Data Protection: JURI Opinion

JURI is the European Parliament's Committee on Legal Affairs.

On 25 April 2013, it issued an opinion on the Proposal for a Data Protection Regulation, intended to assist the LIBE committee in drafting its own report.

You can find a detailed list of its members on Memopol or visit its official website.

Its opinion proposes many amendments which would severely weaken personal data protection. This page lists and analyses the most dangerous of them.

Top amendments to reject and to support

=Pseudonymous data=

This amendment proposes to define a new category of personal data: data which are not directly collected or processed together with the data subject's name. But JURI did not make the same mistake as IMCO (amendment 75) and ITRE (amendment 101): it rejected amendments which proposed to reduce the protection provided for this kind of data.

On its own, this definition would change nothing. But it still shows that MEPs are willing to distinguish between different kinds of personal data, while there is no reason why any of them should be less protected than others.

=Legitimate interest=

The exception for a third party's legitimate interest was already provided by the 1995 Directive. The proposal goes back on this exception, as it does not fit the new context of the Internet, where controllers trade thousands of personal data with hundreds of companies every day. This exception would bring unacceptable uncertainty by allowing the "legitimate interest" of any one of these many companies to override data subjects' right to privacy. The "legitimate interest" concept is in itself far too vague, undefined and left to the interpretation of judges, when privacy should be entirely, precisely and directly protected by the Regulation.

Similar amendments have been voted in IMCO (amendment 70) and ITRE (amendment 100) committees.

=Purpose limitation=

A data subject may only consent to his data being collected for a specified and specific purpose. Thus, these data cannot be processed in a way incompatible with this purpose, except in five limited cases: new consent is given, the data subject is party to a contract which requires this processing, his vital interests are at stake or the public interest demands this processing. This amendment extends these narrow exceptions to the broad and dangerously vague concept of legitimate interest.

A similar amendment has been voted in IMCO (amendment 77).

=Data subjects' rights=

This amendment would allow controllers to charge users where their requests are 'excessively complex'. This covers users who ask for information on their personal data (which of their data are processed, for what purpose, who can access them and for how long they will be stored), who ask for the rectification or erasure of these data, or who object to their processing. Thus, whenever controllers decide that a request is too complex for them, users would have to pay to know and control who knows what about them.

An identical amendment has been voted in ITRE (amendment 134).

=Profiling=

JURI's Opinion explains that: '' 'It is important to consider that some profiling activities have considerable benefits for consumers and can be a good basis for good customer service. The wide definition of profiling does not differentiate routine data processing activities that are positive in nature with more negative profiling. Positive profiling is often used to tailor services to consumers by recording their needs and preferences.' ''

But Eva Lichtenberger provided great counter-arguments against this position in the justification of the 37th amendment: '' 'Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust in especially online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.' ''

The Regulation currently provides three limited cases where profiling is authorized: under a contract, when authorized by a specific law and when the data subject consents to it. This amendment replaces these exceptions with those of Article 6, which include the dangerously vague one of "controller's legitimate interest" and the one of "public interest", which would grant the public sector wide discretion to engage in profiling.

Similar amendments have been voted in ITRE (amendments 184-188).

=Data breach=

This amendment would let companies decide whether or not a security breach should be notified to the supervisory authority, depending on their own assessment of the nature and degree of its impact. But as long as such an incident harms companies' reputation, we cannot rely on them to spontaneously notify every important breach. Thus, controllers should notify each of them.

Similar amendments have been voted in IMCO (amendments 162 & 169) and ITRE (amendments 245 & 255).

=Complaints=

The current Proposal provides that organisations which aim to protect data subjects' rights concerning the protection of their personal data have the right, on their behalf, to lodge a complaint with a supervisory authority or to seek a judicial remedy against any supervisory authority, controller or processor. But this amendment proposes to remove organisations' capacity to seek remedies on behalf of data subjects.

Similar amendments have been voted in IMCO (amendments 198 & 200) and ITRE (amendments 360 & 362).

=Sanctions=

These amendments state that only repeated and deliberate breaches of the Regulation may lead to a fine, while the Proposal currently provides that fines may be imposed on anyone who breaks the Regulation, even for a single and negligent breach. Thus, these amendments drastically and unnecessarily lower the standards companies must meet in order not to be fined. These amendments may actually prevent supervisory authorities from issuing sanctions at all, as they may fail to establish companies' actual intention to break the Regulation.

Similar amendments have been voted in IMCO (amendments 208-210) and ITRE (amendments 370-397).