Data protection: JURI shortlist

From La Quadrature du Net
Revision dated 8 March 2013 at 19:29 by Arthur (discussion | contributions) (Amendments to reject)

This page reproduces and completes EDRi's analysis of the JURI amendments to reject and to support.

Amendments to reject

Amendment 114 - Consent

Proposed by Sajjad Karim (ECR)


Article 4 - Definitions

  • (8) ‘the data subject's consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed form of statement or conduct by the data subject indicating assent to the data processing proposed. Silence or inactivity does not in itself indicate acceptance;


EDRi's analysis: The definition of "consent" should not be changed. Allowing implicit consent will lead to a 'race to the bottom', allowing for consent as pre-ticked boxes or as part of general terms and conditions.


Amendment 144 - Purpose limitation

Proposed by Klaus-Heiner Lehne (EPP)


Article 5 - Principles relating to personal data processing

  • Personal data must be:
    • (a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
    • (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
    • ...

Article 6 - Lawfulness of processing

  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
  • ...
  • 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) (f) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.


Our analysis: A data subject may only accept his data being collected for a specified and specific purpose. These data therefore cannot be processed in a way incompatible with this purpose, except in five limited cases (points (a) to (e) of Article 6(1)), such as where new consent is given, where the data subject is party to a contract which requires the processing, where his vital interests are at stake or where the public interest demands the processing. This amendment extends these narrow exceptions to the broad and dangerously vague concept of legitimate interest.


EDRi's analysis: This amendment weakens the principle of purpose limitation (see Article 5 (b)) by allowing use of personal data for unrelated and incompatible purposes. Purpose limitation, as one of the main pillars of data protection, should not be weakened.

Amendments 63-66 - Sanctions

Proposed by Rapporteure Marielle Gallo (EPP)

Article 79 - Administrative sanctions

  • 4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently: ...
  • 5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently: ...
  • 6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently: ...
  • 3. The supervisory authority may give a written warning without imposing a sanction. The supervisory authority may impose a fine of up to EUR 1 000 000 for repeated, deliberate breaches or, in the case of a company, of up to 2 % of its annual worldwide turnover.


Our analysis: these amendments provide that only repeated and deliberate breaches of the Regulation may lead to a fine, whereas the proposed Regulation currently provides that fines may be imposed on anyone who breaches the Regulation, even for a single, negligent breach. These amendments therefore drastically lower the standards companies must meet in order not to be fined. Moreover, they may in practice prevent most sanctions from being imposed at all, as supervisory authorities would have to establish a company's actual intention to breach the Regulation.

Amendments 108-109-111 & 140 - Pseudonymous data

Rapporteure Marielle Gallo (EPP), Sajjad Karim (ECR) and Klaus-Heiner Lehne (EPP) proposed three identical amendments which are a verbatim copy of an amendment proposed by both the American Chamber of Commerce (see page 11) and EuroISPA, the 'world's largest association of Internet Services Providers' (see page 2).


Article 4 - Definitions

  • (3a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;


Amendment 140 Proposed by Sajjad Karim (ECR)

Article 6 - Lawfulness of processing

  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • (fb) only pseudonymous data is processed.


Analysis: Together, these two amendments provide that data which are not directly collected or processed together with the data subject's name may be collected or processed without the data subject's consent, even if these data are tied to a unique identifier or can later be easily linked back to the data subject.

Amendment 259 - Processor

Proposed by Sajjad Karim (ECR)

Article 26 - Processor

  • 1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.


This amendment is a verbatim copy of one of the amendments proposed by Amazon to the JURI's MEPs (amendment 34, page 17).


Our analysis: This amendment provides that a controller may ask any company to collect and process personal data on its behalf regardless of the diligence and security guarantees offered by that company, except where the processed data could reasonably permit the processor to identify the data subject. But this criterion is excessively vague and may result in controllers never evaluating the processors they hire at all. Moreover, this amendment also states that controllers are only responsible for their own activities, no matter what their processor does.




Amendment 227 - Profiling

Proposed by Klaus-Heiner Lehne (EPP)


Article 20 - Measures based on profiling

  • 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
  • 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
    • (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
    • (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
    • (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards lawful pursuant to Article 6(1) (a) to (f) of this regulation.


EDRi's analysis: This would effectively remove all additional protections against profiling, rendering the right not to be subject to it void. It would for example include "legitimate interests" of the controllers and would also grant public sector controllers wide discretion to engage in profiling.


Amendment 219

Proposed by Sajjad Karim (ECR)


  • 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour A data subject shall not be subject to a decision which is unfair or discriminatory, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this data subject.

Analysis: The purpose of prohibiting profiling measures is to prevent unfair or discriminatory decisions, because such measures inherently lead to such consequences. This amendment proposes to withdraw every safeguard the Proposal set, leaving companies free to profile citizens as long as none of their unfair decisions is brought to court.


Amendment 48 - Data breach

Proposed by Rapporteure Marielle Gallo (EPP)

Article 31 - Notification of a personal data breach to the supervisory authority

  • 1. In the case of a personal data breach which has a considerable effect on the data subject, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

Gallo's justification: in the event of a breach, the controller must initially concentrate on putting into practice all appropriate measures to prevent it continuing. An obligation to notify the competent supervisory authority within 24 hours together with sanctions for failing to do so might have the opposite effect. In addition, as the Article 29 Working Party stated in its opinion of 23 March 2012, notification must not concern minor breaches, as otherwise the supervisory authorities would be over-burdened.


Amendment 22 - Anonymisation

Proposed by Rapporteure Marielle Gallo (EPP)


Article 4 - Definitions

  • (2a) ‘data rendered sufficiently anonymous’ means data, the information on personal or material characteristics contained in which can no longer be associated with an identified or identifiable individual or could only be so associated at a disproportionate cost in terms of time and financial and human resources;


EDRi's analysis: The problem with this formulation is that with technological progress, the means for de-anonymising data advance quickly. In other words: it is likely that measures that are 'disproportionate' today will not be 'disproportionate' in several years, which removes the increased legal certainty that the amendment was intended to create.


Amendment 24 - Legitimate interest

Proposed by Rapporteure Marielle Gallo (EPP)


Article 6 - Lawfulness of processing

  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party or third parties to whom the data are communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.


EDRi's analysis: This formulation decreases control of citizens over their personal data, as data may be used by (unknown) third parties without citizens' consent.


Amendment 36 - Right to data portability

Proposed by Rapporteure Marielle Gallo (EPP)


Article 18 - Right to data portability

  • 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
  • 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
  • 3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Gallo's justification: Data subjects have the right of access established by Article 15 of the proposal for a regulation. The right of access gives every data subject the right to know which personal data are being processed. Article 18, which enables data subjects to obtain a copy of their data, brings no added value in terms of the protection of citizens’ personal data and creates confusion regarding the exact scope of the right of access, which is a principal right.

EDRi's analysis: [This amendment] suggests the deletion of the right to data portability. The JURI Committee should follow the ITRE vote and adopt the right to port your data in interoperable formats.

Our analysis: Article 15 gives the data subject a right to obtain from the controller information on the processing of their data (purpose, categories of data, storage period) and communication of these data. But this article does not say in which format the data must be communicated. The controller may therefore communicate them in a form the data subject cannot understand, since data are usually processed in a computer-friendly format only. But if the data subject cannot know precisely which data are processed, how is he supposed to exercise his rights to rectification and to be forgotten? None of these fundamental rights can be exercised without Article 18.

Amendments to support

Amendment 107 - Personal data definition

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group


Article 4 - Definition

  • (1) ‘data subject’ means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number or other unique identifier, location data, online identifier or to one or more factors specific to the gender, physical, physiological, genetic, mental, economic, cultural or social identity or sexual orientation of that person;


EDRi's analysis: This amendment improves the Commission wording by pointing out that being able to "single out" a person is enough for the data to be considered personal data.


Amendment 135 - Legitimate interest

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 6 - Lawfulness of processing

  • 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
    • ...
    • (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.


EDRi's analysis: Given the slippery nature of the concept of "legitimate interest", it would be best to remove this ground for processing - or at least additional safeguards should be put in place to allow this clause only as a measure of last resort when no other legal ground for data processing exists. It should also be justified and communicated to the public before it is used.


Amendment 211 - Data portability

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 18 - Right to data portability

1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic, interoperable and structured format which is commonly used and allows for further use by the data subject.


EDRi's analysis: This improves the right to data portability. Requiring interoperable formats prevents controllers from providing data in formats that would create a “lock-in effect” or even tie users to possibly expensive proprietary formats.


Amendment 221 - Profiling

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 20 - Measures based on profiling

  • 1. Every natural person shall have the right, both off-line and online, not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.


EDRi's analysis: This amendment clarifies that profiling of citizens should be properly regulated, both on- and offline.


Amendments 223-225 - Profiling

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 20 - Measures based on profiling

  • 2. Subject to the other provisions of this Regulation, including paragraphs (3) and (4), a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
    • (a) is carried out in the course of necessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human including the right to be provided with meaningful information about the logic used in the profiling, and the right to obtain human intervention, including an explanation of the decision reached after such intervention; or
    • (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests, and which protects the data subjects against possible discrimination resulting from measures described in paragraph 1; or


EDRi's analysis: These amendments improve the Commission's proposal by providing better safeguards regarding profiling.


Amendment 345 - Transfers to third countries

Proposed by Eva Lichtenberger (Greens/EFA), shadow rapporteur in the JURI Committee for the Greens/EFA group

Article 44 - Disclosures not authorised by Union law

  • 1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.
  • 2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with point (d) of Article 34(1).
  • 3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 44.
  • 4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority.
  • 5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).


EDRi's analysis: This amendment provides good additional protection against third countries that wish to enforce their laws against European citizens.