Review of the proposed General Data Protection Regulation, as adopted by the European Parliament on 12 March 2014

From La Quadrature du Net
Revision as of 4 August 2015, 17:53, by Piks3l

On 25 January 2012, the European Commission published their [1] "on the protection of individuals with regard to the processing of personal data".

On 12 March 2014, the European Parliament adopted an amended version of the [2], bundling it with a [3], together referred to as the Data Protection Reform Package (DPR).


Now the Council of the European Union (also known as the Council of Ministers; it brings together the ministries of member states) is considering the proposals. Negotiations between the European Council, Parliament and Commission, referred to as a “trialogue”, are expected to come to a conclusion at the end of 2015.
The aim is to bring European legislation on the use of personal data up to date with technical, commercial and societal changes brought about by the digital age. The previous legislation, a directive (hence legislation that relies on being transposed into national law, as opposed to a regulation that applies to all member states equally), dates from 1995 [4] and fails on many counts, most notably on the protection of personal data.


The proposed texts introduce some fundamental changes that directly impact internet users:


== Data Subject Consent ==

Article 6 states that a user's ('data subject's') consent is required for data processing. This consent can, for instance, be obtained during the initial registration with a social network service when the user agrees to the EULA and thus to the use of their data by the company. It states that “'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes” (Article 4(8)). Moreover, it is specified that it “shall be as easy to withdraw consent as to give it” (Article 7(3)).

The regulation, as proposed, contains a huge loophole in the form of the notion of “legitimate interest” (see Article 6(1)(f)). Left too vague and undefined in the regulation, it would allow companies to argue “legitimate interest” in order to bypass the constraints inherent in the requirement for users' consent. It would allow the use of personal data in ways that the user did not consciously agree to.

== Data Subjects' Rights ==


The version adopted by the European Parliament introduces a new article, Article 10(a)(2) on the “General principles for data subject rights”.

This proposed regulation would sanction 'profiling'. Profiling is defined in the text as “any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour” (Article 4(3a)).

Profiling of individuals exacerbates the power imbalance between states and corporations on one hand and the individual user on the other. In the case of a private enterprise, data can be used to deduce consumer habits in order to target advertisements more effectively or to decide on the terms and conditions of a bank loan. Profiling is also of interest to governments' security efforts. The surveillance of a person or group of persons can be done through the collection of their data to study their habits, movements, activities and international contacts. (See, amongst others, Article 20.) The text prohibits profiling that “has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity” and requests that the controller act to prevent discrimination (Article 20(3)).

The European Parliament's version deletes the 'right to portability' of data initially proposed by the Commission in Article 18. Portability means that a user can demand that their data be transferred to another company (similar to the principle of portability of telephone numbers when switching providers). The deleted article also contained provisions aimed at encouraging the development of standards that would facilitate the inter-operability between systems, a necessary condition for the efficient sharing and porting of data between IT systems. (See Recital 55)


The 'right of information' is accorded to the user (see Recital 59). This information includes the purposes for which the data are being collected and the length of its retention. The user should know the identity of the data controller and be informed if the data are passed to third parties for commercial ends. 


The regulation specifies 'the right to erasure' of data of a personal nature under certain conditions (Article 17). An individual may request that their data be deleted when “the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed” or when the data subject withdraws consent. The Parliament added that the right to erasure is also possible after a decision by a court or regulatory authority based in the EU or when the data “has been unlawfully processed”, while restricting this right to cases other than when the data is needed “for exercising the right of freedom of expression” (Article 17(3a)).

== Pseudonymised data ==


The report introduced into the text the notion of “pseudonymised data”, in connection with the research purposes that are an exception to the data subject's consent. For these purposes, data could be merely “pseudonymised” instead of “anonymised” when anonymisation is not possible (Article 81(2a)). The term “pseudonymised” is not used innocuously. “Anonymised” data are data from which it is not possible to single out and identify an individual, whose anonymity is thus fully respected. “Pseudonymised” data, by contrast, still relate to an identifiable individual, because of the link between the pseudonym and the identifying data (surname, first name, address...) available to the organisation collecting the information. Moreover, it is extremely easy to identify an individual with relatively little pseudonymised data. Consequently, pseudonymisation is not a sufficiently protective solution for users, who can be identified too easily.

== Obligations of the data controller guaranteeing data protection ==

The data controller must ensure the protection of the data of the persons concerned by the processing. It therefore has three main obligations:

  • An obligation to document the processing carried out (Article 28). These documents may be checked at any time by the national supervisory authority, on pain of sanctions.
  • An obligation to carry out an impact assessment for high-risk processing (Article 32a). This must be carried out systematically when the processing presents particular risks to the rights and freedoms of individuals (e.g. sensitive data, large-scale files concerning children, genetic data, biometric data).
  • An obligation to ensure the security of the data processing, by guaranteeing its confidentiality, and the integrity of the data subject.

== A heavy financial penalty ==

If data controllers, in particular companies, do not comply with the text, they are subject to a very substantial financial penalty, of up to 5% of the data controller's worldwide turnover (Article 79).

References