Data protection: JURI shortlist

From La Quadrature du Net
Revision of 6 March 2013 at 16:30 by Manu1400 (Eva Lichtenberger, shadow rapporteur in the JURI Committee for the Greens/EFA group)

This page reproduces and completes EDRi's analysis of the JURI amendments to reject and to support.

Amendments to reject

Amendment 22 - Anonymisation

Proposed by Rapporteure Marielle Gallo (EPP)


Article 4 - Definitions

  • (2a) ‘data rendered sufficiently anonymous’ means data, the information on personal or material characteristics contained in which can no longer be associated with an identified or identifiable individual or could only be so associated at a disproportionate cost in terms of time and financial and human resources;


EDRi's analysis: The problem with this formulation is that with technological progress, the means for de-anonymising data advance quickly. In other words: it is likely that measures that are 'disproportionate' today will not be 'disproportionate' in several years, which removes the increased legal certainty that the amendment was intended to create.


Amendment 24 - Legitimate interest

Proposed by Rapporteure Marielle Gallo (EPP)


Article 6 - Lawfulness of processing

  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party or third parties to whom the data are communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.


EDRi's analysis: This formulation decreases control of citizens over their personal data, as data may be used by (unknown) third parties without citizens' consent.


Amendment 36 - Right to data portability

Proposed by Rapporteure Marielle Gallo (EPP)


Article 18 - Right to data portability

  • 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
  • 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
  • 3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Gallo's justification: Data subjects have the right of access established by Article 15 of the proposal for a regulation. The right of access gives every data subject the right to know which personal data are being processed. Article 18, which enables data subjects to obtain a copy of their data, brings no added value in terms of the protection of citizens’ personal data and creates confusion regarding the exact scope of the right of access, which is a principal right.

EDRi's analysis: [This amendment] suggests the deletion of the right to data portability. The JURI Committee should follow the ITRE vote and adopt the right to port your data in interoperable formats.

Amendment 114 - Consent

Proposed by Sajjad Karim (ECR)


Article 4 - Definitions

  • (8) ‘the data subject's consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed form of statement or conduct by the data subject indicating assent to the data processing proposed. Silence or inactivity does not in itself indicate acceptance;


EDRi's analysis: The definition of "consent" should not be changed. Allowing implicit consent will lead to a 'race to the bottom', allowing for consent as pre-ticked boxes or as part of general terms and conditions.


More:

Amendment 74 proposed by Sajjad Karim (ECR)

Recital 25

(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. This is notwithstanding the possibility to express consent to processing in accordance with Directive 2002/58/EC by using the appropriate settings of a browser or other application. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.


Amendment 152 proposed by Sajjad Karim (ECR)

Deletes Article 7

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

Amendment 144 - Purpose limitation

Proposed by Klaus-Heiner Lehne (EPP)


Article 5 - Principles relating to personal data processing

  • Personal data must be:
    • (a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
    • (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
    • ...

Article 6 - Lawfulness of processing

  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
  • ...
  • 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) (f) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.


EDRi's analysis: This amendment weakens the principle of purpose limitation (see Article 5 (b)) by allowing use of personal data for unrelated and incompatible purposes. Purpose limitation, as one of the main pillars of data protection, should not be weakened.

Explanation: A data subject may agree to his data being collected for a specified and specific purpose. These data therefore cannot be processed in a way incompatible with this purpose, except in five limited cases: new consent is given, the data subject is party to a contract which requires this processing, his vital interests are at stake or public interest demands this processing. This amendment extends these narrow exceptions to the broad and dangerously vague concept of legitimate interest.


Amendment 227 - Profiling

Proposed by Klaus-Heiner Lehne (EPP)


Article 20 - Measures based on profiling

  • 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
  • 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
    • (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
    • (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
    • (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards lawful pursuant to Article 6(1) (a) to (f) of this regulation.


EDRi's analysis: This would effectively remove all additional protections against profiling, rendering the right not to be subject to it void. It would for example include "legitimate interests" of the controllers and would also grant public sector controllers wide discretion to engage in profiling.

Amendments to support

Amendment 107 - Personal data definition

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group


Article 4 - Definition

  • (1) ‘data subject’ means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number or other unique identifier, location data, online identifier or to one or more factors specific to the gender, physical, physiological, genetic, mental, economic, cultural or social identity or sexual orientation of that person;


EDRi's analysis: This amendment improves the Commission wording by pointing out that being able to "single out" a person is enough for the data to be considered personal data.


Amendment 135 - Legitimate interest

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 6 - Lawfulness of processing

  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.


EDRi's analysis: Given the slippery nature of the concept of "legitimate interest", it would be best to remove this ground for processing - or at least additional safeguards should be put in place to allow this clause only as a measure of last resort when no other legal ground for data processing exists. It should also be justified and communicated to the public before it is used.


Amendment 211 - Data portability

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 18 - Right to data portability

1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic, interoperable and structured format which is commonly used and allows for further use by the data subject.


EDRi's analysis: This improves the right to data portability. Requiring interoperable formats prevents controllers from providing data in formats that would create a “lock-in effect” or even tie users to possibly expensive proprietary formats.


Amendment 221 - Profiling

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 20 - Measures based on profiling

  • 1. Every natural person shall have the right, both off-line and online, not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.


EDRi's analysis: This amendment clarifies that profiling of citizens should be properly regulated, both on- and offline.


Amendments 223-225 - Profiling

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 20 - Measures based on profiling

  • 2. Subject to the other provisions of this Regulation, including paragraphs (3) and (4), a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
    • (a) is carried out in the course of necessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human including the right to be provided with meaningful information about the logic used in the profiling, and the right to obtain human intervention, including an explanation of the decision reached after such intervention; or
    • (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests, and which protects the data subjects against possible discrimination resulting from measures described in paragraph 1; or


EDRi's analysis: These amendments improve the Commission's proposal by providing better safeguards regarding profiling.


Amendment 345 - Transfers to third countries

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 44 - Disclosures not authorised by Union law

  • 1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.
  • 2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with point (d) of Article 34(1).
  • 3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 44.
  • 4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority.
  • 5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).


EDRi's analysis: This amendment provides good additional protection against third countries that wish to enforce their laws against European citizens.