Data Protection: JURI Opinion : Différence entre versions
m (Arthur moved page Data Protection: JURI to Data Protection: JURI Opinion) |
|||
Ligne 9 : | Ligne 9 : | ||
You can find a detailed list of its members on [https://memopol.lqdn.fr/search/?q=committees:JURI%20is_active:1 Memopol] or visit its official [http://www.europarl.europa.eu/committees/en/juri/home.html website]. | You can find a detailed list of its members on [https://memopol.lqdn.fr/search/?q=committees:JURI%20is_active:1 Memopol] or visit its official [http://www.europarl.europa.eu/committees/en/juri/home.html website]. | ||
+ | |||
Its opinion proposes many amendments which would severely weaken personal data protection. | Its opinion proposes many amendments which would severely weaken personal data protection. | ||
Ligne 16 : | Ligne 17 : | ||
[[Data_protection:_JURI_shortlist|Top amendments to reject and to support]] | [[Data_protection:_JURI_shortlist|Top amendments to reject and to support]] | ||
+ | =Pseudonymous data= | ||
+ | |||
+ | 36 | ||
+ | |||
+ | 4 | ||
+ | |||
+ | '''(3a) 'pseudonymous data' means any | ||
+ | personal data that has been collected, | ||
+ | altered or otherwise processed so that it of | ||
+ | itself cannot be attributed to a data subject | ||
+ | without the use of additional data which is | ||
+ | subject to separate and distinct technical | ||
+ | and organisational controls to ensure | ||
+ | such non attribution;''' | ||
+ | |||
+ | =Supervisory authority= | ||
+ | |||
+ | 41 | ||
+ | |||
+ | 4 | ||
+ | |||
+ | '''(19a) 'competent supervisory authority' | ||
+ | means a supervisory authority with | ||
+ | exclusive competence to supervise the | ||
+ | processing activities of the controller or | ||
+ | processor in accordance with Article | ||
+ | 51(2);''' | ||
+ | |||
+ | =Legitimate interest= | ||
+ | |||
+ | 47 | ||
+ | |||
+ | 6 | ||
+ | |||
+ | (f) processing is necessary for the purposes | ||
+ | of the legitimate interests pursued by a | ||
+ | controller '''or by a third party or third | ||
+ | parties to whom the data are | ||
+ | communicated''', except where such | ||
+ | interests are overridden by the interests or | ||
+ | fundamental rights and freedoms of the | ||
+ | data subject which require protection of | ||
+ | personal data, in particular where the data | ||
+ | subject is a child. This shall not apply to | ||
+ | processing carried out by public authorities | ||
+ | in the performance of their tasks. | ||
+ | |||
+ | 48 | ||
+ | |||
+ | 6 | ||
+ | |||
+ | '''(fa) processing is necessary for fraud | ||
+ | detection and prevention purposes | ||
+ | according to applicable financial | ||
+ | regulation or established industry, or | ||
+ | professional body, codes of practice.''' | ||
+ | |||
+ | =Purpose limitation= | ||
+ | |||
+ | 49 | ||
+ | |||
+ | 6 | ||
+ | |||
+ | 4. Where the purpose of further processing | ||
+ | is not compatible with the one for which | ||
+ | the personal data have been collected, the | ||
+ | processing must have a legal basis at least | ||
+ | in one of the grounds referred to in points | ||
+ | (a) to <s>(e)</s> '''(f)''' of paragraph 1. This shall in | ||
+ | particular apply to any change of terms and | ||
+ | general conditions of a contract. | ||
+ | |||
+ | =Child protection= | ||
+ | |||
+ | 55 | ||
+ | |||
+ | 8 | ||
+ | |||
+ | 1. For the purposes of this Regulation, <s>in | ||
+ | relation to the offering of information | ||
+ | society services directly to a child, | ||
+ | </s> | ||
+ | the processing of personal data of a child | ||
+ | below the age of 13 years <s>shall only be | ||
+ | lawful if and to the extent | ||
+ | </s> '''would normally | ||
+ | require''' that consent is given or authorised | ||
+ | by the child's parent or <s>custodian</s> | ||
+ | '''legal | ||
+ | representative'''. '''The appropriate form for | ||
+ | obtaining consent should be based on any | ||
+ | risk posed to the child by the amount of | ||
+ | data, its type and the nature of the | ||
+ | processing.''' The controller shall make | ||
+ | reasonable efforts to obtain verifiable | ||
+ | consent, taking into consideration available | ||
+ | technology. '''The methods to obtain | ||
+ | verifiable consent shall not lead to the | ||
+ | further processing of personal data which | ||
+ | would otherwise not be necessary.''' | ||
+ | |||
+ | =Data subject's rights== | ||
+ | |||
+ | 64 | ||
+ | |||
+ | 12 | ||
+ | |||
+ | 4. The information and the actions taken on | ||
+ | requests referred to in paragraph 1 shall be | ||
+ | free of charge. Where requests are | ||
+ | manifestly excessive, in particular <s>because of</s> '''owing to | ||
+ | their high volume, complexity or''' their | ||
+ | repetitive character, the controller may | ||
+ | charge <s>a</s> '''an appropriate, not for profit,''' fee | ||
+ | for providing the information or taking the | ||
+ | action requested, or the controller may | ||
+ | <s>not</s> '''decline to''' take the action requested. In that | ||
+ | case, the controller shall bear the burden of | ||
+ | proving the manifestly excessive character | ||
+ | of the request. | ||
+ | |||
+ | =???= | ||
+ | |||
+ | 78 | ||
+ | |||
+ | 15 | ||
+ | |||
+ | 2. The data subject shall have the right to | ||
+ | obtain from the controller communication | ||
+ | of the personal data undergoing processing <s>. Where the data subject makes the request | ||
+ | in electronic form, the information shall | ||
+ | be provided in electronic form, unless | ||
+ | otherwise requested by the data subject. | ||
+ | </s> | ||
+ | '''and, on electronic request, an electronic copy of the non-commercial data | ||
+ | undergoing processing in an | ||
+ | interoperable and structured format | ||
+ | which allows for further use. The | ||
+ | controller shall verify the identity of a | ||
+ | data subject requesting access to data | ||
+ | within the limits of Articles 5 to 10 of this | ||
+ | Regulation.''' | ||
+ | |||
+ | =Right to be forgotten= | ||
+ | |||
+ | 79 | ||
+ | |||
+ | 17 | ||
+ | |||
+ | '''1a. Credit institutions that retain data for | ||
+ | the following grounds shall be exempt | ||
+ | from the requirements of this Article: | ||
+ | - risk management purposes; | ||
+ | - fulfilment of EU and international | ||
+ | supervisory and compliance | ||
+ | requirements; | ||
+ | - market abuse purposes.''' | ||
+ | |||
+ | Why only credit institution should enjoy this exception? > Lobby | ||
+ | |||
+ | |||
+ | 81 | ||
+ | |||
+ | 17 | ||
+ | |||
+ | (a) for exercising the right of freedom of | ||
+ | expression in accordance with Article 80 | ||
+ | '''or when providing an information society | ||
+ | service to facilitate the accessing of such | ||
+ | expression'''; | ||
+ | |||
+ | =Profiling= | ||
+ | |||
+ | 86 | ||
+ | |||
+ | 20 | ||
+ | |||
+ | 1. Every <s>natural person | ||
+ | </s> '''data subject''' shall have the right | ||
+ | not to be subject to a <s>measure which</s> '''decision that' | ||
+ | produces adverse legal effects <s>concerning this natural person</s> or <s>significantly</s> '''adversely''' | ||
+ | affects this <s>natural person</s> '''data subject''', and which is | ||
+ | based solely or predominantly on | ||
+ | automated processing intended to evaluate | ||
+ | certain personal aspects relating to this | ||
+ | <s>natural person</s> '''data subject''' | ||
+ | <s>or to analyse or | ||
+ | predict in particular the natural person's | ||
+ | performance at work, economic situation, | ||
+ | location, health, personal preferences, | ||
+ | reliability or behaviour </s> | ||
+ | . | ||
+ | justif : It is important to consider that some profiling activities have considerable benefits for | ||
+ | consumers and can be a good basis for good customer service. The wide definition of | ||
+ | profiling does not differentiate routine data processing activities that are positive in nature | ||
+ | with more negative profiling. Positive profiling is often used to tailor services to consumers | ||
+ | by recording their needs and preferences. | ||
[[Category:Data Protection]] | [[Category:Data Protection]] |
Version du 4 avril 2013 à 19:43
JURI is the European Parliament committee on Legal Affairs issues.
On 25 April 2013, it issued an opinion on the Proposal for a Data Protection Regulation aimed to assist LIBE committee in the drafting of its own report.
You can find a detailed list of its members on Memopol or visit its official website.
Its opinion proposes many amendments which would severely weaken personal data protection.
This page lists and analyses the most dangerous of them.
Top amendments to reject and to support
Sommaire
Pseudonymous data
36
4
(3a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;
Supervisory authority
41
4
(19a) 'competent supervisory authority' means a supervisory authority with exclusive competence to supervise the processing activities of the controller or processor in accordance with Article 51(2);
Legitimate interest
47
6
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party or third parties to whom the data are communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
48
6
(fa) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice.
Purpose limitation
49
6
4. Where the purpose of further processing
is not compatible with the one for which
the personal data have been collected, the
processing must have a legal basis at least
in one of the grounds referred to in points
(a) to (e) (f) of paragraph 1. This shall in
particular apply to any change of terms and
general conditions of a contract.
Child protection
55
8
1. For the purposes of this Regulation, in
relation to the offering of information
society services directly to a child,
the processing of personal data of a child
below the age of 13 years shall only be
lawful if and to the extent
would normally
require that consent is given or authorised
by the child's parent or custodian
legal
representative. The appropriate form for obtaining consent should be based on any risk posed to the child by the amount of data, its type and the nature of the processing. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology. The methods to obtain verifiable consent shall not lead to the further processing of personal data which would otherwise not be necessary.
Data subject's rights=
64
12
4. The information and the actions taken on
requests referred to in paragraph 1 shall be
free of charge. Where requests are
manifestly excessive, in particular because of owing to
their high volume, complexity or their
repetitive character, the controller may
charge a an appropriate, not for profit, fee
for providing the information or taking the
action requested, or the controller may
not decline to take the action requested. In that
case, the controller shall bear the burden of
proving the manifestly excessive character
of the request.
???
78
15
2. The data subject shall have the right to
obtain from the controller communication
of the personal data undergoing processing . Where the data subject makes the request
in electronic form, the information shall
be provided in electronic form, unless
otherwise requested by the data subject.
and, on electronic request, an electronic copy of the non-commercial data
undergoing processing in an
interoperable and structured format
which allows for further use. The
controller shall verify the identity of a
data subject requesting access to data
within the limits of Articles 5 to 10 of this
Regulation.
Right to be forgotten
79
17
1a. Credit institutions that retain data for the following grounds shall be exempt from the requirements of this Article: - risk management purposes; - fulfilment of EU and international supervisory and compliance requirements; - market abuse purposes.
Why only credit institution should enjoy this exception? > Lobby
81
17
(a) for exercising the right of freedom of expression in accordance with Article 80 or when providing an information society service to facilitate the accessing of such expression;
Profiling
86
20
1. Every natural person
data subject shall have the right
not to be subject to a measure which decision that'
produces adverse legal effects concerning this natural person or significantly adversely
affects this natural person data subject, and which is
based solely or predominantly on
automated processing intended to evaluate
certain personal aspects relating to this
natural person data subject
or to analyse or
predict in particular the natural person's
performance at work, economic situation,
location, health, personal preferences,
reliability or behaviour
.
justif : It is important to consider that some profiling activities have considerable benefits for consumers and can be a good basis for good customer service. The wide definition of profiling does not differentiate routine data processing activities that are positive in nature with more negative profiling. Positive profiling is often used to tailor services to consumers by recording their needs and preferences.