The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) published its draft report amending the Commission’s proposal for a General Data Protection Regulation on 17 December 2012. In doing so, Rapporteur Jan Albrecht MEP (Green/EFA, Germany) has stuck to his ambitious goal of having an updated European data protection framework by the end of the current Parliamentary term.
The report makes 350 amendments to the original Commission text, covering a range of issues and addressing some core concerns that have been highlighted since the Regulation was proposed in January 2012. It also shortens the Commission proposal in many parts and reduces the complexity of the text.
Definitions and scope
The concept of personal data more broadly is clarified in amendment (AM) 84, but the specific definition of personal data relating to health, as laid out in Article 81 and Recital 26, is not changed. The applicability of the principle of data minimisation as concerns health-related information is clarified, and member states are required, under the new proposals, to inform the Commission about any laws they adopt in relation to Article 81(1). The specific inclusion of social networking sites and search engines is not mentioned in the draft report, but elements of flexibility remain in place to allow for future adaptation to changing technological norms. Finally, the inclusion of anonymous and pseudonymous data has been clarified, allowing for the processing of both in the proposed new text - the inclusion of the process of anonymising and pseudonymising, however, remains unclear.
The Article 11 provisions ensuring transparent and easily accessible information on data protection processes are strengthened in AM 118, which provides for multi-layered notices designed to give the data subject the information they need to understand their position and make the necessary decisions. The provisions enshrining the right to access, contained in Article 15, further emphasise the importance of clarity, as well as highlighting the specific case of profiling, whilst AM 140 requires that data subjects be informed of any request made by a public authority for access to data. In a broader attempt to simplify and clarify the proposal, Articles 15 and 18, on right to access and data portability respectively, are merged in the draft report - where data is accessed by the subject, it should be provided in electronic format, allowing for transfer to other platforms and services.
The EPHA position states that Article 83 and its associated derogations must be maintained and clarified so as to facilitate health research. The draft report (AM 27) amends the conditions in which data concerning children and sensitive data, including health information, may be used for research - AM 334 and AM 337 provide that data in these categories (covered by Articles 8 and 9) may only be used for research where consent is obtained, or where the member state provides an exception for research of ‘exceptionally high public interest’. In the latter case, such data must be anonymous or pseudonymous, and the processing of such data is subject to prior approval by the supervisory authority. AM 341 removes the Commission’s power to adopt delegated acts in this area, providing greater legal clarity, but does not clarify how research of ‘exceptionally high public interest’ is to be classified.
The Article 17 provisions concerning the right to be forgotten are clarified and the need to respect the right to freedom of expression is highlighted. Similarly, the Article 7 conditions for consent are strengthened to take account of information society services and electronic consent - the use of ‘pre-ticked boxes’ is prohibited as a means of obtaining legal consent (AM 19).
Derogations and exemptions
The draft report seeks to address the widespread concern about the number of delegated acts provided for in the Commission proposal - the power to adopt such acts has been removed in articles concerning breach notifications, impact assessments, the right to erasure and to be forgotten, the classification of public interest and commonly used electronic formats, among others. In most cases, these have been replaced with clarifications and details within the text. Where the power to adopt delegated and implementing acts remains, the Commission is, in most cases, required to request an opinion of the European Data Protection Board.
AM 70 deems social security measures, in addition to employment contexts, to be an area where member states may keep specific laws concerning data protection. However, the issues relating to access to such information by professional bodies and employers are not addressed.
The draft report goes some way to clarifying the liability of data controllers and the scope of the proposal as concerns transfer of data to third parties outside of the EU. AM 10 ensures that intermediaries are only held liable for activities over which they have control, whilst AM 12 states that data controllers outside of the EU should be subject to the regulation if they offer services or goods to data subjects within the Union, even where these are free of charge. Furthermore, AM 54 states that transfer to third countries should be based on legally binding instruments and AM 259 lays out the conditions under which data requested from outside the EU can be transferred.
AMs 42 and 48 remove the use of employee numbers to determine applicability of the regulation, instead using the type of activity and volume of data processed to establish whether a data protection officer (DPO) is required. In instances where an organisation is processing the data of more than 500 subjects each year, a dedicated DPO must be appointed (AM 223). AM 9 states that the regulation covers only competent public authorities for law enforcement, not private bodies.
The fines charged for failure to meet right-to-access requests remain unchanged, but are no longer under the control of the Commission - instead, these will be decided by the supervisory authority according to the criteria set down in the Regulation (AM 316).
The draft report makes some positive steps in simplifying and clarifying the Commission’s original proposal - it emphasises the fundamental rights arguments and brings the law of EU institutions in line so as to create a coherent framework for data protection across the Union (AM 7). The role of the European Data Protection Board (EDPB) is strengthened and expanded, allowing it to advise and respond to requests by the European Parliament and the Council, as well as the Commission. It is also responsible for the new consistency mechanism, which maintains the previous model’s reliance on a lead supervisory authority, but encourages closer cooperation between such authorities where data processing takes place across borders. A greater examination of the Regulation’s applicability to profiling is also included, reflecting the increasing importance of social networking sites, and the Commission retains some power in its right to refer decisions of the EDPB to the European Court of Justice.
MEPs have until 27 February to propose amendments to the report, and opinions are expected from the Committees on Employment and Social Affairs; Industry, Research and Energy; Internal Market and Consumer Protection; and Legal Affairs. The LIBE Committee is expected to vote on it in April 2013.
For further information:
Original Commission proposal for a regulation
Full draft report by LIBE Committee
Economic and Social Committee opinion
EPHA position on General Data Protection Regulation
European Parliament’s LIBE Committee debates General Data Protection Regulation