Data Protection: IMCO Opinion

From La Quadrature du Net
Revision dated 28 March 2013 at 15:03 by Arthur (Exceptions to consent)


IMCO is the European Parliament committee on Internal Market and Consumer Protection. As such, it is usually asked to give its opinion on any regulation, directive or other text the Parliament has to vote on, focusing on matters relating to consumer protection.

The opinion it issued on the proposed Regulation is meant to assist LIBE in drafting its report (which will contain the amendments the Parliament will vote on).

You can find a detailed list of its members here on Memopol.

This page aims to present and analyse the main points on which the IMCO (consumers) opinion focuses.


Pseudonymous data

How to read an amendment: added to the initial text / deleted from the initial text

Amendment 59

Article 4 - Definitions
  • 3.(b) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort


Amendment 75

Article 6 - Lawfulness of processing
  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • (fe) only pseudonymous data is processed.


Taken together, these two amendments mean that data which are not collected or processed directly alongside the data subject's name may be collected or processed without the data subject's consent, even though such data remain tied to a unique identifier, which may be linked to the data subject's name in another dataset, or may otherwise be easily linked back to the data subject, as recent studies on re-identification show.
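To make the re-identification point concrete, here is an added example written for this page; it is not code from La Quadrature du Net, from IMCO or from any project the page cites, and the log, e-mail addresses, pages and the adversary's side list are all constructed. It shows a log "pseudonymised" by hashing the e-mail address, which anyone holding a list of e-mail addresses can join straight back to named people, next to a keyed variant in which attribution depends on a secret held under separate controls, which is what the "separate and distinct technical and organisational controls" wording of Amendment 59 would have to mean in practice.

```python
import hashlib
import hmac
import secrets

# Constructed data: three data subjects and the pages a site logged for them.
SUBJECTS = ["alice@example.org", "bob@example.org", "carol@example.org"]
PAGES = ["/health/diabetes", "/jobs/apply", "/politics/forum"]

# Constructed side dataset an adversary already holds (a leaked mailing list,
# a public register, ...). Dave is a decoy: he never appears in the log.
ATTACKER_KNOWS = ["alice@example.org", "bob@example.org", "dave@example.org"]


def pseudonymise_unkeyed(email: str) -> str:
    """Naive pseudonymisation: a plain SHA-256 of the e-mail address.
    Anyone who knows (or can guess) the address can recompute the pseudonym."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def pseudonymise_keyed(email: str, key: bytes) -> str:
    """Keyed pseudonymisation: HMAC-SHA-256 under a secret. The secret is the
    "additional data" kept under separate technical and organisational
    controls; without it the pseudonym cannot be recomputed from the identity."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def build_log(pseudonymise):
    """The dataset the controller hands out, keyed only by pseudonym."""
    return [{"uid": pseudonymise(e), "page": p} for e, p in zip(SUBJECTS, PAGES)]


def link(log, candidate_emails, pseudonymise):
    """Linkage attack: recompute the pseudonym of every identity the adversary
    knows and join it against the log. Returns the (email, page) pairs that
    are attributed back to a named person."""
    table = {pseudonymise(e): e for e in candidate_emails}
    return sorted((table[r["uid"]], r["page"]) for r in log if r["uid"] in table)


def demo():
    """Run the linkage attack against both variants and count re-identified rows."""
    # Unkeyed: the adversary simply reuses the public function the controller used.
    unkeyed = link(build_log(pseudonymise_unkeyed), ATTACKER_KNOWS, pseudonymise_unkeyed)

    # Keyed: the key lives with a separate team and is never shipped with the log.
    key = secrets.token_bytes(32)
    keyed_log = build_log(lambda e: pseudonymise_keyed(e, key))
    no_key = link(keyed_log, ATTACKER_KNOWS, pseudonymise_unkeyed)
    wrong_key = link(keyed_log, ATTACKER_KNOWS, lambda e: pseudonymise_keyed(e, b"guess"))
    # Whoever does hold the key can still attribute: the controls around the
    # key, not the hashing, decide whether the data is attributable.
    insider = link(keyed_log, ATTACKER_KNOWS, lambda e: pseudonymise_keyed(e, key))

    return {
        "unkeyed": len(unkeyed),
        "keyed_no_key": len(no_key),
        "keyed_wrong_key": len(wrong_key),
        "keyed_with_key": len(insider),
    }


if __name__ == "__main__":
    print(demo())
```

Two of the three log rows come back with a name attached in the unkeyed case (Carol escapes only because she is absent from the adversary's list), and none do in the keyed case unless the adversary obtains the key. The lesson for the definition in Amendment 59 is that "cannot be attributed without additional data" is only true when that additional data is a secret the data holder does not have, not merely a name column that was dropped.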

Consent


Amendment 63

Article 4 - Definitions
  • 8. ‘the data subject's consent’ means any freely given indication that must be specific, informed and as explicit as possible according to the context, of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, explicitly whenever the data referred to in Article 9(1) are to be processed, signifies agreement to personal data relating to them being processed;


The explicit consent requirement is the core of the proposal. It rests on the idea that users can only trust the data industry if they control exactly who knows what about them, and that only explicit consent gives them that control. This amendment suggests that, depending on the context, users may not always be able to give explicit consent, that it may be impossible or too difficult. Yet, short of being unconscious, there is no context in which a data subject is unable to accept something explicitly. The amendment is in fact just a way to admit "contextual consent", that is passive consent, whenever it is deemed "sufficient" according to unstated criteria, even though the only way to earn users' trust is to require their explicit consent in every context.

Purpose limitation


Amendment 66

Article 5 - Principles relating to personal data processing
  • Personal data must be:
    • (a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
    • (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
    • (c) adequate, relevant, and limited to the minimum necessary not excessive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;


This amendment allows data to be processed for purposes other than those the user consented to, as long as these "new purposes" are not too far removed from the one the user accepted. Once again, it is just a way to admit processing that data subjects have not explicitly consented to.


Exceptions to consent


Amendment 69

Article 6 - Lawfulness of processing
  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the performance of a task carried out for assessing creditworthiness or for fraud


Even if it is healthy for banks to be able to assess the creditworthiness of their customers, there is no reason why this information should be collected without the customers' consent. If someone wants to take out a loan, the banker should ask them directly for the information needed. Otherwise, banks would be given an unnecessary freedom to collect and process personal data with no control at all by the data subjects.



Amendment 70

(f) processing is necessary for the purposes of the legitimate interests pursued by a controller or controllers or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.


The exception for the legitimate interests of third parties already existed in the 1995 Directive. The Commission's proposal dropped it, as it no longer fits the context of the Internet, where controllers trade thousands of personal data items with hundreds of companies every day.

Reinstating it would bring unacceptable uncertainty, by allowing the "legitimate interest" of any one of these many companies to override the data subject's right to privacy, while the concept of "legitimate interest" is itself far too vague and undefined and is left to the interpretation of judges, when privacy should be protected entirely, precisely and directly by the Regulation.



Amendment 71

(fa) the data are collected from public registers, lists or documents accessible by everyone;


This exception would be acceptable if it only covered information that data subjects have explicitly chosen to make public under their own name, such as a curriculum vitae published on a professional network.

In other cases, such as messages posted on a general-purpose social network or under a pseudonym, data subjects may not want anyone to be able to link this information back to them.

In fact, this amendment would by itself allow any information they have published under a pseudonym to be processed, and attributed to them, without their consent.



Amendment 74

(fd) the processing is necessary to defend an interest, collecting evidences as judicial proofs or file an action;


Purpose limitation


Amendment 77

Article 6 - Lawfulness of processing
  • 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.


Consent


Amendment 81 & 82

Article 7 - Conditions for consent
  • 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
  • 4a. The execution of a contract or the provision of a service may not be made dependent on the consent to the processing or use of data that is not necessary for the execution of the contract or the provision of the service according to Article 6 (1) (b).


Sensitive data


Amendment 94

Article 9 - Processing of special categories of personal data
  • 1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
  • 2. Paragraph 1 shall not apply where:
    • ...
    • (e) the processing relates to personal data which are manifestly made public by the data subject or which are freely transferred to the controller on the initiative of data subject and which are processed for the specific purpose determined by data subject and in his interest; or


Information


Amendment 111

Article 14 - Information to the data subject
  • 5. Paragraphs 1 to 4 shall not apply, where:
    • ...
    • (b) the data are meant to serve solely the purposes of art. 83, are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and generate excessive administrative burden, especially when the processing is carried out by a SME as defined in EU recommendation 2003/361; or


Profiling


Amendment 130 & 131

Article 20 - Measures based on profiling
  • 1. A data subject shall not be subject to a decision which is unfair or discriminatory, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this data subject.

Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour

  • 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
    • (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
    • (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
    • (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.


Controller's liability


Amendment 144

Article 26 - Processor
  • 1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.


Data breach


Amendment 162

Article 31 - Notification of a personal data breach to the supervisory authority
  • 1. In the case of a personal data breach, which would have a significantly adverse impact on the protection of the personal data or privacy of the data subject, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.


Amendment 163

Article 31 - Notification of a personal data breach to the supervisory authority
  • 3. The notification referred to in paragraph 1 must at least if possible:
  • (a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;
  • (b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;
  • (c) recommend measures to mitigate the possible adverse effects of the personal data breach;
  • (d) describe the consequences of the personal data breach;
  • (e) describe the measures proposed or taken by the controller to address the personal data breach.


Amendment 167

Article 32 - Communication of a personal data breach to the data subject
  • 1. When the personal data breach is likely to adversely affect have a significantly adverse impact on the protection of the personal data or privacy of the data subject, for example identity theft or fraud, physical harm, significant humiliation or damage to the reputation, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject in a clear and concise manner and without undue delay.


Amendment 169

Article 32 - Communication of a personal data breach to the data subject
  • 3. The communication of a personal data breach to the data subject shall not be required if the data breach does not have significant risk of harm to citizens and the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.


Data Protection Officer


Amendment 181

Article 35 - Designation of the data protection officer
  • The controller and the processor shall designate a data protection officer in any case where:
    • (a) the processing is carried out by a public authority or body; or
    • (b) the processing is carried out by an enterprise employing 250 persons or more; or
    • (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.


Transfer to third countries


Amendment 192

Article 44 - Derogations
  • 1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
    • ...
    • (h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive or where, prior to such transfer, the personal data is already made public in the third country, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.


Complaint


Amendment 198

Article 73 - Right to lodge a complaint with a supervisory authority
  • 2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.


Amendment 200

Article 74 - Right to a judicial remedy against a supervisory authority
  • 4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.


Sanctions


Amendment 208

Article 79 - Administrative sanctions
  • 3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:
    • (a) a natural person is processing personal data without a commercial interest; or
    • (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
  • 4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
    • (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2);
    • (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).


Amendment 209

5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
  • (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;
  • (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13;
  • (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;
  • (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18;
  • (e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;
  • (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3);
  • (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.


Amendment 210

6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
  • (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8;
  • (b) processes special categories of data in violation of Articles 9 and 81;
  • (c) does not comply with an objection or the requirement pursuant to Article 19;
  • (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;
  • (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;
  • (f) does not designate a representative pursuant to Article 25;
  • (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27;
  • (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;
  • (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;
  • (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37;
  • (k) misuses a data protection seal or mark in the meaning of Article 39;
  • (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44;
  • (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1);
  • (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2);
  • (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.
