Data Protection: ITRE Opinion
ITRE is the European Parliament committee on Industry, Research and Energy issues.
On 20 February 2013, it issued an opinion on the Proposal for a Data Protection Regulation aimed to assist LIBE committee in the drafting of its own report.
You can find a detailed list of its members on Memopol or visit its official website.
Its opinion proposes many amendments that would severely weaken personal data protection.
This page lists and analyses the most dangerous of them.
Sommaire
Consent
Amendment 82
- (8) ‘the data subject's consent’ means any freely given specific, informed and
explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action,signifies agreement to personal data relating to them being processed. Silence or inactivity does not in itself indicate consent ;
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
If the required consent must not be explicit, data subjects might give it by a 'passive action' - by not opposing to the process of their data. This amendment only proposes that consent must be 'unambiguous': that mere 'silence or inactivity does not in itself indicate consent' but does when occurring in a specific context - when data subjects can understand the consequences of their silence or inactivity.
That is the current state of the law. And it has showed not to fit anymore the information society at all. Users are loosing trust in Internet services as many websites are collecting their personal data without explicitly warn them about it. They are only stating they collect such data on a distant page of their site and it is not enough at all to regain users' trust: users must have entire control on the processing of their own data.
Pseudonymous data
Amendment 77
- (2a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 101
- 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
- ...
- (fa) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19 (3a).
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
These two amendments provide that data which are not directly collected or processed together with the data subject's name may be collected or processed without the data subject's consent, even though these data are tied to an unique identifier - which may be linked to the data subject's name in another dataset - or may otherwise be easilly linked back to the data subject, as sudies on recent re-identification advances show.
Purpose limitation
Amendment 95
- 1.Processing of personal data shall be lawful only if and to the extent that at least one
of the following applies:
- (a) the data subject has given consent to the processing of their personal data
for one or more specific purposes;
- (a) the data subject has given consent to the processing of their personal data
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
The initial Proposal provided that consent must be given for each processing's purpose. Thus, data subjects might exactly control where their data will go and what for. This amendment proposes that users give their consent once for all, no matter the purpose for which or the number of time their data will be processed. Once users have give their consent, controllers are free to collect, process and transfer any personal data to any ends. Data subjects would only be informed of these processing and might object to them afterwards.
Exceptions to consent
Amendment 100
- (f) processing is necessary for the purposes of the legitimate interests pursued by, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
ThisThe interest or fundamental rights and freedoms of the data subject shall notapply toover-ride processing carried out by public authorities in the performance of their tasks or enterprises in the exercise of their legal obligations, and in order to safeguard against fraudulent behaviour.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
The third party's legitimate interest exception was already provided by the 1995 Directive. The proposal goes back on this exception as it does not fit the new context of the Internet where controllers are trading thousands of personal data with hundreds of companies every day.
This exception would bring an unacceptable uncertainty by allowing the "legitimate interest" of one of these many companies to overridden data subjects' right to privacy, the "legitimate interest" concept being in itself way too vague, undefined and let to the interpretation of the judges, when privacy should be entirely, precisely and directly protected by the Regulation.
Amendment 102
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
This exception would be acceptable if it only concerned information that data subjects have explicitly decided to make publicly known to be linked to them - such as curriculum vitae published on professional network, for instance.
In other cases, such as messages published on common social network or under a pseudonyme, data subjects may not want that anyone can link these information back to them.
Actually, this amendment would allow by itself to process and identify without the data subjects' consent any information they have published using a pseudonyme.
Data subjects' rights
Amendment 134
- 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular
because ofowing to their high volume, complexity or their repetitive character, the controller may chargeaan appropriate, not for profit, fee for providing the information or taking the action requested, or the controller maynotdecline to take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
This amendment would allow controllers to charge users who would ask information on their personal data - what of their data are processed, for what purpose, who can access to them and for how long will they be stored ? -, who would ask for the rectification or the erasure of these data or who would object to their processing where these requests would be 'excessively complex'. Thus, whenever controllers would decide that it would be too complex for them, users would have to pay to know and control who knows what about them.
Profiling
Amendment 181
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendments 186, 187 & 188
- 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendments 184, 184 & 191
- 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
- (aa) is based on pseudonymous data;
- (ab) is based on the legitimate interests pursued by the data controller;
- (cc) is necessary to protect the rights available to other data subjects, for example for the purposes of detecting fraud, or for the purposes of detecting irregularities or other illegal activity according to Union law or Member State law;
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
This set of amendments provides that the data subject's consent is not required any more to take a decision based on profiling which will affect him. In lieu, profiling is authorised when based on one of the both fallacious grounds of pseudonymous data and legitimate interest.
Amendment 193
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
This amendment provides that one may take a decision based only on 'race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions'.
Data breach
Amendment 245
- 1. In the case of a personal data breach
the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify therelating to special categories of personal date, personal data which are subject to professional secrecy, personal data relating to criminal offences or to the suspicion of a criminal act or personal data relating to bank or credit card accounts, which seriously threaten the rights or legitimate interests of the data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority.The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 251
- 1. When the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the right or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay. A breach shall be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 255
- A controller that communicates a personal data breach to a data subject pursuant to Article 32 may notify another organisation, a government institution or a part of a government institution of the personal data breach if that organisation, government institution or part of a government institution may be able to reduce the risk of harm that could result from it or mitigate that harm. Such notifications may be done without informing the data subject if the disclosure is made solely for the purposes of reducing the risk of harm to the data subject that could result from the breach or mitigating that harm.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Transfer to third countries
Amendments 267 & 268
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 309
- 4a. A controller or processor may choose to base transfers on standard data protection clauses as referred to in points (b) and (c) of paragraph 2, and to offer in addition to these standard clauses supplemental, legally binding commitments that apply to transferred data. In such cases, these additional commitments shall be subject to prior consultation with the competent supervisory authority and shall supplement and not contradict, directly or indirectly, the standard clauses. Member States, supervisory authorities and the Commission shall encourage the use of supplemental and legally binding commitments by offering a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these heightened safeguards.
- 5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). [...]
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
The Proposal provides that a supervisory authority must give its authorisation before personal data may be transfered to a third country where the only safeguards provided by this transfer are set by contractual clauses. These amendments remove this requirement: controllers would be free to transfer the data they have collected to any country but would be rewarded with a seal when they can provide sufficiant safeguards.
Rapporteur's justification: Procedures requiring prior authorisation are costly and time-consuming for the controller, and their added value compared to a system of prior notification can be questioned from the point of view of data protection. Prior notifications, which would give the supervising authority the possibility to react and act, is sufficient and also provides for a user-friendly data protection procedure.
Supervisory authorities
Amendment 240
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 323
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 327
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 366
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Only one supervisory authority is competent to issue sanction and controllers may chose which one
Complaints
Amendment 360
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Amendment 362
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>
Sanctions
Amendments 370 to 397
- 3. The supervisory authority may give a written warning without imposing a sanction. The supervisory authority may impose a fine of up to EUR 1 000 000 for repeated, deliberate breaches or, in the case of a company, of up to 1% of its annual worldwide turnover.
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:- (a) a natural person is processing personal data without a commercial interest; or
(b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:- (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2);
(b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:- (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;
- (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13;
- (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;
- (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18;
- (e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;
- (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3);
(g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:- (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8;
- (b) processes special categories of data in violation of Articles 9 and 81;
- (c) does not comply with an objection or the requirement pursuant to Article 19;
- (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;
- (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;
- (f) does not designate a representative pursuant to Article 25;
- (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27;
- (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;
- (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;
- (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37;
- (k) misuses a data protection seal or mark in the meaning of Article 39;
- (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44;
- (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1);
- (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2);
(o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.
lawbox|title=Amendment 100|rate=-|1=Vive la liberté d'expression !|2=Vive la liberté d'expression ! d'entreprise
Modèle en boucle détecté : Modèle:Lawbox</noinclude>