Data Protection: Unambiguous is Ambiguous

Paris, 16th September 2015 — The main pending issues for the European Data Protection Regulation will be discussed on 16th and 17th September during the coming trialogue meeting. The latest proposals from the Council visibly aim at limiting the guarantees provided to the users in favor of private lobbies.

The trialogue planned on 16th and 17th September will focus on very key provisions of the Data Protection Regulation, such as data protection principles (Chapter II), the data subject rights (Chapter III) and the rules regarding controllers and processors (Chapter IV). This regulation aims to replace the directive adopted in 1995, where Internet was less developed than nowadays. A growing part of our lives happens on the Internet, enabling organisations to collect informations on visited websites and social networks to get a very precise knowledge of any individual's professional and personal life, interests and even health. It becomes urgent to ensure a clear and strong protection of Internet users and give them the opportunity to regain control of their data. There is clear need to reshift the power balance between individuals and the organisations collecting and processing data in favour of individuals.

The Council and even some MEPs are now trying to limit the safeguards established by the European Parliament in March 2014. They would like to authorize the storage of personal data for historical, statistical or scientific research purposes, even when this is no longer necessary for processing. Due to the lack of a clear and demanding definition of "historical, statistical or scientific research purposes", this introduces an important breach and therefore great insecurity for personal data protection rights.

Furthermore, there are some attempts to ask only for an "unambiguous" consent from the data subject in order to start the data collection and processing. "Unambiguous" is too vague and very dangerous as it would enable websites to collect and process data when the browser does not automatically provides for an informed consent to the data collection and processing, or consider that visiting a website constitutes an unambiguous consent. This is absolutely not acceptable and an "explicit freely given and informed consent" should be required before any collection and processing of personal data. All processors should be compelled to indicate very clearly on their websites what data are collected, how long these data will be stored, and mention the right of access to these personal data, rectification or erasure and the right to lodge a complaint.

The regulation, as proposed, contains a huge hidden loophole in the notion of “legitimate interest”. Left too vague and undefined, this would allow companies to argue “legitimate interest” in order to by-pass the constraints related to the compulsory users' consent. It would allow the use of personal data in ways the user did not consciously agree to. This would probably also lead to divergences between Member States when implementing the regulation, whereas the goal is the harmonisation of all Member States rules.

The pseudonymisation of data is not a real protection as it is quite easy to acquire more information in order to identify the data subject. The Council -contrary to the Parliament- opens the door to the collection or processing of data aiming at identification of the subjects of pseudonymized data in order to ask for their consent to a new processing. The Parliament forbids such collection or processing, while the Council only says the data controller cannot be obliged to carry it. This would create a loophole threatening the rights of individuals.

"The EU Council is willingly trying to leave huge loopholes in the text for the sake of corporate interests and to minimize protections for Internet users. It is urgent to not only maintain the level of protection afforded by the 1995 directive, but also to address the gaps in the legislation. It is time to restore the confidence of Internet users and to enable them to assert their right ro privacy and fundamental freedoms", declares Agnès de Cornulier, policy and legal analysis coordinator at La Quadrature du Net.

See EDRI's Analysis.