s>measure which</s> '''decision that''' produces adverse legal effects <s>concerning this natural person</s> or <s>significantly</s> '''adversely''' affects this <s>natural person</s> '''data subject''', and which is based solely or predominantly on automated processing intended to evaluate certain personal aspects relating to this <s>natural person</s> '''data subject''' <s>or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour </s>.
}}

JURI's Opinion justifies this amendment as follows: '' 'It is important to consider that some profiling activities have considerable benefits for consumers and can be a good basis for good customer service. The wide definition of profiling does not differentiate routine data processing activities that are positive in nature with more negative profiling. Positive profiling is often used to tailor services to consumers by recording their needs and preferences.' ''

But Eva Lichtenberger provided strong counter-arguments against this position in the justification of amendment 37:

'' 'Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust in especially online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.' ''

{{lawbox|title=Amendment 87|=
'''Article 20''' - Measures based on profiling

*2. Subject to the other provisions of this Regulation, a <s>person</s> '''data subject''' may be <s>subjected</s> '''subject''' to a decision of the kind referred to in paragraph 1 if the processing:
**<s>(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or</s>
**<s>(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or</s>
**<s>(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.</s>
**'''(a) is authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or'''
**'''(b) is lawful pursuant to points (a) to (fa) of Article 6(1) of this Regulation;'''

*'''With due regard to Article 9, paragraph 2, profiling shall not have the effect of discriminating against individuals on the basis, for instance, of race or ethnic origin, religion or sexual orientation.'''
}}

The Proposal currently provides three limited cases in which profiling is authorised: in the course of a contract, when authorised by a specific law, and when the data subject consents to it. This amendment replaces these exceptions with the grounds of Article 6(1), which include the dangerously vague "legitimate interest" of the controller and the "public interest" ground, which would grant the public sector wide discretion to engage in profiling.

Similar amendments were adopted in ITRE ([[Data_protection:_ITRE#Profiling|amendments 184-188]]).

='''Data breach'''=

{{lawbox|title=Amendment 111|=
'''Article 31''' - Notification of a personal data breach to the supervisory authority

*1. In the case of a personal data breach '''which has a considerable effect on the data subject, ''', the controller shall, without undue delay <s>and, where feasible, not later than 24 hours after having become aware of it</s>, notify the personal data breach to the supervisory authority. <s>The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.</s>
}}

This amendment would let companies decide for themselves whether a breach should be notified to the supervisory authority, depending on their own assessment of the nature and degree of its impact; it also removes the 24-hour deadline and the obligation to justify a late notification. But as long as such incidents harm companies' reputation, we cannot rely on them to spontaneously notify every important breach. Controllers should therefore notify every breach.

Similar amendments were adopted in IMCO ([[Data_protection:_IMCO#Data_breach|amendments 162 & 169]]) and ITRE ([[Data_protection:_ITRE#Data_breach|amendments 245 & 255]]).

='''Complaints'''=

{{lawbox|title=Amendment 170|=
'''Article 73''' - Right to lodge a complaint with a supervisory authority

*<s>3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.</s>
}}

{{lawbox|title=Amendment 172|=
'''Article 74''' - Right to a judicial remedy against a supervisory authority

*<s>4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.</s>
}}

{{lawbox|title=Amendment 174|=
'''Article 76''' - Common rules for court proceedings

*<s>1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.</s>
}}

The current Proposal provides that organisations whose aim is to protect data subjects' rights regarding their personal data may, on their behalf, lodge a complaint with a supervisory authority or seek a judicial remedy against any supervisory authority, controller or processor. Amendments 170 and 174 would remove organisations' capacity to lodge complaints of their own and to seek remedies on behalf of data subjects, and amendment 172 would also deprive data subjects of the possibility of having the supervisory authority of their own Member State bring proceedings on their behalf against an authority in another Member State.

Similar amendments were adopted in IMCO ([[Data_protection:_IMCO#Complaints|amendments 198 & 200]]) and ITRE ([[Data_protection:_ITRE#Complaints|amendments 360 & 362]]).

='''Sanctions'''=

{{lawbox|title=Amendment 176|=
'''Article 79''' - Administrative sanctions

*1. <s>Each</s> '''The''' supervisory authority '''competent under Article 51(2)''' shall be empowered to impose administrative sanctions in accordance with this Article.
}}

{{lawbox|title=Amendment 178|=
'''Article 79''' - Administrative sanctions

*'''2a. The supervisory authority may give a written warning without imposing a sanction. The supervisory authority may impose a fine of up to EUR 1 000 000 for repeated, deliberate breaches or, in the case of a company, of up to 2 % of its annual worldwide turnover.'''
}}

{{lawbox|title=Amendment 180|=
'''Article 79''' - Administrative sanctions

*<s>4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
**(a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2);
**(b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).</s>
*<s>5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
**(a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;
**(b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13;
**(c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;
**(d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18;
**(e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;
**(f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3);
**(g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.</s>
*<s>6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
**(a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8;
**(b) processes special categories of data in violation of Articles 9 and 81;
**(c) does not comply with an objection or the requirement pursuant to Article 19;
**(d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;
**(e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;
**(f) does not designate a representative pursuant to Article 25;
**(g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27;
**(h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;
**(i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;
**(j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37;
**(k) misuses a data protection seal or mark in the meaning of Article 39;
**(l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44;
**(m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1);
**(n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2);
**(o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.</s>
}}

These amendments state that only repeated and deliberate breaches of the Regulation may lead to a fine, capped at EUR 1 000 000 or 2 % of annual worldwide turnover, while the Proposal currently provides that fines may be imposed on anyone who breaches the Regulation, even for a single negligent breach, and sets a tiered scale of fines according to the gravity of the breach. Amendment 176 further reserves the power to impose sanctions to the single supervisory authority competent under Article 51(2).

Thus, these amendments drastically and unnecessarily lower the standards companies must meet in order not to be fined. They may actually prevent supervisory authorities from issuing any sanction at all, as they may be unable to establish a company's actual intention to break the Regulation.

Similar amendments were adopted in IMCO ([[Data_protection:_IMCO#Sanctions|amendments 208-210]]) and ITRE ([[Data_protection:_ITRE#Sanctions|amendments 370-397]]).

[[Category:Data Protection]]

Current version dated 9 October 2013 at 06:32


JURI is the European Parliament committee on Legal Affairs issues.

On 25 April 2013, it issued an opinion on the Proposal for a Data Protection Regulation aimed to assist LIBE committee in the drafting of its own report.

You can find a detailed list of its members on Memopol or visit its official website.


Its opinion proposes many amendments which would severely weaken personal data protection. This page lists and analyses the most dangerous of them.


Top amendments to reject and to support

Pseudonymous data[modifier]

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 36

Article 4 - Definitions
  • (3a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

This amendment proposes to define a new category of personal data: data which are not directly collected or processed together with the data subject's name. But JURI did not make the same mistake IMCO (amendment 75) and ITRE (amendment 101) did and rejected amendments which proposed to reduce the protection provided for this kind of data.

Alone, this definition would change nothing. But it is still showing that MEPs are willing to distinguish different kind of personal data while there is no reason that any of them should be less protected than others.

Legitimate interest[modifier]

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 47

Article 6 - Lawfulness of processing
  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • (f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party or third parties to whom the data are communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise

Modèle en boucle détecté : Modèle:Lawbox</noinclude>

The third party's legitimate interest exception was already provided by the 1995 Directive. The proposal goes back on this exception as it does not fit the new context of the Internet where controllers are trading thousands of personal data with hundreds of companies every day. This exception would bring an unacceptable uncertainty by allowing the "legitimate interest" of one of these many companies to override data subjects' right to privacy, the "legitimate interest" concept being in itself way too vague, undefined and let to the interpretation of the judges, when privacy should be entirely, precisely and directly protected by the Regulation.

Similar amendments have been voted in IMCO (amendment 70) and ITRE (amendment 100) committees.

Purpose limitation


Amendment 49

Article 6 - Lawfulness of processing
  • 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) (f) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.


A data subject may only accept that his data be collected for a specified and explicit purpose. Thus, these data cannot be processed in a way incompatible with this purpose, except in five limited cases (points (a) to (e) of Article 6(1)): the data subject gives new consent, the data subject is party to a contract which requires this processing, the controller is bound by a legal obligation, the data subject's vital interests are at stake, or the public interest demands this processing. This amendment extends these narrow exceptions to the broad and dangerously vague concept of legitimate interest (point (f)).

A similar amendment has been voted in IMCO (amendment 77).

Data subjects' rights


Amendment 64

Article 12 - Procedures and mechanisms for exercising the rights of the data subject
  • 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of owing to their high volume, complexity or their repetitive character, the controller may charge a an appropriate, not for profit, fee for providing the information or taking the action requested, or the controller may not decline to take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.


This amendment would allow controllers to charge users who ask for information on their personal data (which of their data are processed, for what purpose, who can access them and for how long they will be stored), who ask for the rectification or erasure of these data, or who object to their processing, whenever these requests are deemed 'excessively complex'. Thus, whenever controllers decide that a request is too complex for them, users would have to pay to know and control who knows what about them.

An identical amendment has been voted in ITRE (amendment 134).


Amendment 78

Article 15 - Right of access for the data subject
  • 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing . Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. and, on electronic request, an electronic copy of the non-commercial data undergoing processing in an interoperable and structured format which allows for further use. The controller shall verify the identity of a data subject requesting access to data within the limits of Articles 5 to 10 of this Regulation.


Amendment 79

Article 17 - Right to be forgotten and to erasure
  • 1a. Credit institutions that retain data for the following grounds shall be exempt from the requirements of this Article:
    • - risk management purposes;
    • - fulfilment of EU and international supervisory and compliance requirements;
    • - market abuse purposes.


Amendment 81

Article 17 - Right to be forgotten and to erasure
  • 3. The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:
    • (a) for exercising the right of freedom of expression in accordance with Article 80 or when providing an information society service to facilitate the accessing of such expression;


Profiling


Amendment 86

Article 20 - Measures based on profiling
  • 1. Every natural person data subject shall have the right not to be subject to a measure which decision that produces adverse legal effects concerning this natural person or significantly adversely affects this natural person data subject, and which is based solely or predominantly on automated processing intended to evaluate certain personal aspects relating to this natural person data subject or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour .


JURI's Opinion explains that: 'It is important to consider that some profiling activities have considerable benefits for consumers and can be a good basis for good customer service. The wide definition of profiling does not differentiate routine data processing activities that are positive in nature with more negative profiling. Positive profiling is often used to tailor services to consumers by recording their needs and preferences.'

But Eva Lichtenberger provided strong counter-arguments against this position in the justification of her amendment 37: 'Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust in especially online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.'
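The "useless for very rare characteristics, due to the risk of false positives" point in the justification above is the base-rate problem, and a few lines of arithmetic make it concrete. The following Python is an added example (it is not part of the JURI opinion, of the amendment justification, or of this page); the sensitivity and specificity figures, the list of base rates and the population size are constructed for illustration and are not taken from any source quoted here.

```python
"""Base-rate arithmetic behind the 'false positives' objection to profiling.

Added example. The classifier quality (sensitivity/specificity), the base rates
and the population size below are constructed for illustration only.
"""


def positive_predictive_value(prevalence: float, sensitivity: float, specificity: float) -> float:
    """Share of people flagged by a profile who really have the trait.

    prevalence  : fraction of the population with the trait (the base rate)
    sensitivity : P(flagged | has the trait)
    specificity : P(not flagged | lacks the trait)
    """
    if not all(0.0 <= x <= 1.0 for x in (prevalence, sensitivity, specificity)):
        raise ValueError("all arguments must be probabilities in [0, 1]")
    true_positives = prevalence * sensitivity
    false_positives = (1.0 - prevalence) * (1.0 - specificity)
    flagged = true_positives + false_positives
    if flagged == 0.0:
        # Nobody is flagged at all, so the profile identifies no one.
        return 0.0
    return true_positives / flagged


def flagged_counts(population: int, prevalence: float, sensitivity: float, specificity: float) -> dict:
    """Expected head-counts for one run of the profile over a population."""
    with_trait = population * prevalence
    without_trait = population - with_trait
    tp = with_trait * sensitivity            # correctly flagged
    fp = without_trait * (1.0 - specificity) # wrongly flagged
    return {
        "flagged": round(tp + fp),
        "true_positives": round(tp),
        "false_positives": round(fp),
    }


def prevalence_sweep(sensitivity: float, specificity: float,
                     prevalences=(0.5, 0.1, 0.01, 0.001, 0.0001)):
    """PPV at each base rate, holding the profile's quality fixed.

    Returns a list of (prevalence, ppv) pairs, from common to rare traits.
    """
    return [(p, positive_predictive_value(p, sensitivity, specificity)) for p in prevalences]


if __name__ == "__main__":
    SENS, SPEC = 0.99, 0.99  # constructed: a profile that is right 99% of the time either way
    for p, ppv in prevalence_sweep(SENS, SPEC):
        print(f"prevalence {p:>8.4%} -> {ppv:6.1%} of flagged people actually have the trait")
    # Constructed population of one million, trait present in 1 person out of 1000.
    print(flagged_counts(1_000_000, 0.001, SENS, SPEC))
```

With a profile that is right 99% of the time in both directions, a trait present in 0.1% of the population still leaves about nine out of ten flagged people wrongly flagged, and the figure only gets worse as the trait gets rarer. That is why the justification asks for safeguards, human intervention and an explanation of the logic rather than trusting the profile's own accuracy claims.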


Amendment 87

Article 20 - Measures based on profiling
  • 2. Subject to the other provisions of this Regulation, a person data subject may be subjected subject to a decision of the kind referred to in paragraph 1 if the processing:
    • (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
    • (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
    • (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.
    • (a) is authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
    • (b) is lawful pursuant to points (a) to (fa) of Article 6(1) of this Regulation;
  • With due regard to Article 9, paragraph 2, profiling shall not have the effect of discriminating against individuals on the basis, for instance, of race or ethnic origin, religion or sexual orientation.


The Regulation currently provides three limited cases where profiling is authorised: under a contract, when authorised by a specific law, and when the data subject consents. This amendment replaces these exceptions with those of Article 6, which include the dangerously vague one of the "controller's legitimate interest" and that of the "public interest", which would grant the public sector wide discretion to engage in profiling.

Similar amendments have been voted in ITRE (amendment 184-188).

Data breach


Amendment 111

Article 31 - Notification of a personal data breach to the supervisory authority
  • 1. In the case of a personal data breach which has a considerable effect on the data subject, , the controller shall, without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.


This amendment would let companies decide whether a security breach should be notified to the supervisory authority, depending on their own assessment of the nature and degree of its impact. But as long as such incidents harm companies' reputation, we cannot rely on them to spontaneously notify every important breach. Thus, controllers should notify all of them.

Similar amendments have been voted in IMCO (amendments 162 & 169) and ITRE (amendments 245 & 255).

Complaints


Amendment 170

Article 74 - Right to a judicial remedy against a supervisory authority
  • 3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.


Amendment 172

Article 74 - Right to a judicial remedy against a supervisory authority
  • 4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.


Amendment 174

Article 76 - Common rules for court proceedings
  • 1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.

The current Proposal provides that organisations which aim to protect data subjects' rights concerning the protection of their personal data have the right, on their behalf, to lodge a complaint with a supervisory authority or to seek a judicial remedy against any supervisory authority, controller or processor. But this amendment proposes to remove organisations' capacity to seek remedies on behalf of data subjects.

Similar amendments have been voted in IMCO (amendments 198 & 200) and ITRE (amendments 360 & 362).

Sanctions


Amendment 176

Article 79 - Administrative sanctions
  • 1. Each The supervisory authority competent under Article 51(2) shall be empowered to impose administrative sanctions in accordance with this Article.


Amendment 178

Article 79 - Administrative sanctions
  • 2a. The supervisory authority may give a written warning without imposing a sanction. The supervisory authority may impose a fine of up to EUR 1 000 000 for repeated, deliberate breaches or, in the case of a company, of up to 2 % of its annual worldwide turnover.


Amendment 180

Article 79 - Administrative sanctions
  • 4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
    • (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2);
    • (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).
  • 5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
    • (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;
    • (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13;
    • (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;
    • (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18;
    • (e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;
    • (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3);
    • (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.
  • 6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
    • (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8;
    • (b) processes special categories of data in violation of Articles 9 and 81;
    • (c) does not comply with an objection or the requirement pursuant to Article 19;
    • (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;
    • (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;
    • (f) does not designate a representative pursuant to Article 25;
    • (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27;
    • (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;
    • (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;
    • (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37;
    • (k) misuses a data protection seal or mark in the meaning of Article 39;
    • (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44;
    • (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1);
    • (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2);
    • (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.


These amendments provide that only repeated and deliberate breaches of the Regulation may lead to a fine, while the Proposal currently provides that fines may be imposed on anyone who breaks the Regulation, even for a single negligent breach. Thus, these amendments drastically and unnecessarily lower the standards companies must meet in order not to be fined. They may actually prevent supervisory authorities from issuing any sanction at all, as they may fail to establish companies' actual intention to break the Regulation.

Similar amendments have been voted in IMCO (amendments 208-210) and ITRE (amendments 370-397).