This page lists the different key points of the Commission's Proposal for a General Data Protection Regulation. It aims to show the issues raised by these points (as analysed by European Digital Rights^[1]) and to identify the positions took by the european committees, political parties and lobbies.

Scope of the Regulation

The Regulation mainly aims to deal with the collect, the processing and the transfer of personal data. As it defines personal data as 'any information relating to a data subject', it actualy aims to protect these 'data subjects'. Thus, the amount of activities the Regulation will regulate will depend on the scope of the definition of this 'subjetcs'.

Provisions of the General Data Protection Regulation

Article 2 - Material scope

• 1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

• 2. This Regulation does not apply to the processing of personal data:
  • (a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;
  • (b) by the Union institutions, bodies, offices and agencies;
  • (c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of the Treaty on European Union;
  • (d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity;
  • (e) by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

Article 4 - Definitions

• 1. 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

• 2. 'personal data' means any information relating to a data subject;

Recital 23

• The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

Recital 24

• When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.

Amendments proposed by the Rapporteur

Amendment 84

Article 4 – point 1

• 1. 'data subject' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a identification number unique identifier, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, social or gender identity or sexual orientation of that person;

Amendments proposed by ITRE

Compromise amendment 31

Article 4

• 1. ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, working together with the controller, in particular by reference to an identification number or other unique identifier, location data, online identifier or to one or more factors specific to the gender, physical, physiological, genetic, mental, economic, cultural or social identity or sexual orientation of that person and who is not acting in his/her professional capacity;

• Note: This CA proposes to set out the scope of the Regulation the individuals:
  • who are acting in their professional capacity (who are not acting as mere consumers) or;
  • who can be identified by third parties where these third parties are not working together with the controller.

Compromise amendment 32

Article 4

• 2. ‘personal data’ means any information relating to a data subject whose specific identity can be identified, directly or indirectly by the controller or by any other natural or legal person, working together with the controller.

Consent

As it makes the lawfulness of a processing depend on the data subject's consent, the protection provided by the Regulation is based on the consent it requires.

Provisions of the General Data Protection Regulation

Article 4 - Definitions

• 8. 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.

Article 6 - Lawfulness of processing

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

Article 7 - Conditions for consent

• 1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.

• 2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

• 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

• 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

Amendments proposed by the Rapporteur

Amendment 106

Article 7 - Conditions for consent

• 4.(a) Consent looses its effectiveness as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were collected.

Amendment 107

Article 7 - Conditions for consent

• 4.(b) The execution of a contract or the provision of a service may not be made conditional on the consent to the processing or use of data that is not necessary for the execution of the contract or the provision of the service pursuant to Article 6(1)(b).

Amendments proposed by IMCO

Amendment 63

• Article 4 - Definitions

• 8. ‘the data subject's consent’ means any freely given indication that must be specific, informed and explicit as explicit as possible according to the context, of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, explicitly whenever the data referred to in Article 9(1) are to be processed, signifies agreement to personal data relating to them being processed;

Amendments proposed by ITRE

Compromise amendment 35

Article 4 - Definitions

• 8. ‘the data subject's consent’ means any freely given specific, informed and explicit unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; Silence or inactivity does not in itself indicate acceptance;

Pseudonymous Data

Amendments proposed by the Rapporteur

Amendment 85

Article 4 – point 2 a (new)

• 2.(a) 'pseudonym' means a unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject;

Amendment 105

Article 7 - paragraph 2 a (new)

• 2.(a) If the data subject's consent is to be given in the context of the use of information society services where personal data are processed only in the form of pseudonyms, consent may be given by automated means using a technical standard with general validity in the Union in accordance with paragraph 4c, which allows the data subject to clearly express his or her wishes without collecting identification data.

Amendment 108

Article 7 – paragraph 4 c (new)

• 4.(c) The Commission shall be empowered to adopt, after requesting an opinion from the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the requirements and conditions for technical standards referred to in paragraph 2a, and for declaring that a technical standard is in line with this Regulation and has general validity within the Union.

Amendments voted by IMCO

Amendment 61

Article 4 - point 3(b) (new)

• 3.(b) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort

Amendment 75

Article 6 - paragraph 1 - point f e (new)

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • ...
  • (fe) only pseudonymous data is processed.

Amendment 139

Article 23 – paragraph 1 a (new)

• 1.(a) Anonymisation or pseudonymisation of personal data should be applied by the data processor where feasible and proportionate according to the purpose of processing.

Amendments voted by ITRE

Compromise amendment 33

Article 4 – paragraph 1 – point 2 a (new)

• 2.(a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution.

Compromise amendment 40

Article 6 – paragraph 1

• 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
  • (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • ...
  • (g) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Art. 19 (3) (new).

Anonymous Data

Amendments proposed by IMCO

Amendment 50

Article 2 – paragraph 2 – point d a (new)

• 2. This Regulation does not apply to the processing of personal data:
  • ...
  • (da) which have been rendered anonymous within the meaning of Article 4(2a);

Amendment 59

Article 4 – point 2 a (new)

• 2.(a) 'anonymous data' means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject; anonymous data shall not be considered personal data.

Amendments proposed by ITRE

Compromise amendment 34

Article 4 – paragraph 1 – point 2 b (new)

• 2.(b) 'anonymous data' means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject; anonymous data shall not be considered personal data