The opinion highlights the proposal’s potential for enhancing the internal market and creating a level playing field for businesses in the EU. The rapporteur - MEP Lara Comi (EPP, Italy) - focused on the definitions within the proposed Regulation, the rights of the data subject, the obligations of data controllers with regard to consumer rights, and consistency.
An overview of the amendments relevant for health is given below:
- Amendment 4 introduces the notions of anonymous and pseudonymous data into the definition of personal data.
- Amendment 13 states that consent shall not constitute a legal basis for processing if the subject has no alternative access to an equivalent service.
- Amendment 14 relaxes the conditions under which employers may process employee data, where such processing is in the interest of the subject and such consent can be freely withdrawn.
- Amendment 15 classifies the withdrawal of consent to process as a termination of contract for some services.
- Amendment 17 reinstates the provision of the current directive, which gives member states the option to adopt sector-specific legislation adapted to national circumstances.
- Amendment 18 provides that data collected for another purpose can be made available for public scientific research where the scientific relevance of the processing can be documented.
- Amendment 19 adds electronic communication of appointments at clinics and hospitals to the list of activities excluded from the prohibition on processing.
- Amendment 27 introduces privacy accountability mechanisms as an alternative to prior consultation and authorisation mechanisms, meaning companies which demonstrate accountability practices are exempt from the latter oversight initiatives.
- Amendments 31 and 149 remove some of the administrative burden around recording of all processing activities.
- Amendment 42 allows a patient’s relative to gain access to the patient’s data where the patient is not able to take decisions or use the information.
- Amendment 43 states that a professional health data should receive, where possible, only anonymous and pseudonymous data.
- Amendment 67 allows for health data to be stored for longer periods of time and for research purposes.
- Amendment 81 removes the ’significant imbalance’ provision for consent.
- Amendment 89 stipulates that consent from parent or guardian should not always be required where the data concerns a child’s health and the child is deemed of a competent age.
- Amendment 162 removes the 24 hour deadline to report a data breach.
- Amendment 180 makes the appointment of a DPO voluntary.
- Amendment 213 removes the delegated act allowing the Commission to further stipulate what is meant by ’reasons of public interest in the area of public health’.
- Amendment 214 allows member states to adopt by collective agreement among employers and employees special rules regulating the processing of employee data.
- Amendment 217 allows member states to adopt specific measures regulating the processing of data for research.
Some bodies have criticised the IMCO opinion as n attempt to ’water down’ the Commission’s proposal, on the basis that it makes it easier for U.S. companies to operate in Europe. The file was also discussed by EU ministers at the informal Justice and Home Affairs Council on 18 January.
The final opinion offers 226 amendments for consideration by the committee responsible and was adopted by 19 votes to 16 with one abstention.
IMCO is the first of four committees due to adopt an opinion on the Commission’s proposal. The committee responsible - Civil Liberties, Justice and Home Affairs (LIBE) - issued its draft report in December. The deadline for tabling amendments is 27 February and it is hoped that the plenary will adopt a final text before the end of the current parliamentary session.
Full opinion of the IMCO Committee
Legislative Observatory file
EPHA related articles
European Parliament releases draft report on General Data Protection Regulation
[EPHA Briefing] General Data Protection Regulation
EPHA position on General Data Protection Regulation
European Parliament’s LIBE Committee debates General Data Protection Regulation
European Parliament Committee issues draft opinion on General Data Protection Regulation