Data Protection: ITRE Opinion

ITRE is the European Parliament committee on Industry, Research and Energy issues.

On 20 February 2013, it issued an opinion on the Proposal for a Data Protection Regulation, intended to assist the LIBE committee in drafting its own report.

You can find a detailed list of its members on Memopol or visit its official website.

Its opinion proposes many amendments that would severely weaken personal data protection. This page lists and analyses the most dangerous of them.

=Consent=

If the required consent need not be explicit, data subjects might give it by a 'passive action' - by not opposing the processing of their data. This amendment only proposes that consent must be 'unambiguous': mere 'silence or inactivity does not in itself indicate consent', but it does when occurring in a specific context - when data subjects can understand the consequences of their silence or inactivity.

That is the current state of the law, and it has proved not to fit the information society at all any more. Users are losing trust in Internet services, as many websites collect their personal data without explicitly warning them about it. These websites only state that they collect such data on a distant page of their site, which is not enough at all to regain users' trust: users must have entire control over the processing of their own data.

=Pseudonymous data=

These two amendments provide that data which are not directly collected or processed together with the data subject's name may be collected or processed without the data subject's consent, even though these data are tied to a unique identifier - which may be linked to the data subject's name in another dataset - or may otherwise be easily linked back to the data subject, as studies on recent re-identification advances show.

=Exceptions to consent=

The third party's legitimate interest exception was already provided by the 1995 Directive. The proposal goes back on this exception as it does not fit the new context of the Internet where controllers are trading thousands of personal data with hundreds of companies every day.

This exception would bring an unacceptable uncertainty by allowing the "legitimate interest" of one of these many companies to override data subjects' right to privacy. The "legitimate interest" concept is in itself far too vague, undefined and left to the interpretation of judges, when privacy should be entirely, precisely and directly protected by the Regulation.

Similar amendments have been voted in IMCO (amendment 70) and JURI (amendment 47) committees.

This exception would be acceptable if it only concerned information that data subjects have explicitly decided to make publicly known as linked to them - such as a curriculum vitae published on a professional network, for instance.

In other cases, such as messages published on a common social network or under a pseudonym, data subjects may not want anyone to be able to link this information back to them.

In fact, this amendment would by itself allow any information that data subjects have published under a pseudonym to be processed and identified without their consent.

=Data subjects' rights=

This amendment would allow controllers to charge users where their requests would be 'excessively complex': users who ask for information on their personal data (which of their data are processed, for what purpose, who can access them and for how long will they be stored?), who ask for the rectification or the erasure of these data, or who object to their processing. Thus, whenever controllers decide that a request is too complex for them, users would have to pay to know and control who knows what about them.

An identical amendment has been voted in JURI (amendment 64).

=Profiling=

This set of amendments provides that data subjects' consent is no longer required to take a decision which will affect them and which is based only on profiling. Instead, profiling is authorised when based on one of the two fallacious grounds of pseudonymous data and legitimate interest.

Similar amendments have been voted in JURI (amendments 86-87).

This amendment provides that one may take a decision based only on 'race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions'.

=Data breach=

This amendment would let companies decide whether or not a security breach should be notified to the supervisory authority, depending on how they assess the nature and degree of its impact. But as long as such an incident harms companies' reputation, we cannot rely on them to spontaneously notify every important breach. Thus, controllers should notify each of them.

Similar amendments have been voted in IMCO (amendments 162 & 169) and JURI (amendment 111).

In case of a data breach, the people best placed to reduce the risk of harm to data subjects are data subjects themselves. This amendment deprives users of control over their data and proposes a weak alternative - notification to 'government institutio' - which may turn out to be an easy way out when applied by companies.

=Transfer to third countries=

The Proposal provides that a supervisory authority must give its authorisation before personal data may be transferred to a third country where the only safeguards provided for this transfer are set by contractual clauses. These amendments remove this requirement: controllers would be free to transfer the data they have collected to any country, but would be rewarded with a seal when they can provide sufficient safeguards.

Rapporteur's justification: Procedures requiring prior authorisation are costly and time-consuming for the controller, and their added value compared to a system of prior notification can be questioned from the point of view of data protection. Prior notifications, which would give the supervising authority the possibility to react and act, is sufficient and also provides for a user-friendly data protection procedure.

=Supervisory authorities=

This set of new amendments would mean that only one supervisory authority may fine multinational companies, and would allow these companies to choose precisely which one it would be.

Even if the Regulation harmonizes every European national law and provides supervisory authorities with effective ways to coordinate their actions, there will still be a strong risk that some authorities will be less inclined than others to issue truly dissuasive fines. It is for this unique and precise reason that multinational companies want to be able to choose which authority will supervise their activity. And that is what the ITRE committee gave them.

=Complaints=

These amendments propose to considerably reduce the right data subjects would have to be represented by an organisation in a procedure aimed at defending their fundamental right to privacy: they would not be able to be represented when bringing procedures for compensation, or to be represented at all if they are not members of a € 80 000 association.

Similar amendments have been voted in IMCO (amendments 198 & 200) and JURI (amendments 170, 172 & 174).

=Sanctions=

These amendments state that only repeated and deliberate breaches of the Regulation may lead to a fine, while the Proposal currently provides that fines may be imposed on anyone who breaks the Regulation, even for a single and negligent breach.

Thus, these amendments drastically and unnecessarily lower the standards companies must meet in order not to be fined. These amendments may actually prevent supervisory authorities from issuing sanctions at all, as they may fail to establish companies' actual intention to break the Regulation.

Similar amendments have been voted in IMCO (amendments 208-210) and JURI (amendments 176, 178 & 180).