Data Protection: IMCO Opinion

IMCO is the European Parliament committee on Internal Market and Consumer Protection issues.

On 28 January 2013, it issued an opinion on the Proposal for a Data Protection Regulation, intended to assist the LIBE committee in drafting its own report.

You can find a detailed list of its members on Memopol or visit its official website.

Its opinion proposes many amendments which would severely weaken personal data protection. This page lists and analyses the most dangerous of them.

=Pseudonymous data=

These two amendments provide that data which are not directly collected or processed together with the data subject's name may be collected or processed without the data subject's consent, even though these data are tied to a unique identifier - which may be linked to the data subject's name in another dataset - or may otherwise be easily linked back to the data subject, as shown in studies on recent re-identification advances.

=Consent=

The explicit consent requirement is the core of this proposal. It is based on the idea that users can only trust the data industry if they can control exactly who knows what about them, and that only explicit consent would give them such control. This amendment states that, depending on the context, users may not always be able to give explicit consent - that it may be impossible or too difficult to do so. Yet, except when they are unconscious, there is absolutely no context in which data subjects may not be able to accept something explicitly. This amendment is actually just a way to admit "contextual consent" - passive consent - when it would be considered to be "sufficient" - according to unknown criteria - even though the only way to gain users' trust would be, in any context, to require their explicit consent.

=Purpose limitation=

This amendment provides that data may be processed for purposes other than those users have consented to, as long as these "new purposes" are not too disconnected from the one accepted by the user. Once again, it is actually just a way to admit processing that data subjects have not explicitly consented to.

A data subject may only agree to his data being collected for a specified and specific purpose. Thus, these data cannot be processed in a way incompatible with this purpose, except in five limited cases (paragraph 1 points (a) to (e)): new consent is given, the data subject is party to a contract which requires this processing, his vital interests are at stake or public interest demands this processing. This amendment extends these narrow exceptions to the broad and dangerously vague concept of legitimate interest (paragraph 1 point (f)).

A similar amendment has been voted in JURI (amendment 49).

=Exceptions to consent=

Even if it is relevant for banks to evaluate the creditworthiness of their customers, there is no reason why this information should be collected without the consent of the latter. If someone wants to take out a loan, his banker should ask him directly for the information needed. Otherwise, it would give banks an unnecessary freedom to collect and process personal data with no control at all from data subjects.

The third party's legitimate interest exception was already provided by the 1995 Directive. The proposal goes back on this exception as it does not fit the new context of the Internet where controllers are trading thousands of personal data with hundreds of companies every day.

This exception would bring an unacceptable uncertainty by allowing the "legitimate interest" of one of these many companies to override data subjects' right to privacy, the "legitimate interest" concept being in itself far too vague, undefined and left to the interpretation of judges, when privacy should be entirely, precisely and directly protected by the Regulation.

Similar amendments have been voted in ITRE (amendment 100) and JURI (amendment 47) committees.

This exception would be acceptable if it only concerned information that data subjects have explicitly decided to make publicly known to be linked to them - such as a curriculum vitae published on a professional network, for instance.

In other cases, such as messages published on common social networks or under a pseudonym, data subjects may not want anyone to be able to link this information back to them.

Actually, this amendment alone would allow any information data subjects have published using a pseudonym to be processed and identified without their consent.

=Profiling=

The Proposal proposes to strongly regulate profiling measures because such measures are inherently doomed to lead to unfair and discriminatory decisions. These amendments propose to withdraw every safeguard the Proposal set, leaving companies free to profile citizens as long as none of their 'decisions' is brought to court.

=Controller's liability=

This amendment is a verbatim copy of one of the amendments proposed by Amazon to JURI's MEPs (amendment 34 page 17).

It provides that a controller may ask any company to collect and process personal data on its behalf regardless of the guarantees it offers, except where the processed data can reasonably permit identification of the data subject. But this criterion is excessively vague and may result in controllers never evaluating at all the processor they hire. Moreover, this amendment also states that controllers may only be responsible for their own activities, no matter what the processor they chose does.

=Data breach=

These amendments would let companies decide whether or not a security breach should be notified to the supervisory authority and data subjects, depending on their assessment of the nature and degree of its impact. But as long as such an incident harms companies' reputation, we cannot rely on them to spontaneously notify every important breach. Thus, controllers should notify each of them.

Similar amendments have been voted in ITRE (amendments 245 & 255) and JURI (amendment 111).

=Transfer to third countries=

See comment on amendment 71: there is no reason that personal data which have been made public would not be protected just as other data are.

=Complaints=

The IMCO committee simply proposed to remove from the Regulation the right data subjects would have to be represented by an organisation during a procedure aimed at defending their fundamental right to privacy.

This amendment proposes that data subjects who disagree with a foreign authority's decision cannot be represented by their national authority but should bring proceedings against the foreign authority on their own.

The only purpose of these two amendments is to prevent citizens from bringing proceedings against controllers too easily. Although "IMCO" stands for "Internal Market and Consumer Protection", these amendments clearly show that, in order to address companies' concerns, this committee is ready to deprive consumers of ways to defend their rights.

Similar amendments have been voted in ITRE (amendments 360 & 362) and JURI (amendments 170, 172 & 174).

=Sanctions=

These three amendments dismiss the proposed sanctions but do not propose to replace them with other - 'better' - ones. It would actually mean that IMCO considers that no fine or sanction (except 'warning in writing') should be imposed on companies infringing the Regulation.

Similar amendments have been voted in ITRE (amendments 370-397) and JURI (amendments 176, 178 & 180).